LuCI doesn't want to set my LAN port as VLAN tagged

I have a WCR-1166DS with OpenWrt 19.07.2 (last stable available for this one).
I use it as dumb ap, WAN port is unconnected
LAN port is connected to my LAN.

I wanted to set a guest wifi AP using VLAN (it works great on a different device I own, also on openwrt).

The issue is that I cannot get the LAN port tagged in LuCI.
It kind of breaks the connection and LuCI reverts to the previous config.

It seems the device has only one eth interface (eth0).
eth0.1 (lan) & eth0.2 (wan) are set by default after a fresh install of OpenWrt.

I added VLAN 11 & 22.

If I set the LAN port to "tagged" on either VLAN 11 or 22 and click "save & apply", it will wait 30 sec and then propose to revert.

On the other hand, it allows me to set "tagged" on WAN column for VLAN 11 & 22. :sweat:

Do you have any idea why LAN doesn't want to be tagged?

If it's a HW bug, as a workaround, do you think I could plug my cable into the WAN port instead of LAN and set the switch this way:

This is not a bug -- it is simply auto-rollback in action because the network connectivity between the router and the computer is disrupted due to the change you are attempting to make. You can force it... more on that in a second.

The 'normal' mode of operation for an ethernet connection is untagged. Most computers and network equipment are not expecting tagged networks. So when you tag your VLAN1 on your LAN port, your computer, which is expecting that untagged network, can't communicate with the router anymore. And it won't be able to communicate unless you either configure your network interface for VLAN 1 tagged, or use a managed/smart switch to take the trunk you're creating on your LAN port and to provide VLAN 1 untagged on an access port that is connected to your computer.

If you want to force the settings to apply, click the little arrow next to "save & apply" and you'll see "apply unchecked" as an option. This will not roll back.

WARNING: As I explained above with tagged vs untagged networks, once you tag VLAN 1, you will not be able to connect to your device if you are unable to work with tagged VLANs. That being said, it looks like the WAN port of this device is also untagged on VLAN 1, so you should theoretically be able to plug into that port and have normal untagged access.

If you don't want to connect the AP to the main network using the WAN port (i.e. you are not using the WAN port), why don't you just make it part of your LAN so you have two ports: one tagged to connect to the main router and sort out the guest VLANs, and the other untagged so that you can use it to connect your PC to the device directly by cable if you need to?

@psherman, maybe I mis-explained, but I don't want to do anything on VLAN 1 which, as far as I understand, is the normal LAN.
I want to set VLAN 11 & 22 as tagged on the so-called LAN port: I mean set tagged the 2 cells highlighted in red.

@Hegabo my proposal (2nd screenshot) is to kind of convert the WAN port into a 2nd LAN port, with VLAN 1 untagged and both my VLANs 11 & 22 tagged. It's not tested yet but seems acceptable for LuCI. I will test today.
If it works I don't need the LAN port, but it could maybe be used later.

The main point is that I don't understand why I cannot tag something in the lan column, whatever I try from my computer connected by wire or by wifi.

What exactly happens when you set those two VLANs to tagged on the LAN port?
What is connected to the LAN port when you try to adjust the configuration?

It's probably best to make the "WAN" port off in VLAN 1.

1 Like

If I set VLAN 11 or 22 to tagged in the LAN column, when I click save & apply, it will try and revert.
My LAN is connected to that port: a switch, then my router, some computers.
I can connect to OpenWrt either from LAN or from wifi.

What would be the advantage? If I do so, I will need 2 rj45 cable to connect the device.

Is your switch managed or unmanaged? And does the router have the same VLANs configured on the port connected to the switch?

Did you try the “apply unchecked “ method?

Router is set, VLAN 11 & 22 are already working well with another OpenWrt device (different HW).
My switches are unmanaged, got to check if I have a different one on the path to this Buffalo device.
But an incompatible switch may lead to non-working communication... Can it lead to a non-applicable setting?

I did not try unchecked apply yet. I wanted to figure out the issue before.

The behavior of an unmanaged switch is undefined, by its nature. Unmanaged switches should never be used with VLANs. It is unpredictable and can potentially cause major problems, even if it appears to be working.

1 Like

What would be the advantage of what? It would be easier if you quote the part you are replying to, because I have no idea what cable you are talking about.

To cut long story short, you want to extend your guest WiFi to that access point, so you will need VLANs. The problem with VLANs is that you need to tag the port, and when you tag the port some devices that don't understand tagging will not be able to connect to it via the cable, such as your PC for example.

Solution: you have 2 ports (LAN and WAN). As you don't need a WAN port for your use case, repurpose it. So you will have both ports at the LAN side. One will be untagged and serve as a management interface, so if you need to directly access the device you connect to it using a cable. The other port will be used for VLAN 11 and 22 to extend the guest WiFi.

So to summarize
VLAN 1: CPU tagged, LAN untagged, WAN off
VLAN 11: CPU tagged, LAN off, WAN tagged
VLAN 22: CPU tagged, LAN off, WAN tagged

You can swap LAN and WAN settings above (which would be what I proposed earlier, and closer to what you were doing), but I think it's better practice to keep the LAN port as the management one. That way if you don't use the device for a while then come to use it, you don't get into the dilemma of which port you should use to access the device.

1 Like
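The port table summarized in the post above, written as `switch_vlan` sections and checked for the two conditions this thread turns on: which ports need a VLAN-aware device on the other end, and whether an untagged-only port remains for management. This is an added example, not part of the original posts; the port numbers (0 = LAN, 4 = WAN, 6 = CPU) and the function names are assumptions, so check the real port map on the device with `swconfig dev switch0 show`.

```python
import re

# Constructed /etc/config/network excerpt (swconfig syntax). Port numbers are
# assumptions for illustration (0 = LAN, 4 = WAN, 6 = CPU), not the WCR-1166DS map.
SAMPLE = """
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 6t'

config switch_vlan
    option device 'switch0'
    option vlan '11'
    option ports '4t 6t'

config switch_vlan
    option device 'switch0'
    option vlan '22'
    option ports '4t 6t'
"""

def parse_switch_vlans(text):
    """Return {vid: {port: 'tagged' | 'untagged'}} from switch_vlan sections."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option)\s+(\S+)(?:\s+'([^']*)')?", line)
        if m and m.group(1) == "config":
            sections.append({} if m.group(2) == "switch_vlan" else None)
        elif m and sections and sections[-1] is not None:
            sections[-1][m.group(2)] = m.group(3) or ""
    table = {}
    for s in filter(None, sections):
        vid = int(s.get("vid") or s["vlan"])  # 'vid', when present, overrides the index
        table[vid] = {int(p.rstrip("t")): "tagged" if p.endswith("t") else "untagged"
                      for p in s.get("ports", "").split()}
    return table

def audit(table, cpu_port):
    """List what each physical port demands of whatever is plugged into it."""
    roles = {}
    for vid, ports in table.items():
        for port, mode in ports.items():
            if port != cpu_port:
                roles.setdefault(port, {"tagged": [], "untagged": []})[mode].append(vid)
    findings = [f"port {p}: tagged VLANs {r['tagged']} need a VLAN-aware neighbour"
                for p, r in sorted(roles.items()) if r["tagged"]]
    if not any(r["untagged"] and not r["tagged"] for r in roles.values()):
        findings.append("no untagged-only port left for direct management access")
    return findings
```

Running `audit(parse_switch_vlans(SAMPLE), cpu_port=6)` on the layout above reports only the trunk port; moving the tagged VLANs onto the untagged port as well adds the management-access finding.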

Good guess
1- This OpenWrt was on a dumb switch.
2- I have another switch that I thought was an unmanaged but VLAN-friendly switch...
It appears to be a managed switch (that I never managed :crazy_face:)... But at least it does not cause trouble for VLANs.
When connected to this switch, I can now tag my port.

Next step, manage my switch :laughing:

Sorry for this thread, I would have never suspected a switch could prevent making some settings in LuCI.

@Hegabo sorry for the missing quote. :sweat:
I used the "reply" button on your previous message on mobile, but the quote got lost.

I think it's not a problem to have:
On my WCR-1166DS:
VLAN 1: CPU tagged, LAN untagged, WAN off
VLAN 11: CPU tagged, LAN tagged, WAN off
VLAN 22: CPU tagged, LAN tagged, WAN off
WAN port open.
and use a single cable from the LAN port to the next switch, which I discovered is a managed one.
I took a little time to configure this switch (Netgear GS108E) correctly as follows:
VLAN1 untagged on all ports.
VLAN11 tagged on port1 (router), port2 (openwrt AP),port3 (other openwrt AP).... other OFF.
VLAN11 tagged on port1 (router), port2 (openwrt AP),port3 (other openwrt AP).... other OFF.

Well, my point is that if you have the luxury of having two ports, one of them you don't need, it can be a good idea to make it untagged (so CPU tagged and that port untagged) so you have it as a spare for managing the AP directly. So that in case you do something wrong with the other VLANs, at least you don't get yourself locked out.

1 Like

It is possible to create a guest LAN without using VLANs.

Yes, it's possible and it's what I did before. But let me say this:
1/ Without VLAN: network management is split across 2 places: main router + dumb AP (with its own "local" DHCP & firewall settings).
It also needs additional settings like a static route in the main router.
It can also bring strange setups with rules to manage in 2 firewalls, for example if you need to share a LAN printer with guests.
In case you have 2 APs it's worse! You then need 2 subnets (one per AP), 2 static routes etc...

2/ With VLAN: add 1, 2, 3... wifi APs, bridge them with the VLAN eth interface in OpenWrt, that's it (a real "dumb" AP). No DHCP, no firewall in the AP.
DHCP & firewall for guests are all managed in one place in the main router.

Both work fine.
And there can be some situations where the no-VLAN way is better, but after trying both, using VLANs made my network much cleaner and easier.

If some are interested to build a dumb guest ap without vlan, you may like this howto too:

I think the one on forget to mention you need a static route in the router.

Thank you for this information. I have not seen Steven Engalnds Weblog before, but it seems to precede the original Michis blog that I was using. I have not taken the time yet to see if they are the same, but expect them to be very similar.

I am not clear on the static route's purpose or how to configure this. I am not aware I have had any issues. I only offer one in the main area of the house, too bad for guests if they need more.

I do not wish to hijack this thread. If you can, can you please respond to the linked thread on the reason for and config of a static route? I will test this.

@grenouille - would you mind sharing the brand/model of the unmanaged switch for reference?

Hi @grenouille

WAN port is unconnected
LAN port is connected to my LAN.

On the other hand, it allows me to set "tagged" on WAN column for VLAN 11 & 22.
Do you have any idea why LAN doesn't want to be tagged?

So if I get it right, you are trying to make a mixed port
where VLAN 1 is untagged (access) and VLAN 11 & VLAN 22 are tagged.
Sorry to say, but I tried this setup many times. Some switch chips are okay with that, but mostly it does not work.

That is the reason why LuCI "lets" you set up WAN: it is unconnected, so from LuCI's point of view you could do any damage and it is not important, because the web page still "sees" the router on the LAN cable. But when you make a mess on the LAN side, LuCI simply loses the connection and the automatic revert kicks in.