Trouble with vlans

Vlan on Belkin rt3200 23.05

Hi all. Finding myself stuck trying to tinker with vlans for the first time on openwrt 23.05.

I’ve done the following.

Created a new 2.4 ghz ssid/ wireless network

Created a new vlan under devices and attached it to the aforementioned wireless network

Created an interface and attached the wireless network to the interface. The interface is set up as static address protocol. I have dhcp configured with an ip address and netmask.

I setup firewall rules/zones to allow forwarding to the wan zone for internet.

I am able to connect my devices to this wireless network. They receive ip addresses and are able to access the internet. However they cannot ping one another. For the life of me I cannot figure out what I’m doing wrong. Am I conceptually on the correct track here or is my logic flawed? Do vlans need to be configured with bridges and physical ports or is it ok to simply attach it to the ssid I created? Wrote this up quick and can add more detail as requested. Thanks for your help. I’m a totally new user with little experience so appreciate the patience.

Is this your router/firewall or a dumb access point connected to a router/firewall? You need to be using DSA to define your VLANs.

See: https://youtu.be/qeuZqRqH-ug

So this is all on my main router. I only have 1 device. I took a look at his video yesterday. While I found it helpful, conceptually I’m still just not there. Can I create an ssid and then add a vlan to that ssid or do I need to base the vlan off of a physical port like eth0 lan1 etc?

Just use DSA on your br-lan bridge to create the VLANs.
Network>Interfaces>Devices>br-lan>configure>Bridge VLAN Filtering
Example:

  • three VLANs (10, 3, and 4)
  • lan1-4 are on vlan 10
  • lan5 is on vlan 3

You set up your interfaces on br-lan.10 (main in my case), br-lan.3 (guest) and br-lan.4 (iot).
Might be more useful if you post your /etc/config/network
For reference, here is one of mine corresponding to the above:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd99:97d2:a14e::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'lan5'
	option ipv6 '0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

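As an added example (not from this thread and not OpenWrt's own code), a small lint for the br-lan layout shown above: it parses UCI `config`/`option`/`list` lines, flags a port claimed as PVID (`*`) by more than one bridge-vlan (the "one VLAN per port" rule), and flags a bridge-vlan that has no interface bound to `br-lan.<vid>`. The embedded sample config is constructed to contain both mistakes.

```python
# Lint an OpenWrt UCI network config for bridge-VLAN mistakes (added example).
import re
from collections import defaultdict

# Constructed sample, not the thread's config: lan5 is PVID on VLAN 10 *and* 3,
# and the wifi-only VLAN 4 has no interface bound to br-lan.4.
SAMPLE = """
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan5:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan5:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '4'
config interface 'lan'
	option device 'br-lan.10'
config interface 'guest'
	option device 'br-lan.3'
"""

def parse_uci(text):
    """Return [(section_type, {key: [values]})] for UCI 'config/option/list' lines."""
    sections = []
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\S+)", line):
            sections.append((m.group(1), defaultdict(list)))
        elif m := re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line):
            sections[-1][1][m.group(1)].append(m.group(2))
    return sections

def lint_bridge_vlans(text):
    """Return findings; an empty list means the bridge-vlan layout is consistent."""
    sections = parse_uci(text)
    bound = {d for k, s in sections if k == "interface" for d in s["device"]}
    pvid, findings = defaultdict(list), []
    for _, s in [x for x in sections if x[0] == "bridge-vlan"]:
        dev = f"{s['device'][0]}.{s['vlan'][0]}"
        for port in s["ports"]:  # 'lan1:u*' -> t=tagged, u=untagged egress, *=PVID
            if "*" in port.partition(":")[2]:
                pvid[port.partition(":")[0]].append(s["vlan"][0])
        if dev not in bound:
            findings.append(f"no interface bound to {dev}; hosts on it get no gateway")
    findings += [f"{p}: PVID claimed by VLANs {v}, only one allowed" for p, v in pvid.items() if len(v) > 1]
    return findings
```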

I see, this is helpful, thanks for taking the time. So my approach and understanding was incorrect; it seems I have to create vlans under br-lan in devices and then I create one interface per vlan under the interfaces tab. How does this correlate with adding a new ssid for each vlan? If I were to plug a device into lan1 port and I had multiple vlans associated with lan1 which vlan would the device be connected to?

Once I create the vlans on br-lan and then create the interfaces I’m assuming I would create firewall zones per interface to manage the traffic between the vlans? Does it sound like I’m on the right track?

Yes, you got it.

No, only one VLAN per port as I showed.

Yes, I thought that video I linked covered that setup.


Actually you’re correct the video did cover that.

So generally speaking vlans are tied to physical ports so you can really only have as many vlans as you do ports. That is to say if I have 4 Ethernet ports on my device I can only support 4 vlans and each port should only support 1 vlan?

Vlans should be attached to the main br-lan device. Once you create a vlan you then create an interface for it. You can then manage traffic with firewall zones and attach wireless ssids to it as well.


I see that vlan 4 isn’t associated with any physical ports. Is that because iot devices are presumed to be wifi only and won’t be physically connected to the port via Ethernet?

Yep, no physical connection needed for that setup.

Thanks so to confirm my reasoning. Theoretically I can have an infinite number of wireless vlans because they do not consume physical ports?

Correct, you just need to define them in the DSA section (the rows).


Thanks for taking the time. This was extremely helpful. Much appreciated.


Actually, for a wifi only network, these are not required. If the network in question will use only a single radio, no bridge is necessary at all. But if that network uses two or more radios, a bridge is required... however, that bridge can be defined independently of br-lan and it doesn't need to be a bridge-vlan. Instead, it could look like this:

config device
	option name 'br-guest'
	option type 'bridge'
	option bridge_empty '1'

The guest network would then use br-guest instead of br-lan.3.

I also recommend removing all the 802.1q stanzas... they are not necessary and are actually created under the hood automatically by the bridge-vlan statements. So delete these:

And these are not necessary, either, and can be deleted:

Thanks @psherman. I will keep it as-is in case I move this to a dumb AP and use a more powerful router.

Thanks for the input @psherman. Would you mind walking me through setting up the wireless vlan without the br-lan? So if it’s only one radio, i.e. 2.4 ghz, I could create a vlan under devices and tie it to the ssid?

The recommendations apply regardless of how powerful the device is. The equation changes if you make this a dumb AP with VLANs in which case the bridge-vlans are necessary to connect the VLANs on ethernet with the wifi SSID.

A pedantic note on the technical term "VLAN" -- VLANs are only relevant on ethernet. Normal wifi doesn't have the concept of VLANs when on the airwaves, and VLANs are not required to set up an additional network that is only using wifi. That said, we do often use the term VLAN loosely, when really we mean additional subnets.

If you're only using a single radio, your network can look like this:

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

Then, in the wifi SSID configuration, you'll bind the SSID against the network guest.

If you want to be able to use 2 or more radios (or to have the flexibility to do so later), you'd do it like this:

config device
	option name 'br-guest'
	option type 'bridge'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

The wifi SSID network association would still be against the network guest.

Thanks, this is helping me resolve a lot of confusion. So the bridge would simply create a layer 2 data link connection between the 2 wifi networks, presumably 2.4 and 5 ghz. Since both would be part of the same interface, they would be part of the same subnet.

And moreover to your point, a vlan is terminology reserved for physical ports on the device.

Do I have this correct?

Correct. A bridge is a software equivalent of a normal unmanaged switch. It is an L2 device.

Wifi radios are often considered physical interfaces, so let's clarify ethernet vs wifi. 802.1q (VLANs) apply to ethernet connections only and not normal wifi.

For completeness, there are special case wireless connections that actually can carry VLANs, but those are not 'normal' wifi. They are special point-to-point or point-to-multipoint links that can use the same radios but entirely different protocol details so your phone or laptop cannot connect.

Gotcha. This was really helpful. Thanks for taking the time. Out of curiosity do you do this professionally? I just recently started to learn some networking and this whole experience has me feeling totally incompetent. Thanks again

I forgot to ask. Are there any security tradeoffs between vlan and just separate wifi networks?