Problem with VLANs

Hello folks, I'm looking to use VLANs on my network but I'm confused about how to set them up. I have a TL-SG105E and a NanoPi R2S in my network. I want to use VLANs with this switch but it's not working. I've set up the switch and the VLANs correctly, but I'm stuck at trying to isolate my network completely. When I did a packet capture using port mirroring I saw that my trunk and the VLAN were working (the packet header was filled with VLAN info). I was able to get a valid IP on the interface that I set up for testing, using br-lan VLAN filtering with my LAN at VLAN ID 20 as primary and untagged, and the test VLAN ID 30 as untagged only. It worked, but I can ping other IP addresses from different ranges on my network and can ping other VLANs. Well, something is wrong but I don't know what; I'm getting confused as hell.

Here is my TL-SG105E 802.1Q VLAN table:

VLAN 1 (Default): member ports 1-5, untagged 1-5
VLAN 20: member ports 1,2, untagged 2, tagged 1
VLAN 30: member ports 1,3, untagged 3, tagged 1

How can I set up VLANs with my NanoPi R2S, which has only one LAN port, and my switch, which is managed and VLAN aware?

eth0, eth0.20, eth0.30.

Thanks for helping, but I'm a newbie at VLANs on OpenWrt; I've learned about them but haven't had much practice. Can you help me by explaining how I can set that up?

How were you testing? What was the source and destination IP address of your ping tests?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Oh hey, I was testing by pinging other IP ranges and pinging my other VLANs' IPs, and I'm getting responses from those IPs. The source is my VLAN ID 30. I have captured some packets using Wireshark on a mirroring port; the packets appear to have the VLAN standard in the header. I've deactivated the DHCP client on my managed switch TL-SG105E, and here is the information that you requested and more:

ubus call system board
{
	"kernel": "5.15.78",
	"hostname": "FriendlyWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "FriendlyElec NanoPi R2S",
	"board_name": "friendlyelec,nanopi-r2",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "rockchip/armv8",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:ab:cd::/48'

config device
	option name 'eth0'
	option macaddr 'redacted'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr 'redacted'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option name 'br-lan.30'
	option ipv6 '0'

config interface 'vlan30'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '187.234.24.4'
	option netmask '255.255.255.0'

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option flow_offloading '1'
	option fullcone '0'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option fullcone4 '1'
	option fullcone6 '1'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'
	option enabled '0'


Here is my TL-SG105E config and a packet that I captured from trunk port 1 that comes from my NanoPi LAN port:

The section below isn't entirely necessary... I'd recommend deleting it.

The IP address you've chosen for VLAN30 is not an RFC1918 address. You should stick to private addresses (anything in the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 ranges; typically a /24 is used).

Maybe use 172.16.30.1 as your address (just an example).

You do not appear to have assigned the network vlan30 to a firewall zone. For now, let's do this:

config zone
	option name 'vlan30'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan30'

config forwarding
	option src 'vlan30'
	option dest 'wan'

The above will allow internet access from vlan30, but will not allow hosts on the lan to reach hosts on vlan30 and vice versa. Keep in mind that you will be able to reach the router itself at any of the addresses it holds (192.168.2.1 and whatever you set for vlan30). Also, because of the poor implementation of the firmware on the TL-SG1xxE series switches, all hosts on the network that are connected through that switch will be able to reach it.

Also, in the future, please don't use 3rd party image hosting websites... you can upload your images directly to this forum.

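The reply above makes three points about the posted config: the public address on vlan30, the missing zone for vlan30, and the zone/forwarding pair that fixes it. The following is an added example, not code from the thread or from OpenWrt: a small UCI reader plus an audit that checks a network/firewall pair for exactly those problems (an interface assigned to no zone, a forward policy of ACCEPT in `defaults` or in a zone holding several networks, and an address outside RFC 1918). The sample configs are constructed here, abridged from the ones posted; the fixed variants follow the reply's suggestions, with 172.16.30.1 taken from the reply as the example address.

```python
"""Added example, not code from the thread: audit an OpenWrt network/firewall
pair for the three problems the replies point out, an interface assigned to no
firewall zone, a forward policy of ACCEPT (in 'defaults', or in a zone that
holds several networks) and a non-RFC 1918 address.  The sample configs below
are constructed here, abridged from the ones posted; the fixed variants follow
the replies' suggestions (172.16.30.1 is the example address from the reply)."""
import ipaddress
import shlex

NETWORK_AS_POSTED = """
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
config interface 'vlan30'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '187.234.24.4'
	option netmask '255.255.255.0'
"""
FIREWALL_AS_POSTED = """
config defaults
	option forward 'ACCEPT'
config zone
	option name 'lan'
	option forward 'ACCEPT'
	list network 'lan'
config zone
	option name 'wan'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
config forwarding
	option src 'lan'
	option dest 'wan'
"""
# Fixed: private address for vlan30, global forward REJECT, vlan30 in its own
# zone (forward REJECT, as the later reply advises) with forwarding to wan only.
NETWORK_FIXED = NETWORK_AS_POSTED.replace("187.234.24.4", "172.16.30.1")
FIREWALL_FIXED = FIREWALL_AS_POSTED.replace("forward 'ACCEPT'", "forward 'REJECT'", 1) + """
config zone
	option name 'vlan30'
	option forward 'REJECT'
	list network 'vlan30'
config forwarding
	option src 'vlan30'
	option dest 'wan'
"""

def parse_uci(text):
    """Minimal UCI reader: a list of {'type', 'name', 'options', 'lists'} sections."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        key, args = words[0], words[1:] + ["", ""]   # pad so missing values read as ''
        if key == "config":
            sections.append({"type": args[0], "name": args[1] or None,
                             "options": {}, "lists": {}})
        elif key == "option" and sections:
            sections[-1]["options"][args[0]] = args[1]
        elif key == "list" and sections:
            sections[-1]["lists"].setdefault(args[0], []).append(args[1])
    return sections

def audit(network_text, firewall_text):
    """Return human-readable findings; an empty list means all checks passed."""
    findings, zoned = [], set()
    for sec in parse_uci(firewall_text):
        policy = sec["options"].get("forward", "REJECT").upper()
        if sec["type"] == "defaults" and policy == "ACCEPT":
            findings.append("defaults: forward ACCEPT, so forwarded traffic that no zone "
                            "or forwarding rule matches (e.g. from an unzoned interface) passes")
        elif sec["type"] == "zone":
            nets = sec["lists"].get("network", [])
            zoned.update(nets)
            if policy == "ACCEPT" and len(nets) > 1:
                findings.append(f"zone {sec['options'].get('name')}: forward ACCEPT between "
                                f"its {len(nets)} networks; set REJECT unless intended")
    for sec in parse_uci(network_text):
        if sec["type"] != "interface" or sec["name"] == "loopback":
            continue
        if sec["name"] not in zoned:
            findings.append(f"interface {sec['name']} is assigned to no firewall zone")
        addr = sec["options"].get("ipaddr")
        if addr and not ipaddress.ip_address(addr).is_private:
            findings.append(f"interface {sec['name']}: {addr} is not an RFC 1918 address")
    return findings

if __name__ == "__main__":
    for label, pair in (("as posted", (NETWORK_AS_POSTED, FIREWALL_AS_POSTED)),
                        ("fixed", (NETWORK_FIXED, FIREWALL_FIXED))):
        print(f"[{label}]", *(audit(*pair) or ["no findings"]), sep="\n  ")
```

Run it as is to see the three findings for the posted pair and none for the fixed pair; to audit a real device, read the two files from `/etc/config/` into the two text arguments. The `defaults` check is the one that matters most here: that policy is what applies to forwarded traffic from an interface that belongs to no zone, which is why adding the zone and turning the global forward to REJECT go together.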

Oh, thanks in advance, that helped. What model of switch do you recommend?

Take a look at this thread (from the entry point at comment 4 and down):


One issue you have here is that the global forward rule is set to ACCEPT. Basically, this almost disables the firewall, hence one of the reasons I see why it can ping everywhere. Also, for every new zone you create after this change it is best to set forward to reject :+1:

Now for vlans:

It's tedious work and can be quite intimidating for a beginner, but I think it is best to explain what tagged and untagged mean.

Untagged means destination port, or maybe think of it as the default VLAN for that port (although you can have multiple untagged VLANs, only one gets chosen by the PVID and the rest get dropped, meaning after the port is reached the untagged packet doesn't traverse further).

Tagged means you send multiple VLANs over one port, and they can later be defined by another router/switch as untagged traffic. This can be combined with untagged ports and can even traverse past the destination port.

Now to your topology:

So in your router, under bridge VLAN filtering:

Let's say you want the default VLAN on all ports; then you use:

port 1, port 2, port 3, port 4, port 5 all untagged, and you select the primary VLAN checkbox on all ports. You can also unselect it, but then you have to change the interface device of lan to br-lan.1. Done.

Let's say you want VLAN ID 30 on port 3, and on the switch untagged on port 3:

You add a new row and type VLAN ID 30; on port 3 you use tagged and on all others you ignore.

Now on the switch:

You create a new VLAN with ID 30: port 1 is tagged, port 3 untagged.

Now you wonder why port 1 is tagged? Simply said:
the switch already untags 1 as the primary VLAN, and you can basically only have one untagged VLAN, so to combine VLANs you use tagged 30. And why port 3 untagged? Port 3 now has default VLAN 30. Now you only have to set the PVID on the switch port as well.

If you ever wish to add another switch you use tagged VLANs there again in the same way. If that was VLAN 2: port 1 tagged, port 3 tagged, etc., and on switch 2 you choose a port to untag it, with port 1 tagged. It becomes the same cycle :slight_smile:.

I hope this kind of makes sense :stuck_out_tongue:. It's hard to understand at first but it is really easy once you know it; then you can focus more on things like VLAN hopping if that worries you.

Edit

I figured you only have one port, then just use untagged 1 primary on port 1 and VLAN 30 as tagged on port 1 rather than port 3 on the router; then my example matches your topology more closely :+1:

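The reply above (and its edit for the one-port router) boils down to one rule: on the trunk, exactly one VLAN is carried untagged and is that port's PVID, every other VLAN is tagged, and each access port is an untagged member of exactly one VLAN, which is also its PVID. The following is an added example, not code from the thread or from OpenWrt: it derives, from a single VLAN plan, both the TL-SG105E 802.1Q table with the PVID each port needs and the OpenWrt `bridge-vlan` sections for a router whose bridge has a single port, and it flags what is wrong with the switch table posted at the top of the thread, where VLAN 1 still spans all five ports untagged. The port numbers, VLAN names and the plan itself are assumptions for the example.

```python
"""Added example, not code from the thread: derive, from one VLAN plan, both
the TL-SG105E 802.1Q table (with the PVID each port needs) and the OpenWrt
bridge-vlan sections for a router with a single LAN port, and flag the
leak in the table posted above: an access port left as untagged member of
more than one VLAN.  Port numbers, VLAN names and the plan are assumptions;
the rule 'one VLAN untagged on the trunk, all others tagged' follows the reply."""

TRUNK = 1              # switch port cabled to the NanoPi's only LAN port
ROUTER_PORT = "eth1"   # that LAN port, as a member of br-lan on the router
NATIVE_VLAN = 1        # the single VLAN carried untagged on the trunk (its PVID)
PLAN = {               # VLAN id -> (interface name, access ports on the switch)
    1: ("lan", [4, 5]),
    20: ("vlan20", [2]),
    30: ("vlan30", [3]),
}

def switch_table(plan, trunk=TRUNK, native=NATIVE_VLAN):
    """802.1Q rows {vid: {'tagged': [...], 'untagged': [...]}} plus {port: PVID}.
    Access ports are untagged in exactly one VLAN, which is also their PVID."""
    rows, pvid = {}, {}
    for vid, (_, access) in plan.items():
        tagged = [] if vid == native else [trunk]
        untagged = sorted(access + ([trunk] if vid == native else []))
        rows[vid] = {"tagged": tagged, "untagged": untagged}
        for port in untagged:
            pvid[port] = vid
    return rows, pvid

def router_uci(plan, port=ROUTER_PORT, native=NATIVE_VLAN):
    """/etc/config/network fragment: bridge VLAN filtering on br-lan, the native
    VLAN untagged with PVID ('u*'), every other VLAN tagged ('t') on the one port.
    Addresses and proto for each interface are left to the reader."""
    out = ["config device", "\toption name 'br-lan'", "\toption type 'bridge'",
           f"\tlist ports '{port}'", ""]
    for vid, (name, _) in plan.items():
        out += ["config bridge-vlan", "\toption device 'br-lan'", f"\toption vlan '{vid}'",
                f"\tlist ports '{port}:{'u*' if vid == native else 't'}'", "",
                f"config interface '{name}'", f"\toption device 'br-lan.{vid}'", ""]
    return "\n".join(out)

def leaks(rows):
    """Ports that are untagged members of more than one VLAN.  Such a port
    receives frames from each of those VLANs with the tag stripped, so the
    host behind it is not isolated from the others, whatever its PVID."""
    member = {}
    for vid, row in rows.items():
        for port in row["untagged"]:
            member.setdefault(port, []).append(vid)
    return {port: sorted(vids) for port, vids in member.items() if len(vids) > 1}

# The table as posted for the TL-SG105E: VLAN 1 still spans ports 1-5 untagged.
POSTED_TABLE = {
    1: {"tagged": [], "untagged": [1, 2, 3, 4, 5]},
    20: {"tagged": [1], "untagged": [2]},
    30: {"tagged": [1], "untagged": [3]},
}

if __name__ == "__main__":
    rows, pvid = switch_table(PLAN)
    print("switch rows:", rows, "\nPVIDs:", pvid, "\nleaks in posted table:", leaks(POSTED_TABLE))
    print(router_uci(PLAN))
```

Running it prints the rows to enter in the switch's 802.1Q VLAN page, the PVID to set per port on the PVID page (the step the reply says is still needed), and the `bridge-vlan` fragment for the router, where the native VLAN's interface uses `br-lan.1` rather than bare `br-lan`. On the posted table, `leaks` reports ports 2 and 3 as untagged in VLAN 1 as well as in VLAN 20 and 30 respectively: those ports have to be removed from VLAN 1 before the VLANs are separate.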
