Setting up VLAN's on pi CM4 Router and a managed switch

melissa · May 10, 2022, 6:01pm

I have been using openwrt on my Pi CM4 with the dfrobot iot router board, it has two Ethernet ports, the built in CM4 one, and a RTL8111, using the router normally works fine however I have not been able to figure out how to set up VLAN's to have separate firwall rules on the different ports of my managed switch.

I am using an Aruba HP-2530-8G-PoEP, I have tried following multiple guides and I am not sure if I am either configuring openwrt incorrectly, or if I am failing to configure the VLANs on the router.

ETH0 is my WAN port which is connected to my main home router, and ETH1 is where I am trying to set up VLAN's and it is connected to my switch.

I am trying to have VLAN 1 be my generic LAN on all the untagged ports with an ip of 192.168.2.1 and I would like to set up VLAN 10 to be running on 192.168.3.1 on one of the switches ports, I set up port 7 on the switch to be VLAN 10, and tried putting at as tagged and untagged but no matter what I do I instantly lose connection as if the ethernet cable is unplugged.

I have tried so many things at this point and am now even more confused about configuring VLAN's than I previously was.

Can anyone offer a guidance on where to look next? Thanks

psherman · May 10, 2022, 9:28pm

you'll setup your Pi's network config such that you have

lan: eth1 192.168.2.1/24
lan10: eth1.10 192.168.3.1/24

Then on the switch port to which you are connecting the physical eth1 from the router, you'll set it as a trunk with VLAN1 as untagged/default/PVID/native, and then tagged VLAN10.

On the other switch ports, you'll set the appropriate ports as access ports - that is to say PVID/default/untagged/native for the VLAN you want on a given port.

melissa · May 14, 2022, 12:08am

Yes I tried doing this, however I am still getting no connection, I am wondering if I am making the mistake on the switch side of things.

This is what the settings on my switch look like, I couldn't find any decent guides online for this particular switch

psherman · May 14, 2022, 2:50am

Can you describe the following:

What port connects to the router?
What port(s) should be using vlan 1?
Which ports should be using vlan 10?
What type of devices are connected? Are they typical end devices (computers, set top boxes, game consoles, etc)?

Currently vlan 10 only on port 7 and this doesn’t connect anywhere else. It is also tagged there, and vlan 1 is not present on that port. So there is literally no connectivity expected from that port to anywhere else.

melissa · May 14, 2022, 4:17pm

I will try to describe my set up as thoroughly as possible.

My openwrt router is behind my primary router, my openwrt router has two ports, eth0 and eth1

eth0 is connected to the primary router through the WAN interface,
eth1 connects to a network switch on port 1

I have a LAN interface with an ip of 192.168.2.1
and I want a second LAN2 interface with an ip of 192.168.3.1

I want port 2,3,4,5,6,8 to belong to the LAN interface
and port 7 to belong to the LAN2 interface.

I have my computer connected to port 3 (192.168.2.1) and I want to connect another computer to port 7 (192.168.3.1)

I want LAN to use vlan 1
LAN2 to use vlan 10

now I am assuming my mistake is that port 7 has no access to port 1 (the openwrt router)?

I am thoroughly confused, thanks for the help

psherman · May 14, 2022, 4:19pm

On port 1, you want vlan 1 untagged + vlan 10 tagged.

On ports 2-8 (except 7) you want vlan 1 untagged, nothing tagged

On port 7, you want vlan 10 untagged. Nothing tagged.

melissa · May 14, 2022, 4:25pm

Thanks for the fast reply, I'm not exactly sure how to do that with my switch interface

it lets me add a vlan and select which ports should be tagged/untagged,

melissa · May 14, 2022, 4:28pm

Is this the same as

VLAN1 : tagged: untagged: port 1 ,2 , 3, 4, 5, 6, 8
VLAN10: tagged: port1 untagged: 7

psherman · May 14, 2022, 4:32pm

Yea, I would think so.

melissa · May 14, 2022, 5:07pm

Ok I have locked myself out numerous times.

Assuming the settings on the switch are correct, to add VLANs on the openwrt router, would I simply add a new device configuration for eth1 of type 802.1q for both vlan 10 and 1

Meaning I have two devices eth1.1 and eth1.10

I don’t see any options to do tagging etc, or am I just confused here

psherman · May 14, 2022, 6:19pm

eth1 will be untagged. eth1.10 will be tagged as vlan 10. Simple as that.

kramsac · August 17, 2022, 6:12pm

Very late to the party, but I think the advice given so far may have been incorrect.

VLAN1: Tagged: Port 1. Untagged: All the other ports EXCEPT port 7.
VLAN10: Tagged: Port 1. Untagged: Port 7.