VLAN best practices for hardware without a hardware switch

My router is an x86 mini-PC with 4 physical i225 NICs (no hardware switch) on OpenWrt 22.03.0-rc6.
I use VLANs (a very common use case: untagged for my LAN, tagged for IOT/Guest only for dedicated WLANs on my APs).

All the tutorials/wikis I can find about DSA talk about APs/routers with integrated HW switches using VLAN filtering.

What is the correct way to use VLANs on OpenWrt 22?

  1. Simply create the new devices/interfaces (e.g. lan10 and lan20) with the VLAN ID in the device name (this is what I currently do, but I have a problem with this config; I will elaborate later if needed):
# 802.1q sub-device on top of the LAN bridge: VLAN 10 tagged on br-lan
config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option name 'br-lan.10'

# L3 interface holding the VLAN 10 address (address/mask left out here)
config interface 'lan10'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr ''
        option netmask ''

# Same pattern for VLAN 20
config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '20'
        option name 'br-lan.20'

config interface 'lan20'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr ''
        option netmask ''
  2. Use VLAN filtering on br-lan (like in all the tutorials/wikis)

  3. Any other solution


Since you are using a device without a hardware switch, DSA does not apply to your situation at all.

Instead, it is quite simple:
Presumably, your 4 ports show up as eth0 - eth3.

Defining an untagged network is as simple as using eth0 (or whichever port).
A tagged network (VLAN) is eth0.x where x is the VLAN ID. So eth0.10 would be VLAN 10 tagged on eth0.

That's it.

It goes without saying, though, that you must have a smart/managed switch connected to those ports in order to properly handle the VLANs and to 'break them out' for devices to use -- usually in the form of an access port for each of the end devices.

Thanks @psherman,
I simply did the same with br-lan.xx instead of eth0.xx.

I don't have enough managed switches (only one) to do that everywhere in my home (I'm not talking about my OpenWRT devices, which are smart devices by nature :wink: ).
I expected to be able to have on the same "network cable":

  • the LAN untagged
  • a trunk with any VLANs I need for IOT/Guest/whatever

And so all my unmanaged equipment (printers, PCs, etc.) will be on the LAN segment.
All my OpenWRT APs will be configured to intercept the VLANs to create IOT/Guest WLANs with them. And I can say it works fine.

Unfortunately I have a kind of bug (that's why I asked if I made a mistake in my configuration): if I reboot the OpenWRT gateway some of my equipment has trouble, it gets an IPv6 address from a scope that is on a tagged VLAN.
I suspect the router lets at least one IPv6 RA packet from that scope be sent untagged BEFORE the VLAN tagging is set on the interfaces.

Almost every time I reboot the router I have this problem.


Make a separate bridge for each VLAN

br-vlan10 contains eth0.10 eth1.10 and eth3
br-vlan20 contains eth0.20 eth1.20 and eth2

Then eth0 and eth1 are trunk ports and eth2 and eth3 are access ports.
Each bridge must be attached to a network interface; that is where you would apply its IP address. If you need a bridge only to link external ports (simulating a hardware switch) it still needs to be attached to an interface of proto none, or the bridge will not be created at all.

The DHCP servers have to be explicitly disabled for every new network. If you don't have a section in /etc/config/dhcp disabling it, it will be served.

I want the DHCP server to be available on my VLAN interfaces.

I'm now trying with :
br-lan contains eth1 eth2 and eth3
br-vlan10 contains eth1.10 eth2.10 and eth3.10
br-vlan20 contains eth1.20 eth2.20 and eth3.20

Ok, test done.
Same bug with the 2 solutions (solution 1: br-lan.10 - solution 2: br-vlan10 with eth[1-3].10 as members).
When I restart the router my workstation receives an IPv6 RA from the 2 networks:

If I disable/enable my NIC after the gw reboot all is fine:

The problem only occurs during OpenWRT boot, as if no VLAN was configured on my .10 VLAN LAN (or as if odhcpd didn't care about the configured interface name).

It is not recommended to mix untagged and tagged frames on one port/cable; while it 'should' work, quite a few devices don't like that mixture and it may cause trouble. Keep in mind, whenever you are dealing with VLAN tagging, all devices involved in this cable segment must be VLAN aware (managed switches, OpenWrt devices, etc.) and smart enough to deal with them; there mustn't be any unmanaged switches on this cable segment carrying tagged frames. The behaviour of unmanaged switches in the presence of VLANs is undefined and a cause of real problems, which may be hard to diagnose (especially if it appears to work at first, but then fails utterly after adding more VLANs or when encountering less clear-cut situations).
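To make the two pieces of advice above checkable (a bridge that no interface attaches to is never created; a physical port that carries the untagged LAN in one bridge and a tagged VLAN in another mixes tagged and untagged frames on one cable), here is a small linter for an OpenWrt-style UCI network config. It is an added example, not code from the thread or from OpenWrt, and it runs anywhere with plain Python. The sample config is constructed for the demo: it follows the "one bridge per VLAN" layout suggested earlier, with two mistakes planted on purpose (eth1 is untagged in br-lan and tagged in br-vlan10; br-vlan20 has no interface). The third check only reports interfaces with no /etc/config/dhcp section at all, so that the DHCP/RA decision for each VLAN is explicit.

```python
"""Lint an OpenWrt UCI network config for VLAN bridge pitfalls (added example)."""
import re
from collections import defaultdict

# Constructed sample config (not a real device's config). Planted problems:
# eth1 is an untagged member of br-lan AND carries tagged VLAN 10 in br-vlan10;
# br-vlan20 is never referenced by an interface, so netifd would not create it.
SAMPLE_NETWORK = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '10'
        option name 'eth0.10'

config device
        option name 'br-vlan10'
        option type 'bridge'
        list ports 'eth0.10'
        list ports 'eth1.10'
        list ports 'eth3'

config device
        option name 'br-vlan20'
        option type 'bridge'
        list ports 'eth0.20'

config interface 'lan'
        option proto 'static'
        option device 'br-lan'

config interface 'vlan10'
        option proto 'static'
        option device 'br-vlan10'
"""

# Constructed /etc/config/dhcp: only 'lan' has a section, 'vlan10' has none.
SAMPLE_DHCP = """
config dhcp 'lan'
        option interface 'lan'
        option start '100'
"""


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'opt': {}, 'list': {}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?\s*$", line)
        if m:  # 'config device' (anonymous) or "config interface 'lan'" (named)
            sections.append({'type': m.group(1), 'name': m.group(2),
                             'opt': {}, 'list': defaultdict(list)})
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'\s*$", line)
        if m and sections:
            kind, key, val = m.groups()
            if kind == 'option':
                sections[-1]['opt'][key] = val
            else:
                sections[-1]['list'][key].append(val)
    return sections


def split_port(port, vlan_devs):
    """Map a bridge member to (physical_port, vid_or_None): explicit 8021q
    devices take precedence, otherwise the implicit 'ethN.VID' naming is used."""
    if port in vlan_devs:
        return vlan_devs[port]
    base, _, vid = port.partition('.')
    return base, (vid or None)


def lint(network_text, dhcp_text):
    """Return a list of (code, subject, message) findings."""
    findings = []
    net = parse_uci(network_text)
    devices = [s for s in net if s['type'] == 'device']
    vlan_devs = {s['opt']['name']: (s['opt']['ifname'], s['opt']['vid'])
                 for s in devices if s['opt'].get('type') == '8021q'}
    bridges = {s['opt']['name']: s['list']['ports']
               for s in devices if s['opt'].get('type') == 'bridge'}
    ifaces = {s['name']: s['opt'].get('device') for s in net if s['type'] == 'interface'}

    # 1. A bridge that no interface attaches to is never brought up.
    for br in bridges:
        if br not in ifaces.values():
            findings.append(('orphan-bridge', br,
                             f"{br}: no interface uses it, so it will not be created; "
                             "attach it to an interface (proto 'none' if it needs no address)"))

    # 2. The same physical port used untagged in one bridge and tagged in another.
    untagged, tagged = {}, defaultdict(set)
    for br, ports in bridges.items():
        for p in ports:
            base, vid = split_port(p, vlan_devs)
            if vid is None:
                untagged[base] = br
            else:
                tagged[base].add(f"{br} (vid {vid})")
    for port, br in sorted(untagged.items()):
        if port in tagged:
            findings.append(('mixed-tagging', port,
                             f"{port}: untagged in {br} but tagged in "
                             f"{', '.join(sorted(tagged[port]))}; mixing untagged and "
                             "tagged frames on one cable is discouraged"))

    # 3. Interfaces whose DHCP/RA behaviour is not stated in /etc/config/dhcp.
    covered = {s['opt'].get('interface', s['name'])
               for s in parse_uci(dhcp_text) if s['type'] == 'dhcp'}
    for name in sorted(ifaces):
        if name not in covered:
            findings.append(('no-dhcp-section', name,
                             f"{name}: no dhcp section; say explicitly whether DHCP/RA "
                             "should be served here (option ignore '1' to disable)"))
    return findings


if __name__ == '__main__':
    for code, subject, msg in lint(SAMPLE_NETWORK, SAMPLE_DHCP):
        print(f"[{code}] {msg}")
```

Point `lint()` at the contents of your own /etc/config/network and /etc/config/dhcp to get the same three kinds of findings; an empty result for the "mixed-tagging" code is the layout the thread ends up recommending (pure trunk ports, VLANs split out near the clients).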


Thanks @slh
I can't afford 2.5Gb managed switches :money_mouth_face:
So I have to rethink my network wiring; thanks for the advice.

I will make a few tests with my managed switch to try to understand whether it is an OpenWRT bug or not.


A network cable/ethernet cable only has two ends, so you can only connect two devices with one cable.

The whole idea of building a network is to run tagged trunk data as far as possible between managed switches with one ethernet cable or optical fiber and, as close to the end devices as possible, distribute the tagged trunk data to untagged ports on the switch where you connect your "IOT/Guest/whatever".

An unmanaged switch is all or nothing: what gets in also gets out on all other ports.

So you did afford to buy 2,5Gbps service from your ISP but you can’t afford to buy the hardware to actually use it?

No, why?
I didn't know that WAN, LAN and WLAN must all have the same throughput!
My ISP gives me 300/300Mbps and I'm very happy with that.
And I'm also happy to have a fast LAN for my most commonly used equipment at home thanks to a 5-port 2.5Gb unmanaged switch.

All the devices on the unmanaged switch need to be in the same single VLAN, and all packets untagged. That is what an unmanaged switch does.

You could use multiple switches to expand the network. If the router minipc has USB3 ports you can add additional Ethernet with USB3 adapters.


It is you that has got stuck with one really expensive 2.5Gbps unmanaged switch that is worthless for your multi-VLAN setup.

You will get much higher performance and a cheaper network with managed Gbit equipment if you want to use VLANs.

And 1Gbps duplex hardware will swallow a 300/300 line in both directions simultaneously without problem.

I don't know your use cases.
In the same manner you don't know my use cases.
But I think you probably generalize your use cases to everyone else.

Nobody has to be a genius to know that 1Gbps can saturate a 0.3Gbps line.
But nobody has to be a genius to understand that 1Gbps equipment can't achieve more than that.

My digital life is not "online only"; I have many needs inside my LAN at home.
I know that many guys don't have any NAS or any other equipment at all, many of them only use the internet (from laptops, tablets, TVs, car, mower, fridge ...) and it's fine ... but that's simply not my case, and you probably generalized that it was.

My use case is 90% LAN and 10% internet; for my wife it's the opposite.
So I wanted a fast wired LAN (and WLAN if possible) ... and I have it with my really expensive (did you see the bill I paid to say that???) "2.5Gbps unmanaged switch" and my affordable unmanaged POE switches, because I wasn't able to pay more at that time, and it's fine... it is (as always) a tradeoff; no need to repeat in an unpleasant way that this was not the way to do it.

I equipped myself with these different materials gradually, as is often the case, and I don't want to replace everything at the same time (and I can't); I have other priorities than my small local network (3 PCs, 4 laptops, 2 network printers, one server with a few VMs/containers, some smartphones and tablets and some IOTs).

I'm not here to start an unpleasant post.
I therefore thank those who gave me useful answers (you are in that list) and will still try to understand whether OpenWRT might have a bug on this point (letting untagged frames pass when they should be tagged, when the router or the network is restarted) by using my small web-managed TL-SG1005P to troubleshoot that.

I have found the reason elsewhere:

I made some testing (and I will continue) and I can confirm that.
So ok, I understand the 'best practice' better now: have a trunk (without an untagged VLAN) and split the VLANs near the client.
