Not receiving any traffic on VLAN interface

I've been going through this repeatedly to no avail.

I have a VLAN (VLAN 10) designated for security cameras. They are on ports 1, 2, 3, 4, 5, and 6 of a Netgear GC110P.

My router running OpenWRT is a Linksys WRT3200ACM.

My cameras show up in OpenWRT with the correct IP and subnet I have designated. I can ping them from Windows with a 0% packet loss.

I can't log in to the cameras via web browser. OpenWRT is showing barely any traffic on the interface, too.

Is the problem on my Netgear switch end? I've got all 6 ports as untagged on VLAN 10, and with a PVID of 10. Port 10 is the trunk, tagged VLAN 1 and 10.

It is entirely possible that the web server on the cameras won't respond to requests coming from a different subnet, although usually the pings wouldn't work either. But that entirely depends on how the cameras are set up from the vendor.

Let's take a look at your configs:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Just thinking it can also be just a traffic forward rule you are missing.

Can you also tell us from which network/interface you tried to connect to the camera web interface?

I'm not sure I covered everything properly in terms of redaction, so I sent you a private message first.

I tried to connect from my 'lan' interface on VLAN1. My firewall rules have the 'cctv' interface to accept.

And is cctv the firewall zone, or have you defined a traffic rule?

In case it's not a traffic rule, you need to add one which looks like:

src zone: lan
dst zone: iot-network (cctv in your case)
dst ip: <your camera ip> (optional, you can leave this blank if you don't want to limit the rule to one device)
dst port: also optional
target: Accept

You can find it in luci->firewall->traffic rules (tab)

CCTV is in the firewall zone, yes.

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'cctv'

That should allow traffic to flow.

Two tests to run

  1. Connect a computer to the cctv network and see if it can reach the camera web servers.
  2. Connect a device like a Pi or any other device running macOS or Linux to the cctv network and see if you can reach it from your lan.

My device on the CCTV end has not managed to get an IPv4 address via DHCP, but somehow has an IPv6 address. I don't see the cameras on my network, but of all the things...

My five IPTV boxes appear. They're not even on that VLAN. In fact, they're on VLAN1, because I couldn't manage to get them configured on the special VLAN I had for them.

The plot thickens.

EDIT: If it makes any difference, those IPTV boxes appear to have a 169.x.x.x loopback address. They work perfectly fine.

I reviewed what you sent via PM -- it is properly redacted. You can safely post that here.
I see a few issues, and once posted, I'll make suggestions (it's helpful for the complete config to be posted first so that there is context for you and for future readers).

Yes, this suggests some significant issues. It may also be related to your switch config, too... but first we'll fix the router's config.

Behold!

        "kernel": "5.15.108",
        "hostname": "xxxxxxx",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r22651-8f427f1a05",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt SNAPSHOT r22651-8f427f1a05"
        }
}
root@xxxxx:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        option bridge_empty '1'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'
        option ipaddr '192.168.0.10'
        option delegate '0'

config device
        option name 'wan'
        option macaddr 'xxxxxxxxxx'
        option ipv6 '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t*'
        list ports 'lan2:t*'
        list ports 'lan3:t*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan4'

config interface 'cctv'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.0'
        option netmask '255.255.255.0'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '192.168.40.0'
        option netmask '255.255.255.0'

config interface 'offline'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.0'
        option netmask '255.255.255.0'

config interface 'main'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.0'
        option netmask '255.255.255.0'

root@xxxxx:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '16'
        option limit '200'
        option dns_service '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'office'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.0.11'

config host
        option name 'switch2'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.0.12'

config host
        option name 'switch3'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.0.13'

config host
        option name 'switch4'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.0.14'

config dhcp 'guest'
        option interface 'guest'
        option start '1'
        option limit '25'
        option leasetime '12h'

config dhcp 'main'
        option interface 'main'
        option start '1'
        option limit '20'
        option leasetime '12h'

config dhcp 'offline'
        option interface 'offline'
        option start '1'
        option limit '10'
        option leasetime '12h'

config host
        option name 'ap'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.0.200'

config dhcp 'cctv'
        option interface 'cctv'
        option start '10'
        option limit '5'
        option leasetime '12h'

config host
        option name 'cctv-poe-switch'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.0.100'

config host
        option name 'camera1'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.10.10'

config host
        option name 'camera2'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.10.11'

config host
        option name 'camera3'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.10.12'

config host
        option name 'camera4'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.10.13'

config host
        option name 'camera5'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.10.14'

config host
        option name 'camera6'
        option dns '1'
        option mac 'xxxxxxxxxxxx'
        option ip '192.168.10.15'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'DROP'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'main'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'main'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'lan'
        option dest 'guest'

config forwarding
        option src 'lan'
        option dest 'offline'

config forwarding
        option src 'lan'
        option dest 'main'

config rule
        option name 'main-dhcp-and-dns'
        option src 'main'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'guest-dhcp-and-dns'
        option src 'guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'offline-dhcp-and-dns'
        option src 'offline'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'main'
        option dest 'wan'

config zone
        option name 'cctv'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'cctv'

config zone
        option name 'offline'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        list network 'offline'

config forwarding
        option src 'lan'
        option dest 'cctv'

config rule
        option name 'cctv-dhcp-and-dns'
        option src 'cctv'
        option dest_port '53 67 68'
        option target 'ACCEPT'

Thanks. I’ll comment on that in a moment.

But a question I should have asked earlier - what is the use of each port - which ones are trunks and what are the access ports?

LAN1 goes to a switch in one room. LAN2 goes to a switch in another room. LAN3 belongs to the PoE switch that the CCTV cameras are connected to. LAN4 is for a router configured as an Access Point. Of course, they're tagged on the LAN side and the trunk port on the switch side. Then, the device ports are untagged.

All switches are Netgear G308E. I haven't had issues with them since moving to the OpenWRT Snapshot that someone recommended, resolving a kernel issue.

The PoE Switch, on the other hand, is involved with this mess. It's a Netgear GC110P. Port 10 is a trunk, running to an SFP to RJ45 media converter. That shouldn't be a problem, right? If the router sends tagged packets over fibre, it should still be carried through copper. It's not like the media converter is adding/removing tags? I have also tried an RJ45 to RJ45 trunk connection instead on Port 8, and the issues persist.

Ok... thanks. So it sounds like all ports should have the same VLAN memberships?

I see VLANs 1, 10, 20, 30, and 40. Should they all be tagged on all ports?

Currently you have the following (although there are some issues, especially on port lan4):

Port lan1: 1t, 10t, 20t, 30t, 40t
Port lan2: 1t, 10t, 20t, 30t, 40t
Port lan3: 1t, 10t
Port lan4: 1u, 20u, 40u   

What VLAN membership arrangement do you want? Note that port lan4 is invalid because you have 3 untagged networks. There are other things, too, but they are less of an issue.
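Added example, not part of any post in this thread: a small Python checker that rebuilds the per-port membership table above from `config bridge-vlan` sections and flags ports that are untagged in more than one VLAN. The input is reconstructed from the config posted in this thread; the function names are illustrative, and a port listed with no `:flags` suffix is treated as untagged, matching the reading in the reply above.

```python
from collections import defaultdict

# Constructed input: bridge-vlan port lists copied from the config in this thread.
POSTED = {
    1: "lan1:t* lan2:t* lan3:t* lan4:u*",
    10: "lan1:t lan2:t lan3:t",
    20: "lan1:t lan2:t lan4",
    30: "lan1:t lan2:t",
    40: "lan1:t lan2:t lan4",
}
SAMPLE = "".join(
    f"config bridge-vlan\n\toption device 'br-lan'\n\toption vlan '{vlan}'\n"
    + "".join(f"\tlist ports '{p}'\n" for p in ports.split()) + "\n"
    for vlan, ports in POSTED.items()
)

def parse_bridge_vlans(text):
    """Return {port: [(vlan, tagged, pvid), ...]} from UCI bridge-vlan sections."""
    members, in_section, vlan = defaultdict(list), False, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "config":
            in_section, vlan = words[1:2] == ["bridge-vlan"], None
        elif in_section and words[:2] == ["option", "vlan"]:
            vlan = int(words[2].strip("'\""))
        elif in_section and words[:2] == ["list", "ports"] and vlan is not None:
            port, _, flags = words[2].strip("'\"").partition(":")
            # Assumption: no flags means untagged; 't' = tagged, '*' = PVID.
            members[port].append((vlan, "t" in flags, "*" in flags))
    return dict(members)

def summary(members):
    """Per-port membership in the '1t, 10t' notation used in the thread."""
    return {port: ", ".join(f"{v}{'t' if tagged else 'u'}" for v, tagged, _ in entries)
            for port, entries in members.items()}

def audit(members):
    """Return {port: reason} for ports with more than one untagged VLAN or PVID."""
    problems = {}
    for port, entries in members.items():
        untagged = [v for v, tagged, _ in entries if not tagged]
        pvids = [v for v, _, pvid in entries if pvid]
        if len(untagged) > 1:
            problems[port] = f"untagged in VLANs {untagged}, only one is allowed"
        elif len(pvids) > 1:
            problems[port] = f"PVID marked on VLANs {pvids}"
    return problems

if __name__ == "__main__":
    table = parse_bridge_vlans(SAMPLE)
    for port, line in sorted(summary(table).items()):
        print(f"Port {port}: {line}")
    print(audit(table))
```

Running it against the output of `cat /etc/config/network` after each edit shows whether a trunk or access port still carries more than one untagged VLAN before the change is applied to the bridge.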

Hmm and how is the switch configuration defined?

If the cameras are not VLAN aware, the switch should send traffic to the device as untagged with a PVID of 10, and tagged on port 0 (aka CPU port) as VLAN 10.

To explain what it does:

The default VLAN for a port should always be untagged; untagged means it removes the tag towards the device connected on the port.

Having it tagged as VLAN 10 on port 0 means the packet gets tagged again for upstream, like your router or modem.

Now if you want multiple VLANs on one port and you have already done as above, the rest should always be considered tagged: tagged to the device on the port and tagged on the CPU. Why? Because you can only have one VLAN untagged.

All addresses set in the dhcp pool for the cctv network are already taken by static leases.

You could enable masquerading in the cctv zone to check if this is the case.

LAN1-2 should be tagged with every VLAN because I have devices belonging to various VLANs downstream. LAN3 should only be carrying the CCTV VLAN (10) and I assume VLAN1 for management.

LAN4 is me still trying to figure out how to use a Netgear router as an AP with two SSIDs on their own VLAN. (Guest on 40 and main SSID on 1). I definitely need to clean that up.

This is interesting. I couldn't find anything about them being VLAN aware, but I assumed untagged packets should be carried without issue. They are Axis P3225 LVE network cameras.

Could you draw a quick diagram of your topology? (A photo of a sketch on paper is sufficient.)

Depending on what is immediately connected to LAN3, maybe there should only be a single network (untagged), or maybe it should have both. The diagram can be helpful here.

What firmware is running on this Netgear device, and what model is it?

I'll whip up a diagram, for sure. In the meantime, here's the Netgear router.