Tagging Each Radio with a .1q and Sending it Tagged to the Gateway

Greetings, I have the following setup:

1. 802.1q capable switch (ZYXEL GS1900-8):
> Ports
  - PORT1  : (pvid 1) Linux Router
  - PORT2  : (pvid 2) WAN
  - PORT3-8: (pvid 1) LAN

> 802.1q VLANs
  - VLAN1 (default)
    - port 1: tagged
    - port 2: excluded
    - port 3-8: untagged
  - VLAN2 (WAN002)
    - 1  : tagged
    - 2  : untagged
    - 3-8: excluded

2. X86 Bare Linux Router (Arch Linux)
- has one interface (eth0)
- two subinterfaces:
  - eth0.1 => LAN (10.13.37.1/24) <- ISC DHCPDv4 + BIND9 named
  - eth0.2 => WAN (pppd<-pppoe)

Behind the LAN subinterface sits my Xiaomi MI4A Gigabit router running OpenWRT 23.05. This device has:

lan1@eth0 <- 1st port on the back
lan2@eth0 <- 2nd port on the back
phy0-ap0  <- 2.4GHz radio
phy1-ap0  <- 5GHz radio
wan       <- CPU eth0

the /etc/config/network output is as follows:

# Starting point: a "dumb AP" layout with one untagged bridge and no VLAN sections.
config globals 'globals'
        option packet_steering '1'

# IPv6 is switched off on the wan port and on eth0.
config device
        option name 'wan'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

# One bridge joins both rear ports and the wan port, so every member shares a
# single layer-2 segment. The radios are attached in /etc/config/wireless, which
# is not part of this listing.
config device
        option name 'dumb'
        option type 'bridge'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# The bridge itself is a DHCP client: the AP takes its own address from
# whatever DHCP server answers on this segment.
config interface 'lan'
        option device 'dumb'
        option proto 'dhcp'
        option delegate '0'
        option force_link '1'

As you can see, the device is currently set up as a dumb AP (LAN1+LAN2+WAN+radios are all bridged, with the bridge acting as a DHCP client).

I want the ports on the back and the 2.4GHz radio to be tagged with VLAN ID 3, and the 5GHz radio to be tagged with VLAN ID 1, on the way out to the switch, so I can create an eth0.3 on the Linux router and serve a guest network on both WiFi and the ports on the back.

To achieve this, what should the ZYXEL switch and the OpenWRT configuration look like?

Thank you.

You have a DSA switch. While eth0.3 will work, the preferred way is to use br-lan.3 and keep tagged/untagged on the ports as you like.
You can assign VLANs to access points (not whole radios) by attaching them to bridge VLANs, exactly as you would attach them to an untagged bridge.
I would advise keeping a backup and the reset pin at hand before the first try, though.

# - - global - - #
config globals 'globals'
        option packet_steering '1'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# - - wan - - #
# The bare wan port carries no IP configuration of its own (proto 'none').
config interface 'wan'
        option device 'wan'
        option proto 'none'

# 802.1q sub-devices of wan for VLAN IDs 1 and 3. No interface section in this
# listing refers to wan.1 or wan.3.
config device
        option name 'wan.1'
        option type '8021q'
        option ifname 'wan'
        option vid '1'
        option ipv6 '0'

config device
        option name 'wan.3'
        option type '8021q'
        option ifname 'wan'
        option vid '3'
        option ipv6 '0'

# - - guest lan - - #
# Guest bridge: the device section lists only the two rear ports.
config device
        option name 'br-lan_guest'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

# VLAN 3 on the guest bridge: lan1/lan2 are untagged with PVID ('u*'),
# wan carries the VLAN tagged ('t') towards the switch.
config bridge-vlan
        option device 'br-lan_guest'
        option vlan '3'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'wan:t'

config interface 'lan_guest'
        option device 'br-lan_guest.3'
        option proto 'dhcp'

# - - crib lan - - #
# Second bridge with no ports listed in its device section.
config device
        option name 'br-lan_crib'
        option type 'bridge'

# VLAN 1 on the second bridge, again with wan as the tagged port.
# NOTE(review): wan is referenced by the VLAN sections of both br-lan_guest and
# br-lan_crib. A Linux network device can be a member of only one bridge at a
# time, so the two bridges presumably compete for wan - confirm. A single
# VLAN-aware bridge that carries both VLAN 1 and VLAN 3 avoids the conflict.
config bridge-vlan
        option device 'br-lan_crib'
        option vlan '1'
        list ports 'wan:t'

config interface 'lan_crib'
        option device 'br-lan_crib.1'
        option proto 'dhcp'

I ended up doing this.

2.4GHz radio is a member of lan_guest alongside lan1+lan2 and 5GHz radio is the sole member of lan_crib.

If only lan_guest is configured, it sends frames tagged with .1q ID 3 out of WAN, but if I bring up br-lan_crib it only sends .1q ID 1 out of WAN.

the switch is configured as such:

port 1: Linux Router
 - eth0.1 -> 10.13.37.1/24 <- main LAN
 - eth0.2 -> pppd
 - eth0.3 -> 10.13.36.1/24 <- guest LAN
port 2: ISP PPPoE
port 5: OpenWRT
port 3+4+6+7+8: LAN

VLAN1:
 - port 1          : tagged
 - port 2          : excluded
 - port 5          : tagged
 - port 3+4+6+7+8  : untagged
VLAN2
 - port 1          : tagged
 - port 2          : untagged
 - port 3+4+5+6+7+8: excluded
VLAN3
 - port 1          : tagged
 - port 5          : tagged
 - port 2+3+4+6+7+8: excluded

any help is welcome.

Thank you.

/etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

# One VLAN-aware bridge holds both rear ports and the wan uplink.
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'wan'

# VLAN 1 (main LAN): untagged on lan1, tagged on the wan uplink to the switch.
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u'
    list ports 'wan:t'

# VLAN 3 (guest): untagged on lan2, tagged on the wan uplink to the switch.
config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'wan:t'
    list ports 'lan2:u'

# Main network: the AP requests its own address on VLAN 1 via DHCP.
config interface 'lan_crib'
    option device 'br-lan.1'
    option proto 'dhcp'

# Guest network on VLAN 3.
# NOTE(review): proto 'dhcp' gives the AP itself an address on the guest VLAN.
# The poster states that this build ships LuCI and has no firewall, so the AP's
# management services would presumably be reachable from guest clients, and if
# IP forwarding is enabled the AP could route between VLAN 1 and VLAN 3.
# Consider proto 'none' here so the AP only bridges guest traffic, and filter
# eth0.1 <-> eth0.3 on the upstream Linux router - confirm against your setup.
config interface 'lan_guest'
    option device 'br-lan.3'
    option proto 'dhcp'

/etc/config/wireless

# 2.4 GHz radio: automatic channel selection, 20 MHz HT channel width.
config wifi-device 'radio0'
    option type 'mac80211'
    option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
    option channel 'auto'
    option band '2g'
    option htmode 'HT20'
    option cell_density '0'
    option txpower '20'

# 5 GHz radio: automatic channel selection, 80 MHz VHT channel width.
config wifi-device 'radio1'
    option type 'mac80211'
    option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
    option channel 'auto'
    option band '5g'
    option htmode 'VHT80'
    option cell_density '0'
    option txpower '20'

# Each radio hosts two access points: SSID 'ap_g' attached to lan_guest and
# SSID 'ap' attached to lan_crib. VLAN membership follows from the network an
# access point is attached to, not from the radio it runs on.
#
# All four use WPA2-PSK with CCMP ('psk2+ccmp'). 'key' is empty in this listing,
# presumably blanked for posting; WPA2-PSK needs a passphrase of 8-63 characters,
# and the guest and main SSIDs should not share one.
# wpa_disable_eapol_key_retries '1' is the AP-side workaround for key
# reinstallation (KRACK) attacks against unpatched clients.

# Guest SSID on the 2.4 GHz radio.
# NOTE(review): no client isolation is set on the guest access points; consider
# option isolate '1' if guest stations should not reach each other.
config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'ap_g'
    option encryption 'psk2+ccmp'
    option disassoc_low_ack '0'
    option key ''
    option wpa_disable_eapol_key_retries '1'
    option network 'lan_guest'

# Guest SSID on the 5 GHz radio.
config wifi-iface 'wifinet1'
    option device 'radio1'
    option mode 'ap'
    option ssid 'ap_g'
    option encryption 'psk2+ccmp'
    option disassoc_low_ack '0'
    option key ''
    option wpa_disable_eapol_key_retries '1'
    option network 'lan_guest'

# Main SSID on the 2.4 GHz radio.
config wifi-iface 'wifinet2'
    option device 'radio0'
    option mode 'ap'
    option ssid 'ap'
    option encryption 'psk2+ccmp'
    option disassoc_low_ack '0'
    option key ''
    option wpa_disable_eapol_key_retries '1'
    option network 'lan_crib'

# Main SSID on the 5 GHz radio.
config wifi-iface 'wifinet3'
    option device 'radio1'
    option mode 'ap'
    option ssid 'ap'
    option encryption 'psk2+ccmp'
    option disassoc_low_ack '0'
    option key ''
    option wpa_disable_eapol_key_retries '1'
    option network 'lan_crib'

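This seemed to work; leaving it here in case someone hits the same issue.
Beware that this is a custom OpenWrt build with nothing but wpad, hostapd and luci on a kernel with busybox, so firewalling is not enabled. With no firewall on the AP, keeping the guest network away from the main LAN depends on the VLAN separation above and on filtering at the Linux router.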
