Move WAN connection to switch question

I currently run OpenWrt 24.10.2 on a Raspberry Pi 4B. My setup is currently as below:

A USB-to-Ethernet adapter is plugged into the Pi and used as my WAN port.

The Pi's built-in Ethernet is connected to port 1 of an Aruba HP 2530-8G-PoEP switch (J9774A).

And /etc/config/network is as below:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdxxx:8xx0e:xx0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth1'
        option username 'xxx'
        option password 'xxx'
        option ipv6 'auto'
        option keepalive '0 1'

I would like to try getting rid of the USB-to-Ethernet adapter and use port 8 of the switch as my WAN port. (I understand the switch needs to come up before OpenWrt.)

With the help of AI, I came up with the below. Could someone help me validate it?

On my switch I do the below:

configure terminal

! Create WAN VLAN (10)
vlan 10
   name "WAN"
   untagged 8             <-- ISP modem
   tagged 1               <-- Raspberry Pi trunk
   exit

! Create LAN VLAN (20)
vlan 20
   name "LAN"
   untagged 2-7           <-- LAN device ports
   tagged 1               <-- Raspberry Pi trunk
   exit

! (Optional) Disable default VLAN 1 on trunk port
vlan 1
   no untagged 1
   exit

! Save configuration
write memory

Modify OpenWrt's /etc/config/network as below:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdxxx:8xx0e:xx0::/48'

# LAN bridge (VLAN 20)
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.20'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN interface (VLAN 10)
config interface 'wan'
        option proto 'pppoe'
        option device 'eth0.10'
        option username 'xxx'
        option password 'xxx'
        option ipv6 'auto'
        option keepalive '0 1'

Does the above look correct?

I attempted this without any success. The last thing I tried was:

At the switch side:

HP-2530-8G-PoEP# show running-config

Running configuration:

aruba-central disable
timesync sntp
sntp unicast
sntp server priority 1 216.239.35.4
ip default-gateway 192.168.0.2
interface 1
   name "router"
   exit
interface 2
   name "ap"
   exit
interface 3
   name "pinas"
   exit
interface 4
   name "pi5server"
   exit
interface 5
   name "mypc"
   exit
snmp-server community "public" unrestricted
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-5,8
   untagged 6-7,9-10
   ip address 192.168.0.5 255.255.255.0
   exit
vlan 10
   name "WAN"
   untagged 8
   tagged 1
   no ip address
   exit
vlan 20
   name "LAN"
   untagged 1-5
   no ip address
   exit
no tftp server
no dhcp config-file-update
no dhcp image-file-update
no dhcp tr69-acs-url
activate software-update disable
activate provision disable

And at the OpenWrt side:

root@OpenWrt:~# cat /etc/config/network.notwork
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xx:xx:xx::/48'

config interface 'lan'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.10'
        option type '8021q'
        option ifname 'eth0'
        option vid '10'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0.10'
        option username 'xx'
        option password 'xx'
        option ipv6 'auto'
        option keepalive '0 1'

config switch
        option name 'eth0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'eth0'
        option vlan '10'
        option ports '0t 1'

config switch_vlan
        option device 'eth0'
        option vlan '20'
        option ports '0t 1 2 3 4 5'

The moment I do /etc/init.d/network restart, I lose connectivity to 192.168.0.2.

As per ChatGPT, “VLANs on the onboard NIC for LAN are unreliable.”

The first answer was the right way. Use the eth0.N syntax. Do not make bridge-vlans. Do not try to mix tagged and untagged on the same port. In other words once you start with vlans, there should not be a plain eth0 anywhere in the config. The onboard NIC as well as USB adapter drivers have no problem with vlans.

Start up an AP with the built in wifi so you still have a way to log into the Pi if Ethernet breaks.

Configuration of an HPE switch is outside the scope of this forum.
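A way to check a candidate /etc/config/network against the rule in the reply above (no plain eth0 anywhere once eth0.N sub-interfaces are in use) before restarting the network. This is an added example, not code from the thread or from OpenWrt: a plain POSIX shell/awk script that reads the file offline, so it can run on the Pi or on a workstation. The sample configs embedded in it are constructed from the ones posted above. The one bare `eth0` it deliberately accepts is the `ifname` of an 8021q `config device` section, which names the parent carrier of a VLAN sub-interface rather than a LAN or WAN device.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenWrt /etc/config/network for
# the rule "once eth0.N is used, no plain eth0 anywhere". The only bare parent
# reference accepted is "option ifname 'eth0'" inside a "config device" section
# of type 8021q, where it names the carrier of a VLAN sub-interface.
#
# Usage: check_vlan_config CONFIGFILE [PARENT]
# Prints each offending line; returns 1 if any were found, 0 otherwise.
check_vlan_config() {
    cfg="$1"
    parent="${2:-eth0}"

    # Nothing to check unless some PARENT.N sub-interface is referenced.
    if ! grep -Eq "'${parent}\.[0-9]+'" "$cfg"; then
        echo "no ${parent}.N sub-interfaces referenced; nothing to check"
        return 0
    fi

    # Each "config ..." section is buffered and judged when it ends, so the
    # 8021q exemption works whatever the option order inside the section.
    awk -v p="$parent" -v sq="'" '
        function flush(    i) {
            for (i = 1; i <= n; i++) {
                if (buf[i] ~ ("option[ \t]+device[ \t]+" q) ||
                    buf[i] ~ ("list[ \t]+ports[ \t]+" q) ||
                    (buf[i] ~ ("option[ \t]+ifname[ \t]+" q) && !is8021q) ||
                    (sect == "switch" && buf[i] ~ ("option[ \t]+name[ \t]+" q))) {
                    print "bare " p " used at line " ln[i] ": " buf[i]
                    bad = 1
                }
            }
            n = 0; is8021q = 0
        }
        BEGIN { q = sq p sq }
        /^config[ \t]/ { flush(); sect = $2; next }
        /option[ \t]+type[ \t]+.8021q./ { is8021q = 1 }
        { n++; buf[n] = $0; ln[n] = NR }
        END { flush(); exit (bad ? 1 : 0) }
    ' "$cfg"
}

# Constructed sample mirroring the failed attempt posted above (trimmed).
sample_failed() {
cat <<'EOF'
config interface 'lan'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '192.168.0.2'

config device
        option name 'eth0.10'
        option type '8021q'
        option ifname 'eth0'
        option vid '10'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0.10'

config switch
        option name 'eth0'
        option reset '1'

config switch_vlan
        option device 'eth0'
        option vlan '10'
        option ports '0t 1'
EOF
}

# Constructed sample mirroring the working configuration (trimmed).
sample_fixed() {
cat <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.100'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.2'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0.200'
EOF
}

# Demonstration on the constructed samples.
tmp=$(mktemp -d)
sample_failed > "$tmp/failed"; sample_fixed > "$tmp/fixed"
check_vlan_config "$tmp/failed" || echo "failed sample: bare eth0 found (expected)"
check_vlan_config "$tmp/fixed" && echo "fixed sample: clean"
```

On the failed sample the two hits are the swconfig `config switch` / `config switch_vlan` sections, which name the bare `eth0`; the 8021q device's `ifname 'eth0'` is not reported. A clean result only says the file is internally consistent, not that the switch side tags the same VLANs on the router port.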

OK, so,

(I know I have been told many times that switch configuration is outside the scope of this forum, but it would still be good if you could advise on the overall VLAN plan.)

Create VLAN 10 for WAN with untagged 8 (I want to use port 8 of the switch for WAN) and also tagged 1 (port 1 of the switch, for the Raspberry Pi 4's built-in eth0).

Create VLAN 20 for LAN with untagged 2-7 (ports 2 to 7 of the switch, for all my LAN devices) and tagged 1 (port 1 of the switch, for the Raspberry Pi 4's built-in eth0).

Then at the OpenWrt side, /etc/config/network as below:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdxxx:8xx0e:xx0::/48'

# LAN bridge (VLAN 20)
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.20'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN interface (VLAN 10)
config interface 'wan'
        option proto 'pppoe'
        option device 'eth0.10'
        option username 'xxx'
        option password 'xxx'
        option ipv6 'auto'
        option keepalive '0 1'

?

I was able to get it working. In case it is helpful to someone, here is the overall process.

At the switch side:

  • Port 1 for the router LAN, port 8 for WAN, ports 2 to 7 for LAN devices.
  • Create VLAN 100 for LAN and VLAN 200 for WAN.
  • Add port 1 to VLAN 100 and VLAN 200 as tagged.
  • Add port 8 to VLAN 200 as untagged, also setting its PVID to 200.
  • Add ports 2 to 7 to VLAN 100 as untagged, also setting their PVID to 100.

At the OpenWrt side:

  • Create a new WAN interface as below:

Device – eth0.200
Also add it to the wan firewall zone.

  • Edit the LAN interface and change its device to eth0.100.

That's all.

The tricky part was getting it all working without losing network connectivity!
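The connectivity problem mentioned in this post, and the earlier advice to bring up a Wi-Fi AP as a fallback, can also be handled with a timed rollback: copy the new config in, restart networking, and restore the old file unless a check succeeds within a deadline. The script below is an added example, not part of the thread or of OpenWrt. The config path, the restart command, the check command (a ping to an assumed LAN host 192.168.0.10 on a switch port) and the 60-second deadline are all parameters with assumed defaults.

```shell
#!/bin/sh
# Added example (not from the thread, not an OpenWrt facility): swap in a new
# network config and revert it automatically unless a check passes in time.
#
# Usage: apply_with_rollback NEWCFG [CFGPATH] [RESTART_CMD] [CHECK_CMD] [TIMEOUT]
#   NEWCFG       file holding the candidate config
#   CFGPATH      live config, default /etc/config/network
#   RESTART_CMD  shell command that activates CFGPATH
#   CHECK_CMD    shell command that exits 0 once the new network works;
#                the default pings an ASSUMED LAN host on a switch port, so the
#                check crosses the new tagged path rather than the Pi itself
#   TIMEOUT      seconds to keep retrying CHECK_CMD before reverting
# Returns 0 if the new config was kept, 1 if reverted, 2 on file errors.
apply_with_rollback() {
    newcfg="$1"
    cfgpath="${2:-/etc/config/network}"
    restart="${3:-/etc/init.d/network restart}"
    check="${4:-ping -c 1 -W 2 192.168.0.10}"   # assumed address; change it
    timeout="${5:-60}"
    backup="${cfgpath}.rollback"

    cp "$cfgpath" "$backup" || return 2
    cp "$newcfg" "$cfgpath" || { cp "$backup" "$cfgpath"; return 2; }
    sh -c "$restart"

    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if sh -c "$check" >/dev/null 2>&1; then
            echo "new config confirmed after ${waited}s; keeping it"
            rm -f "$backup"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    echo "no confirmation within ${timeout}s; restoring previous config"
    cp "$backup" "$cfgpath"
    sh -c "$restart"
    return 1
}

# Demonstration on scratch files with no-op restart commands.
tmp=$(mktemp -d)
printf 'old config\n' > "$tmp/network"
printf 'new config\n' > "$tmp/candidate"
apply_with_rollback "$tmp/candidate" "$tmp/network" true true 1
printf 'old config\n' > "$tmp/network"
apply_with_rollback "$tmp/candidate" "$tmp/network" true false 2 || echo "reverted to: $(cat "$tmp/network")"
```

On the router, run it detached (`nohup sh apply.sh /tmp/network.new &`), because the ssh session on br-lan drops when netifd restarts and a foreground script would die with it. Pick a check that proves the new path rather than the Pi's own address: a ping to a host behind a switch port for the LAN VLAN, or `ping -c 1 -W 2 1.1.1.1` once PPPoE on eth0.200 should be up.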

It is not necessary to create a new interface. Just change the Device on the existing wan to eth0.200 by typing that name into the bottom of the list, the same as you did for lan.

Could there be any security risk or compromise in performance when running WAN like this?

No, it doesn't introduce any risks for security or compute/performance. It's the expected mode of operation when VLAN tags are required.

I was watching a video by OneMarcFifty, where he mentions:

"The web interface of the switch could be bound to the WAN interface. In other words, the web interface of your switch could be accessible from WAN"

But if I have the option to change the management VLAN to a specific VLAN (100 in this case), then the above is not a problem for me, right?

For that your switch would need an address on wan.

But if only your router handles the WAN connection, how on earth would the switch end up with a globally reachable IPv4 address?
Hopefully your switch only gets an address on a management VLAN. And IPv6 has the default rule that incoming connections are initially blocked.

Just because he has lots of clicks doesn't make him right.
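Two questions in this thread can be checked mechanically from the switch's running-config: whether the router port carries each VLAN tagged (in the running-config posted after the failed attempt, `vlan 20` has `untagged 1-5`, so port 1 delivers LAN frames without a tag and an `eth0.20` sub-interface on the Pi never sees them), and whether the VLAN holding the switch's `ip address` includes the WAN port, which is the exposure described in the video. The script below is an added example, not from the thread or from HPE. It parses only the `vlan`, `untagged`, `tagged`, `ip address` and `exit` lines seen above, and the configs it embeds are constructed to mirror the posted ones; the 192.168.0.5 management address is taken from the posted config, and the variant with that address on VLAN 200 is a deliberate misconfiguration for the check to catch.

```shell
#!/bin/sh
# Added example (not from the thread). Parses "vlan N" blocks of an
# ArubaOS-Switch/ProCurve running-config in the syntax pasted above and checks:
#   1. the router port is a TAGGED member of every VLAN the router terminates
#      as eth0.N (untagged there means eth0.N never receives the frames);
#   2. no VLAN carrying a switch "ip address" (management) contains the WAN
#      port, so the switch's web/ssh UI is never reachable from the ISP side.
# "no untagged ..." is a removal and is not counted as membership.

# vlan_members CONFIG -> lines "VLAN PORT MODE", MODE is tagged or untagged
vlan_members() {
    awk '
        function expand(list,    n, parts, i, a, j) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++) {
                if (split(parts[i], a, "-") == 2) {
                    for (j = a[1] + 0; j <= a[2] + 0; j++) print vlan, j, mode
                } else {
                    print vlan, parts[i] + 0, mode
                }
            }
        }
        /^vlan [0-9]+/ { vlan = $2; next }
        /^ *exit/      { vlan = "" }
        vlan != "" && $1 == "untagged" { mode = "untagged"; expand($2) }
        vlan != "" && $1 == "tagged"   { mode = "tagged";   expand($2) }
    ' "$1"
}

# vlans_with_ip CONFIG -> VLAN ids that carry a switch IP address
vlans_with_ip() {
    awk '/^vlan [0-9]+/ { vlan = $2 }
         /^ *ip address/ && vlan != "" { print vlan }
         /^ *exit/ { vlan = "" }' "$1"
}

# check_trunk CONFIG PORT VLAN... -> 0 if PORT is tagged in every listed VLAN
check_trunk() {
    cfg="$1"; port="$2"; shift 2; rc=0
    for v in "$@"; do
        mode=$(vlan_members "$cfg" | awk -v v="$v" -v p="$port" '$1 == v && $2 == p { print $3 }')
        case "$mode" in
            tagged) ;;
            "") echo "port $port is not a member of VLAN $v"; rc=1 ;;
            *)  echo "port $port is $mode in VLAN $v but router eth0.$v expects tagged"; rc=1 ;;
        esac
    done
    return $rc
}

# check_mgmt_isolated CONFIG WANPORT -> 0 if no VLAN with an IP contains WANPORT
check_mgmt_isolated() {
    cfg="$1"; wan="$2"; rc=0
    for v in $(vlans_with_ip "$cfg"); do
        if vlan_members "$cfg" | awk -v v="$v" -v p="$wan" \
               '$1 == v && $2 == p { f = 1 } END { exit !f }'; then
            echo "VLAN $v carries the switch IP and contains WAN port $wan"; rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the running-config posted after the failed attempt.
sample_failed_switch() {
cat <<'EOF'
vlan 1
   no untagged 1-5,8
   untagged 6-7,9-10
   ip address 192.168.0.5 255.255.255.0
   exit
vlan 10
   untagged 8
   tagged 1
   no ip address
   exit
vlan 20
   untagged 1-5
   no ip address
   exit
EOF
}

# sample_final_switch MGMTVLAN -> constructed final plan with the switch IP on
# MGMTVLAN (100 = the intended design, 200 = the IP left on the WAN VLAN).
ip_line() { [ "$1" = "$2" ] && echo "ip address 192.168.0.5 255.255.255.0" || echo "no ip address"; }
sample_final_switch() {
cat <<EOF
vlan 100
   untagged 2-7
   tagged 1
   $(ip_line "$1" 100)
   exit
vlan 200
   untagged 8
   tagged 1
   $(ip_line "$1" 200)
   exit
EOF
}

# Demonstration on the constructed samples.
tmp=$(mktemp -d)
sample_failed_switch > "$tmp/failed"; sample_final_switch 100 > "$tmp/final"
check_trunk "$tmp/failed" 1 10 20 || echo "-> matches why eth0.20 saw nothing"
check_trunk "$tmp/final" 1 100 200 && check_mgmt_isolated "$tmp/final" 8 && echo "final plan: OK"
```

`check_mgmt_isolated` only covers the IPv4 address visible in the config; on a switch with IPv6 management enabled the same question has to be asked of the VLAN that carries the IPv6 address too.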

Thank you for the response.
I was also referring to Wan port on managed switch question - #9 by psherman