[Solved] WRT3200ACM VLAN multiroom

Hello everyone,
I have just moved in and I have an electrical panel with rj45 plugs connecting the house.
My internet box is in the entrance hall, next to the electric board. My OpenWrt router (dhcp, dns, guest wifi, logs, vpn...) is in my office with several pieces of equipment connected to the LAN of the router.
My question is about the equipment in the living room (PS3, raspberry...): how do I connect them to my router so that they are in the LAN?
I suppose that VLANs are the solution but I would like your opinion on this question. Is it possible with a single cable to pass traffic coming from my living room equipment to the WAN port of the router and have it go out through the same port?
Here is a diagram to be more explicit (I hope it will...):


The player is a piece of equipment supplied by my French operator (Free) and is currently operated by CPL, so its integration is not mandatory in the diagram.
I've added 2 manageable switches (not purchased yet) on what I think is correct:

  • SWITCH 1
    • PORT 1...: VLAN1
    • PORT 5: trunk
    • PORT 4: VLAN2
  • SWITCH 2
    • PORT 1: VLAN 1/2
    • PORT 2: VLAN 1/2
    • PORT 3: trunk
  • OpenWRT:
    • WAN PORT: VLAN 1/2

Is my understanding good ? I am of course open to any other configuration or suggestions 🙂

Thank you !

I think there can be a bit of confusion when you express how you want to configure each switch (like tagging / untagging), but I think your idea is rock solid.

Yes with that setup you can do about anything. Put the raw Internet from the ISP onto a third VLAN from the switchboard to the office. The OpenWrt router would take this Internet in then route it out to networks on different VLANs, for LAN, IOT or TV as needed then send it back to the switchboard on the same cable. There it would be trunked over to the living room then switched out to the matching device.

Thanks for your quick replies !

@eduperez: what do you mean by a bit of confusion ? If I'm not mistaken, I'd like to tag on switch1, vlan1 on port 1-2-3, vlan2 on port 4 and untag (or trunk?) on port 5, right ? I have to admit that I'm not very comfortable with VLAN, which is why I'm asking...

@mk24: why do you propose a third vlan ? My box and my player are in the same LAN through the CPL. They have to be like this (same LAN) to work (the player is, obviously, for watching TV and belongs to my provider).
I also don't understand the second sentence: why do you say trunked over to the living room ? Again, I'm not very comfortable with VLAN. I just know the basics, that's all...

Anyway, if I understand well, on my OpenWRT, all I have to do is to tag my WAN port with VLAN2 and.... that's all ?

Just to be sure, here is my actual configuration (installation setup):

When you pass more than 1 VLAN, this is called trunk.
So in your case, if vlan1 is LAN and vlan2 is WAN (including the player) you'll need:
Switch 1: Ports 1-3 access (or untag) on vlan1 , Port 4 access on vlan2, Port 5 trunk (or tagged) with both vlans.
Switch 2: Ports 1-2 trunk with both vlans, Port 3 access on vlan 2.
On OpenWrt: Lan ports access on vlan1, Wan port trunk on both vlans.
Don't touch the CPU ports, they should stay tagged,
Make sure that logical interface wan is using eth1.2 physical interface and logical interface lan is using eth0.1 (this should be the case by default judging by the switch configuration).
As a sidenote you might want to assign the native vlan on the switches to some vlan not used, to avoid leaking from one vlan to the other.


Thank you for the explanations, it's clearer. It was pretty clear to me with the switches, not so much with the OpenWRT...

Just a couple of questions though:

On OpenWrt: Lan ports access on vlan1, Wan port trunk on both vlans.

If I understand well, I just have to mark the WAN port as tagged for 1 and 2 ?

Don't touch the CPU ports, they should stay tagged,

I'm glad you said that because I think it's part of my confusion. Why are there two CPU ports ? According to the following picture (found somewhere in this forum and corresponding to my WRT3200ACM), they are connected to the respective ports, but why ? To my knowledge, a typical linux distribution with N ports, when you want to act as a router, you bridge N-1 ports, and NAT to the output and, that's it. Why is there VLAN in this case ?


Make sure that logical interface wan is using eth1.2 physical interface and logical interface lan is using eth0.1 (this should be the case by default judging by the switch configuration).

That's right:

14: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
16: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000

As a sidenote you might want to assign the native vlan on the switches to some vlan not used, to avoid leaking from one vlan to the other.

I'm a bit confused again... What are native vlan ? The actual ones in my picture ? Do I have to create 2 new VLAN besides the old ones ? And why would there be leaking between them ?

Thanks !

There are two CPU ports to increase potential performance by dedicating one to WAN and one to LAN traffic. This is only an issue should the ISP speed be faster than half of the Ethernet link speed, there a shared single port could be a bottleneck.

Since there is only one switch, this requires the default config to set up two VLANs in the switch to keep the networks separate.

If you make a port tagged in both VLANs then both networks can go in or out that port (which is very useful when you only have one Ethernet cable to the other room), but the device on the other end of the cable must understand tagging and be configured with the same VLANs.


@mk24 answered you on that.

You'll have to do some studying on this, but in a nutshell when a trunk port receives an untagged frame it will assign it to the native vlan. In most switches this is vlan1, which you will be using for the lan. So to avoid leaks it is common practice to assign an unused vlan for the native vlan, like 999, or not to use vlan 1 for traffic.

Thanks the three of you for your explanations.
I will continue to read the openwrt wiki for a better understanding and keep you informed once I buy the switches !

You do not explain which ports have tagged or untagged traffic. But I'm pretty sure you know what you are doing.


@eduperez: quite sure what I'm doing, not totally...

Anyway, I ordered 2 Netgear GS105Ev2, and after configuration, everything seems to work 🙂

After going through the menus, I discovered a PVID menu, which adds to my confusion, and which is perhaps the cause of my last concern: getting an IP from the switches.
For switch 2, as port 3 is untagged on VLAN 2000 (yes, I went from 1 to 1000 and 2 to 2000 according to @trendy's security concerns), I think that's why it's able to get an IP from my Freebox, but switch 1 not.
Here are the configurations:

I put port 5 on switch 1 to PVID 2000 to get an IP from my Freebox's DHCP and of course, it's not working. Ideally I'd like my switches to get an IP from my OpenWRT but I'm not sure if it's possible. If not, from my Freebox would be fine (for switch 1 only as switch 2 is ok).

Thanks again for your explanations !

If the switch doesn't have a management interface that can be assigned to a specific VLAN, it is random which DHCP server it will get the IP from. Better assign it static.
One last thing for the trunk ports (SW1 P5 and SW2 P1-2), assign PVID 1 as you shouldn't be receiving any untagged frames there.
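
The native VLAN / PVID advice from the posts above can be checked with a small model. This is an added example, not code from any poster or from OpenWrt: `Port`, `egress_ports` and `audit_trunks` are hypothetical names, the forwarding model is simplified 802.1Q (membership only, no MAC learning), and the two port tables are constructed from the switch 1 layouts described in this thread.

```python
from dataclasses import dataclass

@dataclass
class Port:
    pvid: int                          # VLAN assigned to untagged frames on ingress
    untagged: frozenset = frozenset()  # VLANs sent out without a tag (access)
    tagged: frozenset = frozenset()    # VLANs sent out with an 802.1Q tag (trunk)

    @property
    def members(self):
        return set(self.untagged) | set(self.tagged)

def egress_ports(switch, in_port, tag=None):
    """Ports a broadcast frame entering in_port is flooded to (tag=None: untagged)."""
    vlan = switch[in_port].pvid if tag is None else tag
    return sorted(p for p, cfg in switch.items()
                  if p != in_port and vlan in cfg.members)

def audit_trunks(switch):
    """Trunk ports whose PVID is a VLAN that some port on the switch belongs to."""
    in_use = set().union(*(cfg.members for cfg in switch.values()))
    return sorted(p for p, cfg in switch.items()
                  if cfg.tagged and cfg.pvid in in_use)

# Constructed: switch 1 as first proposed (LAN = VLAN 1, WAN = VLAN 2),
# with trunk port 5 left on the default native VLAN, PVID 1.
SW1_NATIVE_IN_USE = {
    1: Port(1, untagged={1}), 2: Port(1, untagged={1}), 3: Port(1, untagged={1}),
    4: Port(2, untagged={2}),
    5: Port(1, tagged={1, 2}),
}

# Constructed: after renumbering to 1000/2000, trunk PVID on VLAN 1,
# which no port is a member of any more.
SW1_NATIVE_UNUSED = {
    1: Port(1000, untagged={1000}), 2: Port(1000, untagged={1000}),
    3: Port(1000, untagged={1000}),
    4: Port(2000, untagged={2000}),
    5: Port(1, tagged={1000, 2000}),
}

if __name__ == "__main__":
    for name, sw in (("native VLAN in use", SW1_NATIVE_IN_USE),
                     ("native VLAN unused", SW1_NATIVE_UNUSED)):
        print(name, "| untagged frame on trunk reaches ports:", egress_ports(sw, 5),
              "| flagged trunks:", audit_trunks(sw))
```

In the first table an untagged frame arriving on the trunk lands in the LAN VLAN; in the second it has nowhere to go, while tagged frames for 1000 and 2000 are still delivered.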

That is indeed my concern, I'd like to be sure of what they do and I finally agree for static IP but how can I be sure that switch 2 will be reachable with an IP on LAN's range from a LAN computer?

I observed a strange behavior: switch 1 can have DHCP from my OpenWRT and switch 2 from my Freebox. I think I know why for switch 2 (vlan 2000 untagged on port 3), but what about switch 1? Because of the three untagged vlan 1000 on port 1-3? If so, one should add another cable from switchboard to office on vlan 1000 ? It's not possible to do otherwise ? Like with trunk ?

About VLAN1, I removed every port from that one. Should I add them again ? Because since they're gone, I can't set the PVID to 1.

I realized that I made a mistake about the player and the freebox: they communicate by default on vlan 100 and you can't change that. So if I understand well, I have to:
switch 1: port 4-5 tagged on vlan100
switch 2: port 2-3 tagged on vlan100
Am I right ?
EDIT: I was right, it works ! ✌️

I know all these questions are not fully OpenWRT related, but you guys seem so rock solid on the VLAN subject that I can't avoid asking you the question... But if it's too off topic, I understand, and I'll ask these questions elsewhere 🙂

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

You can't be. As long as there is no specific management vlan or management interface those cheapish switches will accept connections from everywhere, as long as they see their IP. Not perfect, not terrible for a home installation. Just make sure you secure them with a user/pass.

It's just a matter of which DHCP server replied first.

In SW2 you have ports 4 and 5 with PVID 1, so what I asked you to do is not a problem.

You're probably right but for my home installation, I'll stick with it.

@tmomas: done !

Thanks again for your time !
