Long-standing LUCI Problem with VLANs

Starting with a "Bare" OpenWRT install, Luci will improperly configure the VLAN setup in the first instance, and what it does will almost always lock you out of the box entirely.

Take the following configuration required:

  1. AP only; you have your own router off the Internet, and it does VLANs and handles DHCP for IPv4; v6 is SLAAC on the client side (the router gets a /56, for example, and partitions it out to the interfaces including the VLANs.)
  2. Two VLANs, the default (untagged) and a second that is tagged, which is used for "DMZ" type things (e.g. Guest access, things on your network that can get outside but can't see your interior services, etc.) Fairly simple and expected "home" type of environment.

So you go into Luci and try to set this up but it screws up the bridges that are required to work. Specifically, this is what you need in the /etc/network file, more or less:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd21:4eb4:bdec::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.10.253'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.10.200'
        option delegate '0'
        list dns '192.168.10.200'
        list dns '192.168.10.100'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth0:t'

config device
        option name 'br-lan.3'
        option type '8021q'
        option ifname 'br-lan'
        option vid '3'

config interface 'Guest'
        option proto 'none'
        option device 'br-lan.3'
        list dns '192.168.4.200'
        option delegate '0'

You then can assign the "Guest" network to the proper Wifi interfaces and all is good, except Luci will screw that /etc/network file up. Specifically it does not properly set up both bridges and the requisite two devices when starting from zero.

Once you fix the /etc/network file by hand before using Luci to do the rest (and then reboot of course) all is well in the future (assuming you don't need another VLAN; if you do then you again need to edit it) when it comes to setting up and maintaining the WiFi side with Luci, but that original config has been broken all the way back to when I figure I started using Luci.

IMHO this merits some attention as it should be quite easy to correct.

I never had a problem with this. Please post the config file generated by LuCI and the fixed one to see what's going on.


I got my OpenWRT One and it does the same thing.

Here's the LUCI config in the working online unit (a ZyXEL, but with the above config, for which I had to set the base VLAN interfaces up manually.) This is what LUCI shows for it:


Pretty simple -- VLAN 1 is untagged and the default, and VLAN 3 is tagged. Ok, so I go into the new router, same device (br-lan) and attempt to set it up identically:

I click "SAVE" and now I have the pending changes which, it says, are these:

If I apply this, however, I'm boned -- instant no connectivity. After the 90 seconds it reverts.

I don't know precisely what Luci tries to do because I can't get into it once it occurs to look as I'm locked out.

I'm going to go set up the bridge manually via ssh in the /etc/network file (again) and once I do it will be fine. But if I set from a cold start, in Luci, what I now have displayed on the device that's working I don't get a working configuration -- I get locked out every time.

The reason is simple... you didn't update the device that the lan interface uses from br-lan to br-lan.1. This is not a LuCI error, but rather an omitted step in the configuration process.


I would expect setting default would mean just that (which I did check the box for); I just did what was suggested before committing and did not get locked out. Thank you -- that's rather not clear; when one says "default" I'd think it would mean just that, but apparently not.

When you use bridge VLANs, you change the device from br-lan which had the default (untagged + pvid behavior) to a new device that takes precedence since you defined br-lan.1 as the untagged+pvid vlan.

That said, on the OpenWrt One, there is no switch. So, you don’t need to use bridge-VLANs. Instead, you can create new bridges for the tagged network(s) and leave br-lan unchanged.
