Vlan (DSA) on dump ap how to setup?

Installing and Using OpenWrt
1

Hi i’ve got an Linksys mx5500 running on snapshot

(OpenWrt SNAPSHOT, r32308-ff4546093e)

At this moment i’ve got a bridge with al lan ports (including wan) in it.

config device
 option name 'br-lan'
 option type 'bridge'
 list ports 'lan1'
 list ports 'lan2'
 list ports 'lan3'
 list ports 'wan'

This is connected to a managed switch. I want to remove the switch out of the network. (the switch is there because the original Linksys software did not allow me to use vlan)

What I want to achieve is the following;

A trunk lan to port 1

vlan 3 on port 2

vlan 2 on port 3, 4 and wan

What is the right way to go forward?

My /etc/config/network file

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '000471322910f9a545079d7b7b1d96784bb5'
        option ula_prefix 'fdf2:e0e9:50af::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.5'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

config interface 'lan6'
        option proto 'dhcpv6'
        option device '@lan'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option type 'bridge'
2

I’m not sure if the snapshoot should be used with vlans. If you can use stable version or wait for stable one.

I can post you my config from one of my dumb ap in batman-adv network.

cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3b:5a38:9dfd::/48'
	option packet_steering '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'bat0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'
	option macaddr 'd8:ec:5e:94:a3:84'

config device
	option name 'lan2'
	option macaddr 'd8:ec:5e:94:a3:84'

config device
	option name 'lan3'
	option macaddr 'd8:ec:5e:94:a3:84'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.10'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.8.1'
	list dns '192.168.8.40'

config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_V'
	option bridge_loop_avoidance '1'
	option gw_mode 'off'
	option hop_penalty '15'

config interface 'batmesh0'
	option proto 'batadv_hardif'
	option master 'bat0'
	option mtu '1536'

config interface 'IOT'
	option proto 'none'
	option device 'br-iot'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'bat0.10'
	option bridge_empty '1'

config interface 'ESP'
	option proto 'none'
	option device 'br-esp'

config device
	option type 'bridge'
	option name 'br-esp'
	list ports 'bat0.20'
	option bridge_empty '1'

config interface 'GUEST'
	option proto 'none'
	option device 'br-guest'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'bat0.30'
	option bridge_empty '1'

Now only batman is connected to bridge lan. All vlans are unmanaged interfaces across all batman network. And i connected wifi ap to every vlan. I’m using wifi for mesh backhaull.

When you create vlan interface hit save and apply. Then in devices setion create bridge like br-iot and for port enter custom bat0.10 and it will create bridge with that port. 10 means it will be using vlan id 10 that will later be setup on server or gateway node.

On batman server node i use two lan cables, one is used for tagged and another for untagged traffic, connected to my opnsense gateway. I have set up on gateway vlan id, dhcp, ip ranges for all vlans and firewall rules.

Now this is my setup. In case you are using openwrt router as a gateway some things might be different.

3

Maybe this can share some light on it?

4

Thanks for the reply’s.
I can not run a stable version (yet) on my mx5500

I did read the mini tutorial, but didn’t make sense to me after the first read :wink:

I will give the tutorial another go, maybe i makes sense the second time..I’ll keep you posted.

5

This is the switch and it’s settings I want to remove from the network, I don’t get my head around the translation from this switch settings to my opemwrt ap config.

(My ap has only 4 ports offcourse so VLAN 3 only goes to port 4. :wink: )

VLAN 20

Schermafbeelding 2025-12-22 212049
Schermafbeelding 2025-12-22 2120491095×880 55.7 KB

VLAN 30

Schermafbeelding 2025-12-22 212058
Schermafbeelding 2025-12-22 2120581158×941 57.1 KB

PVID settings

Schermafbeelding 2025-12-22 212111
Schermafbeelding 2025-12-22 2121111113×675 29.6 KB

6

You will have to play a bit.

Since you have two routers set up network connection for them over ie. lan1. Lets call them main and slave router.

Connect slave router with lan cable to comp. Set up static ip on slave router from dhcp pool of main router, for gateway use ip on main router and for dns 8.8.8.8. Save and apply. If it come back with new ip disable dhcp, firewall and dnmasq in services. In lan config of slave router disable dhcp, RA-Service and DHCPv6-Service. You should now get router with static ip that you can access over static ip.

If this is working connect lan cable between them and test if connection works ie ping main router, ping host on net. If this is working then you can proceed with vlans setup.

7

Hmm I having some issues to understand where wan originates from your config :slight_smile:

it should not be wan in the br-lan bridge, but the underlying DSA device wan holds, eth0 or eth1 it's device specific that device needs to be there.

What I often do is prefer to connect to the last lan port i.e lan2.

Then add wan dsa device to br-lan to avoid any issues with applying the config.

From there I can go different ways:

I can choose to remove lan2 and create that port fully as maintainance port, or I keep it on the bridge and tag a maintainance vlan to that port.

Now that everything is in the bridge, I go to bridge vlan filtering, and tag all my vlans.

This is how I tag them in my dumbap lan5 is maintenance port:

1000013365
10000133651220×1472 134 KB

I tagged everything, but if needed you can do the same principe what you did with the switch, tag the wan/trunk port, and untag the final port.

Then I create new unmanaged interfaces with the vlans.

And of course to keep the wan behaviour intact for management from the wan port directly this interface needs to have this set:

1000013368
10000133681220×1530 151 KB

This ensures that the default route is still your managed vlan network, other interfaces need to have this unchecked.

Sorry my painting skills are not so good with phone :grinning_face_with_smiling_eyes:

8

My WAN port is just added to my LAN ports, as they are accesspoints, so no need for the wan port. This way I’ve got an extra lan port.

So, wan in my config is no wan but lan.

Sorry for not telling :wink:

9

Are you still having issues? If so, let's make sure we have all the information to actually solve your issue.

  • What port is physically used as the uplink?
  • What is the port-vlan membership -- define what VLANs should be on each port (and for the trunk port(s) which VLAN should be untagged or if they are all tagged).
  • Which VLAN is used to manage the device?
  • What IP address should the device use on the management network (or should it be DHCP client)?
  • Is the config from your first post the same as it is now?
10

At this moment the tp-link switch is still in position.

The dump ap is connected to this tp-link switch on a vlan 20 port

The idea is that the tp-link switch is removed, and I then use the linksys mx5500 as vlan switch.

On the tp-link switch port 1 is tagged

port 3 to 8 untagged on vlan 20

port 2 is untagged on vlan 30

vlan 20 is my normal lan on my openwrt router (raspbery pi) (192.168.1.0)

vlan 30 is my ziggo lan (with his own dhcp server en and ip range on the same router (192.168.180.0)

What I think I want to accomplish is this;

on the mx5500 (OpenWrt 25.12.0-rc1)

port 1 as tagged

port 2 as vlan 30

port 3, 4, 5 vlan 20

The device can by managed by a vlan 20 port and has a static ip address on vlan 20 (192.168.1.5)

The config is still the same, I keep restoring this default when I mess things up :wink:

11

You didn't mention the wan port and your MX5500 only have 3 lan ports. So.. I'm going to assume that's the wan will serve as port 1 in your description, and that ports 2-4 are really lan1-lan3.

Start by creating bridge-vlans:

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:u*'
        list ports 'wan:t'

Edit the lan interface to use br-lan.20:

config interface 'lan'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.1.5'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

And create an unmanaged interface for vlan 30:

config interface 'vlan30'
        option device 'br-lan.30'
        option proto 'none'

Restart. Connect the upstream network to the wan port and you should be good to go. Remember, both VLAN20 and VLAN30 are tagged on the wan port, so if the upstream network isn't setup to match, that needs to be adjusted.

12

thx! gonna edit my config as soon I’m home, not at home now for the holidays.

I’ll let you all know.