Tagging multiple vlans on physical AP ports

Hello,

I am running the latest build OpenWrt 23.05.5 r24106 on an Archer C7 v2. I have vlans configured in my environment and I am wanting to utilize the 4 ports on the back of the C7. I do not have an issue if I mark a port as untagged for a specific vlan, but if I want to use that same port and tag multiple vlans, it does not work.

Can you show the picture and/or cat /etc/config/network ?

You cannot have tagged+untagged on system ports, but it works fine on external ports (checked on c7v5)

I understand that I cannot have untagged and tagged on the same port. What is happening is if I tag multiple vlans for that port, I lose connectivity. I am not being given an IP address from the dhcp server. If I change that port back to untagged for any given vlan, it works fine.

root@AP1:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8f:cd02:5aea::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 5'
        option vid '1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t'
        option vid '2'

config interface 'Admin'
        option proto 'dhcp'
        option device 'eth1.10'
        option ipaddr '10.0.0.80'
        option delegate '0'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2 4t 1t'
        option vid '10'
        option description 'Admin'

config zone
        option name 'lan'
        list network 'lan'
        list network 'Admin'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '20'
        option description 'User'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '30'
        option ports '0t 1t'
        option description 'User_Wifi'

config switch_vlan
        option device 'switch0'
        option vlan '7'
        option vid '80'
        option ports '0t 3 1t'
        option description 'IOT'

config switch_vlan
        option device 'switch0'
        option vlan '8'
        option vid '192'
        option description 'Guest'

config interface 'GUEST'
        option proto 'static'
        option device 'br-GUEST'
        option auto '0'

config interface 'IOT'
        option proto 'static'
        option device 'br-IOT'

config interface 'USER'
        option proto 'static'
        option device 'br-USER'
        option auto '0'

config interface 'USER_WIFI'
        option proto 'static'
        option device 'br-USER_WIFI'

config device
        option type 'bridge'
        option name 'br-GUEST'
        list ports 'eth1.192'

config device
        option type 'bridge'
        option name 'br-IOT'
        list ports 'eth1.80'

config device
        option type 'bridge'
        option name 'br-USER'
        list ports 'eth1.20'

config device
        option type 'bridge'
        option name 'br-USER_WIFI'
        list ports 'eth1.30'

config switch_vlan
        option device 'switch0'
        option vlan '9'
        option ports '0t 4t 1t'
        option vid '90'
        option description 'LAB'

root@AP1:~#

Your client will not magically jump to tagged vlan

1 Like

This does not belong in this file.

Not sure if you understand what is happening.

The C7 has 4 ports in the back that I can use. Just as an example and not based off my current configuration, port 1 plugs into a laptop that is for the Admin network on 192.168.1.0/24 which is vlan 1. That port is marked as untagged on vlan 1.

That laptop easily gets an IP address from the dhcp server (pfsense)

Let's say I am implementing an IOT network that will run on vlan 2 (192.168.2.0/24)

If I decide I want port 1 to serve both vlan 1 and 2, I mark that port as being tagged on vlan 1 and vlan 2.

If I again connect the laptop to port 1, I am no longer getting an IP address from the DHCP server. Even though vlan 1 is tagged.


(some hints, from another thread, maybe useful)

Simple rules:

  • T means VLAN is tagged on the wire

  • u* (in OpenWrt) or UP (in a network switch) means untagged on the wire.

  • If you Tag a VLAN on a port in OpenWRT, then cable that port to a switch, you should also Tag the VLAN on the switch port. And vice versa.

  • Local in OpenWRT means create a virtual device to access the VLAN.

    • You can create an Interface in OpenWRT on top of this virtual device.
    • You can select that Interface in wifi_xx -> Network. This will bridge the wifi network with the underlying virtual device for that Interface.
    • You can assign an IP address and subnet mask on that Interface. OpenWrt will then be able to act as a router in the VLAN.
    • Devices in the VLAN can (but don't have to) use that IP address as their gateway. If they do, you have what many call a "routed" rather than a "dumb ap" or "bridged" setup on the OpenWrt AP.
    • Once OpenWrt has an IP in the VLAN, you can also configure it to be a DHCP and/or DNS server there.
  • UP in switch also means making a physical port where you can attach a device which is not configured for VLANs into the VLAN (since frames are untagged on wire), for example a laptop.

  • Attaching a device such as a laptop into the VLAN can be useful to ping something on the other end / far side of the VLAN.

  • You can also test DHCP services in the VLAN with this method. Alternatively, you can just set a static IP on the attached device while testing.

  • Often it's a good idea to be connected to the management interface GUI / CLI via another VLAN than the one you are creating or modifying.

1 Like
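
An added example, not part of any post in this thread: a small Python check that reads the `switch_vlan` sections of an OpenWrt network config and labels each external port as access (untagged only), trunk-only (tagged only, so frames on the wire carry 802.1Q tags and the attached device must be VLAN-aware), hybrid, or conflict. The sample reuses `ports`/`vid` lines from the config posted above; the function names and the treatment of ports 0 and 6 as CPU ports are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: ports/vid lines from the config posted in the thread.
SAMPLE = """\
config switch_vlan
        option ports '0t 2 4t 1t'
        option vid '10'
config switch_vlan
        option vid '30'
        option ports '0t 1t'
config switch_vlan
        option vid '80'
        option ports '0t 3 1t'
config switch_vlan
        option ports '0t 4t 1t'
        option vid '90'
"""

def port_membership(uci_text):
    """Return {port: {'tagged': [vids], 'untagged': [vids]}}."""
    ports = defaultdict(lambda: {"tagged": [], "untagged": []})
    for section in re.split(r"^config\s+", uci_text, flags=re.M):
        if not section.startswith("switch_vlan"):
            continue
        opts = dict(re.findall(r"option\s+(\w+)\s+'([^']*)'", section))
        vid = opts.get("vid") or opts.get("vlan")  # vid falls back to vlan
        if vid is None:
            continue
        for tok in opts.get("ports", "").split():
            kind = "tagged" if tok.endswith("t") else "untagged"
            ports[int(tok.rstrip("tu*"))][kind].append(int(vid))
    return dict(ports)

def classify_ports(uci_text, cpu_ports=(0, 6)):
    """Label each external port; cpu_ports is an assumption for this switch."""
    labels = {}
    for port, m in sorted(port_membership(uci_text).items()):
        if port in cpu_ports:
            continue
        if len(m["untagged"]) > 1:
            labels[port] = "conflict"    # two untagged VLANs on one port
        elif m["tagged"] and m["untagged"]:
            labels[port] = "hybrid"      # tagged and untagged together
        elif m["tagged"]:
            labels[port] = "trunk-only"  # attached device must tag frames
        else:
            labels[port] = "access"      # plain client lands in one VLAN
    return labels
```

Calling `classify_ports` on the text of `/etc/config/network` gives a per-port view of which VLANs, including a management VLAN, are exposed on each physical port.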

Did you configure your laptop to deal with the VLAN

3 Likes

Or wifi or serial connection while eth ports flop around...

Yes, as indicated in my post. It works fine until I try tagging multiple vlans on that port.

Did you read hint #3 ?

Yes.

So, the Openwrt device connects to a managed switch via the WAN port. All the VLANs I need to serve are tagged on both ends. It works fine with WIFI and a single device physically connected. But I want multiple VLANs tagged on those physical ports.

Here is what I have done to test further.

I have set vlan 2 as untagged on port 3 and attached a device to it. I am able to get an IP within the appropriate range for this vlan.

Next, I removed the untagging for vlan 2 on port 3 and set vlan 1 as untagged. If I connect a device to it, again, I get an IP address that is appropriate for this vlan.

However, if I set vlan 1 and vlan 2 as tagged on port 3 and plug either of those devices into that port, I do not get any IP addresses.

And also tagged in the managed switch that sits between those two ends? (ie. hint #3)

Yes. That is what I just said. Switch port 16 connects to the OpenWRT device on the WAN port. On both of these ends, vlans 1 and 2 are tagged.

What is in the other end then?

OpenWRT ------- VID 1, 2 tagged ------------ [16] Switch [?] ------------- ?

A pfsense box.

The openwrt device also provides wifi on vlan 2. This works fine.

The laptop plugged into the port 3 on vlan 1 works fine.

It just doesn't do anything when I have two vlans tagged on port 3 or any of those ports for that matter.

Starting here… do you have multiple networks configured on the pfsense box already? Are they all assigned VLANs on a single trunked Ethernet port?

Did you say there is a managed switch connected between the pfsense box and your openwrt ap?

Have you verified that the switch is properly configured and used that to verify that all the VLANs are working properly??

Yes to all of these.

As mentioned previously, everything works as intended except when I attempt to tag multiple vlans on the physical ports on the back of the Archer c7.

Here is what I have done to test further.

I have set vlan 2 as untagged on port 3 and attached a device to it. I am able to get an IP within the appropriate range for this vlan.

Next, I removed the untagging for vlan 2 on port 3 and set vlan 1 as untagged. If I connect a device to it, again, I get an IP address that is appropriate for this vlan.

However, if I set vlan 1 and vlan 2 as tagged on port 3 and plug either of those devices into that port, I do not get any IP addresses.

Ok. Thanks. You have a switch connected between the router and the ap. On the port that connects to the ap:

  • what is the status of each vlan? Are they all tagged or is one untagged?
  • What vlan ids are being used?
  • what port on the ap is used for the uplink?
  • Which network is used for managing the ap? And does the ap get a dhcp supplied ip or do you want it to be static? If static, what address do you want it to use?
  • Please post the current network config file.

When you say router and AP what are you referring to? Just so that we are on the same page.