Vlan not working for lan ports

Hi,

I've configured OpenWrt to use different vlans for my wlan - this works pretty fine.
If I try the same for lan my client doesn't get any IP.

Is there a special configuration needed? Currently only this is configured:

If a client connects via WLAN it gets into vlan 300 - and gets a corresponding IP - via lan I'm not getting any dhcp answer (dhclient -v)

Thanks in advance! :wink:

Could you post the output of the following for OpenWrt router (from SSH)

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall
cat /etc/config/dhcp

Use Pre-formatted text tool to include the code. After pasting the code, highlight it all and click Pre-formatted text tool.

Mask out (or delete) your MAC and public IP addresses, and your WiFi password.

network config:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xx::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.1'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option auto '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '100'
	option vid '100'
	option ports '5t'

config switch_vlan
	option device 'switch0'
	option vlan '200'
	option vid '200'
	option ports '5t'

config switch_vlan
	option device 'switch0'
	option vlan '300'
	option vid '300'
	option ports '0 5t'

config switch_vlan
	option device 'switch0'
	option vlan '400'
	option vid '400'
	option ports '5t'

config interface 'vlan100'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth0.100'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

config interface 'vlan200'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth0.200'
	option ipaddr '192.168.102.1'
	option netmask '255.255.255.0'

config interface 'vlan300'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.103.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.300'

config interface 'vlan400'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'eth0.400'
	option ipaddr '192.168.104.1'

wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country '00'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'wpa2+ccmp'
	option auth_port '1812'
	option ssid ''
	option dynamic_vlan '2'
	option vlan_naming '0'
	option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option auth_server '127.0.0.1'
	option auth_secret ''
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'FR'
	option legacy_rates '1'
	option __toggle 'Disable'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option dynamic_vlan '2'
	option vlan_naming '0'
	option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option ssid '
	option network 'vlan400'
	option encryption 'psk2+ccmp'
	option key ''
	option disabled '1'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option legacy_rates '1'
	option channel 'auto'
	option country 'DE'
	option hwmode '11g'
	option __toggle 'Disable'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option mode 'ap'
	option ssid ''
	option dynamic_vlan '2'
	option vlan_naming '0'
	option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option encryption 'wpa2+ccmp'
	option auth_server '127.0.0.1'
	option auth_port '1812'
	option auth_secret '

firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vlan100'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'vlan100'
	option forward 'REJECT'

config zone
	option name 'vlan200'
	option network 'vlan200'
	option input 'ACCEPT'
	option log '1'
	option log_limit '50'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vlan300'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'vlan300'

config zone
	option name 'vlan400'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'vlan400'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'vlan300'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'vlan100'

config forwarding
	option dest 'wan'
	option src 'vlan400'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'vlan200'

dhcp config:

config dhcp 'vlan100'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'vlan100'

config dhcp 'vlan200'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'vlan200'

config dhcp 'vlan300'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'vlan300'

config dhcp 'vlan400'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'vlan400'

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option serversfile '/tmp/adb_list.overall'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

300 or 400? And which AP? Because VLAN 400 is the network assigned to your second AP

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option dynamic_vlan '2'
	option vlan_naming '0'
	option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option ssid '
	option network 'vlan400'

Which port?

It would also help if you explain what you are trying to achieve. Why these several VLANs, some include a LAN port and some don't.

Hi,

I'm using 3 WLANs. The one with the psk is hard-bound to vlan400, the other WLANs use dynamic vlan routing (dependent on the radius settings of the user). And this works fine.

I created test users which are assigned to vlans 100 - 400.

The only thing I want to achieve now is that lan port 1,2,3,4 is assigned to the vlans.

I'm using the wrt3200acm model from linksys.

In the switch, you just set the port you want to assign to a VLAN as untagged for that VLAN and turn it off for the rest of the VLANs.

Though, unless you need all 4 ports for the 4 VLANs you created, I would leave one port on VLAN 1 for unrestricted access to the router. You don't want to lock yourself out.

You're right, one port should at least be assigned to the default lan :slight_smile:

Anyhow, I'm not able to configure this. In my initial screenshot I've configured lan port 4 (it's 0 in the config file) to vlan300 untagged.

config switch_vlan
	option device 'switch0'
	option vlan '300'
	option vid '300'
	option ports '0 5t'

In my opinion this should do the work, but no IP is assigned to client if I assign a lanport to anything else than the default vlan 1.

I'm also getting nothing back via dhclient -v. It only makes broadcasts but no one replies.
I also set the default firewall zone forwarding to input/output/forwarding accept/accept/accept without any success.

Why do you have the VLAN interfaces in /etc/config/network as bridge?

Also, did you restart the router or the network after making the changes?

Run swconfig dev switch0 help to find the number of vlans supported by your hardware. If it is only 16 or 128 you have to keep the option vlan numbers in your config less than that. You can use any option vid number though this really is only necessary if you have to interact with an existing network with high VLAN tags. For internal switching to untagged ports just use small numbers 1,2,3, etc.

hi @Hegabo ,

I followed this guide to setup dynamic vlan via wpa2-enterprise:
https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x

The router was also restarted...
Should anything else than a bridge be configured?

@mk24: you're right, the output of the command:
switch0: 10.mvsw61xx(MV88E6352), ports: 7 (cpu @ 5), vlans: 64

I've configured now vlans 5,6,7,8 instead of 100,200,300,400 but I still don't get anything.
I also tried to add a static ip in this network range but without success..

hey, any ideas?

Sorry, I don't know!

If you don't figure out why it's not working, you could just start over from default config, follow a different guide and go step by step so that you know where things go wrong.

You did have some VLANs in the switch that went nowhere, like
option ports '5t'
Here there is tagged traffic to / from the CPU, but no link to any other port on the switch chip. It should be something like:
option ports '5t 2'
Port 2 on the back of the router is then dedicated to that VLAN, it must not be associated with any other VLAN in the switch.
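
An added example, not written by anyone in this thread: a small offline lint for the `switch_vlan` sections of `/etc/config/network` that checks the three points raised above (VLANs that reach only the CPU port, a port untagged in more than one VLAN, and `option vlan` indexes that do not fit the switch's VLAN table). The function names are hypothetical, the sample config is constructed in the style of the posted one, and CPU port 5 and the 64-entry table are taken from the swconfig output quoted in the thread.

```python
import re

# Constructed sample in the style of the config posted in this thread.
SAMPLE = """
config switch_vlan
	option vlan '1'
	option vid '1'
	option ports '2 3 5t'
config switch_vlan
	option vlan '100'
	option vid '100'
	option ports '5t'
config switch_vlan
	option vlan '300'
	option vid '300'
	option ports '0 5t'
"""

def parse_switch_vlans(text):
    """Return one dict of options per 'config switch_vlan' section."""
    sections, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            current = {} if line.split()[1] == "switch_vlan" else None
            if current is not None:
                sections.append(current)
        elif current is not None:
            m = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
            if m:
                current[m.group(1)] = m.group(2)
    return sections

def lint(text, cpu_port="5", table_size=64):
    """Flag the switch_vlan mistakes discussed in the thread (assumed defaults)."""
    findings, untagged_in = [], {}
    for sec in parse_switch_vlans(text):
        vlan, ports = sec.get("vlan", "?"), sec.get("ports", "").split()
        if vlan.isdigit() and int(vlan) >= table_size:
            findings.append(f"vlan {vlan}: index not below {table_size}-entry table")
        if not [p for p in ports if p.rstrip("t") != cpu_port]:
            findings.append(f"vlan {vlan}: only CPU port, no switch port attached")
        for p in ports:
            if not p.endswith("t"):  # untagged membership
                untagged_in.setdefault(p, []).append(vlan)
    for port, vlans in sorted(untagged_in.items()):
        if len(vlans) > 1:
            findings.append(f"port {port}: untagged in vlans {', '.join(vlans)}")
    return findings
```

Run `lint()` on a copy of the router's network config; an empty list means none of these three conditions was found, not that the rest of the setup is correct.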

Did you find the answer? I am also facing the same issue. VLANs and wifi assigned to them works fine. But lan ports corresponding dns issue and no internet. Please help