Split LAN ports to 2 different VLAN

Hi, I'm trying to follow this tutorial
http://coderazzi.net/howto/openwrt/tl841n/vlans.htm

My goal is to have the 4th port of my router able to access the router's gateway with my computer (I already set up the firewall rules) and the other 3 ports to get an IP via DHCP in a different subnet, not able to access the router's subnet.

This is the output of
swconfig dev switch0 show

Global attributes:
	enable_vlan: 1
	mirror_monitor_port: 15
Port 0:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 0
	link: port:0 link:up speed:1000baseT full-duplex txflow rxflow 
Port 1:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 1
	link: port:1 link:down
Port 2:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 1
	link: port:2 link:down
Port 3:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 1
	link: port:3 link:down
Port 4:
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	pvid: 1
	link: port:4 link:up speed:100baseT full-duplex auto
VLAN 0:
	vid: 0
	ports: 0t 
VLAN 1:
	vid: 1
	ports: 0t 1 2 3 4

This is how I would set the /etc/config/network configuration following the tutorial:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr 'lansubnet'

config interface 'lan1'
        option type 'bridge' 
        option ifname 'eth1.1'
        option proto 'static'                    
        option netmask '255.255.255.0'  
        option delegate '0'        
        option ipaddr 'guestlan'

config interface 'wan'
        option ifname 'eth1'
        option proto 'pppoe'
        option username ''
        option password ''
        option peerdns '0'
        option dns '208.67.222.222'     
                                        
config interface 'guest'                
        option proto 'static'           
        option netmask '255.255.255.0'  
        option delegate '0'             
        option ipaddr 'guestsubnet'    
        option type 'bridge'            
                                        
config interface 'guest1'               
        option proto 'static'         
        option delegate '0'           
        option ipaddr 'guest1subnet'  
        option netmask '255.255.255.0'
        option type 'bridge'            

config switch                           
        option name 'switch0'           
        option reset '1'                
        option enable_vlan '1'          
                                        
config switch_vlan 'eth0_1'
        option device 'switch0'         
        option vlan '1'                 
        option ports '4t 0t'

config switch_vlan 'eth1_1'
        option device 'switch0'
        option vlan '2'
        option ports '1t 2t 3t 0t'

I have 2 questions:
Is the syntax correct?
config switch_vlan 'eth1_1'

config interface 'lan1'
        option type 'bridge' 
        option ifname 'eth1.1'

or does it have to be like this?
config switch_vlan 'eth1.1'

Next question is if the WAN port (port 0) has to appear in the configuration of both switches?

config switch_vlan 'eth0_1'           
        option ports '4t 0t'
config switch_vlan 'eth0_1'
        option ports '1t 2t 3t 0t'

If you're not familiar with VLAN configuration and have LuCI installed, that would be the easiest way to configure what you want.

If you're trying to do it through /etc/config/network you'll need to configure both the interfaces as well as the switch. The switch_vlan config section needs device, vlan, and ports options, as well as a vid option if the VLAN tag is not the index that the vlan option specifies. Each of the ports will also require a pvid option, even if you do not allow untagged packets. Documentation at https://openwrt.org/docs/guide-user/base-system/basic-networking

In your example config switch_vlan 'eth0_1', as far as I know eth0_1 is simply a symbolic name for the config section used by UCI and does not impact the configuration of the switch itself. As I hand-edit my config, I personally don't have names on my switch_vlan or switch_port sections. (Symbolic names are required for interfaces that are referred to by other config, such as wireless.)


The ports that go to ordinary (not VLAN capable) external devices must be untagged in one VLAN and off in the others. The CPU port should be tagged in both VLANs.

The only time to tag an external port is to set up a "trunk" cable to another managed switch or router that can parse the VLAN tags on the cable.

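The tagging rule from the reply above, as an added example rather than code from the thread: a Python check, meant to run on a workstation against a copy of /etc/config/network, that flags LAN ports tagged without being a trunk, ports untagged in more than one VLAN, and a CPU port that is not tagged. It assumes port 0 is the CPU port (the port shown as `0t` in the swconfig output); `parse_switch_vlans`, `check_isolation`, `cpu_port` and `trunk_ports` are names chosen here.

```python
import re

# Constructed input: the switch_vlan sections as posted in the question.
QUESTION_CONFIG = """
config switch_vlan 'eth0_1'
        option device 'switch0'
        option vlan '1'
        option ports '4t 0t'

config switch_vlan 'eth1_1'
        option device 'switch0'
        option vlan '2'
        option ports '1t 2t 3t 0t'
"""
# Constructed: the same sections with the LAN ports untagged, per the reply.
FIXED_CONFIG = QUESTION_CONFIG.replace("4t 0t", "4 0t").replace("1t 2t 3t 0t", "1 2 3 0t")

def parse_switch_vlans(text):
    """Return {vlan: {port: is_tagged}} for each switch_vlan section."""
    vlans, opts, in_vlan = {}, {}, False
    for line in text.splitlines() + ["config end"]:  # sentinel flushes last section
        words = line.split()
        if words[:1] == ["config"]:
            if in_vlan and "vlan" in opts:
                ports = re.findall(r"(\d+)(t?)", opts.get("ports", ""))
                vlans[int(opts["vlan"])] = {int(p): t == "t" for p, t in ports}
            in_vlan, opts = words[1:2] == ["switch_vlan"], {}
        elif words[:1] == ["option"] and len(words) >= 3:
            opts[words[1]] = " ".join(words[2:]).strip("'\"")
    return vlans

def check_isolation(text, cpu_port=0, trunk_ports=()):
    """Return rule violations as strings; an empty list means none found."""
    problems, untagged_in = [], {}
    for vlan, ports in sorted(parse_switch_vlans(text).items()):
        if not ports.get(cpu_port, False):
            problems.append(f"VLAN {vlan}: CPU port {cpu_port} is not tagged")
        for port, tagged in sorted(ports.items()):
            if port == cpu_port or port in trunk_ports:
                continue
            if tagged:
                problems.append(f"VLAN {vlan}: port {port} tagged, not a trunk")
            else:
                untagged_in.setdefault(port, []).append(vlan)
    problems += [f"port {p} is untagged in VLANs {v}"
                 for p, v in sorted(untagged_in.items()) if len(v) > 1]
    return problems

if __name__ == "__main__":
    print(check_isolation(QUESTION_CONFIG), check_isolation(FIXED_CONFIG))
```

A port that really is a trunk to another VLAN-aware switch can be listed in `trunk_ports` so it is not reported.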