VLAN Tagged + is Primary not working

Hi,

I'm getting lost with my VLAN config. I have configured three VLANs on my main switch's bridge device to create three different networks (lan, guest, iot); that works as expected. When I connect my computer to a lan port I get an IP according to the VLAN which I set as untagged (or marked with * as the primary VLAN).

Problems arise when I set all three VLANs as tagged, and one of them as the primary VLAN. When I connect my device, I get the correct IP according to the selected primary VLAN. However, I cannot access anything, as if the firewall were blocking all traffic.

Can anyone tell me what i have to change here?

Thanks!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Here you go.

(Another strange thing: if I assign port24 directly to the wan interface, I don't get an IP there from my modem-router. So I had to add port24 to a bridge br-wan and assign that to the wan interface; it works fine this way.)

ubus call system board
{
	"kernel": "5.15.161",
	"hostname": "OpenWrt.Switch",
	"system": "RTL8382",
	"model": "Zyxel GS1900-24E",
	"board_name": "zyxel,gs1900-24e",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r27230-a70555fb4f",
		"target": "realtek/rtl838x",
		"description": "OpenWrt SNAPSHOT r27230-a70555fb4f"
	}
}

cat /etc/config/network

# Switch-side /etc/config/network as posted (Zyxel GS1900-24E, per the `ubus call system board` output above).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1e:42fc:136c::/48'

# Main bridge 'switch' holds lan1..lan23. lan24 is kept out of it and bridged separately as br-wan (bottom).
config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr '60:31:97:f4:eb:bf'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21'
	list ports 'lan22'
	list ports 'lan23'
	# acceptlocal maps to the per-device accept_local sysctl: accept packets whose source address is one of
	# this host's own. That relaxes source-address sanity checking; NOTE(review): confirm it is really needed.
	option acceptlocal '1'

# VLAN 1 = 'lan'. Port flags: no suffix = untagged member, ':t' = egress tagged, '*' = PVID
# (untagged ingress on that port is assigned to this VLAN).
# lan6 is ':t*': tagged on egress yet PVID for untagged ingress — the "tagged + primary" combination
# this thread is about. lan13..lan15 carry VLAN 1 tagged only (trunk-style).
config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6:t*'
	list ports 'lan7'
	list ports 'lan13:t'
	list ports 'lan14:t'
	list ports 'lan15:t'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21'
	list ports 'lan22'
	list ports 'lan23'

# switch.1 is the VLAN sub-device derived from bridge-vlan 1; only its MAC and acceptlocal are overridden here.
config device
	option name 'switch.1'
	option macaddr '60:31:97:f4:eb:bf'
	option acceptlocal '1'

# 'lan' rides on VLAN 1: 10.0.1.254/16 (a /16; its size is questioned later in the thread).
# force_link '0' delays address/route setup until the device actually reports link.
config interface 'lan'
	option device 'switch.1'
	option proto 'static'
	option ipaddr '10.0.1.254'
	option netmask '255.255.0.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	option force_link '0'

# wan is DHCP on the br-wan bridge (lan24) rather than on lan24 directly — see the poster's note above.
config interface 'wan'
	option proto 'dhcp'
	option device 'br-wan'

# VLAN 10 = guest: lan8..lan12 are untagged access ports; lan6 and lan13..lan15 carry it tagged.
config bridge-vlan
	option device 'switch'
	option vlan '10'
	list ports 'lan6:t'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13:t'
	list ports 'lan14:t'
	list ports 'lan15:t'

# VLAN 100 = iot: tagged only on lan6 and lan13..lan15, no untagged access port.
config bridge-vlan
	option device 'switch'
	option vlan '100'
	list ports 'lan6:t'
	list ports 'lan13:t'
	list ports 'lan14:t'
	list ports 'lan15:t'

# Guest network on VLAN 10, 172.16.10.1/24.
config interface 'guest_10'
	option proto 'static'
	option device 'switch.10'
	option ipaddr '172.16.10.1'
	option netmask '255.255.255.0'
	option force_link '0'

# IoT network on VLAN 100, 172.16.100.1/24.
config interface 'iot_100'
	option proto 'static'
	option device 'switch.100'
	option ipaddr '172.16.100.1'
	option netmask '255.255.255.0'
	option force_link '0'

# Explicit 8021q devices named switch.10 / switch.100 on top of the bridge. The bridge-vlan sections
# above already yield switch.<vid> devices, so these look redundant — NOTE(review): confirm they do not
# collide with the derived devices.
config device
	option name 'switch.10'
	option type '8021q'
	option ifname 'switch'
	option vid '10'
	option acceptlocal '1'

config device
	option name 'switch.100'
	option type '8021q'
	option ifname 'switch'
	option vid '100'

# lan24 alone in a bridge, used as the wan device (see interface 'wan' above).
config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'lan24'

cat /etc/config/dhcp

# Switch-side /etc/config/dhcp as posted.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# rebind_protection: discard upstream DNS answers that point at private address space
	# (DNS-rebinding defence); rebind_localhost still lets 127.0.0.0/8 answers through.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	# authoritative: dnsmasq assumes it is the only DHCP server on these networks.
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# localservice: only answer DNS queries that arrive from directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'

# lan pool: offsets 10..249 from the 10.0.0.0/16 base, i.e. 10.0.0.10-10.0.0.249
# (consistent with the poster's "10.0.0.x is DHCP, 10.0.1.x is static" remark).
config dhcp 'lan'
	option interface 'lan'
	option start '10'
	option limit '240'
	option leasetime '72h'

# No DHCP service on the wan side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'guest_10'
	option interface 'guest_10'
	option start '10'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot_100'
	option interface 'iot_100'
	option start '10'
	option limit '150'
	option leasetime '12h'

# Static lease; the host details were redacted by the poster.
config host
	option name ............
	option leasetime 'infinite'

cat /etc/config/firewall

# Switch-side /etc/config/firewall as posted.
# Global policy: traffic to the device (input) and between zones (forward) is REJECTed unless a
# zone or rule below allows it; synflood_protect enables SYN-flood rate limiting.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: full access to the device and unrestricted forwarding within the zone.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone: NAT (masq) and MSS clamping (mtu_fix). Note it also lists 'wan6', which the
# network config above does not define.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt default rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# guest zone (VLAN 10): the device only accepts what the guest-dhcp/guest-dns rules below allow;
# guest -> wan forwarding is granted right after.
config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest_10'

config forwarding
	option src 'guest'
	option dest 'wan'

# iot zone (VLAN 100): same input policy as guest. No iot -> wan forwarding is defined anywhere
# in this file, so IoT clients have no internet path through this device.
config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot_100'

config rule
	option name 'guest-dhcp'
	list proto 'udp'
	option src 'guest'
	option dest_port '67 68'
	option target 'ACCEPT'

# No proto given: OpenWrt rules default to 'tcp udp', so this covers both DNS transports.
config rule
	option name 'guest-dns'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'iot-dhcp'
	list proto 'udp'
	option target 'ACCEPT'
	option src 'iot'
	option dest_port '67 68'

config rule
	option name 'iot-dns'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

# One-way: lan may initiate to guest and iot; the reverse direction stays REJECTed
# (replies still pass as established/related connections).
config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'iot'

# DNAT port forwards into lan; source zone, ports and target hosts were redacted by the poster.
config redirect
	option dest 'lan'
	option target 'DNAT'
.................

config redirect
	option dest 'lan'
	option target 'DNAT'
..............

config redirect
	option dest 'lan'
	option target 'DNAT'
............

config redirect
	option dest 'lan'
	option target 'DNAT'
	.........


Are you attempting to use the switch as a router?

All routing should be performed on the main router in your network. A switch is not appropriate for routing, even though it may be technically possible, due to the extremely limited bandwidth that will result (i.e. 20 Mbps).

Yes, I'm attempting this until I get my new internet connection.

But the VLAN setup should work anyway? Enabling all VLANs as tagged on the port and choosing the primary one as fallback should work; apparently it works, because I get an IP, but I'm unable to ping anything in any direction.

There are many issues here. The fastest fix is to reset to defaults. Then create the wan interface and take one port (24) out of br-lan and place it as the wan device directly (don't make a bridge for it).

Try that first, then create additional networks once the wan/lan is working.

But it is a bad idea to do this on a switch.

Ok, you were wrong, I just got 10 Mbit over the switch :melting_face:

I installed one router behind the provider's one and reflashed every device with the current snapshot. But the problem is the same, regardless of whether I'm at the switch or at any of the other downstream wifi access points with the same config (all three subnetworks tagged, the first one primary).

Here, for example, LAN6 on the switch: if I assign all 3 VLANs to it with 1 as primary, I get an IP (client ip: 10.0.0.241/16 brd 10.0.255.255) but cannot reach anything.

cat /etc/config/network

# Switch /etc/config/network after moving routing to a separate main router: no wan here any more,
# the switch only transports VLANs 1/10/100 at layer 2 and keeps a management address on VLAN 1.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd8:addc:97d4::/48'

# All 24 ports are now in the one bridge (lan24 included).
config device 'switch'
	option name 'switch'
	option type 'bridge'
	# MAC as posted; looks partially redacted.
	option macaddr '60:b:bf'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21'
	list ports 'lan22'
	list ports 'lan23'
	list ports 'lan24'

# VLAN 1. Flags: no suffix = untagged, ':t' = egress tagged, '*' = PVID for untagged ingress.
# lan6, lan21, lan22 and lan24 are ':t*' (tagged + PVID); lan6 is the port the poster tests
# with a plain client and reports as getting an address but no connectivity.
config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6:t*'
	list ports 'lan7'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21:t*'
	list ports 'lan22:t*'
	list ports 'lan23'
	list ports 'lan24:t*'

config device
	option name 'switch.1'
	# MAC as posted; looks partially redacted.
	option macaddr '60:31eb:bf'

# Management address of the switch on VLAN 1 (still a /16).
config interface 'lan'
	option device 'switch.1'
	option proto 'static'
	option ipaddr '10.0.1.254'
	option netmask '255.255.0.0'
	option ip6assign '60'

# VLANs 10 and 100 are tagged-only on lan1, lan2, lan6, lan21, lan22, lan24; the switch has no
# interface on them, so they are purely transported. Which of these ports face the router vs.
# downstream APs is asked later in the thread.
config bridge-vlan
	option device 'switch'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan6:t'
	list ports 'lan21:t'
	list ports 'lan22:t'
	list ports 'lan24:t'

config bridge-vlan
	option device 'switch'
	option vlan '100'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan6:t'
	list ports 'lan21:t'
	list ports 'lan22:t'
	list ports 'lan24:t'

cat /etc/config/firewall 

# Switch /etc/config/firewall (stock defaults). With routing moved off the switch, only the 'lan'
# zone is actually backed by a network; the 'wan' zone references 'wan'/'wan6', which the
# switch's network config above no longer defines, so those entries are stale but harmless.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt default rules follow, unchanged.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

When I change VLAN 1 to untagged, everything works; I get the same IP as before.

cat /etc/config/network

# Same switch config as the previous listing, with one change: lan6 in VLAN 1 is now ':u*'
# (untagged + PVID) instead of ':t*'. This is the variant the poster reports as working.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd8:addc:97d4::/48'

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr '60:31:97:f4:eb:bf'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21'
	list ports 'lan22'
	list ports 'lan23'
	list ports 'lan24'

# VLAN 1: lan6 is a plain untagged access port here (':u*'); lan21, lan22, lan24 stay ':t*'.
config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6:u*'
	list ports 'lan7'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21:t*'
	list ports 'lan22:t*'
	list ports 'lan23'
	list ports 'lan24:t*'

config device
	option name 'switch.1'
	option macaddr '60:31:97:f4:eb:bf'

# Switch management address on VLAN 1.
config interface 'lan'
	option device 'switch.1'
	option proto 'static'
	option ipaddr '10.0.1.254'
	option netmask '255.255.0.0'
	option ip6assign '60'

# VLANs 10 and 100: tagged-only on the same six ports as before; lan6 still carries them tagged
# in addition to untagged VLAN 1.
config bridge-vlan
	option device 'switch'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan6:t'
	list ports 'lan21:t'
	list ports 'lan22:t'
	list ports 'lan24:t'

config bridge-vlan
	option device 'switch'
	option vlan '100'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan6:t'
	list ports 'lan21:t'
	list ports 'lan22:t'
	list ports 'lan24:t'

Config on my main router, which creates the three networks:

cat /etc/config/firewall 

# Main-router /etc/config/firewall as posted: stock defaults plus a guest_10 and an iot_100 zone.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The only forwarding in this file: lan -> wan. Nothing lets guest_10 or iot_100 reach wan or lan,
# and nothing lets lan reach them (the thread raises this; the poster says it was changed afterwards).
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt default rules follow, unchanged.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone: isolated by default (input/forward REJECT); only the DHCP and DNS rules below open the device.
config zone
	option name 'guest_10'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest_10'

# IoT zone: same policy. Note there is an iot_DHCP rule but no iot_DNS counterpart, so IoT
# clients cannot use this router as resolver as posted.
config zone
	option name 'iot_100'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot_100'

config rule
	option name 'guest_DHCP'
	list proto 'udp'
	option src 'guest_10'
	option dest_port '67 68'
	option target 'ACCEPT'

# No proto given: OpenWrt rules default to 'tcp udp'.
config rule
	option name 'guest_DNS'
	option src 'guest_10'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'iot_DHCP'
	list proto 'udp'
	option src 'iot_100'
	option dest_port '67 68'
	option target 'ACCEPT'

cat /etc/config/network 

# Main-router /etc/config/network as posted. br-lan (lan2..lan4) carries all three VLANs tagged on
# every port, with VLAN 1 as PVID; the router owns an address on each VLAN.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# Value as posted; 'fd98:::/48' is not a valid prefix and looks truncated or redacted.
	option ula_prefix 'fd98:::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# lan on VLAN 1: 10.0.1.1/16 — the default gateway the switch's 10.0.1.254 shares a subnet with.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.0.0'
	option ip6assign '60'

config device
	option name 'wan'
	# MAC as posted; redacted.
	option macaddr '505'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# VLAN 1 is ':t*' (tagged + PVID) on all three ports — the same "tagged + primary" pattern as on the switch.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan2:t*'
	list ports 'lan3:t*'
	list ports 'lan4:t*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'

# Router addresses on the guest and IoT VLANs.
config interface 'guest_10'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '172.16.10.1'
	option netmask '255.255.255.0'

config interface 'iot_100'
	option proto 'static'
	option device 'br-lan.100'
	option ipaddr '172.16.100.1'
	option netmask '255.255.255.0'

Do not use VLAN ID 1; DSA uses it internally.

That is not true. VLAN 1 can be used safely.

A few things here...

  1. Is there any particular reason you are using a /16? That is unnecessarily large.

  2. What exactly are you trying to reach and from where (what is the IP address of the test source, what is the target of that test)?

  3. port lan6 has all three networks tagged. There's no problem with this, but what does it connect to? Is that the upstream connection? Or a downstream one?

  4. your main router does not have any forwards defined for vlans 10 and 100 to or from vlan 1 or the internet. Is that intentional?

  5. VLANs 10 and 100 are tagged on all their member ports... where do these connect (lan1, 2, 6, 21, 22, 24)?

  6. Could you draw a network topology diagram so we can understand how this switch is supposed to interact with your network?

  1. Yes, I have .0.x for DHCP, .1.x for static addresses and some more for WireGuard networks.
  2. I want to reach anything upstream from the client; I get an IP but cannot ping anything anywhere from the client, and I also cannot reach the client from any other device.
  3. Port 6 is an example of a downstream port to a client PC.
  4. Yes, that's changed by now.
  5. Yes, that's not quite correctly configured, but I failed to configure them the way I think I need to, so I did not finish that...
  6. It boils down to the last figure in this example from the wiki.

I want "guest lan ports". If there is a downstream wifi router connected to one of the switch ports (like lan6 here), it should connect its wifi networks to the corresponding VLAN (which works great).
If an ordinary client connects to the downstream switch port (or one of the downstream wifi router's lan ports), it should get mapped to either VLAN 10 or VLAN 1 depending on the location.

Therefore my plan was to assign every lan port to every VLAN as tagged, and mark one of them as primary. So if a downstream router is connected it can serve all three VLANs, and if an ordinary lan client connects, the received untagged traffic should get mapped to the VLAN that is set as primary?!

But that doesn't work on the switch nor at the wifi routers; I also played around with a freshly reset wifi router, and there even mixing tagged and untagged on one lan port doesn't work after a reboot of the router...

So I played around with a fresh router quite a bit more, and I start to think the snapshot is just bugged out. Things work quite randomly and stop due to a different change somewhere else.
I SEE the packet count going up at the right interface, so I know the VLAN-tagged-primary is redirecting the untagged traffic to the right vnet and connected device, but something stops there.
I also can't get a standalone wifi network up and running consistently; sometimes it works, sometimes not, depending on changes to other, uninvolved interfaces. It seems things get confused when deleting the default interface and changing the default bridge.
(Or I just miss something, but boy, I tried a lot...)

So I think I will wait until 24 is stable and hope that the problem is gone.

Ok... but do you need a full /16 for this? It would seem to me that you can achieve this organizational goal in say a /22 or something.

And, what exactly do you mean by "some more for wireguard networks" -- Wireguard is a routed protocol that needs to be on a non-overlapping subnet. So the wireguard interfaces themselves must not overlap, and if you're setting up separate LANs that will use wireguard, they also can't overlap. What you have there is one huge subnet/network. I'm a bit confused as to the intended use here.

Can you give specific examples? Also, what's the address/subnet of the upstream network? (is it a public IP or an RFC1918 network)?

Is that client PC VLAN aware? Typically they're not unless you use advanced settings to enable VLANs.

Ok, good.

As long as you're not attempting to connect to/from any VLAN 10 or 100 addresses, that's fine.

But how does this relate to the actual physical devices on your network -- your own topology. This doesn't tell me what devices are connected to each port and how they're expected to communicate with each other.

this needs more clarity...
Specifically, how does a "downstream router" connect to one of the ports or an ordinary client? Are you going to set physical switch ports such that say port 4 = guest network, port 5 = VLAN 10, port 6 = vlan 100? Or do you expect this to be somewhat automatic? The latter is a different animal entirely.

The downstream router would need to be configured appropriately and specifically such that it could serve all three VLANs -- and are we talking routing or just a bridged AP? None of this happens automatically.

Yes, untagged traffic can be mapped to a specific VLANs, but I'm wondering if there is some sort of a disconnect here about how the ports will behave and how devices need to be configured to connect to a tagged VLAN.

While this is certainly possible, I actually think it's unlikely. I think that there are some problems with the way things are configured and possibly the expectations or understanding of the downstream VLAN assignments.

Yeah, I know this setup is somewhat of a mess, but it works for now, EXCEPT for this tagged + primary VLAN. That's my primary concern for now, so I just built a test case with a new router completely disconnected from the rest of my network
(besides upstream – the wan port to the provider).

I made a dirt-simple example config on a freshly reset AX3000T to exclude other factors. I did the following:

  • create a single vlan on the default bridge
  • Assign the two used lan ports as UNTAGGED and primary
  • set the default lan device to use the vlan instead of the bridge
  • enable default wifi (connected to lan as default)

Now I connect a Windows and a Linux PC to the two lan ports. Works as expected: everyone gets an IP and can ping each other.

  • Now I set the VLANs to tagged and primary.

Fun fact: the Windows PC starts to work after a while. I can reach the router's web interface. But there is a noticeable lag from connecting the lan port until obtaining an IP (some seconds); sometimes I get two pings and then the connection is dropped and renewed. After a while it starts working like it should.

The Ubuntu PC is not happy at all. It gets an IP after a while, but I cannot reach the router nor the other Windows PC.

I also observe some driver crashes (?) in the OpenWrt syslog (something with ------cut here-----; I think it gets timeouts while waiting for the physical LAN connection).

I installed the ip-full and ip-bridge packages; that did not help. I see the same behavior on my Zyxel switch and on the Xiaomi AX3000T, so I don't think it's a device-specific problem.

Here are the configs for this setup:

# Minimal test config on a freshly reset AX3000T: one VLAN (2) on the default br-lan.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd37:fb08:be42::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# lan now sits on the VLAN sub-device br-lan.2 instead of br-lan itself.
config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr '50:88:11:53:83:55'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# VLAN 2 membership. lan2 has no flag suffix (OpenWrt's default for a bare port name is an untagged
# member — confirm); lan3 and lan4 are ':t*', i.e. egress tagged with VLAN 2 as PVID — the
# "tagged + primary" variant the poster reports as flaky with directly attached PCs.
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan2'
	list ports 'lan3:t*'
	list ports 'lan4:t*'

The firewall is untouched by me:

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# redirect a port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

I don't quite understand what you mean by this...

Good.

What do you mean "primary"? This is not a VLAN related term, so please explain what you're referring to.

If I had to guess, based on the below:

When you say "primary" you mean the * after the tagged indicator? This is not really a valid configuration in 99.999% of the cases.

You still haven't explained how things are physically connected here. I can tell you that if your computers are directly connected to lan3 and lan4, it's not going to work the way you want/expect.

Please provide a diagram of the connections and topology. A simple drawing on a piece of paper is sufficient, as long as there are labels that describe the devices and the ports. Then just take a photo of that and upload it here.

I'd have to see the logs that you're referring to, but it already seems like you're dealing with an invalid configuration, not a problem with OpenWrt.

Those should not be required packages, and yes, I would expect that an invalid configuration would have similarly undesirable behaviors on multiple types of devices.

I am coming to the conclusion that there is a disconnect for you about how VLANs function and how things need to be configured for VLANs to work. However, despite the long posts, I still am no closer to understanding how you have things physically connected and why you even want to use VLANs.

I can help you achieve the goals, but let's start with the following:

  1. Provide a network topology diagram as I requested above (multiple times).
  2. Describe what you hope to achieve with VLANs? A common example: guest and/or iot networks that are isolated from the main lan. Maybe the guest network has internet access and the iot network does not. This is just an example, but it is critical to make your intent clear so that we can work towards that goal.

I may ask more questions after you provide the above, but only after that information is provided will we have enough direction to have a discussion about specifics.

I'll reiterate -- this does not look like a bug in OpenWrt. Instead, it looks like invalid configurations and possibly a misunderstanding about how VLANs work.

The * or PVID means that any untagged packets that arrive at that port will go into that VLAN. This means that a port should be set primary in only one VLAN, and it should almost always also be the VLAN where the port is set for untagged egress, i.e. u*, so that untagged traffic is answered with untagged traffic.

So why did you not quit while you were ahead? Do not send tagged packets into a desktop or other device that is not configured to be VLAN aware. The port connected to such a device should be untagged in exactly one VLAN.

Yeah, we are drifting apart, and I'm also definitely no expert :smiley: let me try to clarify. My goal is to isolate the iot and guest networks. That already works over the wifi networks; now I would like to "automap" a guest device on the lan port to the guest network: provide all three VLANs at the port if the client device is aware of them, and if a dumb PC is connected, put it into the guest network. If I get this working I don't have to figure out which port goes where and where untagged traffic should go; I can just apply this default behavior to every port. That's what the asterisk - PVID - Primary VLAN ID is for, at least that's my understanding of the wiki entry.

Here is the diagram for the last config. Keep in mind that has nothing to do with the real world application and is just a test setup for my understanding.

According to this wiki entry about vlans
PVID: Primary VLAN ID makes the specified VLAN ID assigned to the interface the primary one. Untagged ingress will be assigned to the specified VLAN ID.

So these two configs of lan2 and lan3 should produce exactly the same outcome in the above diagram with the two dumb client PCs.


The untagged ports work as expected. Both PCs get their IP and communicate happily with everyone else.

This setup breaks things. The Windows PC starts to work after some time; the Ubuntu PC gets an IP but is not able to communicate with anybody.

But the second config should also work regardless of tagging, because the * at the tagged port should map the untagged traffic from both PCs to the VLAN.
Or do I get the function of the asterisk - primary VLAN ID wrong?

thanks for your help

The key word here is "ingress." It means inward bound. The egress (outgoing) packets on the port are not affected by the PVID setting. Instead, the main setting of tagged or untagged determines how packets will egress. And as I said before, if tagged packets are sent to an ordinary PC, it is unlikely to understand them. The first configuration that you did is the correct one.

I've never had to use the * setting. A simple T or U is fine. That may change on some hardware.

The idea of auto-assigning a VLAN is very much an advanced feature. This is typically done with 802.1x authentication methods -- the 'authorized' computers will authenticate themselves as they join the network and will be steered to the appropriate network. The rest of the devices that do not have authentication will be mapped to another network (in this case, a guest network). But make no mistake -- this is a complicated thing to setup, especially for novices, and it is seriously overkill for any home network as it requires not only per-device authentication, it also requires a RADIUS server and quite a bit of complex configuration.

https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x

Ok... so in this case, the word primary is used with PVID. I've actually always known it as a "Port VLAN ID," but that's a minor terminology difference.

That addresses ingress traffic, as pointed out by @mk24. Egress traffic is handled by the U(ntagged) or T(agged) setting. It is highly unusual to have t* as usually you want the ingress and egress to both be untagged or both be tagged. This would cause an asymmetry which is extremely uncommon and only valuable in an extreme edge case.

When setting a port to have an untagged network, I always recommend explicitly using u* so that ingress traffic will always be assigned to the correct VLAN and the egress is that same VLAN. It's true that the * may not be necessary, but I think it is a good idea to include it (it will not harm anything).

Based on your diagram, ports lan2 and lan3 should be on the same VLAN with both set to u*. It is highly unlikely that either of those machines will understand 802.1q tags unless you have done some advanced configuration (within the Windows and Ubuntu OSes). Most normal user equipment (i.e. computers, phones, tablets, STBs, game consoles, etc.) will not have VLAN-aware capabilities out of the box, and lots of devices have no means by which a user could set up VLANs. They normally rely on the ethernet connection being untagged.

Yeah, as I described, this setup is (typically considered) invalid. But regardless of the potential edge-case validity of it, it's certainly not going to help you achieve your goals.

You need it set as u* (or u) not t*.

Back to this goal...
For wifi, it's pretty straight forward - you can either:

  • setup an SSID per VLAN (so lan, guest, iot, etc.)

or

  • setup a single SSID with multiple passphrases, where the passphrase used will determine the VLAN that is joined. This is more advanced than the SSID per VLAN option, but is possible to do.

(I'm not including 802.1x here because it's like carpet bombing a city to kill a single kitchen rat).

Ethernet is different, though, as you typically set the port-VLAN membership such that you have either trunks (which carry multiple networks where both ends are VLAN-aware devices such as routers, managed switches, and APs), or you have access ports which are intended for normal end-user equipment (one network only, untagged + PVID). These are typically specified on a port-by-port basis on the VLAN-aware routers or switches, so it's preset. You can change the settings, but it's not dynamic/automatic based on the device that is connected.

To make use of an automatic method, you'll usually be looking at 802.1x authentication. There is another option -- MAC-VLAN (where the MAC address of the connecting device is used to determine the VLAN that is joined). This is also a bit of a complex setup, and is not really ideal for the scenario at hand.

Really, unless you expect people to randomly connect guest/iot devices to random ports in your home, it's really not a big deal to pre-set the specific ports used for those purposes. So if you have an ethernet port in your guest room, set it as the guest network. If you have an ethernet port into which an iot device (maybe a lighting control bridge) will be connected, set that to your iot network as an access port.

@mk24 oooh, that's what I missed, thank you! That's a rather useless feature then...

@psherman yes, per-device auth is overkill; I thought I could get around that. But I will just assign the ports. Guest wifi & u-ports work well.

The idea with the same wifi SSID but different passwords is fascinating, I will dig into that!

Thank you all for your help and patience!
