Tagging multiple vlans on physical AP ports

Router is pfsense, AP is openwrt.

This is my configuration:

Pfsense -> managed cisco switch -> AP (openwrt)

pfsense connects to the managed switch on port GE1. Vlans 1 and 2 are tagged on this port.

AP (openwrt) connects via the WAN port to GE16 on the managed switch.

Within openwrt, under Network -> Switch, I have those Vlans tagged on the WAN and CPU. These vlans are also tagged on GE16.

I am using the 10.0.0.0/24 network for Administration. This is a static address and it is supplied by pfsense.

root@AP1:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8f:cd02:5aea::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 5'
        option vid '1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t'
        option vid '2'

config interface 'Admin'
        option proto 'dhcp'
        option device 'eth1.10'
        option ipaddr '10.0.0.80'
        option delegate '0'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2 4 1t'
        option vid '10'
        option description 'Admin'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '20'
        option description 'User'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '30'
        option ports '0t 1t'
        option description 'User_Wifi'

config switch_vlan
        option device 'switch0'
        option vlan '7'
        option vid '80'
        option ports '0t 3 1t'
        option description 'IOT'

config switch_vlan
        option device 'switch0'
        option vlan '8'
        option vid '192'
        option description 'Guest'

config interface 'GUEST'
        option proto 'static'
        option device 'br-GUEST'
        option auto '0'

config interface 'IOT'
        option proto 'static'
        option device 'br-IOT'

config interface 'USER'
        option proto 'static'
        option device 'br-USER'
        option auto '0'

config interface 'USER_WIFI'
        option proto 'static'
        option device 'br-USER_WIFI'

config device
        option type 'bridge'
        option name 'br-GUEST'
        list ports 'eth1.192'

config device
        option type 'bridge'
        option name 'br-IOT'
        list ports 'eth1.80'

config device
        option type 'bridge'
        option name 'br-USER'
        list ports 'eth1.20'

config device
        option type 'bridge'
        option name 'br-USER_WIFI'
        list ports 'eth1.30'

config switch_vlan
        option device 'switch0'
        option vlan '9'
        option ports '0t 1t'
        option vid '90'
        option description 'LAB'

config device
        option type 'bridge'
        option name 'br-LAB'
        list ports 'eth1.90'

config interface 'LAB'
        option proto 'static'
        option device 'br-LAB'

Dunno, I don't have experience with this device, so there's 2 x CPU ports, 0 and 6.

Maybe 0t should be 6t, but I doubt it. I'm probably just talking nonsense, and I assume if it works untagged then the appropriate CPU port has been configured correctly.

What about VLAN 10? You seem to be using VLAN 10 on your AP, but if it’s not on the switch and the pfsense router, it won’t work properly.

Please confirm that by this you mean you have a DHCP reservation/static map (or whatever pfsense calls it) so that your AP uses DHCP to obtain the address. Is that correct?

Are VLANs 1 and 2 tagged here? What about VLAN 10?

I am using vlan 1 and vlan 2 as examples.

Vlan 1 is vlan 10 and vlan 2 is vlan 90

Yes, this is correct

Please don’t use ‘examples’ — provide the real values. Otherwise, we’ll end up with problems. These values don’t affect your security — they’re not sensitive or private information.

So let's start over:

  • What VLAN IDs are being used?
  • What is each VLAN for (admin, lan, guest, etc.)?
  • Are they all tagged on port 16 of the switch?

That sounds so strange to me. You are running OpenWrt 23.05.5 on a Qualcomm platform, and that means DSA switching.

In other words, one hits "Configure" button on the "br-lan" device on the Network -> Interfaces -> [Devices] screen. Then in the [Bridge VLAN filtering] tab, you pop in your VLAN IDs.

Finally, if one wants a virtual interface in a particular VLAN, one ticks the "Local" checkbox (see also hints above).

The days are long gone when there was a "CPU" column in LuCI's interface for VLANs. That was way back in the swconfig days, and you are running 23.05.5 on a DSA supported platform.

I can't even find the "Network -> Switch" screen you are talking about in my own 23.05.5 installation.

My apologies for the use of examples.

I am using 5 vlans currently.

vlan 10 - Admin
vlan 30 - User (wifi)
vlan 60 - work
vlan 80 - IOT
vlan 90 - Lab

These are all tagged GE1 which connects pfsense to the managed switch.

Vlans 10, 30, 80 and 90 are tagged on the WAN and CPU port of Openwrt. I am not using vlan 60 here.

GE16 connects the managed switch to openwrt and vlans 10, 30, 80, and 90 are tagged here.

The c7 is ath79. It is not DSA.

No, bridge VLANs will not work here. The device is swconfig.

Still there on this platform.


The Archer C7 doesn't use DSA, it's an ath79 device.

Ok… please reset your C7 to defaults and then post the network config file. We’ll be best starting from scratch.

Aren't there any other steps to try before resetting things? This is a functional device that is supplying network access for at least a dozen devices. Can't really afford to start all over.

Thanks!

(And apologies for the confusion.)

It will be faster and easier to setup from scratch than it will be to fix the existing problems.

Makes perfect sense.

Yes, VLAN 10 does look tagged on both CPU and swconfig port 1.

(I'm new to swconfig; how does it work? Is port 1 in the above config also "1" on the router front panel, or is it "5" on the front panel? If anyone knows.)

Same, looks good.

This software bridge is maybe slightly pointless, since it has just two ports:

  • host virtual interface "br-LAN"
  • virtual interface into VLAN 90

But shouldn't be a problem.

Now there is an IP interface on the br-LAB host interface.

Might it help to actually give this interface an IP address, so one can ping it from pfsense for test purposes?

Now there is also an IP interface on the vlan interface into vlan 10.

It has a static IP address, but I don't see a subnet mask. Is it supposed to be a /32 ?

Question #2, how come this interface has both "proto dhcp" and a static IP ?

To be clear, bridges are necessary, but not bridge-VLANs.

You’ll see how it comes together when I see the default config and then make recommendations from there.

Just to be sure and to test, I'd change just one of those '0t' to '6t' and see what happens.

E.g. for this 'LAB' vlan,
change

option ports '0t 1t'

to

option ports '6t 1t'

Reboot, then hook up a device to port 1, make sure it is set to test traffic on vlan 90, and see what happens. Should be safe enough to test and won't brick or block your way back in.
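The 0t/6t question above, and the earlier questions about the Admin interface (proto dhcp plus a static ipaddr) and the static interfaces with no address, are all things that can be checked before rebooting anything. What follows is an added example, not code from the thread or from OpenWrt: a small sh/awk lint over a swconfig-era /etc/config/network. It assumes that each tagged CPU port (0t, 6t) is wired to one eth device, as in the posted config where vid 1 on 0t is consumed as eth1.1 and vid 2 on 6t as eth0.2, so VLANs tagged on the same CPU port must be consumed through the same ethN. The embedded sample is a constructed, trimmed copy of the posted stanzas plus two invented ones (vid 40 with no CPU port, and an interface on eth0.50 whose vid 50 is tagged on 0t) to exercise every check.

```shell
#!/bin/sh
# Added example, not from the thread: lint a swconfig-era OpenWrt
# /etc/config/network (read on stdin) for VLANs with no ports, VLANs with no
# tagged CPU port, a CPU port consumed through two different ethN devices,
# proto dhcp combined with ipaddr, and proto static without an ipaddr.
lint_network_config() {
    # UCI values are single-quoted, so the quote works as field separator:
    # $1 holds e.g. "        option ports " and $2 holds the value.
    awk -F"'" '
    function report(msg) { print msg; nfound++ }
    function flush(n, p, i, cpu) {
        if (sect == "switch_vlan") {
            order[++nv] = vid
            if (ports == "")
                report("vid " vid ": no ports assigned, the VLAN carries nothing")
            else {
                n = split(ports, p, " "); cpu = ""
                for (i = 1; i <= n; i++)
                    if (p[i] == "0t" || p[i] == "6t") cpu = p[i]
                if (cpu == "")
                    report("vid " vid ": no tagged CPU port (0t or 6t), the CPU never sees it")
                else
                    cpuport[vid] = cpu
            }
        } else if (sect == "interface") {
            if (proto == "dhcp" && ipaddr != "")
                report("interface " name ": proto dhcp with ipaddr, ipaddr only applies to proto static")
            if (proto == "static" && ipaddr == "")
                report("interface " name ": proto static but no ipaddr, nothing to ping for testing")
        }
        sect = ""; name = ""; vid = ""; ports = ""; proto = ""; ipaddr = ""
    }
    {
        split($1, k, " ")
        if (k[1] == "config") { flush(); sect = k[2]; name = $2 }
        else if (sect == "switch_vlan" && k[2] == "vid") vid = $2
        else if (sect == "switch_vlan" && k[2] == "ports") ports = $2
        else if (sect == "interface" && k[2] == "proto") proto = $2
        else if (sect == "interface" && k[2] == "ipaddr") ipaddr = $2
        # an ethN.VID consumer (interface device or bridge port) ties a VID to an eth device
        if ((k[2] == "device" || k[2] == "ports") && $2 ~ /^eth[0-9]+\.[0-9]+$/) {
            split($2, d, "."); ethfor[d[2]] = d[1]
        }
    }
    END {
        flush()
        for (i = 1; i <= nv; i++) {   # file order keeps the output deterministic
            v = order[i]
            if (!(v in cpuport) || !(v in ethfor)) continue
            c = cpuport[v]
            if (!(c in ethof)) { ethof[c] = ethfor[v]; firstvid[c] = v }
            else if (ethof[c] != ethfor[v])
                report("vid " v ": tagged on " c " but consumed as " ethfor[v] "." v ", while " c " feeds " ethof[c] " (vid " firstvid[c] ")")
        }
        if (nfound == 0) print "OK: no findings"
    }'
}
sample_config() {
    # Constructed sample: stanzas trimmed from the file posted above (switch0
    # device lines dropped), plus an invented vid 40 with no CPU port and an
    # invented interface on eth0.50 whose vid 50 is tagged on 0t.
    cat <<'EOF'
config interface 'Admin'
        option proto 'dhcp'
        option device 'eth1.10'
        option ipaddr '10.0.0.80'
config switch_vlan
        option ports '0t 2 4 1t'
        option vid '10'
config switch_vlan
        option vid '20'
config interface 'LAB'
        option proto 'static'
        option device 'br-LAB'
config device
        option name 'br-LAB'
        list ports 'eth1.90'
config switch_vlan
        option ports '0t 1t'
        option vid '90'
config switch_vlan
        option ports '2 3'
        option vid '40'
config interface 'test'
        option proto 'dhcp'
        option device 'eth0.50'
config switch_vlan
        option ports '0t 1t'
        option vid '50'
EOF
}
lint_sample() { sample_config | lint_network_config; }
case ${1:-} in
    '') lint_sample ;;                  # no argument: lint the constructed sample
    *)  lint_network_config < "$1" ;;   # e.g. sh lint-swconfig.sh /etc/config/network
esac
```

Run it with no argument to lint the sample, or point it at the real file on the AP; it only reads and reports, so it is safe on a live device and is kept within POSIX awk so it can run on the AP itself. On the sample it flags the Admin interface (dhcp plus ipaddr), vid 20 (no ports), the LAB interface (static with no address), vid 40 (no CPU port) and vid 50 (tagged on 0t like vid 10, but consumed as eth0.50 instead of eth1).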

Your laptop is not configured to connect to a vlan.
Either move the laptop to a port that has no tagged vlans or set up your laptop to use tagged vlans.

This is expected behavior. You are confused because you are expecting your laptop to get served IP addresses from both vlans 1 and 2 after tagging both on the single port on the back of your C7, but your laptop Ethernet port is not configured correctly to be able to read the 802.1q frames coming out of that C7 port.

Not all Windows NIC drivers support VLAN tagging on their Ethernet ports, and if they do, they usually only support tagging for no more than 1 vlan, so if your laptop is running Windows you're out of luck on this one, i.e. you will never get 2 DHCP IP addresses on vlans 1 and 2. If you happen to be using Linux you're in luck and just need to configure the NIC on your laptop correctly and also enable the 8021q module on boot.

With regards to other comments: you can configure tagged + untagged on the same port. However, that just doesn't mean your laptop will be able to read the tagged frame if it is not properly configured. Your laptop is able to read the untagged frame because essentially untagged frames are non-8021q by default.
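The Linux side of the last reply, as an added example that is not part of the thread: a small sh script that creates 802.1Q sub-interfaces with ip(8) so the laptop can read tagged frames from a trunk port, requests a DHCP lease on each VLAN, emits the modules-load.d file that loads 8021q at boot on systemd distributions, and shows arriving tagged frames with tcpdump so you can confirm the port is really delivering the tags before blaming the NIC. The parent interface name eth0, the VLAN IDs 10 and 90, and dhclient as the DHCP client are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: put a Linux laptop on tagged VLANs.
# Parent "eth0", VIDs 10/90 and dhclient are assumptions for illustration.

# Print the ip(8) commands that create and bring up one VLAN sub-interface.
# Prints nothing and returns 1 for an invalid VLAN ID (802.1Q allows 1-4094).
vlan_cmds() {
    parent=$1
    vid=$2
    case $vid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || return 1
    printf '%s\n' \
        "ip link add link $parent name $parent.$vid type vlan id $vid" \
        "ip link set dev $parent.$vid up"
}

# Contents for /etc/modules-load.d/8021q.conf so the VLAN module is loaded
# at boot on systemd distributions, before any vlan link is created.
modules_load_conf() {
    printf '%s\n' "# load 802.1Q VLAN support at boot" "8021q"
}

# Create the sub-interfaces and request a lease on each (needs root). A lease
# on every VLAN proves the trunk port delivers those tags to the laptop.
apply_vlans() {
    parent=$1; shift
    modprobe 8021q || return 1
    for vid in "$@"; do
        vlan_cmds "$parent" "$vid" | while read -r cmd; do $cmd || exit 1; done || return 1
        dhclient "$parent.$vid"   # assumption: ISC dhclient; use your distro's client
    done
}

# Quick check that tagged frames arrive at all: print a few 802.1Q frames on
# the parent interface together with their VLAN IDs (needs root).
show_tagged_frames() {
    tcpdump -e -nn -i "$1" -c 5 vlan
}

case ${1:-} in
    show)  shift; parent=$1; shift; for vid in "$@"; do vlan_cmds "$parent" "$vid"; done ;;
    apply) shift; apply_vlans "$@" ;;          # e.g. sh vlan-laptop.sh apply eth0 10 90
    sniff) shift; show_tagged_frames "$1" ;;   # e.g. sh vlan-laptop.sh sniff eth0
esac
```

`show eth0 10 90` prints the commands without touching anything; `apply` runs them and asks for a lease on each sub-interface; write the output of `modules_load_conf` to /etc/modules-load.d/8021q.conf to make the module load persistent. If `sniff` shows no frames with a vlan tag, the switch port is not trunking those VLANs and no laptop configuration will help.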
