Solved: Vlan tagging for ISP

That is precisely what I mean by multiplexing, this is what vlans are for, but when there is only one network, tags provide no real value.

I suspect if the ISP equipment has vlan turned on and tag 7 selected it will work, but again has no value compared to untagged in this application

First of all, thank you all for your useful comments, by them I did learn a lot. And I have found the underlying reason, why it did not work.

In Germany, vlan tagging was announced some years ago in connection with the "new" internet access, i.e. mandatory VoIP. On the website of the largest ISP, which is also mine, they talk a lot about vlan tagging and that it should be '7'.

A few weeks ago I was forced to switch to 'new internet access'. My assumption was that vlan tagging is from then an essential requirement. The ISP offers two types of accesses, with and without IPTV. About one year ago they decided to abandon the requirement for different vlan tags for with and without IPTV. As @dlakelan pointed out, tagging provides no real value since.

It took me a couple of hours to find out that vlan-tag requirement for internet access is by default turned off by the ISP. The only "benefit" of using vlan is to bypass the need for entering your credentials to log in on their web site, i.e. none.

Apparently, setting vlan when it is not activated is counterproductive :face_with_raised_eyebrow:


I will try out on Monday to activate vlan, just in order to see whether it works. This ISP does not require it, others make it essential for connection. Better be prepared ....

By the way, what is the purpose of the vlan-2 setting in LEDE/OpenWRT? Apparently it is kind of useless, but a default.

The typical gigabit router like the C7 has two CPU ports, with a separate switch chip driving all the Ethernet ports. The main CPU chip lacks the hardware to drive Ethernet cables directly, its two ports are connected to the switch chip through a local interface called GMII which is designed to only travel a few inches on a circuit board.

The switch can switch anything between its 7 ports, so internally two VLANs are set up to isolate the WAN from the LAN inside the switch. In the default configuration it does not affect anything outside the switch.

The vlan 2 setting is because many routers only have 1 connection between the switch and the cpu (i.e. eth0), so in order to have a wan separate from the lan you need to multiplex them through the switch; that means tagging wan 2 and lan 1.

Glad you figured out your scenario, and your explanation makes a lot of sense now.

Hello, after a couple of days testing I am back again to report.

In view of the specification of my ISP, that vlan tagging currently seems not to be required, I ticked off the corresponding entry in the modem, with internet being cut instantaneously.

I am completely lost. The information policy of the ISP is grotty, as is the training of the 'service' people there. In short, I don't know whether or not vlan tagging is required. Will take a while to find this out, but it is the first step to take.


When you say "ticked off" do you mean put a check-mark in the box or not? It's a quirk of English that in this case it's not entirely clear.

It looks like putting a check mark in the "active" box will cause vlan 7 tagging to appear ON THE WAN side. If you already have internet with it turned off, there is literally NO reason to turn it on, and turning it on, it seems, causes your internet to cut out. So I think this confirms that you should simply leave this box unchecked and turn off tagging on the WAN.

If the Zyxel supports tagging on the LAN side, you could turn this on, but it again has absolutely NO advantage to you unless you have more than one separate "channel" such as for example an IPTV connection that operates independent of the main internet connection, or a VOIP service or the like.

So, if I were you, and I had internet already, and there was no extra service I was trying to enable like a separate IPTV or VOIP service... I'd stop right there and move on.

Oh sorry, I thought I had posted a different picture from the Zyxel modem above. With 'ticking off' I refer to this one: Screenshot_20180630_192941
I tried

  1. on Zyxel modem: vlan active, 802.1q set to 7 (never touched 802.1p). LEDE router with default vlans. Connected to internet
  2. vlan ticked off on Zyxel modem, i.e. inactive (my assumption, the manual does not say anything about it). On the LEDE router, vlan set as discussed above, i.e. ports 1 and 6 tagged with vid 7, replacing default vlan 2. Alternatively, only port 1 tagged. WAN was linked to eth0.7. No connection to the internet
  3. as 2), but added vid 7 to the two existing vlans with the above settings. No connection to the internet

Bottom Line: vlan tagging is required, but works only when done on the Zyxel modem, but not when set on LEDE router.

I could strip off the access data from my router. As far as I know, these are no longer required within vlans.
I will let you know.

Vlan tagging is a property of a given link, tags are not end to end. So if the ISP wants to receive tags it is the modem that MUST put them there, or at least not strip them. When you turn off the vlan tagging on the modem it is probably stripping them.

It seems you must retain this modem and keep vlan tagging turned on.

If you had an Ethernet link you might be able to bypass the modem entirely, but if it's DSL then obviously it needs to remain in the circuit
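
Added example, not part of any post in this thread: a small Python model of an 802.1Q switch illustrating the two points made above, that WAN and LAN can share a single CPU link only because each is tagged on it (VLAN 1 and VLAN 2), and that a tag belongs to one link and is stripped on untagged egress. The port numbering (0 = CPU, 1-4 = LAN, 5 = WAN), the class and function names, and the sample frame are constructed for illustration.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the two MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)  # 802.1p priority + 12-bit VLAN id
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]

def read_tag(frame: bytes):
    """Return (vid, untagged_frame); vid is None when no tag is present."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

class Switch:
    """vlans: {vid: {port: 't' | 'u'}}, pvid: {port: vid for untagged ingress}."""
    def __init__(self, vlans, pvid):
        self.vlans, self.pvid = vlans, pvid

    def forward(self, in_port, frame):
        """Flood within the frame's VLAN; return {egress_port: bytes on that link}."""
        vid, inner = read_tag(frame)
        if vid is None:
            vid = self.pvid.get(in_port)
        members = self.vlans.get(vid, {})
        if in_port not in members:
            return {}  # unknown VLAN or non-member port: frame is dropped
        return {port: add_tag(inner, vid) if mode == "t" else inner
                for port, mode in members.items() if port != in_port}

# Constructed layout: one CPU link (port 0) carries LAN as VLAN 1 and WAN as VLAN 2.
VLANS = {1: {0: "t", 1: "u", 2: "u", 3: "u", 4: "u"}, 2: {0: "t", 5: "u"}}
PVID = {1: 1, 2: 1, 3: 1, 4: 1, 5: 2}
SWITCH = Switch(VLANS, PVID)

# Constructed sample frame: broadcast dst, locally administered src, IPv4 ethertype.
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed payload"

if __name__ == "__main__":
    print(SWITCH.forward(5, FRAME))              # WAN -> CPU, tagged vid 2
    print(SWITCH.forward(0, add_tag(FRAME, 2)))  # CPU -> WAN, tag stripped
    print(SWITCH.forward(0, add_tag(FRAME, 7)))  # vid 7 not configured: dropped
```
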

Thank you for the advice. This was the point I wished to learn from the Zyxel User Manual. I spent a couple of days searching the internet on this point, without finding any information.

I think this thread is now over and done, marked as solved. Thank you all, dlakelan in particular, for your patience and support.



I use tp-link Archer C7 V4. This device can handle non-consecutive numbered VLANs only via special tricks. In order to correctly tag high VLAN number I had to create empty consecutive VLANs. This was the only method to correctly tag high number VLANs.
This problem was already described in LEDE previously and I myself described my experience with Archer C7 VLANs tagging problems.

Hello, would you mind providing me with a link? I have searched and except for your contribution in this thread I did not find anything. I remember having seen something similar described for a wdr-something, same problem, vlan did not work if only the one needed is added. But can't find it any more...

I described my experience with lack of non-consecutive VLAN support in tp-link Archer C7 V4 here: