Trunked VLAN doesn't seem to make it to router

Good day OpenWRT folks,

I am attempting to set up a Guest VLAN on my edge router so that I can have a Guest WLAN for visitors in a few weeks. At the moment I'm just trying to get VLAN 20 up and running on the router.

I've created eth0.20, added it to the guest zone, enabled DHCP on the interface, and used the switch config to mark 20 as "tagged" on the CPU and port connected to the rest of the network. I've set up two Linux boxes on the wired network and created 8021q VLAN interfaces on those machines. They can ping each other happily on VLAN 20, however there is no response trying to ping .1 (which is the static address of the router). Maybe this is a firewall setting I'm missing? Presently I have things pretty open there to just try and get connectivity. I'm open to any suggestions!

I will note that Guest is presently not a bridge while LAN is. I'm not sure if Guest needs to be a bridge, but when I flip that option on in LuCI, I lose the WAN connection. So I'm assuming that should be off?

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXX'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns '10.0.1.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'XXX'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	option dns '127.0.0.1'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'XXX'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option peerdns '0'
	option dns '0::1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'Guest'
	option proto 'static'
	option ifname 'eth0.20'
	option ipaddr '172.16.3.1'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '20'
	option ports '1t 2t 3t 4t 6t'

/etc/config/firewall (default plus this):

config zone
	option name 'Guest'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'

config forwarding
	option dest 'wan'
	option src 'Guest'

Shouldn't VLAN 3 include ports 0 to 4 (like VLAN 1)?

1 Like

Yes, that actually appeared to solve the problem. I created the VLAN setup in LuCI and it seems to have shifted everything over an interface. So when I changed the line to:

option ports '0t 1t 2t 3t 6t'

for the guest VLAN it sprang to life. I got the APs up and running as well, so you connect to the guest SSID, it puts the device on the VLAN 20 network and everything seems to work. The only part I don't have down is that if I don't configure an interface address on the AP on the VLAN, the routing tables don't populate so it doesn't transmit the packets over VLAN 20. The APs are in "dumb AP" mode so I don't have a firewall there to isolate them. However, for the short term, this works. Thank you!

1 Like
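An added example, not part of the thread: a shell function that compares the switch port membership of two switch_vlan sections, run here on the switch stanzas copied from the first post. It reports that vid 20 lacks port 0 and reaches port 4, the port that VLAN 2 (wan) uses. The names vlan_port_diff and sample_config are made up for this example.

```shell
#!/bin/sh
# Added example. vlan_port_diff REF_VID CHECK_VID < network-config
# Prints the switch ports on which two VLANs differ (tag flag ignored);
# exits 1 on any difference, 2 if either VLAN is not defined.
vlan_port_diff() {
    awk -v ref="$1" -v chk="$2" -v q="'" '
        function unq(s) { gsub(q, "", s); return s }
        function save() {
            if (insec) ports[(vid != "" ? vid : vlan)] = plist
            vid = ""; vlan = ""; plist = ""
        }
        $1 == "config" { save(); insec = ($2 == "switch_vlan"); next }
        insec && $2 == "vid"  { vid = unq($3) }
        insec && $2 == "vlan" { vlan = unq($3) }
        insec && $2 == "ports" { $1 = ""; $2 = ""; plist = unq($0) }
        END {
            save()
            if (!(ref in ports) || !(chk in ports)) exit 2
            n = split(ports[ref], a, " ")
            for (i = 1; i <= n; i++) { sub(/t$/, "", a[i]); r[a[i]] = 1 }
            n = split(ports[chk], b, " ")
            for (i = 1; i <= n; i++) { sub(/t$/, "", b[i]); c[b[i]] = 1 }
            for (p = 0; p < 32; p++) {
                if ((p in r) && !(p in c)) { print "missing " p; bad = 1 }
                if ((p in c) && !(p in r)) { print "extra " p; bad = 1 }
            }
            exit bad + 0
        }'
}

# The three switch_vlan sections from the first post, used as sample input.
sample_config() { cat <<'EOF'
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'
	option vid '1'
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '20'
	option ports '1t 2t 3t 4t 6t'
EOF
}
sample_config | vlan_port_diff 1 20 || echo "VLAN 20 port set differs from VLAN 1"
```

On a router the same function can read the live file: `vlan_port_diff 1 20 < /etc/config/network`.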
