Very simple VLAN setup

Hi everyone,

This is mostly a follow-up to my last post (Connecting to VLAN on trunked VLAN - #3 by fb96).

I am trying to figure out how to configure VLANs and am tragically failing at it.
I know VLAN is asked about a lot in this forum, but oftentimes the questions start with "I have 3 working VLANs and want to bridge them properly". I am stuck before that. If this is a duplicate, please redirect me.

My setup:

Internet
    /\
    || WAN
OpenWRT (2Ports)
    || LAN (eth0 on OpenWRT / port 1 on switch)
    \/
Managed Switch
    | -- ethernet port 2 --> dumb Wifi-AP
    | -- ethernet port 3--> more stuff
    | -- ethernet port 4--> TV

My understanding is that I can assign VLAN tags to specific ports on the switch to have all devices behind it be on a VLAN without ever knowing about it.

My initial least impact attempt was to just put my TV on a separate VLAN from the rest to understand how it works and how it needs to be configured.

I would like everything to use VLAN1 except my TV, which would be VLAN2 (not very practical right now, but I want the TV to be accessible from the home and guest VLANs in the end, for example).

The OpenWRT default config came with my WAN on eth1 and my LAN on eth0 as a bridge device called br-lan.

This is my /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdef:a79f:a7db::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option name 'br-lan.1'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'
	option name 'br-lan.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config rule
	option in 'lan'
	option src '192.168.1.0/24'
	option out 'wan'

config interface 'HOME_VLAN'
	option proto 'static'
	option device 'br-lan.1'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'

config interface 'TV_VLAN'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '10.0.2.1'
	option netmask '255.255.255.0'

config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

Both VLANs just use the same firewall zone as the original br-lan. I didn't want my attempts to be failing because I set up the firewall poorly. That means they all should have the same communication rules, am I right?

The default network without any VLAN attempts just sent everything over br-lan.

According to this tutorial from TP-link, the switch vendor, I set the switch config like this:

To my understanding, everything coming in on port 4 gets tagged as VLAN2. On any other port, incoming packets will be tagged as VLAN1.
Anything going out of port 1 to the router will get the tag removed again?
This would separate the two networks (TV on port 4 and anything else) but wouldn't forward the tags to my router on port 1, am I right?
After this, all devices are still connected and get their addresses from the 192.168.1.xx pool, which makes sense to me: packets without a VLAN tag from the switch would be treated just like before on the router.

That's why I thought I would need to set port 1 as tagged on the switch for all VLANs so that VLAN tags are actually sent out to the router.
That's, however, when I lose connection to the router and need to reset the switch (or plug my machine directly into the router, I guess).

Thanks in advance :slight_smile:

Just as additional info, if that helps:

Delete these:

Delete this:

and you don't need this (you've already got the lan interface above), so this can be deleted (if you want to use this addressing scheme, better to modify the predefined lan):

Edit the TV_VLAN to use eth0.2, like this:

config interface 'TV_VLAN'
	option proto 'static'
	option device 'eth0.2'
	option ipaddr '10.0.2.1'
	option netmask '255.255.255.0'

You didn't show us the contents of /etc/config/dhcp or /etc/config/firewall... so:
Make sure that TV_VLAN is associated with the lan firewall zone, and make sure there is a DHCP server configured for the TV_VLAN network.

Next, on your TP-Link switch, make VLAN 2 tagged on port 1.
Then set the PVID for port 4 to VLAN 2.

Plug your TV into port 4 (if it's already plugged in, unplug it and plug it back in again), and it should get an address in the 10.0.2.0/24 network.

1 Like

Hi,

Thanks for the quick response.
I edited my /etc/config/network like this:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdef:a79f:a7db::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'tailscale'
	option proto 'none'
	option device 'tailscale0'

config interface 'TV_VLAN'
	option proto 'static'
	option device 'eth0.2'
	option ipaddr '10.0.2.1'
	option netmask '255.255.255.0'

I set the VLAN config on the switch like so:

I tried this both with untagged port 4 and port 4 not member:

I think I have a DHCP on TV_VLAN - /etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list interface 'lan'
	list interface 'tailscale'
	list notinterface 'wan'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'TV_VLAN'
	option interface 'TV_VLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'

Both interfaces, lan and TV_VLAN are associated with the same firewall zone - /etc/config/firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'TV_VLAN'
	list network 'HOME_VLAN'

config zone
	option name 'tailscale'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'tailscale'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'tailscale'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'tailscale'

config forwarding
	option src 'tailscale'
	option dest 'wan'

When reconnecting the TV, it fails to connect (showing 0.0.0.0 in status and loading endlessly during connection establishment).

I think I am doing something fundamentally wrong that's both simple and maybe obvious. I feel like I mostly understand what I am doing ... it's just that I apparently don't.

Thanks again for the help.

Your switch is missing VLAN 2 untagged on port 4.

1 Like

I added port 3 to VLAN2 as well because there is a dumb switch with an RPi attached and I wanted to check if this is an issue with my TV.

Both my TV and my RPi cannot connect to the network anymore as soon as I set the PVID to 2 instead of 1. As soon as I switch back from PVID 2 to 1, both devices connect again.

I thought it might have to do with the DHCP server on that VLAN, so I reconfigured it but I imagine the devices would have gotten an IP still, it would have just been arbitrary.

To verify... the router's eth0 port is directly connected to the managed switch's port 1, correct?

I think your dnsmasq isn't working because of this:

try removing these 3 lines and then restart your router.

2 Likes

Yes.
It's
P1 --> Router
P2 --> Wifi AP
P3 --> Dumb switch --> RPi, and some more
P4 --> TV
P5 --X

I just removed those three lines and restarted the router. Seems to work fine now, thanks!

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'TV_VLAN'
	option interface 'TV_VLAN'
	option start '10'
	option limit '150'
	option leasetime '12h'

This is all just for me as a hobby but I would still like to understand what I am doing. What do the list entries in dnsmasq do? Why did I have to remove them?

Basically they were restricting the interfaces upon which dnsmasq was operating. By removing this, it works on all interfaces (but it is still subject to the firewall rules, so the wan, for example, cannot reach your local dnsmasq interface unless you allow it).

1 Like
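As an added example (not code from this thread or from OpenWrt), here is a small Python checker that parses the three UCI files and flags the faults this thread ran into: the dnsmasq "list interface" restriction that left TV_VLAN without DHCP (the fix from the reply above), and a firewall zone still naming the HOME_VLAN network after it was deleted from /etc/config/network (the first reply's cleanup). It goes one step beyond the thread by also reporting an interface that belongs to no firewall zone. The sample UCI text inside it is constructed from the configs posted above, abbreviated.

```python
# Added example: a checker for the faults found in this thread (not OpenWrt code).
# The sample UCI text below is constructed from the configs posted above, abbreviated.
import shlex


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options'}]; 'list' entries become lists."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            current = {"type": tok[1], "name": tok[2] if len(tok) > 2 else None, "options": {}}
            sections.append(current)
        elif tok[0] == "option" and current is not None:
            current["options"][tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok[0] == "list" and current is not None:
            current["options"].setdefault(tok[1], []).append(tok[2])
    return sections


def as_list(value):
    return [] if value is None else [value] if isinstance(value, str) else list(value)


def check_vlan_config(network_text, dhcp_text, firewall_text):
    """Return (code, message) findings across /etc/config/{network,dhcp,firewall}."""
    network, dhcp, firewall = (parse_uci(t) for t in (network_text, dhcp_text, firewall_text))
    interfaces = {s["name"] for s in network if s["type"] == "interface" and s["name"]}
    served = {d["options"]["interface"] for d in dhcp if d["type"] == "dhcp"
              and "interface" in d["options"] and d["options"].get("ignore") != "1"}
    findings = []
    # dnsmasq with 'list interface' entries listens only there; any other network with a
    # dhcp section silently gets no leases (what starved TV_VLAN in this thread).
    for s in dhcp:
        bound = set(as_list(s["options"].get("interface"))) if s["type"] == "dnsmasq" else set()
        for net in (sorted(served - bound) if bound else []):
            findings.append(("DNSMASQ_NOT_BOUND", f"dnsmasq bound to {sorted(bound)}; '{net}' gets no DHCP"))
    for net in sorted(served - interfaces):
        findings.append(("DHCP_UNKNOWN_NETWORK", f"dhcp section serves undefined network '{net}'"))
    # A zone naming a deleted network (HOME_VLAN above) is stale; an interface in no zone
    # at all is governed only by the 'defaults' section, which is easy to overlook.
    zoned = set()
    for z in firewall:
        for net in (as_list(z["options"].get("network")) if z["type"] == "zone" else []):
            zoned.add(net)
            if net not in interfaces:
                findings.append(("ZONE_UNKNOWN_NETWORK", f"zone '{z['options'].get('name')}' lists undefined '{net}'"))
    for net in sorted(interfaces - zoned - {"loopback"}):
        findings.append(("UNZONED_INTERFACE", f"interface '{net}' is in no firewall zone"))
    return findings


# Constructed samples, abbreviated from the thread's second posted configs.
NETWORK = """
config interface 'lan'
    option device 'br-lan'
    option ipaddr '10.0.1.1'

config interface 'wan'
    option device 'eth1'
    option proto 'dhcp'

config interface 'TV_VLAN'
    option device 'eth0.2'
    option ipaddr '10.0.2.1'
"""

DHCP_BROKEN = """
config dnsmasq
    option domain 'lan'
    list interface 'lan'
    list notinterface 'wan'

config dhcp 'lan'
    option interface 'lan'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config dhcp 'TV_VLAN'
    option interface 'TV_VLAN'
"""

# The fix applied in the thread: drop the 'list interface' restriction entirely.
DHCP_FIXED = "\n".join(l for l in DHCP_BROKEN.splitlines() if "list interface" not in l)

FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    list network 'TV_VLAN'
    list network 'HOME_VLAN'

config zone
    option name 'wan'
    list network 'wan'
"""

if __name__ == "__main__":
    for cfg in (DHCP_BROKEN, DHCP_FIXED):
        print(check_vlan_config(NETWORK, cfg, FIREWALL))
```

Run against the broken dhcp text it reports TV_VLAN as unbound from dnsmasq and HOME_VLAN as a stale zone member; after the fix only the stale zone entry remains, which is harmless but worth cleaning up so the firewall file matches the interfaces that really exist.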
