SOLVED - LEDE and VLAN Tagging

Hello,

I have been bumping my head around lately due to LEDE not allowing me to access my tagged VLAN. I want my router to only have the ports WAN and PORT1 as the main use for this router. PORT 3,4 and 5 will be used by my PFSENSE firewall. So my current switch config is this:

VLAN ID1 = CPU-untagged | PORT1-untagged | OTHERPORTS-off
VLAN ID200 = CPU-tagged | PORT2&3-tagged | OTHERPORTS-off
VLAN ID2 = CPU-off | PORT2&4-untagged | OTHERPORTS-off

my PFSENSE wall is configured to spit from LAN the VLAN I will use in the LEDE router (port2). Now, the untagged port 2&4 works, I can use the port 4 and it is not tagged and PFSENSE can be accessed by the device that connects to it.

The problem is with the LEDE's PORT3 (VLAN200): I could not ping the PFSENSE box. Note that the PFSENSE box has VLAN ID200 as DHCP server.

The weird thing is VLAN200 does work with LEDE's interface bridged to a WLAN; devices connected to this WLAN can get the VLAN200 IP range provided by the PFSENSE. Only the port3 won't work with VLAN200!!

I can assure that the port3 is not damaged and I'm sure most of you will say that I should buy a dedicated managed switch for this, but I still hope someone could help me and maybe point me in a possible solution.

If I miss anything I should mention to clearly understand my setup, please do let me know, thank you!

Thank you in advance, experts!

by the way, my LEDE router is a trusty old Buffalo WZR-g300nh on a 17.01.4 r3560

#sorryformybadenglish!

option vid 200

since most switches have a limit on the poorly named vlan UCI option, which works like a table index that happens to default the VLAN tag to the same value.

The CPU must be tagged on all VLANs for it to handle traffic from them.

1 Like

Thanks for your feedback, I have set the CPU to all IDs as tagged and tried again. Unfortunately, the issue is still the same.

I am able to access the VLAN200 using a new interface that is bridged to eth0.200 and WLAN; PFSENSE is serving IPs to connected WiFi devices, but when I connect to PORT3 (VLAN200), no connection, no IP even with static addressing, still can't seem to reach PFSENSE.

As @jeff said, there is a maximum for the table index (option vlan xx)...

You should set vlan to < 16 for your integrated ar7240 switch and set option vid 200

If you do not set vid, the vlan value will be also the vid value.

From the reference manual of AR7240:
The AR7240 supports a maximum of 16 entries in the VLAN table.

1 Like

Since you have control of the other end of the link, it may be simpler to set up your network to have all the VLAN numbers less than 16.

If you really need VLAN 200 on the cable, you will need to edit /etc/config/network directly (not the GUI) and in the section for VLAN 200, have something like

...
option vlan 3 #Internal table reference, must be unique and < 16 for AR7240
option vid 200 # Tag number for the packets

If a section contains only a vlan option, that number will also be used for vid. If a section contains an option vlan that is > 15, that VLAN will not be set up.

1 Like

Thank you for your feedback, unfortunately, still the same!

I changed the VLANID200 to VLANID2 and redid the whole thing. WLAN is still getting to VLANID2 but the physical port3 still cannot, although it is tagged in the switch config.

here is my /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddc:80a2:c588::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.10.1'
        option dns '1.1.1.1'
        option ifname 'eth0.1'

config interface 'wan'
        option ifname 'eth1'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ipaddr '192.168.15.10'
        option gateway '192.168.15.1'
        option dns '192.168.15.1'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'
        option enable_learning '0'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 5t'

config interface 'WFR'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'dhcp'
        option hostname 'CERBERUS.mongoload.loc'
        option type 'bridge'
        option delegate '0'
        option defaultroute '0'
        option ifname 'eth0.2'

config switch_vlan
        option device 'switch0'
        option ports '1t 2t 5t'
        option vlan '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '2 3 5t'

Please, someone, I badly need help :frowning:

What is physically connected to port 2 (that will use VLAN2 or VLAN200)? Is it VLAN aware and is it configured properly?

1 Like

Hi psherman, yes, it is the LAN interface of my PFSENSE box. Untagged, VLANID2.

What drives me nuts is that the newly created interface (named WFR) in LEDE, bridging WLAN and eth0.2, gets DHCP from my PFSENSE box (VLANID2), and WiFi devices connected to WLAN can get IP addresses as well.

here is the current switch config:

#this is working, device in port1 can get IP from LEDE
VLAN ID1 = CPU-tagged | PORT1-untagged | OTHERPORTS-off

#this is half working, port3 doesn't get IP from PFSENSE but the new interface (WFR) in LEDE received a DHCP address from PFSENSE; when WFR is bridged to WLAN, WLAN devices can get IP as well. BUT STILL NOT PORT 3 :frowning:
VLAN ID2 = CPU-tagged | PORT2&3-tagged | OTHERPORTS-off

#this is working, device in port4 can get untagged IP from PORT2 (from PFSENSE as well)
VLAN ID3 = CPU-tagged | PORT2&4-untagged | OTHERPORTS-off

I'll now ask the same question about the device plugged into port 3 -- what is it? Is it VLAN aware and expecting tagged frames? And is it configured properly? If you unplug both devices from the LEDE device ports 2 and 3 and plug them directly together, does the device that was plugged into port 3 work as expected?

1 Like

Hi psherman, the device plugged in port3 is my PC. From what I understand, my PC should be able to get IP from PFSENSE, since the PORT3 is tagged in LEDE as VLANID2, am I right?

WOW, this strikes me so hard! PORT3 should be untagged!!! Thank you psherman!

@mongoload - no, you cannot assume that your PC will get an IP under these circumstances. Most of the time, a standard computer is not configured to be VLAN aware, meaning that if the incoming ethernet frames are tagged, they may be ignored. This is true for most computers (Mac, Windows, Linux) unless they have both VLAN aware hardware and OSes, and are configured to listen for tagged frames from a particular VLAN.

Therefore, try connecting the PFSense box directly to your PC... if it doesn't get an IP address, the problem is not LEDE, but rather your PC.

However, you can address this with your LEDE configuration by assigning port 3 to VLAN 2 as untagged.

Report back on the direct connection experiment and we'll go from there.

3 Likes
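The two rules the thread turns on (jeff's point that `option vlan` is a table index that must be unique and below 16 on the AR7240 while `option vid` is the tag on the cable, and psherman's point that an ordinary PC needs an untagged port) are easy to get wrong by hand. Below is an added example, not code from the thread or from LEDE/OpenWrt: a small POSIX shell checker that reads an `/etc/config/network` and reports, for each `switch_vlan` section, the effective vid and any index, duplicate, or CPU-tagging problems. The port numbering it assumes (GUI PORT1..PORT4 = switch ports 0..3, CPU = port 5) is taken from the posted config; the two embedded sample configs are constructed, one carrying the final layout (tag 200 towards pfSense under index 2, the PC port untagged in that VLAN), the other reproducing the mistakes discussed.

```shell
#!/bin/sh
# Added example, not from the thread: lint the switch_vlan sections of an
# OpenWrt/LEDE /etc/config/network against the rules stated above:
#   - "option vlan" is a table index; on the AR7240 it must be unique and < 16,
#     otherwise that VLAN is not programmed at all
#   - "option vid" is the 802.1Q tag on the cable; it defaults to the vlan index
#   - the CPU port must be tagged ("5t" here) in every VLAN the CPU should see
# Assumed port mapping, taken from the posted config: GUI PORT1..PORT4 are
# switch ports 0..3 and the CPU is port 5.

# usage: check_switch_vlan CPU_PORT < /etc/config/network
# Prints one line per switch_vlan section; exits 1 if any section has an error.
check_switch_vlan() {
    awk -v cpu="$1" -v sq="'" '
    function flush(   i, n, p, vid, err, cputag, status) {
        if (!insec) return
        insec = 0
        vid = has_vid ? vidv : vlanv              # vid defaults to the table index
        err = ""
        if (vlanv == "")          err = err " missing-vlan-index"
        else if (vlanv + 0 > 15)  err = err " vlan-index>15(not-programmed)"
        else if (vlanv in seen)   err = err " duplicate-vlan-index"
        seen[vlanv] = 1
        cputag = 0
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) if (p[i] == cpu "t") cputag = 1
        if (!cputag)              err = err " cpu-port-" cpu "-not-tagged"
        status = (err == "") ? "ok" : "ERROR:" err
        printf "vlan=%s vid=%s ports=[%s] %s\n", vlanv, vid, ports, status
        if (err != "") bad++
    }
    /^config[ \t]/ {                              # a new section closes the previous one
        flush()
        if ($2 == "switch_vlan") { insec = 1; vlanv = ""; vidv = ""; has_vid = 0; ports = "" }
        next
    }
    insec && $1 == "option" {
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", val)   # drop "option <key>"
        gsub(sq, "", val); sub(/[ \t]+$/, "", val)          # strip quotes and trailing blanks
        if ($2 == "vlan") vlanv = val
        else if ($2 == "vid") { vidv = val; has_vid = 1 }
        else if ($2 == "ports") ports = val
    }
    END { flush(); exit (bad > 0) }
    '
}

# Constructed sample: the layout the thread ends with. Tag 200 rides port 1
# (GUI PORT2, towards pfSense) under table index 2, and port 2 (GUI PORT3, the
# PC) is untagged in that VLAN so a non-VLAN-aware host can use it.
GOOD_CONFIG=$(cat <<'EOF'
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '200'
        option ports '1t 2 5t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1 3 5t'
EOF
)

# Constructed sample with the two mistakes discussed in the thread: a table
# index of 200 (never programmed, so no tag 200 on the cable) and a VLAN whose
# CPU port is untagged.
BAD_CONFIG=$(cat <<'EOF'
config switch_vlan
        option device 'switch0'
        option vlan '200'
        option ports '1t 2 5t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1 3 5'
EOF
)

lint_sample() {   # $1 = config text; exit status is the checker status
    printf '%s\n' "$1" | check_switch_vlan 5
}

error_count() {   # $1 = config text; prints the number of ERROR lines
    printf '%s\n' "$1" | check_switch_vlan 5 | awk '/ERROR/ { n++ } END { print n + 0 }'
}

echo "== good sample =="; lint_sample "$GOOD_CONFIG"
echo "== bad sample ==";  lint_sample "$BAD_CONFIG" || echo "checker exit status: $?"
```

On the router itself the checker is run as `check_switch_vlan 5 < /etc/config/network`; the CPU port number is the one that appears as `Nt` in the posted config. The checker cannot know what is plugged into each port, so the untagged-PC rule is only reflected in the good sample, not enforced.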

@mongoload - sounds like it's working now with port 3 untagged. That's great!

Please mark this issue as solved if all is working now.

1 Like
