[solved] VLANs on ipq40xx alternative config (for Fritzbox 4040)

aboaboit · August 4, 2019, 2:54pm

Jeff, I think our definitions of "straightforward" are quite different and you're way ahead of me.

Intent is:

two internal firewall zones "lan" and "guest"
"lan" firewall zone includes 3 ports of the switch and the "home" SSID on both wifi bands
"guest" zone includes 1 port and the "guest" SSID
traffic is allowed from guest to wan, from lan to guest but not from guest to lan

This way I can segregate a fussy wired client in the guest segment when needed.

I gave your settings a spin and, touch wood, it looks like what I wanted: the key insight is "away from vid 1 and 2". Other than that, even configuring via LUCI gives the expected result. Thanks

EDIT, adding key parts of the config to help others:

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '101'
        option ports '0t 1 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '102'
        option vid '102'
        option ports '0t 4'

config interface 'lan'
        option ifname 'eth0.101'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option stp '1'

config interface 'guest'                                                     
        option type 'bridge'                                                 
        option proto 'static'                                                
        option ifname 'eth0.102'                                             
        option ipaddr '192.168.3.1'                                          
        option netmask '255.255.255.0'                                       
        option stp '1'

sammo · August 4, 2019, 3:23pm

@aboaboit, exactly what i was looking for. In my case passthrough/vpn lan.
Why would you need stp (spanning tree protocol)?

aboaboit · August 4, 2019, 3:28pm

I don't need it, strictly speaking, but it's nice to have. It will work just fine without it, unless you create loops.

inanedirk · August 9, 2019, 8:35pm

Good evening everyone, I was wondering if you could help me with a problem very similar to the one discussed here? I've read through the thread but still can't quite grasp what I'm doing wrong.
What I'm trying to do:
PPPoE on eth1
VLAN 42: 0 tagged. 1, 2, 3 untagged (lan)
VLAN 99: 0 tagged. 4 untagged (guest - I wanna run an old OpenWRT router for guest wifi here).

Should look like this:

Now as soon as I Save & Apply this, my PPPoE on eth1 stops working.
The error said something along the lines
Timeout waiting for PADO packets
Unable to complete PPPoE Discovery
I don't get how changing anything on eth0 would effect eth1?

Any help would be greatly appreciated

[EDIT fixed screenshot as error pointed out by @aboaboit]

aboaboit · August 10, 2019, 7:13am

port 4 should be untagged, just as you wrote earlier: I see it as tagged in the screenshot.

inanedirk · August 10, 2019, 8:24am

Dammit, you're right, I staged this to make a screenshot and made this mistake - in my actual attempt lan4 was set untagged.

aboaboit · August 10, 2019, 8:28am

so it still does not work even with untagged ports? that's interesting

can you show the relevant portions of /etc/config/network ?

Pilot6 · August 10, 2019, 8:52am

Never use Luci for vlan setup on ipq40xx. It removes port5 setting on save.
But you need 5t to have tagged vlan on wan.

aboaboit · August 10, 2019, 9:07am

I don't have a port 5 and it works.
Is this issue device-related?
Does it happen only if you want to use VLAN on wan?

Pilot6 · August 10, 2019, 9:22am

What "it" works? Router works on default settings.
But is you need to do something with vlans, you'll need port 5. But Luci will remove this setting.

aboaboit · August 10, 2019, 10:07am

"it" in the context of this last few posts in this discussion means "pppoe" wan.
Again, I have two VLANs numbered 101 and 102, no port 5 and I'm obviously online.

Pilot6 · August 10, 2019, 10:08am

This means that it is a one mac device. Then it may work.

aboaboit · August 10, 2019, 10:16am

I think the 4040 does indeed have a separate eth device for wan, while the local ports are part of the switch.
Unlike my older devices, which used a switch port for wan.

inanedirk · August 11, 2019, 9:11am

Hi, I've just recreated the config that doesn't work for me. Here's the switch settings in LuCI:

As soon as I commit this, PPPoE on WAN dies with "PEER DEAD" followed by "Connection attempt failed"

This is from syslog at that moment:

Sun Aug 11 10:58:55 2019 daemon.notice netifd: Interface 'wan' is now down
Sun Aug 11 10:58:55 2019 daemon.notice netifd: Interface 'wan' is setting up now
Sun Aug 11 10:58:55 2019 daemon.err insmod: module is already loaded - slhc
Sun Aug 11 10:58:55 2019 daemon.err insmod: module is already loaded - ppp_generic
Sun Aug 11 10:58:55 2019 daemon.err insmod: module is already loaded - pppox
Sun Aug 11 10:58:55 2019 daemon.err insmod: module is already loaded - pppoe
Sun Aug 11 10:58:56 2019 daemon.info pppd[6192]: Plugin rp-pppoe.so loaded.
Sun Aug 11 10:58:56 2019 daemon.info pppd[6192]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
Sun Aug 11 10:58:56 2019 daemon.notice pppd[6192]: pppd 2.4.7 started by root, uid 0
Sun Aug 11 10:59:11 2019 daemon.warn pppd[6192]: Timeout waiting for PADO packets
Sun Aug 11 10:59:11 2019 daemon.err pppd[6192]: Unable to complete PPPoE Discovery

And here's /etc/config/network

config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.42.1'
option dns '1.1.1.1'
option ifname 'eth0.42'

config interface 'wan'
option ifname 'eth1'
option proto 'pppoe'
option username 'someuser'
option password 'somepass'
option ipv6 'auto'
option peerdns '0'
option dns '1.1.1.1 8.8.8.8 8.8.4.4'

config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 1 2 3'
option vid '42'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 4'
option vid '99'

PPPoE pretty much immediately reconnects as soon as I reset the VLAN settings to defaults in LuCI.

aboaboit · August 11, 2019, 9:18am

vlan 1 and 2 are special on the ipq40xx, better not use them.

this is my switch config section:

config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '101'
        option ports '0t 1 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '102'
        option vid '102'
        option ports '0t 4'

(incidentally, try using the "preformatted text" button instead of "blockquote" when pasting text here)

inanedirk · August 11, 2019, 9:24am

Thanks. I'm not entirely sure why you'd even have both vlan and vid. It sounds to me like one's the actual VLAN and the other is a name, a label for it?
Anyway, I'm seeing the config for the first time, didn't realize LuCI only sets vid, not vlan. I'll try changing vlan next.

aboaboit · August 11, 2019, 9:45am

See comment no.4

inanedirk · August 11, 2019, 9:47am

Yeah, thing is it's not obvious in LuCI that this is what's happening

inanedirk · August 11, 2019, 10:48am

Hey @aboaboit, thanks to your suggestions I've managed to successfully set up my guest WiFi.
Thank you!

system · August 21, 2019, 10:48am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.