Help with tagged/untagged VLANs

Need some help.

I have a Linksys WRT3200ACM with a Zyxel NWA110AX access point.

As an example, on the router in OpenWrt I make 2 VLANs in br-lan called
br-lan0.1 home
br-lan0.2 maint.

I set up the Zyxel with 2 SSIDs: the first called "home", the second "maint".

SSID home is on vlan 1
SSID maint. is on vlan 2

On the WRT3200ACM router I have 2 VLANs in br-lan, and I use one cable to the Zyxel.
That cable runs from lan 1 of the router to the Zyxel, and on port 4 ("lan4") I use one cable straight from the router to a computer for maintenance.

If I use this setup, I don't have internet access and cannot access my OpenWrt router with a cable on lan 4:
lan 1 lan 2 lan3 lan 4
vlan 1: T - - -
vlan 2: T - - U

If I use this, I can access the Zyxel and have wireless access:
lan 1 lan 2 lan3 lan 4
vlan 1: T - - -
vlan 2: U - - U

So which one is correct? I thought you need to tag every VLAN on lan 1, since that is the cable to the access point.

You probably need to share the network config file at least for the router if we are going to solve this.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Read-only diagnostic dump for a support post; run it on the router.
# Review the output before pasting it anywhere public:
#   - `uci export wireless` prints Wi-Fi passphrases (option key) in clear text.
#   - `uci export network` can contain PPPoE/VPN credentials and MAC addresses.
#   - the `ip` and resolv.conf output can reveal public addresses.

# Hardware model and firmware release.
ubus call system board

# UCI configuration: network, wireless, DHCP/DNS, firewall.
uci export network
uci export wireless
uci export dhcp
uci export firewall

# Custom firewall rules; `head -n -0` prints the whole file.
head -n -0 /etc/firewall.user

# IPv4 addresses, every routing table, and the policy rules.
ip -4 addr
ip -4 route list table all
ip -4 rule

# Resolver files: listing first, then contents with a header per file.
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

check this video: https://www.youtube.com/watch?v=qeuZqRqH-ug

I followed that video. He talks about setting the LAN port that the cable runs from as tagged (trunk), but I set one to untagged.

I will send my network file

Firewall


# Firewall configuration as posted in the thread. Three option values below
# (src_ip / dest_ip) are blank in the post; see the notes at those lines.

# Global policies. NOTE(review): input is ACCEPT. As far as the OpenWrt firewall
# documentation goes, these policies cover traffic that no zone matches, so an
# interface left out of every zone would be allowed to reach the router. REJECT
# is the tighter choice; confirm nothing depends on ACCEPT first.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Zone 'lan' holds only the 'home' network. Hosts in it may reach the router
# itself (input ACCEPT) and each other (forward ACCEPT).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'home'

# Zone 'wan': unsolicited input and forwarding are rejected; outbound traffic
# is masqueraded (masq '1').
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# 'home' clients may go out to wan.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below open specific protocols on the otherwise rejecting wan zone.

# DHCP client replies (UDP 68) to the router from wan, IPv4 only.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# ICMP echo-request from wan to the router: the router answers pings from outside.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IGMP from wan to the router, IPv4 only.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 client replies (UDP 546) from wan.
# NOTE(review): src_ip and dest_ip have no value in the post (redacted or lost).
# Restore the intended prefixes before reusing this file; an option without a
# value is not expected to parse, and dropping the options would widen the rule.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 
	option dest_ip 
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery (ICMPv6 types 130, 131, 132, 143) from wan.
# NOTE(review): src_ip has no value in the post; same caveat as Allow-DHCPv6.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types accepted from wan to the router itself, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types forwarded from wan to any zone (dest '*'), so they also reach
# hosts in 'secure'; rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ESP forwarded from wan to zone 'lan' (the 'home' network).
# NOTE(review): no family is set, so this presumably applies to IPv4 and IPv6.
# If no IPsec endpoint sits behind the router, this rule and Allow-ISAKMP can
# be removed to reduce what wan may reach; confirm before removing.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# IKE (UDP 500) forwarded from wan to zone 'lan'; see the note on Allow-IPSec-ESP.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Disabled (enabled 'false'): would REJECT UDP 33434-33689 from wan.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Pulls in /etc/firewall.user. Its contents are not shown in the post, so any
# rules it adds are outside this review.
config include
	option path '/etc/firewall.user'

# Zone 'secure' holds the 'secure' network (br-lan.4 in the posted network config).
# input ACCEPT lets every host on that VLAN reach the router's own services.
# NOTE(review): if this VLAN is meant for management only, confirm that only
# trusted ports and SSIDs are members of it.
config zone
	option name 'secure'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'secure'

# 'secure' may go out to wan. No forwarding between 'lan' and 'secure' is
# defined in this file, so the two zones are not routed to each other here.
config forwarding
	option src 'secure'
	option dest 'wan'

DHCP


# DHCP/DNS configuration as posted in the thread.

# dnsmasq settings. rebind_protection '1' enables DNS rebinding protection and
# localservice '1' restricts DNS service to local subnets; both are left enabled.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# ignore '1': no DHCP service is offered on the wan interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd settings; maindhcp '0' leaves IPv4 DHCP to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Pool for 'home': starts at host offset 100, at most 150 leases, 12 h lease time.
config dhcp 'home'
	option interface 'home'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

# Pool for 'secure': same range and lease time as 'home'.
# NOTE(review): every device that reaches this VLAN gets a lease automatically.
# If it is a management network, consider static leases only; confirm intent.
config dhcp 'secure'
	option interface 'secure'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

NETWORK


# Network configuration as posted in the thread. ula_prefix and macaddr have no
# value in the post (redacted or lost); restore them before reusing this file.

# Loopback interface.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# NOTE(review): ula_prefix is blank in the post.
config globals 'globals'
	option ula_prefix 

# Bridge over all four LAN ports; VLAN membership is set per port in the
# bridge-vlan sections below.
# NOTE(review): lan2 and lan3 appear in no bridge-vlan section, so with VLAN
# filtering active they presumably carry no traffic; confirm that is intended.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# NOTE(review): macaddr is blank in the post.
config device
	option name 'wan'
	option macaddr 

# Upstream interface, IPv4 via DHCP.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

# Upstream interface, IPv6 via DHCPv6, on the same device.
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# VLAN 2 ('home'): carried tagged (':t') on lan1, the cable to the access point.
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:t'

# VLAN 4 ('secure'): lan1 and lan4 are listed without ':t' (compare VLAN 2), so
# both are untagged members, presumably also with PVID 4; `bridge vlan show`
# confirms it if the bridge tool is installed.
# NOTE(review): with lan1 untagged, any device on the access-point cable that
# sends untagged frames lands in 192.168.4.0/24. The thread reports the AP's
# management VLAN only connects when untagged; if the AP can be set to tag its
# management VLAN, tagging VLAN 4 on lan1 as well keeps this network off the
# trunk's untagged side.
config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan1'
	list ports 'lan4'

# 'home' network: router address 192.168.2.1/24 on VLAN 2.
config interface 'home'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# 'secure' network: router address 192.168.4.1/24 on VLAN 4.
config interface 'secure'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

I thought you needed to tag everything on lan 1, because this is the LAN port with the cable running to the access point, which all the VLANs go through?

Most likely your access point is improperly configured and is sending untagged packets to the secure network instead of tagging them with VLAN 4.

What you set up on port 1 should only affect the AP. Make sure the logical numbers agree with what you think are the physical ports-- when you plug and unplug the cable to the PC, 'lan4' should be shown as going up and down in the log.

Normally I use more VLANs, but I removed some to make things easier while troubleshooting.

So I need to check in the access point config whether everything there is tagged, and OpenWrt is all good, except for tagging lan4?

Does anyone have experience with the Zyxel Nebula center and know how and where to find this option for tagging/untagging?

The accesspoint should be configured to accept all VLANs as tagged on the trunk cable, then you would set up the 3200 to tag them all on the trunk cable.

I think it's not possible to tag on the access point side.
The only option to tag or untag is in the device administration settings, but that only applies to administrative access to the device itself.

From some Zyxel articles and how-to guides, I gather that you can't tag ports on the wireless access point.
Instead you need to add the VLAN number in the PVID section.
Also, I now have port 1 tagged with VLAN 2 to the access point and have a connection.

Update from Zyxel: all the VLANs are tagged except the administration (management) VLAN; you can set that one to tagged or untagged, and the setting applies to that whole VLAN.

Now I tag everything in OpenWrt on LAN port 1 and everything works, except that if I tag VLAN 4, my management VLAN, I don't get a connection; if I untag it in OpenWrt, it works.