OpenWRT vlan tagging

So I am trying to make an OpenWrt device behave like a layer 2 managed switch, but I am having trouble getting it to work. I have successfully put all ports into a bridge and it is working fine as an "unmanaged" switch.

However, I am trying to add an 802.1Q VLAN tag to one of the ports so that it is in a separate LAN. I have an 802.1Q interface on the upstream router, but I am struggling to set one of the ports on the downstream device to tag traffic. Here is what LuCI looks like:

How would I set this up so that traffic coming in on lan2 gets tagged before getting sent out? I am a bit confused. I tried setting the port as a tagged VLAN, but that just broke my connection. I next tried setting it as tagged and then setting the wan port as untagged. That preserved my connection, but the port didn't work. I feel like I am missing something obvious, but I do not know what it is.

I think the biggest issue for me is that a lot of the online documentation is pre-DSA.

This is DSA, so you'll use bridge VLANs.

Let's see your network config file:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

It's best to be connected to the router by wifi instead of Ethernet so you don't get disconnected while configuring Ethernet ports.

When you check the box at the top of that page you will have options to add VLANs by clicking a button that will appear at the bottom. Each VLAN needs a unique number that matches the number configured in devices that the trunk ports (see below) will connect to.

The rest of the page allows you to designate each vlan as untagged, tagged, or off on each port. A port that connects to an ordinary non-VLAN-aware device such as a desktop computer will be untagged in exactly one VLAN and off in the others. This is called an "access" port. A port that is connected to another switch or router and will transport several VLANs on one cable will be tagged in all the VLANs that you want to transport. This is called a trunk port. The "internal" box should generally be checked on all VLANs unless it is a network that you want to purely hardware switch between two ports without any interaction with the router OS.

Set up a VLAN for the lan and wan as well. They can have any number (conventionally 1 and 2) as they won't be appearing on tags outside the box. Then go back to the lan and wan interfaces and change the Device to br-lan.X where X is the new VLAN number. Do this before applying changes or the LAN ethernet will stop working.

In my configuration I don't have a wan or a lan as I want the device to behave like a simple switch. I put all devices in the same interface so that traffic can pass through and there is not a separate lan as it is using the upstream dhcp server and NAT.

However, I am trying to assign a port to a VLAN so that it is in a separate LAN. I want the packets from that port to get tagged before they go upstream. However, I cannot have a wan as it would break the local WAN. All devices need to be on the same LAN except for the port tagging the packets.

For reference, I want OpenWrt to take the place of a managed switch.

That is all possible. We need to see your network config as requested earlier.

Also, please indicate the desired port vlan membership on a per port basis.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd34:9995:715a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config interface 'shared'
	option proto 'dhcp'
	option device 'br-lan'

I am looking to put lan2 in VLAN 669. I have also tried putting lan2 in its own bridge with br-lan.669, but that didn't work.

Please post this, too.

If you want this to be a managed switch, there must be 2 ports or more per vlan, otherwise it isn’t acting as a switch, just a dead end. Can you give us all the port vlan assignments?

I was looking for more generic information that is why I didn't specify a device. However, I can post the output of the board.

It isn't going to be a dead end because I am looking to only tag one of the ports. The rest of the ports are in the main lan which has no vlan and I am looking to isolate the single port in its own lan along with the same port on different devices.

{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Aruba AP-303H",
	"board_name": "aruba,ap-303h",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}

The reason I ask for the device info is two fold:

  1. There are some devices that can be setup with dotted notation or DSA/bridge vlans, whereas others are only DSA, and some targets haven't yet migrated from swconfig. Knowing what device we're talking about can make all the difference.
  2. In certain cases, users may have a device that is either not supported at all by official OpenWrt or their device may be on a vendor fork of OpenWrt. In these situations, the suggestions and syntax normally used for OpenWrt could severely break the configuration of the system, so it is important to know that we are not going to make a mess of things because of bad assumptions.

This doesn't really explain what you're trying to do. If you can simply provide a port-by-port description of what VLANs should be on each port (and tagged/untagged status), I can show you a complete working configuration. Without this detail, what I give you may not actually result in anything functional. There is nothing sensitive about the port-VLAN assignments, so I'm a bit confused why you appear to be unwilling to share this.

So I think I am on the right track. Here is what I have so far:
Router:

Switch:

I am still playing around, but I think I am making progress. Right now I am trying to get the ports on the switch to work. I am trying to put all but one of the ports into VLAN 1 and one of the ports in VLAN 667. I think I am getting close.

Post your network config file and we can take a look to make sure it is configured properly.

cat /etc/config/network

Give me a bit. I think I can get it working through trial and error.

My new config:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd34:9995:715a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'shared'
	option proto 'none'
	option device 'br-lan'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '1'
	option name 'wan.1'

config interface 'main'
	option proto 'dhcp'
	option device 'wan.1'

For now I just want all ports to be tagged with VLAN 1. In the future I want to put the ports in different VLANs.

All ports including the wan?? And all tagged? (with tagged VLANs, the connected devices must be VLAN aware and set to expect VLAN 1 tagged; traditional/normal end devices like your computer, game console, etc., do not usually understand VLANs by default or at all, therefore the ports will appear dead).

Delete this:

and this:

Add wan to the bridge:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

Create a bridge VLAN:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'wan:t'

Create a new lan interface with br-lan.1:

config interface 'lan'
	option proto 'dhcp'
	option device 'br-lan.1'

Post your config file after you make the edits and I'll review.

I did what you said:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd34:9995:715a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config interface 'shared'
	option proto 'dhcp'
	option device 'br-lan'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option name 'br-lan.1'

I did change the upstream port the device is connected to from tagged to untagged, as I would have lost access with this config. I am really just trying to make OpenWrt a layer 2 switch with VLAN support. That is all I am aiming for. Maybe I am overcomplicating the setup.

Thanks

Not everything, though, based on your configuration. Please re-read my last post and make sure you take all the steps I specified.

No, you're not over-complicating the setup, but you are making the discussion more complex than it needs to be.

VLAN aware implies that you have VLANs on your network already (or will be doing that soon). What I need is a port level description of what each port should do. For example (just making this up):

  • Port wan: VLAN 1, 23, 172; all tagged (uplink to router)
  • Port lan1: VLAN 1; untagged + PVID (access port)
  • Port lan2: VLAN 172: untagged + PVID (access port)
  • Port lan3: VLAN 1, 23, 172; VLAN 1 untagged, others tagged (downlink to AP)
  • Device administration on VLAN 1 with address via dhcp client

You will probably have different specifics, but the example above is the description I am looking for in order to help you with a configuration.

Right now I have the main LAN on VLAN 1 and a secondary LAN on VLAN 667. I originally was going to just have a single VLAN with everything else untagged, but that ended up being more complicated.

  • Port wan: connected to upstream (all tagged)
  • Port lan1: VLAN 1 untagged
  • Port lan2: VLAN 667 untagged
  • Port lan3: VLAN 1 untagged

What I would like to see happen is that I can plug into lan1 or lan3 and be in VLAN 1, but if I plug into lan2 I should be in VLAN 667. lan1, lan2 and lan3 should not accept tagged packets from connected devices.
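A complete DSA bridge-VLAN /etc/config/network matching the port assignment in the post above, written out as an added example (it is not a config posted by anyone in this thread). It follows the generic LuCI procedure described earlier (access ports untagged + PVID in one VLAN, trunk port tagged in every VLAN it carries, the management interface moved to br-lan.X). Port names lan1, lan2, lan3, wan and VLAN IDs 1 and 667 are taken from the thread; the loopback and globals sections are as already posted; that the switch itself should keep taking a DHCP address on VLAN 1 is an assumption carried over from the earlier suggestion.

```uci
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd34:9995:715a::/48'

# One bridge holding every switch port. Only the DSA user ports go in here,
# not the CPU conduit (eth0).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

# VLAN 1: tagged on the uplink (wan), untagged + PVID on the lan1/lan3 access ports.
# ':t' = tagged member, ':u*' = untagged member and PVID (default VLAN for untagged ingress).
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'wan:t'
	list ports 'lan1:u*'
	list ports 'lan3:u*'

# VLAN 667: tagged on the uplink, untagged + PVID on lan2 only.
config bridge-vlan
	option device 'br-lan'
	option vlan '667'
	list ports 'wan:t'
	list ports 'lan2:u*'

# Management address for the switch itself, obtained from the upstream DHCP
# server on VLAN 1 (assumption: the upstream router serves DHCP on that VLAN).
config interface 'lan'
	option proto 'dhcp'
	option device 'br-lan.1'

# VLAN 667 is switched purely at layer 2 between lan2 and wan; deliberately no
# interface is attached to br-lan.667, so the router OS has no presence on it.
```

Apply this over Wi-Fi or from a port that will keep working (lan1 or lan3 here), then confirm the result with `bridge vlan show`, which lists every port's VLAN memberships with the PVID and "Egress Untagged" flags. Two caveats a practitioner should know: first, the untagged flag only controls egress, so in the Linux bridge a frame arriving on lan1 already tagged with VID 1 is still accepted because lan1 is a member of VLAN 1, while tagged frames for any VID the port is not a member of (667 on lan1, 1 on lan2) are dropped. Second, `wan:t` for VLAN 1 requires the upstream router to send VLAN 1 tagged on that link; if the upstream instead sends its main LAN untagged (a native VLAN), change that line to `wan:u*` or the management interface will never get an address.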

When you say this, what exactly do you mean? Do you mean one tagged network and one untagged?

Where is VLAN 667 in all of this?