I have recently set up a Raspberry Pi 4 with OpenWrt to act as my router. I have a separate eight-port managed switch. I'm reading and watching various videos and something with VLANs isn't going quite right. I keep losing access to the internet or access to the router itself when enabling VLANs. Is there some documentation for setting this up with a separate switch?
Setting up VLANs on a Pi with OpenWrt is usually very simple...
Your VLANs will be simple dotted notation...
- eth0 is the base device, and a network assigned to eth0 will be untagged.
- eth0.5 would be VLAN 5 on eth0 (tagged).
- you can have zero or one untagged networks
- you can have zero, one, or many tagged networks
- many people will suggest that if you have any tagged networks on a port, you should not have any untagged networks. This is not a requirement, but some hardware may not operate properly if you mix tagged and untagged.
- A port that has multiple networks using VLANs is called a trunk
- A port that has only a single network, untagged, is called an access port.
On your switch, you need to set the same VLAN scheme on the port that connects to the Pi. So if you have, for example, eth0, eth0.5, and eth0.7 on your Pi, you need to have the corresponding switch port with VLAN 1 untagged/PVID, and VLANs 5 and 7 tagged.
From there, you'll create access ports for each of the VLANs as needed (untagged/PVID), and/or trunks where needed to connect to other VLAN aware devices.
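As an added example (not part of the original posts, and not OpenWrt or switch-vendor code), the sketch below checks a switch port plan against the router's dotted devices using the rules above: every VLAN tagged on the Pi must be tagged on the uplink, and each port's PVID must match its untagged VLAN. The port-table layout and the `native_vid` parameter are assumptions.

```python
# Added example: the switch-table layout and all names are assumptions,
# not a vendor export format or OpenWrt tooling.

def router_vlans(devices, base):
    """Split OpenWrt device names on one NIC into (has_untagged, tagged VIDs)."""
    tagged = set()
    for name in devices:
        dev, _, vid = name.partition(".")
        if dev == base and vid.isdigit():
            tagged.add(int(vid))          # eth0.5 -> VLAN 5, tagged
    return base in devices, tagged        # bare eth0 -> untagged network


def check_switch(ports, uplink, devices, base="eth0", native_vid=1):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    has_untagged, tagged = router_vlans(devices, base)
    up = ports[uplink]
    missing = tagged - up["tagged"]
    if missing:
        problems.append(f"port {uplink}: VLANs {sorted(missing)} not tagged on uplink")
    if has_untagged and (up["pvid"] != native_vid or native_vid not in up["untagged"]):
        problems.append(f"port {uplink}: VLAN {native_vid} must be untagged/PVID on uplink")
    for num, p in sorted(ports.items()):
        if len(p["untagged"]) > 1:
            problems.append(f"port {num}: more than one untagged VLAN")
        elif p["untagged"] and p["pvid"] not in p["untagged"]:
            problems.append(f"port {num}: PVID {p['pvid']} is not the untagged VLAN")
        if p["untagged"] & p["tagged"]:
            problems.append(f"port {num}: VLAN both tagged and untagged")
    return problems


# Constructed sample: router side taken from the eth0 / eth0.5 / eth0.7 case above.
ROUTER_DEVICES = ["eth0", "eth0.5", "eth0.7"]
SWITCH_PORTS = {
    1: {"pvid": 1, "untagged": {1}, "tagged": {5, 7}},  # trunk to the Pi
    2: {"pvid": 1, "untagged": {1}, "tagged": set()},   # access port, VLAN 1
    3: {"pvid": 5, "untagged": {5}, "tagged": set()},   # access port, VLAN 5
    4: {"pvid": 1, "untagged": {7}, "tagged": set()},   # PVID left at default
}

if __name__ == "__main__":
    for line in check_switch(SWITCH_PORTS, 1, ROUTER_DEVICES):
        print(line)
```

A port whose PVID was left at the default while its untagged membership was changed drops or misroutes inbound frames, which is the kind of mistake this check reports.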
I'm also rather new to this but
I believe you have 2 ports on your Pi 4? If that's right, it's the same as my NanoPi R4S. I had the same issues as you, struggling for many days until I started with setting up the switch (VLAN/LAN) and then connected from the switch to the router to set it up. Only having one line out makes it difficult to have that line 'trunked' (transporting tagged packets or the VLANs), and if your end device is not tagged (network in PC) you lose connection.
Hope it can help you, and also what @fow0ryl and @psherman write, which is very good advice.
All the responses are helpful! Thank you. I'll watch the video. Yes I have two ports on it, made sure to get an adapter. I'll probably need to reword this after I'm home looking again. When creating the vlans do they get connected to the br-lan or just the port device?
I'm using a NanoPi R2S with 6 VLANs here. So it may be very similar to your setup.
But of course, the switch has to be configured too. If something on the switch or your Pi is not configured properly, you are lost.
So the best thing for at least your very first setups is to leave the LAN interface untouched and add an additional interface with a testing VLAN functionality.
Make sure you are using vlan-id 1 for LAN and it is marked as untagged in "Bridge VLAN filtering" for br-lan.
And do not "Save & Apply" until you are ready!!!
Just finished the video and think it voided my last question. Thank you so much. I think the biggest thing I've been missing is the VLAN filtering. I've seen and read several guides and this is the first time I'm seeing that.
Your device will not need VLAN filtering. You'll use standard dotted notation only (VLAN filtering is largely a DSA concept).
So I created a bridge with my second eth device and added my VLANs into the bridge filtering, which created three VLAN devices. One untagged and two tagged. I created a different static DHCP interface for each of the three VLAN devices. Am I on the right track?
My guess is that this is the wrong approach... as I said before, you should be using dotted notation, not bridge filtering.
Please post your configuration so we can see details of what you have done.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

```
cat /etc/config/network
```
```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5c:c033:4f20::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '10'
	option name 'eth1.10'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '20'
	option name 'eth1.20'
	option acceptlocal '1'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '5'
	option name 'eth1.5'
	option acceptlocal '1'

config interface 'LAN'
	option proto 'static'
	option device 'eth1'
	option ipaddr '10.90.10.1'
	option netmask '255.255.255.0'

config interface 'vlan10'
	option proto 'static'
	option device 'eth1.10'
	option ipaddr '10.90.10.1'
	option netmask '255.255.255.0'

config interface 'vlan5'
	option proto 'static'
	option device 'eth1.5'
	option ipaddr '10.90.5.1'
	option netmask '255.255.255.0'

config interface 'vlan20'
	option proto 'static'
	option device 'eth1.20'
	option ipaddr '10.90.20.1'
	option netmask '255.255.255.0'
```
This looks fine.
I'm still missing something though. Either with my managed switch or something. Can't get anything to connect through it. Thank you for looking that over.
Let's see the managed switch config. Please indicate the uplink port that goes to the router.
Unfortunately it can't run OpenWrt. It gives me the option to set the management IP and pvid and pvid on all ports. Port one has all the VLANs tagged and goes to the router. After that I'm lost.
That's okay... although this isn't the place to get support for other products, it's not unreasonable to help in this context because we're enabling the OpenWrt config to work.
As it should... let's see what you've got set up in this part of the config.
Show me the config for all ports, if you can... usually there is a summary page for the VLAN config.
I have to thank everyone SO MUCH. Seems like a wonderful group of people. With the help given I have solved my issue! Mainly I had the tagging set wrong on my switch, also completely forgot about the PVID on the ports! Now to figure out Firewall rules!