LAN to VLAN configuration

Hello!

I recently converted two of my older Google Wifi pucks that were sitting around gathering dust to OpenWrt and that went smoother than I thought it would, given that they are Google devices.

My current dilemma is this: I need the wireless clients of SSID WifiA to be on VLAN 50, the clients of SSID WifiB to be on VLAN 10, and any traffic to/from the wan/lan ports to be on VLAN 40 -- pass-through. The port that is connected to the switch with the trunk configuration is wan.

I've looked at the docs on how to do this, and after several examples I am unsure how the interface naming on OpenWrt works with embedded devices (if this were a normal Linux computer I'd have that done), and since I don't want to lock myself out, I am asking here.

The devices available, according to the kernel...

lrwxrwxrwx    1 root     root             0 Jun 22 20:51 br-lan -> ../../devices/virtual/net/br-lan
lrwxrwxrwx    1 root     root             0 Dec 31  1969 eth0 -> ../../devices/platform/soc/c080000.ethernet/net/eth0
lrwxrwxrwx    1 root     root             0 Dec 31  1969 lan -> ../../devices/platform/soc/c000000.switch/net/lan
lrwxrwxrwx    1 root     root             0 Dec 31  1969 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx    1 root     root             0 Jun 23 01:02 phy0-ap0 -> ../../devices/platform/soc/a000000.wifi/net/phy0-ap0
lrwxrwxrwx    1 root     root             0 Jun 23 01:02 phy1-ap0 -> ../../devices/platform/soc/a800000.wifi/net/phy1-ap0
lrwxrwxrwx    1 root     root             0 Dec 31  1969 wan -> ../../devices/platform/soc/c000000.switch/net/wan

Ifconfig on how they are currently set up...

root@wap-f306ef:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr D8:6C:63:F3:06:F0  
          inet addr:172.16.20.128  Bcast:172.16.20.255  Mask:255.255.255.0
          inet6 addr: fe80::da6c:63ff:fef3:6f0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:175397 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:24756647 (23.6 MiB)  TX bytes:4462107 (4.2 MiB)

eth0      Link encap:Ethernet  HWaddr 9A:CC:D8:06:3E:07  
          inet6 addr: fe80::98cc:d8ff:fe06:3e07/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:253716 errors:0 dropped:0 overruns:0 frame:0
          TX packets:103344 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:49359072 (47.0 MiB)  TX bytes:22294012 (21.2 MiB)

lan       Link encap:Ethernet  HWaddr D8:6C:63:F3:06:F0  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:62 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6008 (5.8 KiB)  TX bytes:6008 (5.8 KiB)

phy0-ap0  Link encap:Ethernet  HWaddr D8:6C:63:F3:06:F6  
          inet6 addr: fe80::da6c:63ff:fef3:6f6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19235 errors:0 dropped:0 overruns:0 frame:0
          TX packets:87969 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4916140 (4.6 MiB)  TX bytes:21711931 (20.7 MiB)

phy1-ap0  Link encap:Ethernet  HWaddr D8:6C:63:F3:06:F2  
          inet6 addr: fe80::da6c:63ff:fef3:6f2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37954 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9279810 (8.8 MiB)  TX bytes:27857310 (26.5 MiB)

wan       Link encap:Ethernet  HWaddr 9A:CC:D8:06:3E:07  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:253716 errors:0 dropped:2023 overruns:0 frame:0
          TX packets:103374 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:45807048 (43.6 MiB)  TX bytes:22295798 (21.2 MiB)

brctl showing how they're currently bridged.

root@wap-f306ef:~# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.d86c63f306f0	no		lan
							wan
							phy0-ap0
							phy1-ap

Any advice or pointers or configuration examples that would make me understand this (I am especially confused about what role eth0 plays in this situation, since lan and wan seem to be the active devices sending and receiving data) would be appreciated.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

root@wap-f306ef:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "wap-f306ef",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Google WiFi (Gale)",
	"board_name": "google,wifi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq40xx/chromium",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
root@wap-f306ef:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcb:3a39:cced::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'
	list ports 'wan'

config device
	option name 'lan'
	option macaddr 'd8:6c:63:f3:06:f0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option broadcast '1'
	option delegate '0'

I'd recommend that you upgrade to 23.05.3.

Please confirm and answer a few questions so that we can make sure we make the correct adjustments:

  • You have VLAN 10, 40, and 50 on the switch, with that port connected to the wan of the Google Wifi device
  • It seems that one of the VLANs is untagged -- which VLAN is that? Do you want to make them all tagged, or do you want to keep the untagged network as it is?
  • VLAN 40 will be untagged on the lan port.
  • Which VLAN is used for the management of your Google Wifi device?
  • Do you want to keep it as DHCP, or do you want to specify an IP address?

#1: Correct!

#2: To keep connectivity, currently running as untagged on VLAN 40. The port where it will be ultimately at has trunk access configured for VLAN 10, 50, and 40. Anything untagged will go to limbo.

#3: It can go either way. I prefer all tagged. Can change to whatever is simpler -- leave VLAN 40 untagged for through traffic, everything else tagged for 10, VLAN 50, and VLAN 40. Management at VLAN 5.

#4: I just realized that I had not thought about that. All devices are on VLAN 5 for management.

#5: If set for management VLAN 5, then 172.16.16.20/24. Preferred.

ok... so I'm now configuring this for the following configuration from the upstream switch:

  • VLAN 5, untagged + PVID (this can be changed later, if you want)
  • VLAN 10, 40, 50 tagged

Let's start by making some bridge VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'wan:t'

Now we'll edit the lan network interface to use br-lan.5 and the preferred IP address (making a few other edits, too)... it should look like this:

config interface 'lan'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '172.16.16.20'
	option netmask '255.255.255.0'

And finally we'll add unmanaged network interfaces for the other VLANs:

config interface 'vlan10'
	option device 'br-lan.10'
	option proto 'none'

config interface 'vlan40'
	option device 'br-lan.40'
	option proto 'none'

config interface 'vlan50'
	option device 'br-lan.50'
	option proto 'none'

Don't forget to turn off the DHCP server for the lan interface (/etc/config/dhcp) by adding option ignore '1' to the lan DHCP stanza.

Now you can set up SSIDs for each of the networks that should have wifi. That should be everything. Restart the device and make sure that the upstream is configured as I described.

If you want to make VLAN 5 tagged, set the bridge-vlan with :t instead of :u* like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'wan:t'

and then change the upstream switch accordingly. Sequencing matters here... you will temporarily be unable to reach the Google Wifi device if/when you make the change, but you'll regain that once you set the switch to match.
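
A pre-reboot sanity check for the configuration above, as an added example that is not part of the original posts: it flags a port that is PVID for more than one VLAN and any br-lan.N device with no matching bridge-vlan, both of which can strand management access or put untagged traffic in the wrong segment. The function names and the condensed copy of the config are assumptions made for the example; on the device you would pipe in /etc/config/network instead.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenWrt network config on stdin.
# Assumes explicit :t / :u / :u* flags and "option vlan" before "list ports",
# as in the stanzas above. Prints each problem; returns non-zero if any.
check_bridge_vlans() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    $1 == "config" { sect = $2; vid = ""; next }
    sect == "bridge-vlan" && $1 == "option" && $2 == "vlan" {
        vid = unq($3); defined[vid] = 1
    }
    sect == "bridge-vlan" && $1 == "list" && $2 == "ports" {
        split(unq($3), p, ":")
        if (p[2] ~ /\*/) { pvid[p[1]] = pvid[p[1]] " " vid; npvid[p[1]]++ }
    }
    sect == "interface" && $1 == "option" && $2 == "device" {
        d = unq($3)
        if (d ~ /^br-lan\.[0-9]+$/) { sub(/^br-lan\./, "", d); used[d] = 1 }
    }
    END {
        for (port in npvid) if (npvid[port] > 1) {
            print "port " port " is PVID for several VLANs:" pvid[port]; bad = 1
        }
        for (v in used) if (!(v in defined)) {
            print "br-lan." v " is used but VLAN " v " has no bridge-vlan"; bad = 1
        }
        exit bad + 0
    }'
}

# The bridge VLANs and interfaces proposed in the thread, condensed.
thread_config() {
    bv="config bridge-vlan\n\toption device 'br-lan'\n\toption vlan '%s'\n"
    printf "$bv\tlist ports '%s'\n" 5 'wan:u*' 10 'wan:t' 50 'wan:t'
    printf "$bv\tlist ports 'lan:u*'\n\tlist ports 'wan:t'\n" 40
    printf "config interface '%s'\n\toption device 'br-lan.%s'\n" \
        lan 5 vlan10 10 vlan40 40 vlan50 50
}

thread_config | check_bridge_vlans && echo "thread config: no problems found"
# Constructed mistake: VLAN 40 made untagged PVID on wan instead of lan.
thread_config | sed "s/lan:u\*/wan:u*/" | check_bridge_vlans ||
    echo "fix the config before restarting the device"
```
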

I'll take a look and process the changes once I recover one of the two units that I was attempting to upgrade.

Thank you for taking time to answer my question!