VLAN Trunking on WAN

I am new to OpenWRT and have done some reading about setting up VLAN trunking on WAN. However, the solutions I found don't work, so I am asking this great community for support :)

I would like to avoid double NAT, by changing my ISP's ONT router into bridge mode. The setup is PPPOE, using VLAN trunking. I have the required VLAN_ID, PPPOE username and password.

How to replicate this in OpenWRT (after changing ISP's router to bridge mode)?

I am on OpenWRT 23.05 on a Linksys EA7500 v2 (default firmware and settings, except for wireless; I have also added HTTPS DNS Proxy using LuCI, with its default settings).

Have done the following:

  1. Adding new VLAN Device: Network - Interfaces - Device
    Device type: VLAN 802.1q
    Base device: WAN (wan and wan6)
    VLAN_ID: 219 (as per my ISP)
    Other setting is default.

  2. Adding new WAN Interface: Network - Interfaces - Interfaces
    Protocol: PPPOE
    Device: the above VLAN on Point (1)
    Username and Password: according to my ISP.

Thank you...

[edited: adding reference pic to ISP's router, which needs to be replicated in OpenWRT, after the router changed to bridged mode]

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here it is...

ubus call system board

{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Linksys EA7500 v2",
        "board_name": "linksys,ea7500-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2a:f4da:6dbd::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '***redacted***'

config device
        option name 'lan2'
        option macaddr '***redacted***'

config device
        option name 'lan3'
        option macaddr '***redacted***'

config device
        option name 'lan4'
        option macaddr '***redacted***'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '***redacted***'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '219'
        option name 'wan.219'

config interface 'BIZWAN'
        option proto 'pppoe'
        option device 'wan.219'
        option username '***redacted***'
        option password '***redacted***'
        option ipv6 'auto'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'ID'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '***redacted***'
        option encryption 'psk2'
        option hidden '1'
        option key '***redacted***'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'ID'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '***redacted***'
        option encryption 'psk2'
        option hidden '1'
        option key '***redacted***'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Your config doesn’t look like a standard default environment - there are signs of major changes to the DNS system (DoH/DoT?).

Try removing the 802.1q stanza, as it isn’t actually necessary.

Then delete these:

And change the name of BIZWAN:

Make it just lowercase wan. Restart and try again.


Well, as earlier explained, I added a new software "https dns proxy" from OpenWRT:
https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

Its settings are the defaults...

I assume, I can change all those changes using LuCI, right? Will check it first, how to do it...

If I remove VLAN setting (where I set VLAN_ID 219), then how should I set-up VLAN? This is coming from original ISP's router setting. I have tried to disable VLAN on it, but then no internet connection... Therefore, I assume, VLAN has to be set (maybe I'm wrong).

This is the setting that I need to replicate in my OpenWRT.

Nitpick: a "(VLAN) trunk" carries multiple VLANs on a link. If you just have VLAN-tagged Ethernet, then it is just a VLAN, nothing more.
And yes, just configure your VLAN stanza and set the VLAN ID and MTU on your wan interface...


Do as @psherman advised. Later, when you have an internet connection, do all the other changes you have planned.


I'm suggesting removing the 802.1q stanza I highlighted. The underlying .1q device will be created automatically when you use standard dotted notation on the wan. That is, when you specify wan.219 as the device, the 802.1q tagging will work automatically.


Hi All,

Sorry for late response.. I lost my internet when making the changes. Was worse than the last time (prior to posting this thread), as I need to call my ISP to reset my router.

Anyway..

Here is the error from "wan" interface (previously "BIZWAN"), with wan.219 (VLAN active):
Protocol: PPPoE
MAC: redacted
RX: 313.73 GB (230631143 Pkts.)
TX: 31.45 GB (131018537 Pkts.)
Error: Unknown error (USER_REQUEST)

Error from "wan" interface, if VLAN is not used:
Protocol: PPPoE
MAC: redacted
RX: 0 B (0 Pkts.)
TX: 778 B (8 Pkts.)
Error: Connection attempt failed

That's a lot of data for a failure... are you sure it's not connecting properly?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

Here it is:

#cat /etc/config/network:
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '***redacted***'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '***redacted***'

config device
        option name 'lan2'
        option macaddr '***redacted***'

config device
        option name 'lan3'
        option macaddr '***redacted***'

config device
        option name 'lan4'
        option macaddr '***redacted***'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '***redacted***'

config interface 'wan'
        option device 'wan.219'
        option proto 'pppoe'
        option username '***redacted***'
        option password '***redacted***'
        option ipv6 'auto'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

#cat /etc/config/wireless:
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'ID'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '***redacted***'
        option encryption 'psk2'
        option hidden '1'
        option key '***redacted***'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'ID'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '***redacted***'
        option encryption 'psk2'
        option hidden '1'
        option key '***redacted***'

#cat /etc/config/firewall:
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# NOTE(review): this wan zone has input and forward set to 'ACCEPT', whereas the
# first firewall dump in this thread had both set to 'REJECT'. Presumably this was
# loosened while troubleshooting; confirm with the poster. PPPoE session setup
# happens below the IP layer, so these policies are not expected to be the cause
# of the connection failure.
config zone
        option name 'wan'
        # input 'ACCEPT' lets unsolicited traffic arriving from the WAN side reach
        # services on the router itself (e.g. SSH, LuCI, DNS) once the PPPoE link
        # is up and the router holds the public address. Set back to 'REJECT'.
        option input 'ACCEPT'
        option output 'ACCEPT'
        # forward 'ACCEPT' also relaxes the zone's forwarding policy compared with
        # the 'REJECT' shown in the earlier dump. Set back to 'REJECT'.
        option forward 'ACCEPT'
        # masquerading (NAT) and MSS clamping for traffic leaving through this zone
        option masq '1'
        option mtu_fix '1'
        # interfaces covered by this zone; the PPPoE interface is named 'wan' in
        # the network config posted with this dump, so it falls under this zone
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


Still no IP on "wan", just the same error messages: initially "connection attempt failed", which then changes to "unknown error (USER_REQUEST)".
Protocol: PPPoE
MAC: redacted
RX: 0 B (0 Pkts.)
TX: 5.90 KB (168 Pkts.)
Error: Connection attempt failed
(after a while this changes to: unknown error (USER_REQUEST))

Asked my ISP on potential workaround.

The lady only said four things that needs to be setup:
VLAN_ID: 219
PPPOE username and password
MRU: 1492

How to set MRU on OpenWRT? I only found MTU. Is it even relevant in this?

It's mtu. Maximum transmission unit.

It's possible that the ISP is locked to the MAC address of the original router. If so, you usually either wait for a timeout period to expire with the ISP before it accepts the new MAC address, or you find out what the MAC address of the old router was and copy it across to wan.219.


Oh, another thing you might want to try as a last resort is using one of the LAN ports as your WAN port: take lan4 out of br-lan and make a lan4.219, for instance, then use lan4 as your WAN port and see if that works.
Though I made this post under the assumption that you were using an ipq40xx-based device; I looked it up and yours is an mt7621, so it probably won't make a difference.


Can try this. However, is it OK to have twin mac address in the same network?

In doing this, does it not effectively convert the router into a switch?

Or, that statement is only applicable for "standard" router, where we can't separate lanX from bridge...

BTW. Will try as well.

I'm using this same router and my ISP also requires the use of a VLAN ID. But sharing my config won't help you with that as I have a managed switch taking care of the VLAN part of things.

However, I have always consistently had a problem with PPPoE starting on the wan port because the port somehow doesn't initialize properly. For this reason, I start an unmanaged interface on the same port. This seems to have the effect of making sure the port is initialized properly and PPPoE works:

config interface 'wan'                    
        option device 'wan'               
        option proto 'pppoe'              
        option username *REDACTED*               
        option password *REDACTED*                        
        option ipv6 'auto'                                                 
        option delegate '0'                            
        option peerdns '0'                             

config interface 'znull'              
        option proto 'none'           
        option device 'wan'           
        option defaultroute '0'
        option peerdns '0'     
        option delegate '0'

"znull" is not in any firewall zone and nothing uses it. I put it there because if I don't PPPoE on the real wan interface never starts successfully.

Hope this helps if nothing else does.