Setting up VLANs - how to add wan to a tagged port

Hello everyone,

I use a TL-WDR4900v1 with up-to-date openwrt and DSA.

My setup: I have a default wan port and 4 lan ports and wifi. The wan port connects to another router and network, untagged, so not vlan-aware, classic wan situation, and openwrt is configured to get a DHCP address. The 4 lan ports are all bridged together by default in br-lan, as it should be, so L2 communication works, and openwrt is their router, provides DHCP etc. Wifi is also using lan interface.

What I want: I want a vlan-aware system connected to a specific lan port, let's say lan4, to have direct access to the wan network via a tagged vlan. So I want in a most basic form:

  vlan \ port | lan1 | lan2 | lan3 | lan4 | wan
 -------------+------+------+------+------+-----
     1        |      |      |      |  t   |  u
     2        |  u   |  u   |  u   |  t   |   
 ... potentially more vlans

As an optional bonus, but not the main point of this question: I'd be happy to also be able to configure a VLAN for Wifi that gives direct ("untagged") access to the upstream wan, like a dumb AP for the upstream net, as well as a separate VLAN for internal-only wifi.

What I think I should do: Can I add wan to br-lan, enable VLAN filtering and declare it as, e.g., 1u, without interfering with upstream DHCP? Can I then set lan1-3 to 2u, so they are correctly separated from wan? Then add lan4 as tagged to both VLANs, so the connected machine has direct access to the upstream wan via VLAN 1 and could, e.g., get a DHCP address from the upstream DHCP server? How do I do this in OpenWrt?

In configs:

  • add list ports 'wan' to br-lan config device in /etc/config/network.
  • add the following to /etc/config/network
# OP's proposal: VLAN 1 = upstream (wan untagged, lan4 tagged),
# VLAN 2 = internal lan (lan1-3 untagged, lan4 tagged).
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'wan:u'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:u'
	# lan4 is tagged in both VLANs but gets no PVID ('*') here, so untagged
	# ingress frames from lan4 would have no VLAN to land in on a filtering
	# bridge; the final config below uses 'lan4:t*' instead.
	list ports 'lan4:t'
# NOTE(review): this alone leaves 'config interface wan' on the raw port
# device 'wan'. Once that port is enslaved to br-lan the DHCP client has to
# move to the bridge VLAN device (br-lan.1) for the upstream lease to work.

My question: Is this correct? How can I achieve this in openwrt? Is it doable via LuCI (I am by no means afraid of CLI, just want to know)?

My config files: should be pretty much default. I just disabled IPv6 on the downstream lan (can I safely delete option ip6assign in config interface 'lan'?) and undid all unneeded changes for this test.

#/etc/config/network
# Default OpenWrt DSA layout before the change: the four lan ports bridged
# in br-lan, the wan port standing alone as an L3 DHCP client.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# redacted IPv6 ULA prefix
	option ula_prefix 'xxxxx'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	# IPv6 disabled on the bridge device itself
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	# ip6assign/delegate are still present although IPv6 is disabled on
	# br-lan above; presumably inert in that state (OP asks about removing it)
	option ip6assign '60'
	option delegate '0'

config device
	option name 'wan'
	# redacted; pins the MAC the upstream network sees on the wan port
	option macaddr 'xxxxx'

# Upstream DHCP client directly on the physical wan port (not yet bridged).
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'phy0-ap0'
	option ipv6 '0'
#/etc/config/wireless
# Two radios (radio0 5 GHz, radio1 2.4 GHz), each with one WPA2-PSK AP
# attached to the 'lan' network; channel, country, ssid and key are redacted.

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'ffe09000.pcie/pci9000:00/9000:00:00.0/9000:01:00.0'
	option channel 'xxx'
	option band '5g'
	option htmode 'HT40'
	option cell_density '0'
	option country 'xx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'ffe0a000.pcie/pcia000:02/a000:02:00.0/a000:03:00.0'
	option channel 'x'
	option band '2g'
	option htmode 'HT40'
	option country 'xx'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'xxxxx'
	# WPA2-PSK with a redacted passphrase
	option encryption 'psk2'
	option key 'xxxxx'
	# joins the lan bridge, so wifi clients share the lan network
	option network 'lan'
	# hostapd knob that stops EAPOL key retries, commonly set as a KRACK
	# work-around
	option wpa_disable_eapol_key_retries '1'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'xxxxx'
	option encryption 'psk2'
	option key 'xxxxx'
	option wpa_disable_eapol_key_retries '1'
	# same lan network as wifinet0
	option network 'lan'
#/etc/config/dhcp
# dnsmasq (DNS + DHCPv4 for lan) plus odhcpd; the DHCP server is explicitly
# disabled toward wan.

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# rebind_protection drops upstream DNS answers that point at private
	# ranges (DNS-rebinding defence); rebind_localhost exempts 127.0.0.0/8
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# only answer DNS queries from directly attached subnets
	option localservice '1'
	option ednspacket_max '1232'
	# strip AAAA answers; consistent with IPv6 being disabled downstream
	option filter_aaaa '1'

config dhcp 'lan'
	option interface 'lan'
	# leases 192.168.1.100-199 (lan is 192.168.1.1/24), 12 h lifetime
	option start '100'
	option limit '100'
	option leasetime '12h'
	option dhcpv4 'server'

# No DHCP server toward upstream. This keys on the logical interface 'wan',
# so it keeps applying when that interface is later moved onto br-lan.1.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
#/etc/config/firewall
# Stock OpenWrt fw4 policy: lan trusted, wan untrusted with NAT. These zones
# only see routed traffic; frames bridged at L2 inside br-lan (such as the
# lan4 <-> wan VLAN in the setup discussed here) are not filtered by this
# firewall by default.

config defaults
	option syn_flood '1'
	# anything not matched by a zone or rule is rejected
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	# bound to the logical interfaces, so the zone stays correct when their
	# devices change (e.g. wan -> br-lan.1); wan6 is listed although IPv6 is off
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# NAT lan -> wan and clamp TCP MSS to the path MTU
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below are the OpenWrt defaults for an untrusted wan zone.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Default rules that forward unsolicited IPsec (ESP and IKE on UDP 500) from
# wan into lan. Only needed if a lan host terminates IPsec; otherwise they
# can be removed to shrink the exposed surface.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Thanks in advance

You don't need a tagged VLAN to do this.
Assuming wan has already been added to br-lan:

# Reply's untagged variant. Note the VLAN numbering is the reverse of the
# OP's table (here VLAN 1 = lan, VLAN 2 = wan + lan4), and lan4 is untagged
# in VLAN 2 only, so it cannot also reach the lan VLAN as the OP wanted.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'wan'
	list ports 'lan4'

# Once wan is a bridge member port, the L3 interfaces move to the bridge's
# VLAN devices instead of the raw ports.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'br-lan.2'
	option proto 'dhcp'
# NOTE(review): not covered here - the 'wan6' interface (still on device
# 'wan') and the MAC pinned on the wan port; br-lan.2 would otherwise present
# the bridge's MAC upstream unless a 'config device' for it sets macaddr.

Yes, it is (doable via LuCI as well).

Just create a new wireless interface and attach it to the wan network. Be aware that clients of that SSID are then bridged straight into the upstream segment at L2, bypassing this router's firewall, so only do that where both the upstream network and those clients are trusted.


Thanks for your reply. At first I didn't use the br-lan.1 device for the wan interface; doing that works like a charm (although I am wondering why I can't use wan directly anymore - presumably because, once the port is a bridge member, the bridge rather than the port handles its traffic). I also needed to create a new config device for br-lan.1 to set its MAC to the same as wan. After that, and with tagging, everything runs smoothly as it should.

I do need tagging as I have a vlan-aware system on lan4 which should have access to multiple vlans.

My final /etc/config/network for future reference:

# Final working config: VLAN 1 = upstream (wan port untagged, lan4 tagged),
# VLAN 2 = internal lan (lan1-3 untagged, lan4 tagged + PVID).
# ('#' comments are dropped by uci on commit / LuCI save.)
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# redacted IPv6 ULA prefix
	option ula_prefix 'xxxxx'

# wan is now a member port of br-lan: its frames are handled by the bridge,
# which is why the raw 'wan' device can no longer carry the L3 DHCP client.
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# Internal lan lives on VLAN 2 of the bridge.
config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

config device
	option name 'wan'
	# redacted; MAC of the physical port. Upstream now sees br-lan.1 (below),
	# so this entry presumably only matters if both carry the same value.
	option macaddr 'xxxxx'

# Upstream DHCP client on VLAN 1 of the bridge.
config interface 'wan'
	option device 'br-lan.1'
	option proto 'dhcp'

# NOTE(review): still bound to the raw port 'wan', unlike 'wan' above. As a
# bridge member that device carries no L3 traffic, so DHCPv6 cannot work
# here; harmless while IPv6 is disabled, but 'br-lan.1' would be consistent.
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'phy0-ap0'
	option ipv6 '0'

# VLAN 1: upstream. Frames between lan4 (tagged VID 1) and the wan port are
# bridged at L2 and are not filtered by the lan/wan firewall zones, so the
# host on lan4 sits directly on the upstream segment. lan4 is therefore a
# trust boundary: any device on it that can emit 802.1Q frames with VID 1
# gets the same access.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan4:t'
	# no suffix = untagged + PVID ('u*') on the wan port
	list ports 'wan'

# VLAN 2: internal lan. The '*' makes VID 2 the PVID of lan4, so untagged
# frames from lan4 land in lan instead of being dropped.
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t*'

# Explicit 8021q device for VLAN 1 so its MAC can be pinned to the value the
# upstream network already knows (the OP needed this; presumably for DHCP
# lease continuity). Without it the VLAN device would inherit the bridge MAC.
config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option macaddr 'xxxxx'
