VLAN question - what happens to untagged packets at the router?

Hello again.

Quick question for my understanding. If all of your router networks are attached to VLANs (like eth0.10, eth0.100, eth0.200) and there is no network attached to the untagged interface (eth0). What would happen to packets received at the router with no VLAN tag? Would they be silently dropped? (This is what I hope/want).

Or, do I need to create an network for the untagged interface and have the packets dropped at the firewall?


This is the default config anyway.

Arriving at a tagged or tagged port? You would need it to be tagged for this to work.


I think you're talking around the same question that I'm asking.

My router only has one physical port, and in my network, as designed, all the packets arriving at the router should be tagged into one of 5 VLANs (by a downstream managed switch), and I have 5 virtual interfaces on the router for those VLANS. What I'm asking is, if an untagged packet arrives at the router port in this setup (due to an error or a misconfiguration somewhere) what happens to that packet?

It's either going to be:
Dropped at driver/netfilter because there is no interface for it (if so, great!)
Delivered to all interfaces because there is no tag (if so, boooo!)
Delivered to an interface based on some invisible rules somewhere (yuk)

With only one port, you possibly don’t have a switch at all and you get what you get on the interface and it’s sub-interfaces.

Depending on the driver and switch hardware, if there is no untagged outbound, untagged inbound is dropped.

To be sure, you can assign a “black hole” VLAN as the PVID. 4095 is often used for this, but the OpenWrt driver for some I have tried wouldn’t accept 4095. Any number that isn’t in use elsewhere should work.

Correct, no switch in the router, it's just an Intel NIC.

I wondered if it's safer to create a black-hole interface attached to the untagged port i.e. 'eth0' and have that zone configured to reject everything.

I'm curious as to what the default behaviour is however.

With a port connected directly to the CPU and no switch, only the Linux kernel driver is involved. eth0 with no VLAN is still available to receive untagged packets. But, duplicates of all tagged packets from other VLANs also appear on eth0. So you should not connect eth0 to anything except possibly as a monitor. Untagged packets will inherently be dropped then.

1 Like

Nothing scary about how a VLAN-enabled interface works and any sensible driver doesn’t replicate all packets everywhere all the time. It’s more “oh, here’s a packet, who gets a copy”.

Great thanks. So just to be clear, if you have a single physical interface 'eth0' directly attached to your cpu and your /etc/config/network looked like this:

config interface 'LAN'
    option ifname 'eth0.100'
config interface 'Guest'
    option ifname 'eth0.200'

Then anything untagged arriving on eth0 would be dropped inherently?

Correct. Your lan and guest bridges will only get packets that arrived tagged with 100 or 200 respectively. Packets with other tags or no tag have no configured destination so they will be dropped.

1 Like

Playing out the full scenario - if you did have an interface on eth0, I assume it would also get all the 100 and 200 VLAN tagged packets, as well as any other VLAN tagged packets that didn't have an interface defined? Would they be still tagged on delivery to the destination? So you could use it as a 'trunk' link?

I'm imagining the scenario where you have an IPsec tunnel between two OpenWRT routers and VLAN aware layer2 hardware at both ends.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.