VLAN configuration on Archer C7

Hello,

I am trying to use my Archer C7 with LEDE 17.01.4 to connect two VLANs (normal + guest wifi) over one ethernet cable to another router (Mikrotik) and split both VLANs to different LAN interfaces on the Mikrotik router.

Without VLAN and only one wifi this setup works.
The actual configuration of the "switch" is this:
[Image: Bild3]

Is it ok to change VLAN1/LAN2 to "tagged" for VLAN1 activation?

Of course I need to change settings on the Mikrotik...

Uwe

VLAN2 is apparently used as WAN. If you don't need WAN I guess it's OK to use it as you describe.

You can use VLAN 1 for simple installations where there is no VLAN trunking, but good practice is to not put user data on VLAN 1 in a multi-VLAN environment. VLAN 1 tag is primarily used for management.

In the C7 and other typical gigabit routers, two CPU ports and all 5 of the Ethernet ports go into a single 7-port switch chip-- a "jungle" of possible connections from anywhere to anywhere. The default configuration sets up two VLANs to send WAN and LAN traffic through to one CPU port each. In this simple setup, the VLANs are only used internally in the switch, everything entering or leaving is untagged.

Expanding to more than 2 VLANs while having only two CPU ports, it becomes necessary to abandon this simplified setup and tag packets on a CPU port. So change to tagging on the eth1 CPU port so it can handle both LAN and guests. First change eth1 in VLAN1 from untagged to tagged. Also have the switch tag it on your trunk cable. The ports connected to regular LAN devices remain untagged. Then in the LAN network interface physical settings, change from eth1 to eth1.1. It is best to do this while logged in to the router by wifi, in case something gets messed up and Ethernet stops working.

Then you can create a new VLAN for guests. Make it tagged in both the CPU and the trunk port. Create a guest network bridge and attach eth1.3 (if your guest VLAN is 3) to it.


Hi,

Is this correct?

VLAN1 = LAN + Wifi
VLAN2 = WAN (not used)
VLAN3 = Guest-Wifi

[Images: vlan1, interfaces, interfaces_lan, interfaces_guest]

Is this all I need to use VLAN1 + VLAN3 with trunk port LAN2?

Uwe

Yes, that will work. It's not exactly what I was thinking of, but it will work.

I wonder why you put your guest-network on eth0 (also used for WAN) instead of using eth1 (eth1.3)?

Just an FYI, if you're not using the C7 as a WAN gateway, you can use the WAN sw.port for LAN or other vLANs, removing WAN's network, DHCP, and firewall sections from each respective config. This would essentially make your C7 a managed/smart switch, and is how I have my WRT1900ACS configured since I utilize a Sophos UTM VM as my WAN gateway.

Hi geertjan,

Does it make a difference?

Uwe

Hi JW0914,

I have used WAN as an additional port for LAN without problems. But with VLAN I want to start as easy as possible...

Uwe

Using WAN for LAN with vLANs isn't any more, or less, complicated than using it without vLANs.

For example, here's my network config, utilizing my WRT1900ACS as a smart switch:

#

  ##::[[---  LEDE LAN Network Config  ---]]::##

####################################################
               ##----- Global -----##
####################################################

    # Globals #
#---------------------------------------------------
config globals 'globals'
    option  ula_prefix     'fde4:c25d:b20a::/48'

####################################################
        ##----- Active Networks w/ LAN-----##
####################################################

    # Loopback #
#---------------------------------------------------
config interface 'loopback'
    option  ifname          'lo'
    option  proto           'static'
    option  ipaddr          127.0.0.1
    option  netmask         255.0.0.0

    # LAN: Home Network #
#---------------------------------------------------
config interface 'lan'
    option  ifname          'eth0.1 eth1.2'
    option  type            'bridge'
    option  proto           'static'
    option  ip6assign       60
    option  ipaddr          192.168.0.6
    option  netmask         255.255.255.192
    option  broadcast       192.168.0.63
    option  dns             192.168.0.1
    option  gateway         192.168.0.1
    option  force_link      1

    # LAN: Management #
#---------------------------------------------------
config interface 'admin'
    option  ifname          'admin'
    option  proto           'static'
    option  ipaddr          192.168.2.14
    option  netmask         255.255.255.240
    option  broadcast       192.168.2.15
    option  delegate        0

    # LAN: Home Entertainment #
#---------------------------------------------------
config interface 'media'
   option  ifname          'eth0.4'
   option  proto           'static'
   option  ipaddr          192.168.255.30
   option  netmask         255.255.255.224
   option  broadcast       192.168.255.31
   option  gateway         192.168.0.1
   option  delegate        0

    # Guest #
#---------------------------------------------------
config interface 'guest'
    option  ifname          'guest'
    option  type            'bridge'
    option  proto           'static'
    option  ipaddr          192.168.250.1
    option  netmask         255.255.255.240
    option  broadcast       192.168.250.15
    option  dns             '208.67.222.222 208.67.220.220'
    option  delegate        0

    # Isolated #
#---------------------------------------------------
config interface 'isolated'
    option  ifname          'isolated'
    option  type            'bridge'
    option  proto           'static'
    option  ipaddr          192.168.6.1
    option  netmask         255.255.255.240
    option  broadcast       192.168.6.15
    option  dns             '208.67.222.222 208.67.220.220'
    option  delegate        0
    option  force_link      1

    # OpenVPN #
#---------------------------------------------------
config interface 'openvpn'
    option  ifname          'tun0'
    option  proto           'static'
    option  ipaddr          10.1.0.1
    option  netmask         255.255.255.240
    option  broadcast       10.1.0.15
    option  dns             '192.168.20.1 192.168.0.60 208.67.222.222 208.67.220.220'
    option  delegate        0

    # Printers #
#---------------------------------------------------
config interface 'printers'
    option  ifname          'printers'
    option  proto           'static'
    option  ipaddr          192.168.8.1
    option  netmask         255.255.255.252
    option  broadcast       192.168.8.3
    option  delegate        0

    # Tor #
#---------------------------------------------------
config interface 'tor'
    option  ifname          'tor0'
    option  proto           'static'
    option  ipaddr          10.0.0.1
    option  netmask         255.255.255.240
    option  broadcast       10.0.0.15
    option  dns             '208.67.222.222 208.67.220.220'
    option  delegate        0

####################################################
          ##----- Virtual Switches -----##
####################################################

    # vSwitches #
#---------------------------------------------------

  # Switch 0:
config switch
    option  name            'switch0'
    option  reset           1
    option  enable_vlan     1

    # vLANs #
#---------------------------------------------------

  # 1: LAN
config switch_vlan
    option  device          'switch0'
    option  vlan            1
    option  ports           '0t 1 4 5t 6t'

  # 3: Admin
config switch_vlan
    option  device          'switch0'
    option  vlan            3
    option  ports           '2 3 5t'

  # 4: Media
config switch_vlan
    option  device          'switch0'
    option  vlan            4
    option  ports           '0t 5t'
    option  pvid            '4'
  • If you configure two separate vLANs for one physical ethernet port (like LAN & Media above), you're likely going to want to add under switch_vlan the option to push the vlan id (pvid) to the network containing the most number of devices.
    • This enables one of those vLANs to auto route traffic transparently to the vLAN devices of that network (Media above), while the network without that option (LAN above) would need to have all its devices configured manually with the vLAN tag of the network (1 above).
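Added example, not written by anyone in this thread: a small checker for the `switch_vlan` stanzas of `/etc/config/network`, since LAN/guest separation depends on each stanza being well-formed. The sample is the tagged CPU-plus-trunk layout described earlier in the thread; the port numbers and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample, not from the thread: VLAN 1 (LAN) and VLAN 3 (guest) are
# both tagged on the CPU port and the trunk port. Port numbers are assumed
# (0 = CPU eth1, 3 = trunk); confirm with `swconfig dev switch0 show`.
SAMPLE = """
config switch_vlan
    option device 'switch0'
    option vlan   1
    option ports  '0t 2 3t 4 5'

config switch_vlan
    option device 'switch0'
    option vlan   3
    option ports  '0t 3t'
"""

def parse_switch_vlans(text):
    """Return (stanzas, problems) for the switch_vlan sections in a UCI file."""
    stanzas, problems, cur = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split(None, 2)   # drop comments, split 3 ways
        if not tok:
            continue
        if tok[0] == "config":
            cur = {} if tok[1:2] == ["switch_vlan"] else None
            if cur is not None:
                stanzas.append(cur)
        elif tok[0] == "option" and cur is not None and len(tok) == 3:
            key, val = tok[1], tok[2].strip().strip("'\"")
            if key in cur:   # the later value replaces the earlier one
                problems.append(f"line {n}: '{key}' set twice in one stanza; "
                                "missing 'config switch_vlan' header?")
            cur[key] = val
    return stanzas, problems

def check(text):
    """List config problems that would merge or drop VLANs."""
    stanzas, problems = parse_switch_vlans(text)
    untagged = defaultdict(list)   # (device, port) -> VLANs where it is untagged
    for s in stanzas:
        for p in s.get("ports", "").split():
            if "t" not in p:
                untagged[(s.get("device", "?"), p.rstrip("u*"))].append(s.get("vlan", "?"))
    for (dev, port), ids in sorted(untagged.items()):
        if len(ids) > 1:
            problems.append(f"{dev} port {port} untagged in VLANs {', '.join(ids)}")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE) or "no problems found")
```

Run it on a workstation against a copy of the router's network config before applying changes; an empty list means neither check fired.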

For one, it allows you to measure all downlink traffic (sum of LAN and GUEST) by looking at the traffic counters of eth1.

Hi geertjan,

This makes sense. Thank you for your comment.

Uwe