Question about vlan hopping in OpenWrt


I have a question about vlan hopping and how to prevent such misconfiguration.

So im using a switch a tp-link sg1016de, the default vlan ids is 1 on the switch, and on the access port I have a OpenWrt router being setup as dumbap.

Vlan 50 is tagged and is for wlan0.

So basically I have 1 as untagged traffic, and 50 as tagged from the switch.

Now my questions:

From what I can find also on the tp-link forums they say I can better set vlan 1 as not a member in the switch, but if I do that the dumbap have no managed internet for opkg etcetera, is this the good way to work around the hopping ?, Or can I tag vlan 1 instead of untagged on that port?, Or should I make a complete new tagged vlan for management?

Note I have not put the wan port of the router in the br-lan bridge because I want it for management purpose, does that mean the switch in the router isolates vlan 1 from vlan 50?

And if I use the untagged ports in a switch to another switch, like trunking 3 vlans with one default untagged vlan id 1, to a other switch does it make it still vulnerable to the clients behind the second switch if the second switch does not untag the default id?

Im trying to understand this correctly I think im making it more complicated than it is.


Ideally you should avoid native vlans and set any access ports accordingly to not expect tagged frames.
Avoid using vlan1 and if there is some native vlan, make it something bogus, like 999 and not assign that anywhere.

1 Like

So if I want to use vlan 50, 51, 52 from the switch to the dumbap router, I could better use the dumb ap routers lan ports to for each use a cable in a untagged port in the switch considering I also should break up the bridge in the dumbap?

And basicly avoid any trunks or did I misunderstood?

Misunderstanding, use a trunk with all the vlans and not use native vlan. If you must use a native vlan, assign something not used anywhere else.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.