VLAN on Ports - No switch

Hi All.

23.05 on a nanopi. I have 3 Ethernet ports.

I'd like to set it up as such:

Port 1 - LAN (VLAN10)
Port 2 - LAN (VLAN10), DMZ (VLAN3), CAMERAS (VLAN5)
Port 3 - WAN (No VLAN)

My Linux laptop is plugged into Port 1 so I can configure the new device.

Port 2 will connect to my Ruckus ICX6450. The Ruckus has 2 PoE APs that are VLAN aware and serve up the various networks on their respective VLANs.

Port 3 is WAN and not an issue.

Whenever I put eth1.10 instead of eth1 in this block, I lose connectivity until I change it back to eth1 and restart networking. Is this just an issue because my Linux laptop doesn't speak 802.1q? (I did load the 8021q module).

config interface 'lan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '172.22.10.1'
	option netmask '255.255.254.0'
	option delegate '0'

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:ab:cd::/48'

config device
	option name 'eth2'
	option macaddr '82:d4:8b:55:b6:8a'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth2'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth0'

config device
	option name 'eth1'
	option macaddr '82:d4:8b:55:b6:8b'

config device
	option name 'eth0'
	option macaddr '82:d4:8b:55:b6:8b'

config interface 'lan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '172.22.10.1'
	option netmask '255.255.254.0'
	option delegate '0'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '5'
	option name 'eth1.5'
	option ipv6 '0'

config interface 'cameras'
	option proto 'static'
	option device 'eth1.5'
	option ipaddr '172.22.5.1'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '10'
	option name 'eth1.10'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option name 'eth1.3'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '9'
	option name 'eth1.9'

config interface 'dmz'
	option proto 'static'
	option device 'eth1.3'
	option ipaddr '172.22.3.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option name 'eth0.3'

How can I accomplish having port 1 with VLAN10 and port 2, with VLAN3, 5, and 10? I want to have the same DHCP pool and connectivity on both those ports for that VLAN, please.

Thank you.

You need to add the two ports to a bridge, enable vlan filtering and then add the vlan interfaces on the bridge:

  • enable vlan filtering on the bridge and add one vlan (10) for your main lan. Select untagged and pvid on both ports.
  • move your lan interface to br-lan.10

Apply the settings and see if you can access your router both via port 1 and port 2.

Then just add the other two vlans, but only select port 1 but now tagged.

The lan interface device needs to be br-lan instead of direct to an eth port. Then in br-lan, add tag 10 to eth2. It is not clear from your description whether you want eth1 (which has only one network, vlan 10 aka lan) to be tagged or not. If you're connecting it to a not vlan-aware device such as a PC, it needs to stay untagged.

With direct-to-CPU ports it works to have multiple bridges; if there is a DSA switch involved then you need to put all ports into one bridge with vlans inside. That also works with direct ports if you prefer to do it that way from the start.

So this partially works.

If I have LAN and DMZ enabled as interfaces, I can access the LAN. If I enable any other interfaces, I cannot pull an IP from DHCP - tcpdump looks like I can't find the router.

I bridged eth0 and eth1. All good there. I defined the vlans and left them off of eth0 and tagged on eth1 as seen here:

What network looks like at the moment:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'eth2'
	option macaddr '82:d4:8b:55:b6:8a'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth2'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr '82:d4:8b:55:b6:8b'

config device
	option name 'eth0'
	option macaddr '82:d4:8b:55:b6:8b'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '172.22.10.1'
	option netmask '255.255.254.0'
	option ip6assign '60'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:u*'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth1:t'

config interface 'spy'
	option proto 'static'
	option device 'br-lan.5'
	option ipaddr '172.22.5.1'
	option netmask '255.255.255.0'

config interface 'dmz'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '172.22.3.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.7'
	option ipaddr '172.22.7.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key ''
	option listen_port '443'
	list addresses '172.22.110.1'

config wireguard_wg0
	option description ''
	option public_key ''
	option private_key ''
	list allowed_ips '172.22.110.33'
	option route_allowed_ips '1'

I'm stumped as to why I can't pull a DHCP address if I turn on more than the lan and dmz interfaces. If I assign a static IP to my laptop it works just fine on the lan vlan.
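
Added example, not part of the original post: a POSIX shell/awk check that reads a UCI network config like the one above and lists each bridge-vlan port membership, warning when an interface sits on `br-lan.N` with no matching `bridge-vlan` section or when one port is flagged PVID (`*`) in more than one VLAN. The names `vlan_audit` and `sample_network` are hypothetical, and the sample config is a constructed excerpt modelled on the one in the thread.

```shell
#!/bin/sh
# Added example: audit bridge-vlan membership; reads a UCI network config on stdin.
vlan_audit() {
  awk -v q="'" '
    function flush(   i, n, p) {          # emit the bridge-vlan section just read
      if (sect != "bridge-vlan") return
      bridges[dev] = 1; defined[dev "." vid] = 1
      for (i = 1; i <= np; i++) {
        n = split(ports[i], p, ":")
        print "vlan " vid " on " dev ": " p[1] " " (n > 1 ? p[2] : "-")
        if (n > 1 && index(p[2], "*")) pvid[p[1]] = pvid[p[1]] " " vid
      }
    }
    { gsub(q, "") }                        # drop UCI single quotes
    $1 == "config" { flush(); sect = $2; dev = vid = ""; np = 0; next }
    sect == "bridge-vlan" && $2 == "device" { dev = $3 }
    sect == "bridge-vlan" && $2 == "vlan"   { vid = $3 }
    sect == "bridge-vlan" && $2 == "ports"  { ports[++np] = $3 }
    sect == "interface" && $2 == "device"   { used[$3] = 1 }
    END {
      flush()
      for (d in used) {                    # br-lan.N with no bridge-vlan N: no port is a member
        split(d, b, ".")
        if ((b[1] in bridges) && b[2] != "" && !(d in defined))
          print "WARN " d " has no bridge-vlan section"
      }
      for (s in pvid)                      # a port has exactly one PVID
        if (split(pvid[s], a, " ") > 1) print "WARN " s " is PVID for VLANs" pvid[s]
    }'
}
sample_network() {   # constructed excerpt, modelled on the config in the thread
cat <<'EOF'
config interface 'lan'
	option device 'br-lan.10'
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:u*'
	list ports 'eth1:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth1:t'
config interface 'spy'
	option device 'br-lan.5'
EOF
}
sample_network | vlan_audit
```

On a router the same function can be fed the live file with `vlan_audit < /etc/config/network`; a clean config prints only `vlan` lines.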

Let’s see the rest of the config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/dhcp
cat /etc/config/firewall

One thing I do see is that you've omitted the CIDR subnet size for wg:

This should be:

	list addresses '172.22.110.1/24'
	list allowed_ips '172.22.110.33/32'

Thank you for the catch on wg0.

Regarding my other issue - you helped solve it by having me look at /etc/config/dhcp. I had several errant entries there from previous attempts to configure dhcp servers. Once I deleted those and restarted network (IDK if that was necessary, but I did just in case), everything started working like a charm!

Thanks to you, zekica, and mk24.

The changes from 19.07 to 23.05 are substantial (I never was able to upgrade, but got a second router to do a flashcut - still configuring it as I am changing IP ranges to avoid vpn issues when visiting other places that use 192.168.0 or .1)

Thank you again
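
Added example, not part of the original post: a check for the kind of leftover `/etc/config/dhcp` entries described above, assuming the stale entries are `config dhcp` sections that name an interface missing from `/etc/config/network` or that duplicate a pool for the same interface (the thread does not show them). `dhcp_audit` and `demo` are hypothetical names and both sample files are constructed.

```shell
#!/bin/sh
# Added example: find dhcp sections that do not line up with the network config.
# usage: dhcp_audit <network file> <dhcp file>
dhcp_audit() {
  awk -v q="'" -v net="$1" '
    function flush() {                     # judge the dhcp section just read
      if (sect != "dhcp") return
      if (ifn == "") ifn = "(none)"
      pools[ifn]++
      if (!(ifn in iface)) print "WARN dhcp section " name " -> undefined interface " ifn
    }
    { gsub(q, "") }                        # drop UCI single quotes
    $1 == "config" { flush(); sect = $2; name = ($3 == "" ? "(anonymous)" : $3); ifn = "" }
    $1 == "config" && FILENAME == net && $2 == "interface" { iface[$3] = 1 }
    sect == "dhcp" && $1 == "option" && $2 == "interface" { ifn = $3 }
    END {
      flush()
      for (i in pools) if (pools[i] > 1) print "WARN interface " i " has " pools[i] " dhcp sections"
    }' "$1" "$2"
}
demo() {   # constructed sample files: one duplicate pool, one orphaned pool
  d=$(mktemp -d)
  cat > "$d/network" <<'EOF'
config interface 'lan'
	option device 'br-lan.10'
config interface 'dmz'
	option device 'br-lan.3'
EOF
  cat > "$d/dhcp" <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
config dhcp 'lan_old'
	option interface 'lan'
config dhcp 'cameras'
	option interface 'cameras'
EOF
  dhcp_audit "$d/network" "$d/dhcp"
  rm -rf "$d"
}
demo
```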
