Vlan tags on untagged switch

I'm running OpenWrt 18.06.1 on a TP-Link Archer C7v2. Network config is default, except that I switched off all wireless interfaces.

On my network I have a couple of servers running Debian. These servers show lots of dropped packets if I don't load the 802.1q (vlan) module. When I load the module, the rate of dropped packets disappears.

All ports on the switch on the C7 are untagged. Still it seems there are vlan tagged packets on the network.

Am I missing something? Or does anyone have an explanation why the rate of dropped packets gets to zero when I load the 802.1q module on my servers?

Could you try to capture the packets on one of those Debian machines? Something like this should work:
sudo tcpdump -i eth0 -env vlan

Main point being capture packets with vlan tag in it...

This is already the default - OpenWrt comes with WiFi turned off.

  • Is your CPU port tagged or untagged?
  • Did you change this setting from default?

Sounds like the Debian interface is configured for VLAN support but connected to an access switch port. This is unnecessary because VLAN is handled by the switch.

All ports are untagged.
This setting should be default. Below is what I think is the relevant part of /etc/config/network:

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 2 3 4 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6'
	option vid '2'

As far as I understand none of the ports are tagged and as such don't use the 802.1q 'functionality'.

Unless Debian is configured like this 'out of the box' I don't think so. No vlan packages have been installed. I actually had to load the 8021q module to get rid of all the dropped ethernet packets.

Without a packet capture it's pointless to speculate. With a packet capture it will probably become trivial to figure out what's up. :wink:

The default on Archer C7 V2 is tagged on eth1 vlan 1 and tagged on eth0 vlan 2. Your config shows the default has been changed to untagged.

Unable to reproduce dropped packets on my setup. tcpdump is quiet with -env vlan.

Thanks for all your help and suggestions so far.
The initial tcpdump I did also showed zero vlan packets. I will do some more testing when I’m back home.
@gjaltemba could you please post the part of the default /etc/config/network where the VLANs on the switch are defined?

Default setting for Archer C7 V2 is like this after Perform Reset in Restore option

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

Thanks! Do you perhaps know why eth0 and eth1 are tagged? I’m trying to understand how this is all working (pretty much a networking newbie).

VLAN explained with default scenario of most LEDE routers

https://openwrt.org/docs/guide-user/network/vlan/switch_configuration

That config actually broke my internet connection (even worse... I’m away so I have no way to fix it).

Do you mean that after a Perform Reset in Restore option your wan is not working?

I didn't perform a Reset in Restore; I only changed the switch part in the network config and restarted the network service. In hindsight that wasn't a smart move. :wink: Basically I just added the "t" to the 0 and 6 ports.
Due to the fact that I use a non-default IP range, a reset wasn't an option when remote. Besides, I have some custom things installed which I'd rather not lose.

Hopefully I'll be able to access the router from the LAN connection so that I can restore the network config. If not, it's gonna be a long night (and I assume I'll have to go the failsafe route).

I do wonder why I lost my WAN connection (and hopefully the WAN connection only) by this change though.

If you tag the packets coming out of the switch to the CPU side, then you have to connect the wan and lan to tagged interfaces instead of plain eth0 and eth1. So you have similarly broken both the WAN and the LAN and will need to log in in recovery mode.

Setting it up that way initially is useful because it is simpler to add more VLANs.

When configuring the switch it is good to at least temporarily put a wifi AP on LAN so you have a way to log in if the Ethernet configuration is broken.

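
The mismatch described in the reply above, as an added example that is not part of the original thread: a Python check that compares CPU-port tagging in the switch_vlan sections with each interface's ifname. The port-to-NIC map follows the thread (port 0 is eth1, port 6 is eth0); the interface sections, sample text and function names are assumptions.

```python
import shlex

# Switch CPU ports and the NIC behind each, per the thread (Archer C7 v2).
CPU_PORTS = {"0": "eth1", "6": "eth0"}

def parse_uci(text):
    """Return [(section_type, section_name, {option: value}), ...]."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["config"] and len(tok) >= 2:
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok[:1] == ["option"] and len(tok) == 3 and sections:
            sections[-1][2][tok[1]] = tok[2]
    return sections

def check(text):
    """List (interface, device, expected devices) where ifname ignores tagging."""
    sections = parse_uci(text)
    expected = {nic: set() for nic in CPU_PORTS.values()}
    problems = []
    for stype, _, opts in sections:
        vid = opts.get("vid", opts.get("vlan"))
        ports = opts.get("ports", "").split() if stype == "switch_vlan" else []
        for port in ports:
            nic = CPU_PORTS.get(port.rstrip("t"))
            if nic:  # tagged CPU port -> ethX.<vid>, untagged -> plain ethX
                expected[nic].add(f"{nic}.{vid}" if port.endswith("t") else nic)
    for stype, name, opts in sections:
        devs = opts.get("ifname", "").split() if stype == "interface" else []
        for dev in devs:
            nic = dev.split(".")[0]
            if nic in expected and dev not in expected[nic]:
                problems.append((name, dev, sorted(expected[nic])))
    return problems

# Constructed samples: the thread's "t" edit; interface sections are assumed.
SWITCH = """
config switch_vlan
    option vlan '1'
    option ports '0t 2 3 4 5'
config switch_vlan
    option vlan '2'
    option ports '1 6t'
"""
BROKEN = SWITCH + "config interface 'lan'\n    option ifname 'eth1'\nconfig interface 'wan'\n    option ifname 'eth0'\n"
FIXED = BROKEN.replace("'eth1'", "'eth1.1'").replace("'eth0'", "'eth0.2'")

if __name__ == "__main__":
    print(check(BROKEN), check(FIXED))
```

Running the check on a copy of /etc/config/network before restarting the network service shows whether lan and wan still point at devices that will carry traffic.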

Recovery with failsafe went very smoothly. I was up and running again in very little time. Now I still need to make the changes to the switch. Will do that soon.

Did you finally get your switch working?

Sorry for the delay. Well, I got my router up and running and removed/unloaded the 802.1q module on my Linux machines. Since then I still see dropped packets, and in higher numbers than before. So I'm not sure if the issue has been fixed.

Did you do a packet capture? Do you actually see tagged packets?