Pass VLAN tag over wlan0?

I'd like to hook up the sole 4k IPTV box provided by my ISP to the TV in the living room of a house of two-decade old construction, which means the closest RJ-45 wall jack is unfortunately on the opposite side of the living room, away from the coax outlet & co. for the TV stuff. Even that RJ-45 is of questionable availability, because the wall plate is actually covered and the actual wiring might not be in there at all (the construction plan marks this as one of the two "ADSL" outlets, but with X marks, unlike the only one readily usable in the study, which is marked with a check mark.)

For practical reasons, I don't want to run cables from the FTTH modem, or my only openwrt device (a wndr3800, with separate 5GHz and 2.4GHz radios) to the living room TV.

IPTV setup via Powerline devices are reportedly susceptible to interference from large electric appliances.

Apparently for the IPTV box to register on the ISP's dedicated IPTV network, it needs to be connected to a few select LAN ports on the FTTH modem tagged as VLAN 55. I have reconfigured the FTTH modem from router mode to bridge mode. So now my openwrt AP/router is the gateway, where I've configured VLAN 55 and assigned it to both CPU (eth0) and LAN2 (port 2).

An older revision of the IPTV box is rumored to have built-in Wifi (allegedly accessible via the companion remote control). However the local ISP technician vehemently denies this revision of the box has Wifi capability. So forget about setting the box as a regulard AP or WDS client to the openwrt router.

I don't have another openwrt-capable Wifi device. So I set up a spare non-openwrt Wifi router (cheapo 2.4GHz-only TP-link) next to the livingroom TV as AP (WDS) client to the wndr3800 running openwrt, with the IPTV box connected into one of TP-link's LAN ports. The WDS works great.

The only remaining issue seems to be the pesky VLAN-tagging. I've tried creating a new interface named iptv2wlan0, bridging wlan0 (there's also a wlan0.sta1 according to ifconfig, presumably for the WDS) and eth0.55. I'm not sure what Protocol this interface is supposed to have, so I chose "unmanaged". However, that caused all the clients hanging off wlan0 (in WDS mode) and I assume any wired hosts connected via the TP-link's LAN ports to lose connectivity.

Is there a workaround? Is it just a matter of picking the correct Protocol for the bridged interface (currently bridging eth0.55 and wlan0, but I had tried eth0 and wlan0, to the same debilitating effect)? Even if the VLAN tagging issue gets resolved, I wonder if the non-VLAN capable TP-link would be able to pass along the VLAN info to the hosts connected via its wired LAN ports such as the IPTV box. That's the whole point of the exercise.

AP-STA links whether WDS or not, are a single network. They can't carry or support VLAN tags.

You will need to regenerate the tags in the living room as packets enter the Ethernet cable to the TV box. That is trivial on an OpenWrt router, it is the reverse of what you are doing on the other side to remove them after they leave the ONT.

You could place a managed switch inbetween the non-OpenWrt client you have and the TV box. Set the box port to tagged and the client port to untagged. But it would be most direct to run OpenWrt on both ends of the wireless link.

2 Likes

I'm regretting the other perfectly good wndr3800 I threw away in a haste due to a move a few months ago.

Just for future references, how does one go about regenerating the VLAN tags on the second openwrt (serving in WDS client mode, in lieu of the TP-link in my case) for consumption by the wired IPTV box? Is it just a matter of creating and assigning VLAN 55 to a LAN port on that second openwrt locally, even though it had received the traffic via the WDS-bridged traffic that carries no VLAN info from the AP (WDS) master openwrt?

Set up VLAN 55 in the switch, tagged on both the CPU and an external port. Create a bridge interface of proto none (e.g. br-iptv) containing eth0.55. In wifi configuration attach the wifi STA(WDS) to this bridge.

This is as I said the exact reverse of what happens at the main router. So end to end you have packets tagged 55 on both cables, and the ONT and the TV box work like they are directly connected.

If it is possible to configure the IPTV box to use untagged packets, that would also solve your problem.

1 Like

I don't see "none" being an option for Protocol in the Luci GUI (network -> interfaces). Is manually editing in "proto none" in /etc/config/network the only available option?

I also haven't found wlan0.sta1 so far in Luci (only place I noticed it is in the "ifconfig -a" output when I ssh in). How would one go about attaching "the wifi STA(WDS) to this bridge"? Is it also via CLI, by editing /etc/config/wireless perhaps?

In LuCI, proto none is called "Unmanaged."

On an AP(WDS), as WDS clients connect, wlanX.staY interfaces are automatically created one for each client and added to the same bridge as the original AP. There is no way to control these child interfaces, nor any need to. It's just a measure to match how the kernel works internally.

I've been assuming the main router is the AP(WDS) and the router next to the TV is a STA(WDS). In a two-point scenario it would also work reversing those roles but the description I've been using wouldn't match. Keeping the main router the AP makes sense if there's ever going to be more than one IPTV linked wirelessly.

1 Like

You cannot use VLANs over a wireless connection; but you can create a GRE tunnel over a wireless connection, and use VLANs on the tunnel.

The solution proposed by @mk24 is probably simpler.

1 Like

About WDS, I was under the impression it is supposed to be point-to-point, with the wireless bandwidth cut in half. I was surprised to see the options "AP (WDS)" and "Client (WDS)" when changing wlan0 (2.4GHz radio) from AP to WDS mode. I actually intermittently brought up a second (even older) 2.4GHz-only TP-link as a WDS partner, kinda like a test on the side, during the IPTV trial. Apple's CLI wifi-scanning utility "airport" show all three (the openwrt wndr3800 and both TP-links) on the same 2.4GHz channel, presumably with the TP-links joining whichever channel the openwrt AP chooses (channel selection: auto). The two TP-links also become DHCP clients of the openwrt.

So am I misremembering what "WDS" is (was), or has it evolved to support point-to-multipoint setups? In my original plan, it is indeed just "the main router is the AP(WDS) and the router next to the TV is a STA(WDS)". However, I thought the two routers would be of equal status (not "AP (WDS)" and "Client (WDS)", emphasis on "AP" and "Client", but rather WDS STA 1 and WDS STA 2) until I saw the actual available options in openwrt.

"Keeping the main router the AP makes sense if there's ever going to be more than one IPTV linked wirelessly." makes me think WDS might still be a point-to-point technology, and me bringing up a second "Client (WDS)" makes it something other than WDS in the traditional sense that I understood it.

Very interesting. I assume it'd require having a second openwrt, or at least a far more capable Wifi device than the low-end dumbed-down TP-links I have, to set up the GRE tunnel? Or, is it possible to initiate the GRE tunnel from the openwrt end, without requiring much (if any) setup nor support on the barebone TP-link or the wired-only 4k IPTV box?

I am afraid that you need a capable router on both ends.

I just finished setting up a newly-acquired second Openwrt device. But each of my Openwrt devices has some quirks that make me unsure how to configure VLANs and get it working on either end of the WDS bridge (AtherosWDS):


Openwrt 1:

Xiaomi AC2100 (Mediatek 7621), currently the WDS AP over wlan1 (5GHz) radio

quirk: It has no Network -> Switch section. (I'm using the latest openwrt.org snapshot build, yet @scp07 posted a screenshot of his own build showing the MT7630 switch: New Xiaomi Router AC2100 - #561 by scp07).

In /etc/config/network, it has:

config interface 'loopback'
option ifname 'lo'
option proto 'static'

config globals 'globals'
option packet_steering '1'

config interface 'lan'
option type 'bridge'
option ifname 'lan1 lan2 lan3'

config interface 'wan'
option ifname 'wan'
option proto 'dhcp'

config interface 'wan6'
option ifname 'wan'
option proto 'dhcpv6'

When creating a new bridged "IPTV" interface, under Network -> Interface, it has:

  • Bridge: br-lan (lan)
  • Ethernet Adapter: "eth0"
  • Ethernet Adapter: lan1 (lan)
  • Ethernet Adapter: lan2 (lan)
  • Ethernet Adapter: lan3 (lan)
  • Tunnel interface: "pppoe-pppoewan" (pppoewan)
  • Ethernet Adapter: "wan" (pppoewan, wan, wan6)
  • Wireless Adapter: Master "2.4Ghz SSID" (lan)
  • Wireless Adapter:Master "5Ghz SSID" (lan)
  • Alias interface: @lan
  • Alias interface: @pppoewan
  • Alias interface: @wan
  • Alias interface: @wan6

I suppose I could write in "eth0.55" and the wlan1 (5GHz) Wireless Adapters? Would I need "lan1.55" "lan2.55" etc., as well?
OTOH, how do I tag and include the WAN interface when there's no separate physical interface (e.g. eth1, so eth1.55) for that? Do I write in "wan.55" because there is "wan" as an Ethernet Adapter, or even "pppoewan.55"?


Openwrt 2:

Netgear WNDR3800 (RealTek 8366S), currently the WDS Client over wlan1 (5GHz) radio

quirk: under Network -> Switch "switch0" (RTL8366S) it has
CPU (eth0), LAN 1, LAN 2, LAN 3, LAN 4, but no WAN port (eth1)

When creating a new bridged "IPTV" interface, under Network -> Interface, it has:

  • Bridge: br-lan (lan)
  • Ethernet Switch: "eth0"
  • Switch VLAN: eth0.1 (lan)
  • Ethernet Adapter: eth1 (wan, wan6)
  • Wireless Adapter: Master "2.4Ghz SSID" (lan)
  • Wireless Adapter: Master "5Ghz SSID" (lan) - it's currently shut down
  • Wireless Adapter: Client "5Ghz SSID" (lan)
  • Alias interface: @lan
  • Alias interface: @wan
  • Alias interface: @wan6

Do I just enter "eth1.55 eth0.55" plus the wlan1 (5GHz) adapter when creating a new bridged "IPTV" interface, under Network -> Interface? What Physical Interface should this IPTV (br-iptv) interface include?


I could switch WDS roles of these two, but I'd like to understand if there're solutions as the two are currently positioned.


Given the quirks above, would it better off to use alternate (but more complex) approaches such as some combination of GRE tunneling, vxlan, 802.11s mesh + B.A.T.M.A.N.Adv?

Update: Apparently MT7621+snapshot means the newer Distributed Switch Architecture instead of swconfig, per @slh (New Xiaomi Router AC2100 - #1150 by slh)

So I installed "ip-bridge" (because I can't find the full iproute2 pkg @quarky mentioned in Mt7621 DSA switch VLAN configuration - #5 by bmork), and there's no "wan" in "bridge v" output:

#bridge v
port vlan-id
lan1 1 PVID Egress Untagged
lan2 1 PVID Egress Untagged
lan3 1 PVID Egress Untagged
br-lan 1 PVID Egress Untagged
wlan1 1 PVID Egress Untagged
wlan0 1 PVID Egress Untagged
wlan1.sta1 1 PVID Egress Untagged

On the Xiaomi that's to be expected because you don't have the wan port in any bridge.

Make up a bridge for example wan.55 and lan1.55 to test if VLANs work. You should be able to plug the TV box into lan1 and have it switch wired back to the ONT. If that works then you can place a wifi AP(WDS) in this bridge and link wirelessly to the other router, and tag the packets 55 on the way out of that router to the TV box.

The WNDR3800 has a dedicated CPU port for the "WAN" plug on the back, bypassing the switch chip entirely. This means you can use eth1.55 and not use the switch at all.

1 Like

Finally found out that "ip-full" is the current incarnation of the former "iproute2".

Still stuck on trying to get IPTV traffic through any of the wired LAN ports on the Xiaomi AC2100 that's using DSA:

I have added all of wan.55 / lan1.55 / lan2.55 / lan3.55 (all "Software VLAN" apparently) to interface "iptv", which is an unmanaged bridge. I have tried turning STP on or off. I have tried setting up a new "iptv" firewall zone that allows Input/Output/Forward, or shut down and disable the firewall completely. But, no dice. The IPTV box cannot complete the dual-side (A/B) setup, failing on getting DHCP lease on the B-side (the ISP's dedicated network for IPTV). Supposedly this A/B config is called IPOE or DHCP+.

Comparing the difference of the DHCP traffic between direct modem-IPTV and modem-OpenwrtXiaomi-IPTV, I see the modem sending two consecutive DHCP ACKs, with the first one marked 802.1Q VLAN 55. In contrast, Openwrt/Xiaomi only sends the second one. This reminded me to try the " ip link set br-iptv type bridge vlan_default_pvid [iptv-vlan-ID]" command mentioned in Mt7621 DSA switch VLAN configuration - #2 by quarky

That has the effect of changing the output of "bridge vlan" on the Xiaomi to:
port vlan-id
br-iptv 55 PVID Egress Untagged
wan.55 55 PVID Egress Untagged
lan1.55 55 PVID Egress Untagged
lan2.55 55 PVID Egress Untagged
lan3.55 55 PVID Egress Untagged

instead of the original "1 PVID Egress Untagged". However, it also stopped Openwrt/Xiaomi from responding to DHCP request on any of the three wired LAN ports. So I have unset the vlan_default_pvid.

wan.55
...
RX packets:19282 errors:0 dropped:0 overruns:0 frame:0
TX packets:19181 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1117573 (1.0 MiB) TX bytes:1307737 (1.2 MiB)

lan#.55
...
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

br-iptv
...
RX packets:20266 errors:0 dropped:18396 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1466630 (1.3 MiB) TX bytes:1176 (1.1 KiB)

Any ideas what I'm missing? I'd love to learn the DSA way of configuration on this Xiaomi, rather than resorting to switching to the swconfig-based WNDR3800.

I finally got gretal tunnel working over non-WDS AP-STA crosslink between the two Openwrt devcies, using https://github.com/oofnikj/openwrt-gretap as reference.

Now the MT7621(MT7530 switch) is the AP, and the STA. has RTL8366S switch.

I've tagged the CPU (eth0) port and all the LAN ports of RTL8366S in Luci for VLAN 55, since the WAN port (eth1, or switch port4) is not exposed by the switch to Openwrt, per https://openwrt.org/toh/netgear/wndr3800#ethernet_switch_configuration_vlan :

config switch_vlan
	option device 'switch0'
	option vlan '55'
	option ports '0t 1t 2t 3t 5t'

I've created an "iptv" interface:

config interface 'iptv'
	option proto 'none'
	option ifname 'eth0.55'
	option type 'bridge'
	option igmp_snooping '1'
	option delegate '0'
	option stp '1'

The IPTV box still fails the B-side of the DHCP+ authentication/authorization over this wifi backhaul. So I'm probably missing the "In wifi configuration attach the wifi STA(WDS) to this bridge." piece. Can you elaborate on how to do that?

I had an epiphany: since I never got the WNDR3800 to work as the AP just having the IPTV box directly hanging off of one of its wired LAN ports, mostly because the RTL8366S switch doesn't expose the WAN port to swconfig, with or without tagged CPU(eth0) with the IPTV's required VLAN, or with soft VLAN (eth1.55), why not turn any one of the LAN ports (which are exposed to swconfig in Luci) into another WAN port, solving the problem of not being unable to tag the "WAN" port in swconfig?

Well, it worked. Turning VLAN55 "off" on CPU(eth0) in Luci swconfig, turning LAN port 1 into WAN2 in /etc/config/network, while keeping all four LAN ports (1-4) tagged for VLAN55 in Luci, the IPTV finally worked when plugged into any one of the remaining three LAN ports.

That might or might not help resolve my original goal of casting IPTV VLAN-tagged traffic over the Wifi trunk (first gretap, now vxlan tunnel), but at least I gain the flexibility of havin either the WNDR3800 or the MT7621-based Openwrt as AP or STA over this Wifi bridge. At least, I can now eliminate any doubt that it's the swconfig's VLAN tagging that's causing the requisite DHCP+ B-side authentication/authorization failure over the Wifi trunk. The only remaining reasons it still won't work should be not tagging the VLAN (55) correctly over vxlan, or some sort of firewall config issue (LAN-to-LAN, as I've found out that I needed to allow the UDP port for vxlan on both AP and STA, in order for the vxlan tunnel to come up).