I have OpenWrt installed on a Ubiqiuti EdgeRouter X and I have Several VLANs configured on my Firewall (1, 10, 20, 100), These VLANs work as expected.
I have created a new VLAN (30). This new VLAN is not functioning at all it seems even though I have Configured VLAN Identically to the other VLANs (Other than the IP Scheme)
My Primary Switch is a TP-Link TL-SG1016PE, and the Vlans are Tagged on this VLAN Identically to the other VLANs, Each port on the switch that has a WAP or Managed switch connected to it is tagged with every VLAN, and Port 16 (Uplink) is also tagged with all the VLANS.
On Port 2 I have attached a TL-SG105E 5 Port Managed Switch, Port 5 is the Uplink Port and the Required VLANS are configured on this switch, Configuring PVID of 20 on Port 4 Works as Expected but when Configuring PVID of 30 on Port 4 We get no communication with that VLAN, I have even tried configuring PVID of port 2 of the Primary switch to 30 and We get no communication, But Setting PVID to 10, or 20 works as expected. This tells me that the issue somehow lies in the configuration of VLAN 30 on the firewall.
On port 3 of the Primary switch is connected a UAP-AC-PRO that I have flashed OpenWrt on, it appears that we are getting no Communication on any VLAN other than VLAN 1, but I want to focus on the firewall side if things at the moment, once Switch configuration for VLAN 30 is working as expected we can focus on the AP.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
I don't see any problems here, but a few comments...
DNS entries in local network interface stanzas don't do anything... you can remove them. (they only have an effect for the upstream/wan network stanza).
If you want those DNS values advertised by the DHCP server, you do this by setting option 6 in the dhcp server settings with these dns severs.
I recommend removing them from all of your local networks -- it will clean up the network file.
Next...
I don't think the above will be a problem, but since you are using bridge-vlans and have br-lan.1 assigned to the Private network and this is untagged on all 4 ports, it is probably best if you remove the device from the above lan network interface stanza.
Next:
All of your networks are assigned to the lan firewall zone and forwarding is allowed on the zone-level rule. Therefore, these networks are not actually isolated from each other. They also all have access to the router itself. I don't know if you intended this, or if you want to prevent this access from some or all of the networks. This isn't a problem at this point, but just something you might want to consider.
Now... let's look at one of your switches... can you make one of the switches have a dedicated 'access' port for the new VLAN30 (untagged + PVID). You'll want the trunk/uplink port to have VLAN30 tagged on that port. Let's see what you have there.
nothing, no communication. Which is Odd, I have a TP-Link AP, an Aruba AP, and an Engenius AP that all function with the tagged VLANS, They are connected to the 16 Port Switch.
Before going further -- have you restarted your router since making these changes? Or restarted the individual services (network, dhcp, firewall)? If not, please do that and test... if that doesn' fix the problems...
Can we disconnect the TL-SG105E from the ER-X port 2 and use it as an access port for VLAN 30? If so... we'll make the following changes:
Temporarily, make VLAN1 tagged on port eth2:
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth1:u*'
list ports 'eth2t'
list ports 'eth3:u*'
list ports 'eth4:u*'
Then make port eth2 untagged+PVID for VLAN30:
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'eth1:t'
list ports 'eth2:u*'
list ports 'eth3:t'
list ports 'eth4:t'
Try that? Does a computer directly connected to port eth2 get an IP?
The router Hasn't been rebooted, but I can restart services, there are users actively using the network, I have made Port 2 an access port and we are getting IP addressing, I'm going to reboot the 5 port switch and test it again.
