VLAN configuration issue

I am running into an issue with my VLAN configuration. The VLAN20 devices can't send data, they only receive data. My goal is to put my 10GbE devices on their own subnet and VLAN. Eventually I want to do this with the Guest wifi and my IOT wifi, etc. But baby steps first.
I am not sure where the issue is. I am new to VLAN's and subnets so any guidance would be appreciated.

I am currently using swconfig.

Here is my topology -

Modem -> Netgear R7800 (OpenWRT) router --(4 Ports LACP BOND)->
Netgear GS724TP (smart switch)
-> 1GbE devices
-> MikroTik 10GbE switch -> 10GbE devices

Here is my config:

Netgear R7800 -

I have the 4 ports bonded together in a LAG. I then created VLAN20 with all ports TAGGED.
I gave VLAN20 an IP of 192.168.88.1/24 with DHCP. My 10GbE devices are being assigned IP's.

Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list ipaddr '192.168.1.1/24'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '6t 3'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '6t 2'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '6t 1'
        option vid '5'

config switch_vlan
        option device 'switch0'
        option vlan '6'
        option vid '20'
        option ports '6t 4t 3t 2t 1t 5t'

config device
        option name 'eth0'

config device
        option name 'wlan0'

config device
        option name 'wlan1'

config device
        option name 'bond0'

config device
        option name 'bonding_masters'

config device
        option name 'bonding-LAGTest'

config device
        option name 'eth1'

config device
        option name 'eth1.1'
        option type '8021q'
        option ifname 'eth1'
        option vid '1'

config device
        option name 'eth1.3'
        option type '8021q'
        option ifname 'eth1'
        option vid '3'

config device
        option name 'eth1.4'
        option type '8021q'
        option ifname 'eth1'
        option vid '4'

config device
        option name 'eth1.5'
        option type '8021q'
        option ifname 'eth1'
        option vid '5'

config device
        option name 'eth1.20'
        option type '8021q'
        option ifname 'eth1'
        option vid '20'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'bonding-LAGTest'
        list ports 'eth1'

config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'

config interface 'LAGTest'
        option proto 'bonding'
        option netmask '255.255.255.0'
        option bonding_policy '802.3ad'
        option min_links '0'
        option ad_actor_sys_prio '1'
        option ad_select 'stable'
        option lacp_rate 'fast'
        option xmit_hash_policy 'layer2'
        option all_slaves_active '0'
        option link_monitoring 'mii'
        option miimon '100'
        option downdelay '0'
        option updelay '0'
        option use_carrier '1'
        option ipaddr '192.168.2.10'
        list slaves 'eth1.1'
        list slaves 'eth1.3'
        list slaves 'eth1.4'
        list slaves 'eth1.5'

config interface 'LANPORT1'
        option proto 'static'
        option device 'eth1.1'
        list ipaddr '192.168.2.6/24'

config interface 'LANPORT3'
        option proto 'static'
        option device 'eth1.3'
        list ipaddr '192.168.2.7/24'

config interface 'LANPORT4'
        option proto 'static'
        option device 'eth1.4'
        list ipaddr '192.168.2.8/24'

config interface 'LANPORT5'
        option proto 'static'
        option device 'eth1.5'
        list ipaddr '192.168.2.9/24'

config interface 'VLAN20'
        option proto 'static'
        option device 'eth1.20'
        list ipaddr '192.168.88.1/24'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

Firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'LAGTest'
        list network 'LANPORT3'
        list network 'LANPORT4'
        list network 'LANPORT1'
        list network 'LANPORT5'
        list network 'VLAN20'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

Netgear GS724TP -

LAG3 is the LAG for the 4 router ports -

image752×191 8.07 KB

VLAN config:

image691×282 12.3 KB

PVID config:

image437×666 13.3 KB

MikroTik CRS305-1G-4S+ -

image1508×697 45.7 KB

I'm not sure how much you'll gain by using the LAG here, unless you expect to have a significant amount of inter-VLAN routing happening. You may want to simplify it to a single link between the router and the switch. This will be an easier configuration.

Also, I'm not sure if the R7800 has this issue, but some routers with lower-end switch chips have a maximum VLAN ID of 15 due to internal architectures.

The LAG is working fine so I think it is not contributing to the VLAN issue. I am not really looking to have an 'easier' configuration, but thanks for the suggestion.

Is it the VLAN ID is maxed or the maximum # of VLAN's is 15?
I don't know if it makes sense that the VLAN ID value could be maxed, do you have a link to a discussion thread about it?
In either case I haven't found anything in any of the tech specs that says there is a limit.

I’d have to look for specific examples and your device may not be limited, but here is a similar discussion where the vlan id limit is mentioned:

Ya, I am pretty sure that is talking about the number of VLANs being limited not the number used for the VLAN ID itself.

No, it is referring to the vlan ids. In affected devices, the vlan id is only allocated 4 bits. I helped someone recently with this issue - I’ll see if I can find that thread. But your device may not be affected.

EDIT: Here is the thread I was talking about:

After doing some more research I realized my Trunk ports PVID should be the default (VLAN 1).

So I made some changes and now it seems that the VLAN20 devices can't receive packets now.

I also realized I didn't enable VLAN's on my MikroTik switch.

Here is the updated config -

Netgear R7800 (OpenWRT) -

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list ipaddr '192.168.1.1/24'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config device
        option name 'bond0'

config device
        option name 'bonding_masters'

config device
        option name 'eth1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '6t 3'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '6t 2'

config device
        option name 'eth1.3'
        option type '8021q'
        option ifname 'eth1'
        option vid '3'

config device
        option name 'eth1.4'
        option type '8021q'
        option ifname 'eth1'
        option vid '4'

config device
        option name 'eth1.1'
        option type '8021q'
        option ifname 'eth1'
        option vid '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'bonding-LAGTest'
        list ports 'eth1'

config interface 'LAGTest'
        option proto 'bonding'
        option netmask '255.255.255.0'
        option bonding_policy '802.3ad'
        option min_links '0'
        option ad_actor_sys_prio '1'
        option ad_select 'stable'
        option lacp_rate 'fast'
        option xmit_hash_policy 'layer2'
        option all_slaves_active '0'
        option link_monitoring 'mii'
        option miimon '100'
        option downdelay '0'
        option updelay '0'
        option use_carrier '1'
        option ipaddr '192.168.2.10'
        list slaves 'eth1.1'
        list slaves 'eth1.3'
        list slaves 'eth1.4'
        list slaves 'eth1.5'

config interface 'LANPORT3'
        option proto 'static'
        option device 'eth1.3'
        list ipaddr '192.168.2.7/24'

config interface 'LANPORT4'
        option proto 'static'
        option device 'eth1.4'
        list ipaddr '192.168.2.8/24'

config interface 'LANPORT1'
        option proto 'static'
        option device 'eth1.1'
        list ipaddr '192.168.2.6/24'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '6t 1'
        option vid '5'

config interface 'LANPORT5'
        option proto 'static'
        option device 'eth1.5'
        list ipaddr '192.168.2.9/24'

config device
        option name 'eth1.5'
        option type '8021q'
        option ifname 'eth1'
        option vid '5'

config switch_vlan
        option device 'switch0'
        option vlan '6'
        option vid '20'
        option ports '6t 4t 3t 2t 1t'

config interface 'VLAN20'
        option proto 'static'
        option device 'eth1.20'
        list ipaddr '192.168.88.1/24'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config device
        option name 'eth1.20'
        option type '8021q'
        option ifname 'eth1'
        option vid '20'

config device
        option name 'bonding-LAGTest'

config device
        option name 'eth0'

config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'

config device
        option name 'wlan0'

config device
        option name 'wlan1'

Netgear GS724TP -

image705×300 12.4 KB

image437×673 13.3 KB

MikroTik CRS305-1G-4S+ -

image1246×711 43.5 KB

You won't get any speed improvements, as you configure LAG on the same device (eth1 1Gbps).

Can we focus on the broken VLAN configuration and not the currently working LAG bonding config?

Also OpenWRT LuCI interface tells me otherwise:

image898×393 20.8 KB

I made a post about my LAG, you can give feedback and suggestions there.

Are you sure about that? I can see mixes of swconfig and DSA in your configuration.

As far as I can tell I haven't made the changes to switch to DSA. The latest build of OpenWRT for Netgear R7800 uses swconfig by default. Can you point out specifically what you think is DSA, maybe that is what's causing the issues.

I don't think it is up to you to decide if to use swconfig or DSA.
DSA is using the device instead of ifname.

Would you be able to show me what my config should look like in swconfig? I am still new to OpenWRT so I am not sure what is what.

If you run 21.02 you have DSA in OpenWRT it self but the devices without switch support still use swconf as a connection solution between the connector and cpu.

Is that causing my vlan issue? I am not super sure if my VLAN20 configuration is correct

For a start try to narrow down the suspect list, by limiting the vlan numbers.

A few quick questions;

1. How did you configure the device? Luci? Uci? Direct edit of config files?
2. Also did you upgrade the device to 21.02 or this was the first installation?
3. If you upgraded, did you keep the configurations or started from scratch?

This was all done with LUCI. I just installed the 21.02 firmware, replacing my stock firmware. So first install.

I change everything to VLAN id 10 and get the same issue. Do you have any other ideas?

Is the vlan set up at a member of the lag on the first switch? Try setting one port on the first switch as an untagged + pvid member of vlan 10 so that you can verify that the vlan is traversing the lag trunk.

I think I have a working theory about why I am having issues. My Netgear GS724TP expects to communicate over trunks (aka to the router) via the default VLAN (VLAN1). VLAN1 isn't exposed properly because of the LAG. I need to move things so VLAN1 is exposed properly on the LAN port.

Does that make any sense?