Need help achieving working tagged VLAN connection between devices - WR902AC v3 and Speedport 504V

Dear OpenWrt-Community,

first I would like to say that I've been using OpenWrt for a long time and always had a great experience thanks to the community. Next I would like to ask you to please excuse the "weirdness" of my networking setup. It is thrown together from what I have and I am aware that it could be improved with better devices etc.

Anyway, currently I have a TP-Link WR902AC v3 as my main router/wifi device. I use its single Ethernet port to connect to the WAN and access the LAN via wifi.
Up to this point I connected other wired devices directly to WAN, since it basically already is a LAN (our dorm network).

Now I want to move my wired devices to my own LAN. For that I want to use the router's VLAN functionality and an additional Speedport 504V Type A with 4 Ethernet ports. Both devices (on paper) support VLAN. The TP-Link is running OpenWrt 23.05.3 and the Speedport is on 22.03.5 (apparently the newest release bricks the device). This is how I imagine my network setup:

                     ------------Speedport -------------
WAN <---untagged--->< Port 4 | Port 3 | Port 2 | Port 1 <-----tagged-----> TP-Link
                             |   untagged LAN  |             VLAN 1: LAN
                                                             VLAN 2: WAN

Of course you may ask, why not just use the Speedport for NAT and use the TP-Link as wifi-AP only. Well, the Speedport can't achieve 100 Mbps WAN-LAN (even with software offloading) so I'm stuck on this solution.

The problem is: I can't get both devices to communicate on a tagged VLAN.
First I wanted to set up the WAN connection so that the Speedport takes the untagged WAN from Port 4 and converts it to VLAN 2 on Port 1. For testing, the LAN of the Speedport still operates on a separate subnet. This is my configuration:

Speedport: (in the screenshot/swconfig only 1 device is connected)

LuCI Switch:

Network Config:

The port mapping is:
0 - CPU
1 - unused
2 - Port 1
3 - Port 2
4 - Port 3
5 - Port 4

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'abc'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option firmware '/lib/firmware/adsl.bin'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'dsl0'
	option proto 'pppoe'
	option username 'username'
	option password 'password'
	option ipv6 '1'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 3 4'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2t 5'
	option vid '2'
	option description 'WAN'

swconfig:

swconfig dev switch0 show
Global attributes:
        enable_vlan: 1
        ar8xxx_mib_poll_interval: 0
        ar8xxx_mib_type: 0
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        mirror_monitor_port: 0
        mirror_source_port: 0
        arl_table: address resolution table

Port 0:
        mib: ???
        pvid: 0
        link: port:0 link:up speed:100baseT full-duplex
Port 1:
        mib: ???
        pvid: 0
        link: port:1 link:down
Port 2:
        mib: ???
        pvid: 0
        link: port:2 link:down
Port 3:
        mib: ???
        pvid: 1
        link: port:3 link:down
Port 4:
        mib: ???
        pvid: 1
        link: port:4 link:up speed:100baseT full-duplex txflow rxflow auto
Port 5:
        mib: ???
        pvid: 2
        link: port:5 link:down
VLAN 1:
        vid: 1
        ports: 0t 3 4
VLAN 2:
        vid: 2
        ports: 2t 5

TP-Link:

Network Config:

Port 4 is the real port and Port 6 is cpu.


config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'abc'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config interface 'wifilan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ipv6 '0'
	option device 'br-wifilan'

config device
	option name 'wlan0'

config switch_vlan
	option device 'switch0'
	option ports '6t 4t'
	option vlan '2'
	option vid '2'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0.2'
	option force_link '1'

swconfig:

swconfig dev switch0 show
Global attributes:
        enable_vlan: 1
        alternate_vlan_disable: 0
        bc_storm_protect: 0
        led_frequency: 0
Port 0:
        disable: 0
        doubletag: 0
        untag: 0
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:0 link:down
Port 1:
        disable: 0
        doubletag: 0
        untag: 0
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:1 link:down
Port 2:
        disable: 0
        doubletag: 0
        untag: 0
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:2 link:down
Port 3:
        disable: 0
        doubletag: 0
        untag: 0
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:3 link:down
Port 4:
        disable: 0
        doubletag: 0
        untag: 0
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 12373
        tr_bad: 0
        tr_good: 1083
        pvid: 0
        link: port:4 link:up speed:100baseT full-duplex
Port 5:
        disable: 1
        doubletag: 0
        untag: 0
        led: ???
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:5 link:down
Port 6:
        disable: 0
        doubletag: 0
        untag: 0
        led: ???
        lan: ???
        recv_bad: ???
        recv_good: ???
        tr_bad: ???
        tr_good: ???
        pvid: 0
        link: port:6 link:up speed:1000baseT full-duplex
VLAN 2:
        ports: 4t 6t

The WAN network isn't getting to the TP-Link. Could you please point out any mistakes I made in my config or give advice on further troubleshooting steps. This should be a pretty simple setup so I am confused on why it is giving me so much trouble. I have checked that the AR8216 switch chip indeed has 802.1q VLAN support.

Any help would be appreciated.
Best Regards
mrfrakes

The best starting place would actually be the default configuration for both devices. Can you reset them and then post the /etc/config/network files from each, please?

Certainly, here are the default configurations:

Speedport:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'abc'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option firmware '/lib/firmware/adsl.bin'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'dsl0'
	option proto 'pppoe'
	option username 'username'
	option password 'password'
	option ipv6 '1'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

TP-Link:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'abc'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 6t'

Starting on the Speedport:

Create VLAN 2 on the switch:

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2t 5'

Edit VLAN 1 by removing logical port 5 and tagging logical port 2

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2t 3 4 0t'

Change the address of the lan interface to 192.168.3.2

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'

And in the Speedport, don't forget to turn off the DHCP server for the lan (add option ignore '1' to the lan DHCP server stanza in /etc/config/dhcp).

Moving on to the MR3020v3:
Add VLAN 2 to the switch:

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4t 6t'

And add a tag to logical port 4 for VLAN 1:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4t 6t'

Add a wan interface (case sensitive -- use lower case):

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

and edit the lan with the desired address:

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

Reboot both devices and it should work as expected.
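
An added example, not part of the original posts: a consistency check over the `switch_vlan` stanzas suggested above. It compares the VLANs tagged on both ends of the trunk (Speedport logical port 2, TP-Link logical port 4) and flags ports left untagged in more than one VLAN, which is what happens if VLAN 2 is added without removing port 5 from VLAN 1. Function names and the "unedited" variant are constructed for illustration.

```python
import re
from collections import defaultdict
# switch_vlan stanzas as suggested in the reply above.
SPEEDPORT = """
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2t 3 4 0t'
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2t 5'
"""
TPLINK = """
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4t 6t'
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4t 6t'
"""
# Constructed mistake: VLAN 2 added, default VLAN 1 port list left unedited.
SPEEDPORT_UNEDITED_VLAN1 = SPEEDPORT.replace("'2t 3 4 0t'", "'2 3 4 5 0t'")

def parse_switch_vlans(text):
    """Return {vid: {port: is_tagged}} from UCI switch_vlan stanzas."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = {} if line.split()[1] == "switch_vlan" else None
            if current is not None:
                stanzas.append(current)
        elif current is not None:
            m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
            if m:
                current[m.group(1)] = m.group(2)
    # 'vlan' is the table index; it doubles as the VLAN ID when no 'vid' is set.
    return {int(s.get("vid", s["vlan"])):
            {int(p.rstrip("t")): p.endswith("t") for p in s["ports"].split()}
            for s in stanzas}

def tagged_vlans(vlans, port):
    """VLAN IDs that a port carries tagged (its trunk membership)."""
    return {vid for vid, ports in vlans.items() if ports.get(port)}

def untagged_conflicts(vlans):
    """Ports that are untagged members of more than one VLAN."""
    seen = defaultdict(list)
    for vid, ports in vlans.items():
        for port, tagged in ports.items():
            if not tagged:
                seen[port].append(vid)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}

def check_trunk(a_text, a_port, b_text, b_port):
    """Compare the tagged VLAN sets on both ends of a trunk link."""
    a, b = parse_switch_vlans(a_text), parse_switch_vlans(b_text)
    ta, tb = tagged_vlans(a, a_port), tagged_vlans(b, b_port)
    return {"only_on_a": sorted(ta - tb), "only_on_b": sorted(tb - ta),
            "conflicts_a": untagged_conflicts(a), "conflicts_b": untagged_conflicts(b)}

if __name__ == "__main__":
    print(check_trunk(SPEEDPORT_UNEDITED_VLAN1, 2, TPLINK, 4))
```

A port that is untagged in both the LAN and WAN VLANs is the case to look for first, since it joins the two segments at layer 2.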

Hi,

I implemented the config described by the previous post but I was still facing issues. I did some more testing and now suspect the AR8216 switch on the Speedport to be the main culprit.

Using the Windows Device Manager I am able to set my NIC to different VLANs.
In the meantime I changed LAN to VLAN 11 and WAN to VLAN 12 since I read that the AR8216 treats VLAN 1 as untagged. Here are the results of my tests:

TP-Link (LAN on VLAN 11) <----> PC (on VLAN 11)     => connection ok

Speedport (LAN on VLAN 11)------|
                               \./
TP-Link (LAN on VLAN 11) <---Switch--> PC (on VLAN 11)  => both devices reachable

Configuration as described in my first post, PC on untagged LAN on Speedport connection:
PC (on VLAN 11): able to reach both devices (this is weird, it is supposed to be an untagged port)
PC (no VLAN): only able to reach Speedport

The results of these tests lead me to believe that there is something wrong with the AR8216 driver. It seems like it is not handling tagging/untagging of packets correctly.
I will test different versions of OpenWrt today and will look further into it, but I suspect this issue is above my paygrade. Maybe somebody knows more about this issue.

Edit: Behaviour is the same on version 19.07.10

Best Regards
mrfrakes

Let’s see the configs as implemented on both devices:

ubus call system board
cat /etc/config/network

Okay, now I am pretty sure that there is something fishy with the Speedport's switch configuration.

The easiest way to replicate the issue is:

1) Reset the device configuration
2) Set CPU port to untagged, LAN port to tagged on VLAN 1
3) Move br-lan interface to eth0
4) Ping router from external device both on VLAN 1 and without VLAN

On my TP-Link WR902AC v3 this results in:

Ping without VLAN: No Response
Ping on VLAN 1: OK

In my opinion this is expected and correct behaviour. I have included the network config of both devices at the end.

On the Speedport this results in:

Ping without VLAN: OK
Ping on VLAN 1: No Response

which is the reverse behaviour.
I think this shows issues with VLAN tagging on external ports. Time to look into the switch driver code I guess?

TP-Link:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "TP-Link TL-WR902AC v3",
        "board_name": "tplink,tl-wr902ac-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'abc'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6 4t'

Speedport

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "Danube rev 1.5",
        "model": "Speedport W 504V Typ A",
        "board_name": "arcadyan,arv8539pw22",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "lantiq/xway",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'abc'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option firmware '/lib/firmware/adsl.bin'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2t'
        option vid '1'

Let’s get the speed port device running the latest firmware:

https://firmware-selector.openwrt.org/?version=23.05.3&target=lantiq%2Fxway&id=arcadyan_arv8539pw22

Well, there's a big disclaimer on the device page that OpenWrt Release 23 bricks the device but I went ahead anyway. Indeed it did brick the device.

No worries, I recovered the device using the u-boot console and used the opportunity to flash OpenWrt 15.04. I tried the same procedure I described but the same behaviour is observed.

Now, I am back to 22.03.5.

If 22.03 works, let's at least make sure you're as far up to date as you can be on this release series... 22.03.6.
https://firmware-selector.openwrt.org/?version=22.03.6&target=lantiq%2Fxway&id=arcadyan_arv8539pw22

Meanwhile, can you provide more detail on these:

What were the exact addresses that you were pinging and from where? It is most helpful to have the IP address of the device and the target to understand the details of the ping tests.

Certainly, the tests were done using the following setup:

PC <----> TP-Link or Speedport

PC IP: 192.168.1.10
Router IP: 192.168.1.1 (default OpenWrt)

The PC is running Windows and has a Realtek 8125 network adapter. I am able to change its VLAN ID using Device Manager.

In the meantime, I upgraded the Speedport to OpenWrt 22.03.6. But the results haven't changed.

Also meanwhile, I was able to get Wireshark to capture VLAN headers on Linux.
Then I made the following discovery:
On the Speedport, I created a separate VLAN only consisting of one tagged and one untagged port, separate from the CPU.
The setup looks like this:

                   ----------Speedport----------
Windows PC <-----> Untagged Port    Tagged Port <------> Linux PC

I was able to capture the following: If an Untagged Packet enters the Untagged Port, the switch indeed adds an 802.1q header. But it fails to set the correct VLAN ID, as it always is set to 0. This is independent of the VLAN ID set in OpenWrt.
It can be seen in this screenshot:

Switching the config around:

                 ----------Speedport----------
Linux PC <-----> Untagged Port    Tagged Port <------> Windows PC

Sniffing the traffic on the Linux PC reveals that the switch does indeed remove the 802.1q header from the VLAN traffic. And most importantly, it only transmits packets that have the correct VLAN ID on the tagged port.

I believe the network is soo close to working, we only need to figure out the issue of correctly assigning the VLAN-ID to the untagged packets.
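
An added example, not part of the original post: a small 802.1Q tag parser that classifies captured frames the way the capture above was read, separating untagged frames, frames with an expected VLAN ID, and frames that carry a tag with VLAN ID 0. The frames are constructed inline, the function names are hypothetical, and the expected VLAN IDs 11 and 12 are taken from the earlier test post.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_vlan(frame):
    """Return None for an untagged frame, else the decoded tag fields."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3 bits priority, 1 bit drop-eligible, 12 bits VLAN ID.
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": inner}


def classify(frame, allowed_vids):
    """Label one frame seen on a port that should only carry allowed_vids."""
    tag = parse_vlan(frame)
    if tag is None:
        return "untagged"
    if tag["vid"] == 0:
        # VID 0 means "priority only, no VLAN": the receiver falls back to
        # its own port VLAN, so the sender's VLAN separation is lost.
        return "priority-tagged (VID 0)"
    if tag["vid"] in allowed_vids:
        return "ok"
    return "unexpected VID %d" % tag["vid"]


def build_frame(vid=None, pcp=0):
    """Constructed broadcast IPv4-typed frame, optionally 802.1Q tagged."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # locally administered, constructed
    payload = b"\x00" * 46
    if vid is None:
        return dst + src + struct.pack("!H", 0x0800) + payload
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + payload


def audit(frames, allowed_vids):
    """Count frames per classification label."""
    counts = {}
    for frame in frames:
        label = classify(frame, allowed_vids)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    capture = [build_frame(11), build_frame(0), build_frame(0), build_frame()]
    print(audit(capture, {11, 12}))
```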

Something is not right with the current speedport config. Can you reset it to defaults again.

I have reset the Speedport's config once more.
This is the configuration now:
The only thing I've changed is "option port". I changed port 5 to port 5t so that I can sniff tagged traffic on my Linux machine. Again every tagged packet that arrives has VLAN ID 0, showing the same symptoms.


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd61:4af2:a062::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option firmware '/lib/firmware/adsl.bin'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'dsl0'
	option proto 'pppoe'
	option username 'username'
	option password 'password'
	option ipv6 '1'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5t 0t'

That looks better. I would expect this to work as expected.

I was able to get the tagged port to output on VLAN 1 using the following commands:

swconfig dev switch0 port 5 set pvid 1
swconfig dev switch0 set apply

But that sets the VLAN-ID on a per port basis, which is not very useful.

That should not be necessary.

Let's do some simple manipulations to test the situation.

  • On the speedport (starting from a default configuration):
    • turn off the DHCP server
    • change the address to lan 192.168.1.2.
  • On the WR902AC (starting from a default configuration):
    • turn on wifi
  • Connect the Speedport port 4 to the WR902AC.
  • Plug a computer into one of the other lan ports on the Speedport.
    • verify that you can reach both devices (WR902AC at 192.168.1.1, Speedport at 192.168.1.2).

From there, once we've verified everything here, we'll make some VLAN changes.

Upon further inspection of the driver source code, the 802.1q VLAN support of the AR8216 seems to be broken on a hardware level.

Looking in the source code at https://github.com/openwrt-mirror/openwrt/blob/master/target/linux/generic/files/drivers/net/phy/ar8216.c, there is the function: ar8216_mangle_rx.
From my understanding, it takes incoming untagged packets and manually looks at which port they came from and assigns the correct VLAN.
This is the commit that references this issue: https://github.com/openwrt-mirror/openwrt/commit/66fc7bca04c0c80bdd938c87d075207cf2b9145f

use packet mangling to fix up the vlan for incoming packets (workaround for hardware bug, which renders normal 802.1q support unusable)

As this is a per-packet-modification this obviously only works if traffic passes through the CPU, making my goal impossible.

It seems like the AR8216-Chip was Atheros' first ethernet switch and they sure f'ed it up. As I learned quite a lot about VLANs, Linux drivers and OpenWrt in general, I am not really fussed about it.

I will close this issue and look for another solution. "Software" VLANs using bridging are not an option, as the cpu itself is only connected to the switch via 100 Mbit/s limiting the throughput of a software solution.

Also, I would like to thank psherman for giving great advice.

I guess that probably means that you'll need different hardware. You can do this with any standard managed switch, of course, but make sure that you don't get one of the entry level TP-Link or Netgear devices, as they have some firmware issues that will cause problems in this scenario. The small business grade devices are fine, as are many options from other vendors.
