VLAN - setting up OpenWRT trunk port

OpenWRT 23.05.3 on a WNDR3700v2 AP

I have a Cisco 3560G switch with a trunk port configuration into which one of my LAN ports (LAN #1) is plugged using a fully tested network cable.

The WNDR3700v2 I believe has its own internal switch and instantiates "eth0" and "eth1" ports.

I used the "switch" menu option to add all the VLANs and set up LAN1 port as tagged for every VLAN (none untagged). I also selected "tagged" for every VLAN under the CPU eth0 port.

If I connect to the WNDR3700v2 via WiFi I cannot ping any of the devices on VLAN 192. Conversely, if I plug into an access port on the 3560G with my laptop I can ping VLAN 192 network devices but not the IP address of the WNDR3700v2.

I have other Linksys APs (WRT3200ACM, WRT1900ac, RT3200) that I hope to set up similarly.

I welcome your comments and suggestions.

Stuart

Follows hereupon the contents of "/etc/config/network".
Note: The MAC address was redacted with a dummy MAC address.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd48:5a0c:a6d9::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth0'
	list ports 'eth0.1'
	list ports 'eth0.2'
	list ports 'eth0.10'
	list ports 'eth0.172'
	list ports 'eth0.192'
	list ports 'eth0.300'
	option promisc '0'

config device
	option name 'eth0'
	option macaddr '11:22:33:44:55:66'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.80.1'
	option netmask '255.255.0.0'
	option ip6assign '60'
	option gateway '192.168.70.218'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'
	option enable_vlan4k '1'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5t 3t 2'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5t 3t 1'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '5t 3t'

config switch_vlan
	option device 'switch0'
	option vlan '172'
	option ports '5t 3t'

config switch_vlan
	option device 'switch0'
	option vlan '192'
	option ports '5t 3t 0'

config switch_vlan
	option device 'switch0'
	option vlan '300'
	option ports '5t 3t'

config interface 'rescue'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.0.0'
	list comment 'for rescuing and management operations'
	option device 'br-rescue'

config device
	option name 'br-rescue'
	option type 'bridge'
	list ports 'eth0'
	option bridge_empty '1'

Stuart,

Don't take this the wrong way, but your configuration is a complete mess.
I don't see how it will help if we point out all your mistakes.
Better reset to defaults, tell us what you are trying to achieve and we will try to help.

Pavelgl,

Well, I am not taking it the wrong way as I knew the configuration I posted did not work. After all, who asks for help with a configuration that is working perfectly? If you do want to insult me you will have to work a lot harder at it! :slight_smile: I imagine my biggest mistake was trying to use the GUI to configure this!

I have been using my APs mostly as "dumb APs with roaming" until now when I messed up the configurations on them and decided to start over from scratch anyway so no problem factory resetting my APs.

I have several trunk ports on my 3560G switch, one of which has a MOCA device plugged into it (CATV is my backbone media to get to each room in my home), and have APs plugged into MOCA boxes in different rooms. Thus my entire network backbone is CATV into a trunk port. In the rack that my 3560G is in, I am using other trunk ports (for servers) and some access ports for devices (like my SharkRF original OpenSpot). The MOCA boxes can pass untagged or tagged VLAN packets no problem.

WNDR3700v2
LAN-PORT-1 I wish to be a trunk port that plugs into the MOCA box carrying all the VLANs over my backbone.
LAN-PORT-2 I wish to be a trunk port that I can plug a server into that is VLAN capable and configured.
LAN-PORT-1 and LAN-PORT-2 would likely never see any un-tagged traffic but if I could configure as such, it would be placed on VLAN 192.
LAN-PORT-3 Access port on VLAN 192
LAN-PORT-4 Access port on VLAN 10

My network VLANs are 1,2,10,172,192 (most devices), 300 (WAN VLAN for Internet connection) and pfSense routes betwixt the LAN VLANS and WAN VLAN.

Each radio (2.4GHz and 5GHz) would have 2 wireless LANs on them as described herein below. Eventually I'd enable the wireless LANs for roaming and set up other APs configured the same as the WNDR3700v2 is set up, including the ports described above.

SSID-1 bridges traffic to VLAN 192 (for my devices)
SSID-2 bridges traffic to VLAN 300 (for guest WiFi users)

I switched a while back from OpenWRT to pfSense as my core router (because of pfSense's pfblocker-ng), though I am now considering switching back to OpenWRT as my internet facing router. I am going to research more on what packages OpenWRT has that provide similar functionality to pfblocker-ng. I run a Pi-Hole VM too and know that OpenWRT could perform that service as well with little fanfare.

Stuart

Your network is too complex and I can only give you some basic guidelines on how to set up your device, avoiding mistakes.

First, do not set the same port as a member of more than one bridge (as with eth0). Actually, when using VLANs, you shouldn't use eth0 at all, only eth0.X.

If you need to access the device through a specific VLAN, you must create a dedicated interface. You can't just bridge all the VLANs together and expect it to work.

Example of wired-only access:

config interface 'vlan_192'
	option device 'eth0.192'
	option proto 'static' # or dhcp
	...

config switch_vlan
	option device 'switch0'
	option vlan '192'
	option ports '5t 3t 0'

Wired/wireless access:

config device
	option name 'br-vlan192'
	option type 'bridge'
	list ports 'eth0.192'

config interface 'vlan_192'
	option device 'br-vlan192'
	option proto 'static' # or dhcp or none
	...

config switch_vlan
	option device 'switch0'
	option vlan '192'
	option ports '5t 3t 0'

# /etc/config/wireless

config wifi-iface 'vlan192'
	option network 'vlan_192'
	...

If you just want to connect the server to the backbone (LAN2 to LAN1 over VLAN 172 for example) and the server does not need access to the AP itself, you do not need to create an interface. Just set the vid for the corresponding ports. You can even exclude the CPU port.

config switch_vlan
	    option device 'switch0'
	    option vlan '172'
	    option ports '2t 3t'

Also note that due to the large netmask, the lan and rescue interfaces are actually on the same subnet, which can cause problems.

Hope this helps.

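An added example, not from the thread: a small Python linter that parses UCI syntax and flags the four problems pointed out in the reply above (plain eth0 used beside eth0.X sub-interfaces, one port in two bridges, a switch port untagged in two VLANs, and the lan/rescue subnet overlap caused by the /16 netmask). The SAMPLE string is a constructed, trimmed copy of the posted layout, and the finding codes are names chosen here, not anything OpenWrt emits.

```python
"""Lint an OpenWrt /etc/config/network (swconfig layout) for the mistakes
raised in the reply above. Finding codes are this example's own names."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed version of the posted layout that reproduces
# each of the four problems (eth0 in two bridges, eth0 next to eth0.X,
# port 0 untagged in two VLANs, lan and rescue on the same /16).
SAMPLE = """\
config device
\toption name 'br-lan'
\toption type 'bridge'
\tlist ports 'eth0'
\tlist ports 'eth0.172'
\tlist ports 'eth0.192'
config interface 'lan'
\toption device 'br-lan'
\toption proto 'static'
\toption ipaddr '192.168.80.1'
\toption netmask '255.255.0.0'
config device
\toption name 'br-rescue'
\toption type 'bridge'
\tlist ports 'eth0'
config interface 'rescue'
\toption device 'br-rescue'
\toption proto 'static'
\toption ipaddr '192.168.1.1'
\toption netmask '255.255.0.0'
config switch_vlan
\toption device 'switch0'
\toption vlan '192'
\toption ports '5t 3t 0'
config switch_vlan
\toption device 'switch0'
\toption vlan '172'
\toption ports '5t 3t 0'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+)))?")
_OPTION = re.compile(r"^(option|list)\s+(\S+)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))")


def parse_uci(text):
    """Parse UCI text into sections {"type", "name", "options", "lists"}.
    Quoted and bare values are accepted; '#' lines and trailing comments are skipped."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _SECTION.match(line):
            name = next((g for g in m.groups()[1:] if g is not None), None)
            sections.append({"type": m.group(1), "name": name,
                             "options": {}, "lists": defaultdict(list)})
        elif (m := _OPTION.match(line)) and sections:
            value = next(g for g in m.groups()[2:] if g is not None)
            if m.group(1) == "option":
                sections[-1]["options"][m.group(2)] = value
            else:
                sections[-1]["lists"][m.group(2)].append(value)
    return sections


def lint(text):
    """Return a list of (code, message) findings for the parsed config."""
    sections = parse_uci(text)
    findings = []
    bridges = {s["options"].get("name", "?"): list(s["lists"].get("ports", []))
               for s in sections
               if s["type"] == "device" and s["options"].get("type") == "bridge"}
    ports = {p for plist in bridges.values() for p in plist}
    ports |= {s["options"]["device"] for s in sections
              if s["type"] == "interface" and "device" in s["options"]}
    # 1. plain eth0 used while eth0.<vid> sub-interfaces are also in use
    for base in sorted({p.split(".")[0] for p in ports if "." in p}):
        if base in ports:
            findings.append(("plain-base-with-subinterfaces",
                             f"{base} used directly although {base}.<vid> sub-interfaces exist"))
    # 2. one port owned by several bridges
    owners = defaultdict(list)
    for name, plist in bridges.items():
        for p in plist:
            owners[p].append(name)
    for p, names in sorted(owners.items()):
        if len(names) > 1:
            findings.append(("port-in-multiple-bridges", f"{p} is in {', '.join(names)}"))
    # 3. a switch port untagged (PVID) in more than one VLAN: 't' = tagged, else untagged
    untagged = defaultdict(list)
    for s in sections:
        if s["type"] == "switch_vlan":
            sw, vid = s["options"].get("device", "switch0"), s["options"].get("vlan", "?")
            for tok in s["options"].get("ports", "").split():
                if not tok.endswith("t"):
                    untagged[(sw, tok.rstrip("u"))].append(vid)
    for (sw, port), vids in sorted(untagged.items()):
        if len(vids) > 1:
            findings.append(("pvid-conflict", f"{sw} port {port} untagged in VLANs {', '.join(vids)}"))
    # 4. static interfaces whose subnets overlap (two /16s inside 192.168.0.0 here)
    nets = [(s["name"], ipaddress.ip_interface(
                f"{s['options']['ipaddr']}/{s['options'].get('netmask', '32')}").network)
            for s in sections
            if s["type"] == "interface" and s["options"].get("proto") == "static"
            and "ipaddr" in s["options"]]
    for i, (n1, net1) in enumerate(nets):
        for n2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                findings.append(("subnet-overlap", f"{n1} ({net1}) overlaps {n2} ({net2})"))
    return findings


if __name__ == "__main__":
    for code, message in lint(SAMPLE):
        print(f"{code}: {message}")
```

Run it against a real `/etc/config/network` by reading the file into `lint()`; a clean config returns an empty list. The PVID check only understands swconfig's `ports` tokens (trailing `t` for tagged), so it does not apply to DSA-style `bridge-vlan` sections.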

Instead of helping me with a full configuration, let me ask you to assist me with figuring out how certain things function within OpenWRT 23.05.03 and how they look in a configuration file.

Let us presume I am going to factory reset the WNDR3700v2.

For now my goal is to get the WNDR3700v2 to have a trunk port carrying all VLANs and an access port for VLAN 192. We can deal with the wireless AP part later on and I will forgo a rescue interface for the moment as I want to simplify the configuration.

Let us start with something basic, two VLANs, 172 and 192.

If my AP instantiates eth0, eth0.172, and eth0.192, then it is understandable that eth0.192 only carries VLAN 192 traffic and eth0.172 only carries VLAN 172 traffic. Thus, what does eth0 carry? Does it carry packets for all VLANs or only untagged packets?

If eth0 is carrying all VLAN traffic, then defining an interface with just eth0 as its bridge device would give me a trunk port for any LAN ports connected to that interface, correct?

If I want an access port on the AP for VLAN 192, then it seems I would create it by marking one port as untagged for VLAN 192 and leaving everything else as "off" (Including the CPU), correct?

Thanks!

Stuart

It does not work that way. In theory, plain eth0 should be any untagged packets. However it is common for consumer-grade hardware and drivers to not handle mixing tagged and untagged on a single port well, thus @pavelgl's advice to not use a plain eth name for anything when VLAN tagging is in use.

Also depending on the hardware, eth0 may be only an internal DSA node, which should not be referenced in any configuration at all. Use the external port names such as lan1 and wan. The CPU port is implicit in the bridge name e.g. br-lan.10.

The configuration must have a config interface for every active VLAN. If a VLAN is only going to be hardware switched between physical Ethernet ports, and/or software bridged to wifi, this config interface should be of proto none. OpenWrt does not have the equivalent of Cisco mode trunk where all VLANs will be passed without needing to declare each one by number.


mk24, Pavel, et alia:

I understand the concerns regarding the eth0 and shall not use that on any of my Interfaces (LAN in the instant case) as I am using VLANs. I was confused by the fact it exists in precedence to creating any VLANs, but that is fine, I do not expect any untagged traffic over my network at all. All traffic is going to enter already tagged via the AP on a VLAN port, already tagged via the 3560G on a trunked port, via a 3560G access port, or via OpenWRT on a port that is designated "untagged VLAN x". I would also presume that a port on the AP that has only a single VLAN marked as "untagged" is in effect an access port from OpenWRT's point of view.

Okay, I did suspect OpenWRT did not have a trunk port in the sense of carrying all unspecified VLAN traffic, but thank you for clarifying that. However, for the purposes of this discussion I shall consider a trunk port anything that is not an access port and carries specified pre-tagged VLAN traffic (for one or more VLANs) over that port.

I thought in the past that I had somehow set up ports on OpenWRT that carried say VLAN 172 and VLAN 192, but that if I set it up as "primary 192" that meant that untagged packets got tagged for 192 on ingress and untagged on egress, though incoming tagged VLAN 172 or incoming tagged VLAN 192 packets got placed on the network in their already tagged state.

It sounds like there is no way to have an interface that bridges two VLANs, correct?

Does anyone have any example configs that would show:

In my case x=192, y=172

  1. A port that is only configured to accept tagged VLAN x and tagged VLAN y packets
  2. A port that is only configured to accept untagged packets destined for VLAN x
  3. A port that is configured to accept tagged VLAN x, tagged VLAN y, and treats untagged packets as destined for VLAN x

What I am going to do is assert the configuration from the command line and then view the GUI to understand how I could have setup that configuration via the GUI. I have no fear of the command line, but since I have several of these APs to configure there would be a convenience to knowing how to achieve this configuration via the GUI.

Thank you to everyone.

Stuart

Added note: Some further reading stands indicative of the fact that this AP uses swconfig not DSA and that may well have had me a bit confused too. My other routers use DSA.
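An added example, not from the thread, for the three port types listed above on a swconfig device such as this one: it takes Cisco-style per-port roles and inverts them into the per-VLAN `ports` strings that `config switch_vlan` expects, since swconfig lists membership per VLAN rather than per port. CPU port 5 and the LAN port numbers 0 to 2 are assumptions taken from the shape of the earlier config, not verified against the WNDR3700v2's port map; `X` and `Y` are the thread's VLAN x=192 and y=172.

```python
"""Build swconfig 'config switch_vlan' sections from per-port roles.
swconfig lists membership per VLAN, one token per port ('5t' = tagged,
'0' = untagged), so a per-port view has to be inverted into per-VLAN lists."""

CPU_PORT = 5          # assumption: the CPU port the posted config tags as '5t'
X, Y = 192, 172       # the thread's VLAN x and VLAN y

# Constructed port roles for the three cases asked about (port numbers assumed).
# "tagged": VLANs carried with a tag; "untagged": the single PVID VLAN that
# untagged frames belong to, or None for a tagged-only port.
ROLES = {
    0: {"tagged": {X, Y}, "untagged": None},  # 1: tagged x and tagged y only
    1: {"tagged": set(), "untagged": X},      # 2: access port, untagged -> x
    2: {"tagged": {X, Y}, "untagged": X},     # 3: x and y tagged, untagged -> x
}


def build_switch_vlans(roles, cpu_port=CPU_PORT):
    """Return {vid: ports string}. A port appears once per VLAN: for case 3 the
    untagged (PVID) membership in x replaces the tagged one, because a switch
    port cannot be both a tagged and an untagged member of the same VLAN.
    The CPU port is added tagged to every VLAN so eth0.<vid> can carry it;
    pass cpu_port=None for a VLAN switched between physical ports only."""
    members = {}                                  # vid -> {port: "t" or ""}
    for port, role in roles.items():
        for vid in role["tagged"]:
            members.setdefault(vid, {})[port] = "t"
        if role["untagged"] is not None:
            members.setdefault(role["untagged"], {})[port] = ""
    result = {}
    for vid, ports in sorted(members.items()):
        tokens = [f"{cpu_port}t"] if cpu_port is not None else []
        tokens += [f"{p}{suffix}" for p, suffix in sorted(ports.items())]
        result[vid] = " ".join(tokens)
    return result


def render_uci(vlans, switch="switch0"):
    """Render the per-VLAN port lists as UCI 'config switch_vlan' sections."""
    out = []
    for vid, ports in sorted(vlans.items()):
        out += ["config switch_vlan", f"\toption device '{switch}'",
                f"\toption vlan '{vid}'", f"\toption ports '{ports}'", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_uci(build_switch_vlans(ROLES)))
```

For the roles above this yields `5t 0t 2t` for VLAN 172 and `5t 0t 1 2` for VLAN 192. Each VLAN that must reach the AP itself then still needs a `config interface` on `eth0.<vid>` (static for the management VLAN, none otherwise) as in the earlier examples in this thread; a VLAN built with `cpu_port=None` is switched between the physical ports only and needs no interface.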