VLAN tagging w/o built in switch, AX3600

Hi,

I am replacing my trusty Archer C7 dumb AP with one of those fancy AX3600 WiFi 6 thingies, also configured as dumb AP.

The C7 is a regular AP/edge switch except for one thing: anything connected to LAN 3 or LAN 4 was handled differently by the router via VLAN id 5. Those ports were isolated from the rest of the network on their own subnet and could only reach the internet.

Unfortunately, the AX3600 does not have a built-in switch, so I wonder how I can map the C7 switch config above into a network configuration that fits the AX3600 (which seems to have individual ports instead of a programmable switch).

I tried this and only succeeded in locking myself out (there is no LAN 4 on the AX3600, so I only want LAN3 to be handled differently on the new device):

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:t'
	list ports 'wan:u'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan3:u'
	list ports 'wan:t'

It has a switch, but it's handled via DSA (more or less); see https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial


For the untagged ports, use 'u*'.

What you've shown there:

  • VLAN 1 is untagged on ports lan1, lan2, and wan.
  • VLAN 1 is tagged on port lan3
  • VLAN 5 is untagged on port lan3
  • VLAN 5 is tagged on wan

This makes ports wan and lan3 trunk ports; the others are access ports for VLAN 1.

Is that what you're going for?

The final part of the puzzle is assigning the networks appropriately...
If VLAN 1 is your main network (used to manage the device), typically you want that to have an address assigned. So you'll do that with a network using device br-lan.1 and then proto static (or DHCP).
The other network (in this case, VLAN 5), will have a network associated that has proto 'none' and device br-lan.5. From there, you can connect either or both of them to SSIDs for wifi.


Thank you for quick reply.

This is how my old device was configured:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd67:1810:d9ae::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.7'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1 2 3 4t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '5'
	option ports '0t 1t 4 5'

I just want to rewrite the "switch" parts of the config into "dsa" lingo, if possible.
Disclaimer: I have very little understanding of VLAN tagging. I just got it to work on the C7, via a managed switch and into the router. I then set up a separate interface on the router to handle VLAN5 as "guest".
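The translation the poster asks for can be done mechanically. The script below is an added example for this thread, not OpenWrt or netifd code: it takes the two `switch_vlan` port strings from the old C7 config and emits the equivalent `bridge-vlan` port lists. The mapping from swconfig port numbers to DSA port names (port 0 as the CPU port, port 1 as the wan jack, ports 2 to 5 as lan1 to lan4) is an assumption chosen to match the poster's description that LAN3/LAN4 carried VLAN 5; check it against your board's device page before using it. Untagged membership is emitted as `u*` (untagged plus PVID), which is what the replies here recommend for access ports.

```python
"""Translate swconfig 'switch_vlan' port strings into DSA 'bridge-vlan' entries.

Added example for this thread; the port-number-to-name map is an ASSUMPTION.
"""
import re

# ASSUMED swconfig port map for the old switch. Port 0 is taken to be the CPU
# port (eth1); it has no counterpart in a DSA bridge-vlan and is dropped.
C7_PORT_MAP = {0: None, 1: "wan", 2: "lan1", 3: "lan2", 4: "lan3", 5: "lan4"}

# The two switch_vlan sections from the posted old config, keyed by vid.
OLD_SWITCH_VLANS = {1: "0t 1 2 3 4t 5t", 5: "0t 1t 4 5"}

TOKEN = re.compile(r"^(\d+)(t?)$")


def parse_ports(ports):
    """'0t 1 2 3 4t 5t' -> [(0, True), (1, False), (2, False), ...]"""
    out = []
    for tok in ports.split():
        m = TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad swconfig port token {tok!r}")
        out.append((int(m.group(1)), m.group(2) == "t"))
    return out


def to_bridge_vlans(switch_vlans, port_map):
    """Return {vid: [(port_name, flags), ...]} ready for 'list ports' lines.

    Tagged membership stays 't'; untagged becomes 'u*' (untagged + PVID).
    A port can only have one PVID, so being untagged in two VLANs is an error.
    """
    result = {}
    untagged_in = {}  # port name -> vid it is already untagged in
    for vid, ports in switch_vlans.items():
        entries = []
        for num, tagged in parse_ports(ports):
            if num not in port_map:
                raise ValueError(f"port {num} missing from port map")
            name = port_map[num]
            if name is None:  # CPU port: implicit under DSA, nothing to emit
                continue
            if tagged:
                entries.append((name, "t"))
                continue
            if name in untagged_in:
                raise ValueError(f"{name} untagged in VLAN {untagged_in[name]} and {vid}")
            untagged_in[name] = vid
            entries.append((name, "u*"))
        result[vid] = entries
    return result


def render_uci(bridge_vlans, bridge="br-lan"):
    """Render the 'config bridge-vlan' sections as UCI text."""
    lines = []
    for vid in sorted(bridge_vlans):
        lines += ["config bridge-vlan", f"\toption device '{bridge}'", f"\toption vlan '{vid}'"]
        lines += [f"\tlist ports '{name}:{flags}'" for name, flags in bridge_vlans[vid]]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_uci(to_bridge_vlans(OLD_SWITCH_VLANS, C7_PORT_MAP)))
```

Run it and compare the output with the `bridge-vlan` sections posted in this thread: the CPU port disappears, `4t 5t` in VLAN 1 becomes `lan3:t` / `lan4:t`, and `4 5` in VLAN 5 becomes `lan3:u*` / `lan4:u*`. The `bridge device` section (`config device` with `list ports`) and the `br-lan.1` interface still have to be written by hand, as the replies below explain.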

You've pretty much done it already, other than the fact that I'd recommend you use 'u*' for the access ports (i.e. the ports that have only one network associated).

Where are you stuck?

OK, maybe it was just u* that was needed. I will try it tomorrow.

With the config above, my router was not accessible from any port after a reboot. I had to use the reset switch and set it up as an AP again.

Thank you for your time!

oh... I see.

You do need to make sure that your lan interface uses device br-lan.1 (instead of br-lan).

Post your complete network config from the new router and we can see if it looks okay.

This is the complete network config from the new router (which did not work and locked me out, even when I tried to access the router from the WAN port):

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdee:ee8d:5ecc::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.7'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:t'
	list ports 'wan:u'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan3:u'
	list ports 'wan:t'

You have the bridge device defined twice... remove the second instance.

Since ports LAN1 and LAN2 are access ports for VLAN 1, use u* like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:t'
	list ports 'wan:u'

Change the lan to use br-lan.1 like this:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.7'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

Create an unmanaged network interface for the other VLAN (so that you can connect it with a wifi SSID) -- I'm calling it vlan5, but you can call it something else if you want (e.g. guest, iot, etc.).

config interface 'vlan5'
	option device 'br-lan.5'
	option proto 'none'

Or simply just write the port name without it; see jow's explanation: Yet another DSA-"I still have questions"-thread - #2 by jow


Wohoo!

I got it running! Many thanks, you kind strangers, you are the best!

For future reference, here is a recipe for a "dumb AP" with IP 192.168.0.9 with two (LAN3, LAN2) of four ports being tunnelled as "VLAN5" for further isolation in the router. (If there is a switch in between, it needs to be able to handle VLANs and be configured accordingly.)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd47:5f38:59af::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'wan:u'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.9'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config interface 'vlan5'
	option device 'br-lan.5'
	option proto 'none'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'wan:t'

This way, I can connect dodgy Chinese IoT things to port 2 or 3 and keep them isolated from the internal network.
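The two mistakes diagnosed earlier in the thread (the bridge device defined twice, and the lan interface bound to bare `br-lan` instead of `br-lan.1`) are easy to make and cost a factory reset each time. The linter below is an added example for this thread, not OpenWrt or netifd code: it parses the UCI text of `/etc/config/network` and reports those two errors, plus a bridge-vlan port that is not a member of the bridge, a port untagged in more than one VLAN (only one PVID is possible), and, as a note, an untagged port without a PVID (`u` without `*`), which the replies recommend writing as `u*`. The embedded `BROKEN` string is a constructed copy of the locked-out config posted above, with loopback and globals left out; run it against the final recipe and the errors disappear. The parser handles only the `config`/`option`/`list` subset of UCI that a network config uses.

```python
"""Lint an OpenWrt DSA network config for the lock-out mistakes in this thread.

Added example; the UCI parser is a minimal one written for this script.
"""
import re

# Constructed copy of the config that locked the poster out (bridge device
# defined twice, lan bound to the bare bridge); loopback/globals left out.
BROKEN = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.7'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:t'
	list ports 'wan:u'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan3:u'
	list ports 'wan:t'
"""


def parse_uci(text):
    """Minimal UCI parser: [(section_type, section_name, {key: value or [values]})]."""
    sections = []
    for raw in text.splitlines():
        words = [w.strip("'\"") for w in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", raw.strip())]
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "config":
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] == "option" and sections and len(words) > 2:
            sections[-1][2][words[1]] = words[2]
        elif words[0] == "list" and sections and len(words) > 2:
            sections[-1][2].setdefault(words[1], []).append(words[2])
    return sections


def lint_network(text):
    """Return 'error: ...' and 'note: ...' strings; an empty list means clean."""
    sections = parse_uci(text)
    problems, bridges = [], {}
    for typ, _, opts in sections:  # bridges must be defined exactly once
        if typ == "device" and opts.get("type") == "bridge":
            name = opts.get("name")
            if name in bridges:
                problems.append(f"error: bridge {name} is defined twice")
            else:
                bridges[name] = set(opts.get("ports", []))
    vlans_of, untagged_of, pvid_of = {}, {}, {}
    for typ, _, opts in sections:
        if typ != "bridge-vlan":
            continue
        br, vid = opts.get("device"), opts.get("vlan")
        if br not in bridges:
            problems.append(f"error: bridge-vlan {vid} refers to undefined bridge {br}")
            continue
        vlans_of.setdefault(br, set()).add(vid)
        for entry in opts.get("ports", []):
            port, _, flags = entry.partition(":")
            flags = flags or "u*"  # a bare port name means untagged + PVID
            if port not in bridges[br]:
                problems.append(f"error: VLAN {vid} uses port {port}, not a member of {br}")
            if "u" in flags:
                if (br, port) in untagged_of:
                    problems.append(f"error: port {port} untagged in VLAN {untagged_of[(br, port)]} and {vid}")
                untagged_of[(br, port)] = vid
            if "*" in flags:
                pvid_of[(br, port)] = vid
    for typ, name, opts in sections:  # once bridge-vlans exist, use br-lan.<vid>
        dev = opts.get("device")
        if typ == "interface" and dev in vlans_of:
            problems.append(f"error: interface {name} uses {dev} directly; with bridge-vlans it needs {dev}.<vid>")
    for (br, port), vid in untagged_of.items():
        if (br, port) not in pvid_of:
            problems.append(f"note: port {port} is untagged in VLAN {vid} but has no PVID (use {port}:u*)")
    return problems


if __name__ == "__main__":
    for problem in lint_network(BROKEN):
        print(problem)
```

On a live box, `cat /etc/config/network | python3 lint.py` style use is not possible (OpenWrt images do not ship Python), so copy the config to a workstation and lint it there before committing it; anything starting with `error:` is a config that will most likely not come back after reboot.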
