Need Help Setting up VLAN with WRT3200ACM and L2 Switches

Installing and Using OpenWrt Network and Wireless Configuration
1

New to OpenWRT, not to networking. Have a fairly large home network (about 3 dozen host devices), Linksys WRT3200ACM as core router, 24-port HP ProCurve Layer 2 managed switch, and a couple of small Netgear 5-port Layer 2 managed switches remotely. I'm trying desperately to design and implement a VLAN architecture using about 6 VLANs, but the fragmented guides and available online information has me at a loss. I've been experimenting for a week but just can't seem to get it all working even on a basic level.

Help? Anyone know of a decent hand-holding tutorial using roughly the same hardware and OpenWRT? Anyone willing to be a private tutor offline?

2

I (and many others around here) can help with the router (no private tutoring, sorry), but not the switches (have never owned any of those). What do you need to do exactly?

3

If you are new to OpenWrt then you need to know that WRT3200ACM (like many home routers) has an embedded Ethernet switch which needs to be configured with VLANs.

https://openwrt.org/toh/linksys/linksys_wrt3200acm?s[]=wrt3200acm#switch_ports_for_vlans

4

I am trying to configure vlan on my WRT32X. I don't know if you could configure multiple VLAN on the same port? I am using UniFi as my WIFI AP. UniFi allow me to set a VLAN id for each SSID I am creating. So that I am trying to create vlans in OpenWRT so that I could segregate each SSID wifi client into separate vlans. I can't find a way to do that. Any ideas?

5

@dnwk, welcome to the community!

Please refrain from asking the same question on multiple threads.

In the future, please create a new thread for your issue. I responded elsewhere to your question. (link above)

6

Thanks. I saw the other response. After I posted the previous question, I saw this reply and seems like the op has a solution.

7

OK, yes I do know that. But for starters, do the four VLANs I want to create get created on the GUI or at the command line?

8
  • They get created in Network > Interfaces.
  • You make another Interface for each VLAN you desire (e.g. eth0.3, eth0.4, etc.)
  • To make ports, you then enumerate them on the Network > Switch page

You can do this on the web GUI or via command line - I suggest the web GUI for new users..

9

I've spent several days trying to make this work, and I've read everything I could find, but now I need to beg for help!I've spent several days trying to make this work, and I've read everything I could find, but now I need to beg for help!Trying to set up 4 VLANs on WRT3200ACM using the latest DavidC502 load of OpenWRT.  Went into Network>Interfaces and add these four:

• Name: eth0_11, Cover the following interface>Custom interface>eth0.11, Static IP: 10.0.11.1/24

• Name: eth0_21, Cover the following interface>Custom interface>eth0.21, Static IP: 10.0.21.1/24

• Name: eth0_31, Cover the following interface>Custom interface>eth0.31, Static IP: 10.0.31.1/24

• Name: eth0_41, Cover the following interface>Custom interface>eth0.41, Static IP: 10.0.41.1/24

(The router’s IP is set at 10.0.0.1)

Then I went into Network>Switch, enabled VLANs, and added VLANs 11, 21, 31, and 41.  I want to use LAN port 1 as a trunk to my managed switch, so I set the switch matrix as follows:

VLAN      CPU(eth0)    CPU(eth1)      LAN1       LAN2          LAN3          LAN4         WAN

1            TAGGED       OFF               OFF         UNTAG       UNTAG       UNTAG      OFF

2            OFF             TAGGED         OFF          OFF            OFF           OFF           UNTAG

11          TAGGED       OFF               TAGGED   OFF            OFF           OFF           OFF

21          TAGGED       OFF               TAGGED   OFF            OFF           OFF           OFF

31          TAGGED       OFF               TAGGED   OFF            OFF           OFF           OFF

41          TAGGED       OFF               TAGGED   OFF            OFF           OFF           OFF


I have tried every possible combination or tagged and untagged with my four VLANs and I’m 99% certain I have my managed switch correctly configured (HP Procurve 1810G-24).  But regardless of which Procurve VLAN port I plug into, I can’t get a DHCP address.  Worse, even if I assign the correct static IP for the VLAN I am plugged into, I have no connectivity to the router or the internet.I’m sure I’ve set up something wrong in OpenWRT, I’m guessing in the VLAN interfaces.  Help?

10

At first sight, everything seems correct there... just my two cents:

  • "(The router’s IP is set at 10.0.0.1)": I guess you mean on the LAN interface, because your router has several IP addresses now.
  • Sometimes LAN ports have a wrong order on LuCi, and you might be plugging the switch on the wrong port.
  • Can you configure a client to use VLANs too, and connect it directly to the router?
11

Sorry, yes, I mean the br-lan interface (native VLAN 1) of the router is 10.0.0.1. I'm not sure what yu mean about the wrong order, unless you're saying the GUI is wrong. But the GUI also shows graphically when something is plugged into a port, so I'm pretty sure my config corresponds with the physical ports.

What I'm seeing since my post is that I can get the first VLAN to work, VLAN 11, by either setting it on LAN port 1 as untagged and plugging a laptop directly in to port 1, or setting it on LAN port 1 as tagged and plugging my Procurve switch into port 1. Then I plug the laptop into the procurve and it gets assigned the VLAN 11 IP address correctly. BUT, in either case, from the laptop I can still ping the router's primary IP of 10.0.0.1 and access the router GUI, which I should NOT be able to do. Plus, there is no internet access, and I can't repeat this on any of the other 3 created VLANs even though they are all configured exactly the same (except for different names,interfaces, and IPs of course).

12
  • I plug the laptop into the procurve and it gets assigned the VLAN 11 IP address correctly.

So, it seems to be working properly!

  • I can still ping the router's primary IP of 10.0.0.1 and access the router GUI

That is standard Linux behaviour.

  • Plus, there is no internet access

We haven't seen your firewall configuration.

1 Like
13

Yep, the router is, well, routing from one VLAN to the router’s IP as well as quite possibly across VLANs, unless you’ve set up firewall rules to prevent it. You’ll likely want to restrict your listeners to your management VLAN as well.

14

Let's try to configure. Have you configured firewall to block access from specific subnets?

15

Haven't touched the firewall yet, but again, I only get an IP address on one of the four VLANs I created (the first one, VLAN 11), and even then I have no internet connectivity--the only website I can load is the router itself on a different subnet. Does the firewall block internet by default? I'm afraid this is the first time anyone has mentioned firewall, so any help would be really great. I won't send you any firewall config info since I have done nothing with it yet!

16

To access Internet in new zone you should enable forwarding. Let's configure it tomorrow in PM, OK?

17

Absolutely, and thanks! I'm in MDT time zone but that doesn't matter to me, just name the time. Is it possible to send private messages on this forum??

18

Yes, I've sent you message. I've sent it two times by mistake, first one I've deleted.

19

Hi, I am having exact same issue. Could you share you network, firewall and any configurations you used to get this working?

20

What exact same issue? What hardware, and what are you trying to do?