Tagging of VLAN interfaces questions

My questions are about the bold topics on the configuration below.

  • Is setting the pvid necessary on the wan port of the router so that wan traffic goes only to the modem (through the switch)?
  • When configuring the other bold points: since the lan signal that is coming from the switch is tagged on the router port, should I use a bridge to join the other router interfaces and untag them, so that they use pvid 1 when connecting to the vlan1 through the router?

I have the following configuration:

SWITCH:
Port 5 on switch getting signal from modem (untagged vlan2)
Port 2 on switch sending wan signal to router (tagged vlan2)
Port 2 on switch getting lan signal from router (tagged vlan1)
Ports 1, 3, and 4 on switch connected to LAN devices (untagged vlan1)

ROUTER:
WAN port on router used for wan (tagged vlan2) (untagged pvid is 2 for outgoing packets)
WAN port on router used for lan (switch) (tagged vlan1)
LAN ports on router to LAN devices
TUN on router for VPN
WLAN0/1 on router for wireless devices

Must be untagged vlan2, unless the modem expects vlan encapsulation.

For the Openwrt router better post the configuration in /etc/config/network and wireless.
Usually wan port is not part of the switch that lan ports are, so creating a dot1q subinterface is enough to tag vlans and terminate.
If the router has LAN ports it may not make sense to do what you are doing with using WAN port for both WAN and LAN.

Yeah, that was a typo, I corrected it, thanks.

Do you mean I can use the pvid of the wan port to set pvid 1 to signal coming from all the other LAN interfaces, and all packets that must go to the modem will be automatically tagged?

I don't think I get your last point, I'm kind of a newbie in qVLAN.

EDIT: I'll post /etc/config/network here in a moment

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd54:fc8f:6fae::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns '8.8.8.8 8.8.4.4'
	option ipaddr '192.168.0.1'
	option gateway '192.168.0.1'
	option ifname 'eth0.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option auto '0'

config 'switch' 'eth0'
	option 'reset' '1'
	option 'enable_vlan' '1'

config 'switch_vlan' 'eth0_1'
	option 'device' 'eth0'
	option 'vlan' '1'
	option 'ports' '0t'

config 'switch_vlan' 'eth0_2'
	option 'device' 'eth0'
	option 'vlan' '2'
	option 'ports' '0t'

config 'switch_port'
	option 'device' 'eth0.2'
	option 'port' '0'
	option 'pvid' '2'

/etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option country 'BR'
	option legacy_rates '1'
	option channel 'auto'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option key '******************'
	option ssid '******************'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca956x_wmac'
	option htmode 'HT20'
	option legacy_rates '1'
	option channel 'auto'
	option country 'BR'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid '*******************'
	option encryption 'psk2+ccmp'
	option key '*******************'
	option network 'lan'

When you say switch, is that the router's internal switch, or a separate managed switch box?

When you use an external managed switch you should set the port and switch on the router to send all the VLANs (that you want) tagged over the cable to the switch (this mode of operation is called a trunk cable), and nothing untagged. The switch will be configured to separate the VLANs out and remove tags before sending to ordinary devices that don't understand tags.

It's a separate switch. The trunk is tagged, what I wanted to know was if I should set all the lan interfaces on the router as untagged and set the pvid to 1, so that everything that enters the trunk is tagged (by using a bridge or something else).

You don't need to set pvid for a port that is already completely untagged. Just set them as untagged in VLAN 1, which is the default configuration. All that you're changing is setting up the 'WAN' port to be the trunk to the other switch, by changing it from untagged in 2 to tagged in both 1 and 2.

If the destination MAC is something attached to the other switch, they will automatically get tagged 1 and sent over the trunk cable. This is done in the switch hardware so it is very fast.

It looks like you have only one wired interface on the router. Can you confirm it? Which model is it?
The pvid must match the vlan on the switch.
In your case here I see that you tag only vlan2 and vlan1 goes untagged from the router. So you might want to adjust that on the switch.

I have two, but I only configured 1 (the wan one) with the trunk to test it, since I didn't know how I should proceed with integrating the other lan interfaces (wired, wireless, and vpn tunnel).
I don't have anything connecting to vlan1 except for the router itself; this is exactly what I want to know: how do I tag everything lan on the router with vlan1?
The model is an Archer C25 V1

This has 5 ethernet ports. 1 must be wan and the other 4 are lan. So there is no reason to pass LAN and WAN through a trunk port.

I'll say what you said again to see if I understood you correctly:
eth0.1 and eth0.2 are tagged. Since WAN traffic that is to go to the modem is originated on the router itself, I don't need to tag it, and it will already be tagged with vlan2. The traffic related to lan (wlan0/1, tun0, eth1, eth0.1) doesn't need to be tagged because the default behavior for untagged traffic is to use vlan1.

Is that correct?

I know that, I need this because the modem is in a different room, and I only have one cable going through the wall. I can't add another cable, and I need the router where it is because of the wifi, and I don't want to buy another router/AP if possible. Also, all the connections originate where the modem is, so I need to get the signal back to that room where the switch is to distribute it to the rest of the house.

Reset to default configuration.

You should have something like:
VLAN1
ports '0t 1 2 3 4'

VLAN 2
ports '0t 5'

Here port 0 is the CPU, it is always tagged, so you have eth0.1 attached to the logical lan and eth0.2 attached to the logical wan.

Ports 1 2 3 and 4 are the LAN ports they are untagged.
Port 5 is the WAN port it goes in / out on the cable untagged, but since it is in VLAN 2 as soon as a packet comes in it gets a tag of 2 and goes through the switch fabric ending up at eth0.2

What you want to do is edit so that there is a '5t' in both VLANs, so that tagged packets both 1 and 2 go out on the cable plugged into the WAN port. The switch in the other room is configured to expect that, and do the same thing in reverse.

That is all that needs to be done. You are just changing the operation of that one port.

This may be easier to understand on the LuCI switch configuration page.

1 Like
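
A check for the change described in the post above, as an added example that is not part of the original thread: it parses `switch_vlan` sections and reports when the trunk port is missing from, or untagged in, a VLAN that must cross the single cable, or when any port is untagged in more than one VLAN (which would merge WAN and LAN). The switch name `switch0`, port 5 as the WAN jack and the helper names are assumptions; only bare port numbers and the `t` suffix are handled.

```python
from collections import defaultdict

# Constructed samples. Port 5 as the WAN jack follows the default layout quoted
# in the post above; 'switch0' is an assumed switch name.
DEFAULT = """
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4'
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
"""
TRUNKED = DEFAULT.replace("'0t 1 2 3 4'", "'0t 1 2 3 4 5t'").replace("'0t 5'", "'0t 5t'")

def parse_switch_vlans(text):
    """Return {vlan_id: {port: is_tagged}} from UCI switch_vlan sections."""
    vlans, in_vlan, vid, ports = {}, False, None, None
    for line in text.splitlines() + ["config end"]:  # sentinel flushes last section
        words = [w.strip("'\"") for w in line.split()]
        if len(words) < 2:
            continue
        if words[0] == "config":
            if in_vlan and vid is not None and ports is not None:
                vlans[vid] = {int(p.rstrip("t")): p.endswith("t") for p in ports}
            in_vlan, vid, ports = words[1] == "switch_vlan", None, None
        elif in_vlan and words[0] == "option" and len(words) > 2:
            if words[1] == "vlan":
                vid = int(words[2])
            elif words[1] == "ports":
                ports = words[2:]
    return vlans

def check_trunk(vlans, trunk_port, expected_vlans):
    """List problems that would mix or drop VLANs on the single trunk cable."""
    problems, untagged_in = [], defaultdict(list)
    for vid, ports in vlans.items():
        for port, tagged in ports.items():
            if not tagged:
                untagged_in[port].append(vid)
    for port, vids in sorted(untagged_in.items()):
        if len(vids) > 1:  # untagged frames cannot belong to two VLANs
            problems.append(f"port {port} untagged in VLANs {sorted(vids)}")
    for vid in expected_vlans:
        state = vlans.get(vid, {}).get(trunk_port)
        if state is None:
            problems.append(f"trunk port {trunk_port} not in VLAN {vid}")
        elif not state:
            problems.append(f"trunk port {trunk_port} untagged in VLAN {vid}")
    return problems
```

Run `check_trunk(parse_switch_vlans(text), 5, [1, 2])` against a copy of `/etc/config/network`, substituting the port number that LuCI shows for the WAN jack on the actual device.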

There were no VLANs set up in the default configuration.

Good to know port 0 is for the CPU.

This router has eth0 for WAN with only 1 port, so the number should be 1 instead of 0, correct? Or is it 5 as you mentioned?
It has eth1 for LAN (4 ports untagged, so the numbering should go from 1 to 4, correct?)
If I bridge eth0 and eth1 together, do I get the numbering scheme you provided?

EDIT: I didn't have the switch configuration in LuCI, but it is there now, don't know how it appeared or why, but looks easier, that doesn't change the questions though.

That type of router has two CPU ports, and a switch chip with 7 ports. Five of the ports are the external Ethernet jacks, and two of them, usually 0 and 6, are internal connections from the switch chip to the CPU chip. This is very common on Atheros gigabit models. But the exact port numbers can vary from model to model.

Since everything goes through the switch "fabric" or "jungle" which can switch any port to any other port, based on VLAN numbers, VLAN tagging is still used inside the switch, but in the default configuration the CPU ports as well as all the Ethernet ports are untagged. Since there are two CPU ports and two VLANs it is possible to dedicate one CPU port to each VLAN.

So the principle is the same, you need to set one of the external ports to tagged in both VLANs.

If you wanted to set up more than two VLANs you would have to start tagging one or both CPU ports. But that's not the case for you yet.

1 Like

Oh now things are starting to make a lot of sense. So eth0/1 are just virtual interfaces to the internal switch? How do I configure the switch as a whole, without it providing both eth0 and eth1?

EDIT: Oh, you already answered that, right? LuCI switch page...

eth0 and eth1 are CPU ports. They are on the CPU chip. They feed into ports 0 and 6 on the switch chip. You don't have to change anything with them as long as you only have two VLANs.

Yes on the LuCI switch page just be sure which port is the WAN (usually 1 or 5)-- this can be done by plugging in a cable to see which status changes to connected. Change its role in the two VLANs from "off", "untagged" to "tagged", "tagged".

I made another switch in the configuration using eth1, and I am clueless as to what to do now, it looks like I can set up everything on the eth0 switch, on the eth0 CPU, but adding the other switch also seems to use eth0 for cpu, and seems to be better recognized as a switch.

This confused me, which eth do I need to set up the switch in the configurations? Sorry, but I never messed with OWRT or vlans before.

What does the LuCI switch page and /etc/config/network look like under a default configuration?

You do not need to add another switch. There is only one switch chip in the router. Unless they are doing something strange like using an internal CPU / SOC switch as well as an additional gigabit switch chip.

Edit: ok wikidevi says this is a 10/100 model using the internal switch on the SOC.
If that has two CPU ports one of them is wired directly to the "WAN" Ethernet plug with no switch.

I know I didn't need to, I just did to test it out, since I didn't know if I should use eth0 or eth1. I'll test the default in a moment, but using the reset button changes nothing, is there a way to revert this to default without resetting the whole router configuration?
EDIT: How does your edit change things? Do I use eth0 or eth1 if I want to use the WAN port for vlan?