Separate modem and router, can't PPPoE

Thanks for bearing with me, @moeller0.

I must be doing something wrong, because rather than being the occasional annoyance, the trunked link just doesn't work at all: I always need an additional ethernet cable to be able to log into the modem's GUI.

In the following, when I say VLAN N, I always mean vid N. The internal VLAN numbering order in the config is never mentioned in this discussion.

What I meant to do (and thought I did):

  • VLAN 5 is bridged to dsl0 and travels on the WAN port, untagged
  • VLAN 1 is the main LAN for the modem, disconnected from the dsl0 bridge, travels on the LAN1-LAN4 ports. I use this for GUI logins.
  • Additionally (and here's the puzzle), I added VLAN 1 on the WAN port, tagged. This specific link doesn't seem to work. The main router has matching settings: VLAN 1 is the main one, with most home devices connected to it, and is untagged on all but trunk ports. The trunk port that gets connected to the modem has VLAN 5 untagged (for PPPoE) and VLAN 1 tagged (for GUI access/DHCP/DNS/NTP, since the modem's LAN side is just an ordinary DHCP client).

In short: Everything works fine as long as I keep an additional cable connected from one router-LAN port to one modem-LAN port. If I disconnect this "normal" connection and rely on the trunk from router-modemTRUNK port to modem-WAN, the music stops. The PPPoE session goes on undisturbed (so VLAN 5 keeps coming through), but I lose access to the GUI, no ping etc.

Could it be a firewall issue? On the modem, I disabled all firewall traffic rules and severed the connection between LAN and WAN zones; but eth0.1 is in the LAN zone, so that shouldn't block anything as I understand it.

I'm pasting the relevant part of the modem's /etc/config/network file in case I blundered on some obvious switch/interface setting.

root@modem:~# cat /etc/config/network

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'dhcp'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xx:xx:xx:xx:xx:dc'

config interface 'wan'
        option ifname 'dsl0'
        option proto 'pppoe'
        option ipv6 '1'
        option username 'XX'
        option password 'YY'
        option auto '0'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr 'xx:xx:xx:xx:xx:dd'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 4 5t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'
        option vid '5'

config interface 'modem'
        option proto 'none'
        option ifname 'dsl0 eth0.5'
        option type 'bridge'
        option delegate '0'

How did you build your own LAN bridge? I don't understand the

option ifname 'eth0.1 eth0.2'

bit in the lan section. I'm just using eth0.1 as LAN, only it's tagged on one port and untagged on all the others, and it doesn't work (the port where VLAN1 is tagged won't actually carry it).

I'll post a solution if I find it.

The CPU ports should be tagged. The user ports (connected to devices that don't understand tagging) must be untagged, and only in one VLAN. Having any port set up as untagged and tagged at the same time generally will not work.

In your case since you want (I think) to emit packets with a tag of 5 on the Ethernet cable, that means the corresponding connection to the CPU will also be ethX.5 not ethX.2. The vlan 2 becomes only an internal number to the switch, the index into its table of VLANs. When you add a vid, that number is the one that will be placed in the packet tags. (In other words, if vid is not set, it defaults to vid = vlan).

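The tagging rules from the reply above, run as a lint over the two switch_vlan sections of the posted config. This is an added example, not part of the thread: `lint_switch_vlans` is a hypothetical helper, and it assumes port 6 is the CPU port and eth0 the CPU netdev, as that config suggests.

```shell
# Added example, not from the thread. Assumptions: swconfig-style UCI syntax,
# CPU port number passed as $1, CPU netdev named eth0 as in the posted config.
# Constructed sample: the two switch_vlan sections from the config posted above.
SAMPLE="config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 4 5t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'
        option vid '5'"

# Usage: lint_switch_vlans CPU_PORT < /etc/config/network
lint_switch_vlans() {
  awk -v cpu="$1" -v q="'" '
    function end_section(   i, n, p, port, tag, id) {
      if (!insec) return
      id = (vid != "") ? vid : vlan   # no vid set: the tag equals the vlan index
      n = split(ports, p, " ")
      for (i = 1; i <= n; i++) {
        port = p[i]; tag = sub(/t$/, "", port); seen[port] = 1
        if (tag) tagged[port] = tagged[port] " " id
        else untagged[port] = untagged[port] " " id
        if (port == cpu) print "INFO cpu-if eth0." id (tag ? "" : " (CPU port untagged)")
      }
      insec = 0; vid = ""; vlan = ""; ports = ""
    }
    /^config / { end_section(); insec = ($2 == "switch_vlan"); next }
    insec && $1 == "option" {
      split($0, f, q)                 # f[2] is the quoted value
      if ($2 == "vlan") vlan = f[2]
      if ($2 == "vid") vid = f[2]
      if ($2 == "ports") ports = f[2]
    }
    END {
      end_section()
      for (port in seen) {
        if (port == cpu) continue
        nu = split(untagged[port], u, " ")
        if (nu > 1) print "WARN port " port " untagged in several VLANs:" untagged[port]
        if (nu >= 1 && tagged[port] != "")
          print "WARN port " port " untagged in" untagged[port] " and tagged in" tagged[port]
      }
    }'
}
printf '%s\n' "$SAMPLE" | lint_switch_vlans 6
```

On the sample it reports the CPU-side interfaces as eth0.1 and eth0.5 (named after the vid, not the internal vlan index) and warns that port 5 is untagged in VLAN 5 while tagged in VLAN 1.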

Well, I use both VLAN2 and VLAN7 on the cable between router and BTHH5A, the VLAN7 traffic is bridged to dsl0.7, and VLAN2 is bridged to the BTHH5A's LAN, so I never send untagged traffic from the router to the HH. See

config interface 'WAN4BTHH5A'
	option proto 'static'
	option ipaddr '192.168.100.2'
	option netmask '255.255.255.0'
	option ifname 'eth1.2'

where I package data for the HH's LAN section into VLAN2 on the router's WAN interface.

This is why I bluntly created dummy VLANs, today I would just configure things without the GUI and would not need that clutch...

Here is how that looks in the GUI on the BTHH5A, again today I would not do it that way... but since it works I just do not see the need to change it....

Thanks again for all the info and the advice. I'm keeping up with experiments and research. That's my kind of study practice and your help/encouragement is important.

I think I solved at least half of the problem. Now I got to manage trunking VLAN5 (for PPPoE) and VLAN1 (for UI/ssh) on the same BTHH5 modem port - namely I'm using the WAN port.

What changes were necessary? I needed to have both VLANs tagged. As it was, with VLAN5 untagged, it never worked. Strange, as I've been able to mix tagged VLANs with one untagged VLAN on the same port in all other use cases. Well, whatever.

However, I'm still left with a small nagging issue. I think this is a trivial misunderstanding on my side. The problem is, the modem LAN interface and the router LAN interface are on the same subnet. This way, the modem is just an ordinary DHCP/DNS client as far as the router is concerned. But now, if I plug any LAN cable besides the WAN one, the modem becomes unreachable (I suspect a loop). I probably just can't have the modem LAN and the router LAN on the same subnet, can I?

@moeller0 I was confused by your /etc/config/network lines containing _orig_ifname and _orig_bridge, which made it look as if something different were happening. I later learned those lines are ineffective remnants of old LuCI configs. Those doubts are cleared now.

Ah, I think I tried that first also, unsuccessfully.

That is why I put the Modem on 192.168.100.1, and the router stays on 192.168.1.1, so that way the WAN4BTHH5A's 192.168.100.2 will not be confused with anything internal.
Note I do not use any of the BTHH5A's LAN ports at all, and it is also not connected to the internet (so to update I copy a firmware file to /tmp and sysupgrade via ssh).

I actually hoped I could use the modem's LAN ports as a switch for more LAN devices, but I think I'm better off forgetting about that. THANK YOU @moeller0!

EDIT More info for the active pursuers. Now that the plain LAN (on VLAN1) comes through the trunk link, DHCP works and the modem is able to get an IP address in the router's LAN subnet, but for some reason DNS doesn't go through the router, so external addresses (like google.com) are resolved, but internal addresses (like nas01 or nas01.lan) aren't. Even finding out which DNS server is actually answering the queries isn't trivial, since /etc/resolv.conf just points to 127.0.0.1.

Now that you have it set up correctly to bring the LAN to the modem via a separate VLAN, you could configure the modem's switch to switch that to the other Ethernet ports.

To have your OpenWrt lan device able to use a different DNS on the lan to find lan hosts, you need to modify the dhcp config, specifically turn off rebind protection and comment out option local '/lan/'

But it seems a bad idea to initiate a connection to anything from the modem's management interface. I agree with @moeller0 to put it on a special subnet and only access into it when needed to check status or upgrade.

As it is now, I can't actually. The same VLAN is present (alone and untagged) on the other modem Ethernet ports, but as soon as I plug anything in, the modem becomes unreachable, and the router soon becomes unreachable too. Things stay frozen until I disconnect the cable. I suspect a loop is formed and the feedback makes the two switches go mad. I tried to make a dummy bridge on the modem side, with only eth0.1 on it and STP enabled, but it isn't enough to avoid the freeze. I won't impose STP on the router side anyway: it seems too costly.

Following your advice worked nicely! Thanks @mk24 :)
I had figured to remove the /lan/ reference, but rebind protection was still on.

Indeed. To my partial excuse, I only wanted to be able to ping local devices, or maybe backup stuff to the NAS without hardcoding name-IP translations in /etc/hosts.

But there must be a reason why all the experts advise to keep the modem's LAN subnetwork separated from the router's... maybe more than one reason, as I'm slowly finding out!

My practical problem is solved, but I always manage to find new related questions. The help I'm getting in this thread is a real teaching aid. This forum is amazing. Thank you.
