[Solved] VLAN Tagging - ar71xx vs ath79

Good morning.

I'm running OpenWRT on an Archer C7 V2 as an AP (with OpnSense as my router/firewall). On my 2.4G band, I have 2 SSIDs: one for regular LAN without a VLAN, and one for my IoT devices with a VLAN tag (to keep my IoT devices separate from the rest of the network). I have set up the switch where both eth0 and LAN1 (the feed to my OpnSense box) have a VLAN tag of 50.

When I ran 18.06.4, my setup worked just fine: devices looking to my IoT SSID were on the separate VLAN. However, when I use the new 19.07-RC1 or even build my own firmware from Master, I'm noticing that the IoT devices are starting to have IP addresses on my regular LAN, even though the devices say they're connected to my IoT SSID.

I've even done a factory reset, reinstalled and set up again from scratch but it seemed to continue to be an issue. For now, I've forced my IoT devices to have a Static IP address to stay on the separate VLAN and it seems to be working.

Is anyone else running into issues with VLANs with the new 19.07 release?

Thanks.

Post your current config files.

Tagged and untagged packets on the same port is tricky and not recommended. Tag each network with its own unique VLAN number.

Running swconfig dev switch0 show can be helpful as it will show the configuration actually loaded into the switch chip.


/etc/config/network:


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc1:5a24:b1c4::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        list dns '192.168.1.1'
        option gateway '192.168.1.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 1'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2t'
        option vid '50'

config interface 'VLAN_50'
        option proto 'static'
        option ifname 'eth1.50'
        option type 'bridge'

/etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option channel '161'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key '<redacted>'
        option ssid 'Mustang_5G'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option htmode 'HT20'
        option channel '6'
        option path 'platform/ahb/18100000.wmac'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Mustang'
        option encryption 'psk2'
        option key '<redacted>'

config wifi-iface 'wifinet2'
        option ssid 'Mustang_IoT'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option key '<Redacted>'
        option network 'VLAN_50'

swconfig dev switch0 show:

Global attributes:
	enable_vlan: 1
	ar8xxx_mib_poll_interval: 0
	ar8xxx_mib_type: 0
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	mirror_monitor_port: 0
	mirror_source_port: 0
	arl_age_time: 300
	arl_table: address resolution table
Port 0: MAC f8:59:71:62:55:34
Port 0: MAC a4:2b:b0:a5:1b:55
Port 0: MAC dc:a2:66:60:72:9b
Port 0: MAC 78:fd:94:17:c7:0d
Port 0: MAC 74:40:bb:c9:b9:1f
Port 0: MAC 84:0d:8e:5d:93:c9
Port 0: MAC 80:7d:3a:36:99:8c
Port 0: MAC 80:7d:3a:70:12:23
Port 0: MAC 14:c2:13:1c:68:6e
Port 0: MAC 54:9f:13:df:e2:fa
Port 0: MAC c8:85:50:0d:04:19
Port 0: MAC b8:2c:a0:07:bf:8c
Port 0: MAC b8:2c:a0:07:bf:81
Port 0: MAC b8:e8:56:39:45:82
Port 2: MAC 00:0a:cd:2b:6f:1e
Port 3: MAC 68:5b:35:8e:18:6d
Port 6: MAC a4:2b:b0:a5:1b:56

	igmp_snooping: 0
	igmp_v3: 0
Port 0:
	mib: ???
	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:0 link:up speed:1000baseT full-duplex txflow rxflow 
Port 1:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 2
	link: port:1 link:down
Port 2:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:2 link:up speed:1000baseT full-duplex txflow rxflow auto
Port 3:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:3 link:up speed:1000baseT full-duplex txflow rxflow eee100 eee1000 auto
Port 4:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:4 link:down
Port 5:
	mib: ???
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:5 link:down
Port 6:
	mib: ???
	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:6 link:up speed:1000baseT full-duplex txflow rxflow 
VLAN 1:
	vid: 1
	ports: 0t 2 3 4 5 
VLAN 2:
	vid: 2
	ports: 1 6t 
VLAN 3:
	vid: 50
	ports: 0t 2t 

To be honest, I haven't touched the VLAN setup on the switch other than to add the one VLAN. If I were to tag my regular LAN traffic, would I just need to add a tag to each of the ports as well as eth0 and eth1?

Sorry for the noob questions. Thanks.

  • You have no IPs configured on VLAN 50.
  • And you have VLAN 1 untagged and VLAN 50 tagged on port 2 (I think that was already noted)

Each port can be changed independently on openwrt. You need to add "t" to the port option. And then change OpnSense to use vlan 1 tagged.

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2t 3 4 5'
        option vid '1'
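
The mixed tagged/untagged condition discussed above can be checked mechanically before relying on a VLAN to keep IoT devices off the LAN. This is an added example, not code from any poster in this thread: a shell/awk function that reads `switch_vlan` sections in the `/etc/config/network` format and lists every port that is untagged in one VLAN and tagged in another. The names `mixed_ports`, `original_cfg` and `fixed_cfg` are hypothetical; the sample input reproduces the VLAN 1 and VLAN 50 sections posted in the thread.

```shell
#!/bin/sh
# Added example: report switch ports that carry both tagged and untagged VLANs.
# Input: UCI "config switch_vlan" sections on stdin.
mixed_ports() {
    awk -F"'" '
    # Record the ports of the section just finished, keyed by port number.
    function flush(   i, n, p, id) {
        if (!in_vlan) return
        id = (vid != "") ? vid : vlan        # fall back to the table index
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) {
            if (p[i] ~ /t$/) { sub(/t$/, "", p[i]); tag[p[i]] = tag[p[i]] " " id }
            else untag[p[i]] = untag[p[i]] " " id
        }
        in_vlan = 0
    }
    { split($1, k, " ") }                    # k[1]=keyword, k[2]=name; $2=quoted value
    k[1] == "config" { flush(); in_vlan = (k[2] == "switch_vlan"); ports = vid = vlan = ""; next }
    in_vlan && k[1] == "option" && k[2] == "ports" { ports = $2 }
    in_vlan && k[1] == "option" && k[2] == "vid"   { vid = $2 }
    in_vlan && k[1] == "option" && k[2] == "vlan"  { vlan = $2 }
    END {
        flush()
        for (port in untag) if (port in tag)
            printf "port %s: untagged vid%s, tagged vid%s\n", port, untag[port], tag[port]
    }'
}

# Sample input: the VLAN 1 and VLAN 50 sections as first posted in the thread.
original_cfg() { cat <<'EOF'
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2t'
        option vid '50'
EOF
}

# The same sections with port 2 tagged in VLAN 1, as suggested in the reply above.
fixed_cfg() { original_cfg | sed "s/'0t 2 3 4 5'/'0t 2t 3 4 5'/"; }

original_cfg | mixed_ports    # flags port 2
fixed_cfg | mixed_ports       # prints nothing
```

On the router itself the same function can be run as `mixed_ports < /etc/config/network`.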

I think I get it. By tagging ports 0 and 2 with VLAN1, we're saying the main 2.4G will be tagged with VLAN 1 tag and the tagged VLAN traffic will flow to my OpnSense box because port 2 is the connection between OpenWRT and OpnSense. Is that correct?

Not exactly, "0t" means VLAN1 is tagged on eth1, i.e. eth1.1. (With wifi you use multiple SSIDs instead of tags.)

Just trying to understand why we need a tag on port 2 as well. Port 2 is my first switch port which feeds back into OpnSense. I'm guessing tagging port 2 is to tell OpenWRT to tag the traffic to the box with VLAN1? That way, I can set my LAN to VLAN1 and separate it from my IoT network (VLAN50).

What is the purpose of VLAN 2 for the other radio? Do I need to set up a VLAN tag for that radio as well? Only complication I have is that Google Fiber wants WAN traffic tagged as VLAN2 and I don't want any issues to occur.

Thanks for your help and for putting up with my noob questions.

The IoT network bridge (now "VLAN_50", but it is conventional and highly recommended to use only lowercase names) should be configured with proto none since it is a dumb bridge from ethernet to wifi.

Right now VLAN 2 is '6t 1' which means it is eth0.2 (port 6 of the switch is eth0 on the CPU) but untagged to the fiber ONT modem on Ethernet cable 1.

It's to avoid tagged and untagged packets on the same port, and might solve your problems. (Though I don't have any problems with using tagged and untagged packets on the same port on my tl-wdr4300 with ath79 anyway.)

It's already using VLAN 1 since it's bridged with your lan.


Understood. I tagged the ports as suggested and it’s now working as expected.

Thank you for your help.