VLAN with aware and non-aware hardware

I have been experimenting with OpenWrt and VLANs on several bits of hardware and trying to run OpenWrt with a mix of VLAN and non-VLAN hardware.

I have successfully created a working VLAN system where br-lan has the correct VLANs associated, the devices are created for each VLAN on br-lan, and I have been playing with linking different SSIDs to each VLAN; this works OK.
OpenWrt (MX4200) is linked as an AP to a FortiGate firewall which handles VLAN and non-VLAN traffic: untagged packets sit on the default LAN, tagged packets go to the correct VLAN.
I want this to be the case on OpenWrt, but I get the impression it can't (easily).

I have a trusted VLAN 200 and have to tag the lan interface to a VLAN and use that; therefore any 'normal' traffic assigned to lan on the Wi-Fi interface is actually tagged to VLAN 200 via the lan interface.
The guest network tagged to br-lan.30 correctly goes to VLAN 30.

What I would like to see is: wireless interfaces tagged to a specific VLAN go to that VLAN; wireless interfaces attached 'just' to lan don't get a VLAN header (and thus pass to the firewall's standard LAN).
Obviously if I remove br-lan.200 from lan and set it to just br-lan, I lose connectivity.
Can a DSA system work with hybrid tagging, or is it all-or-nothing VLANs?

Yes, in general.
Some hardware doesn't like running mixed untagged+tagged, but that is relatively uncommon. Most hardware is okay.

The only other consideration is the debate about best practice... there are two camps:

  1. untagged + tagged is okay
  2. it's not okay; make all VLANs tagged on a trunk. Some of this is related to the hardware that doesn't play nice, and some is personal/professional opinion when it comes to the potential for issues or mistakes.

Post your config and describe what you want to happen on each port and we can go from there.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

Thank you

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd5:38c9:fcab::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option ipv6 '0'

config device
        option name 'lan1'
        option macaddr ''

config device
        option name 'lan2'
        option macaddr ''

config device
        option name 'lan3'
        option macaddr ''

config interface 'lan'
        option device 'br-lan.200'
        option proto 'static'
        option ipaddr '192.168.0.251'
        option netmask '255.255.255.0'
        option gateway '192.168.0.254'
        option delegate '0'
        list dns '192.168.0.91'
        list dns '192.168.0.254'

config device
        option name 'wan'
        option ipv6 '0'
        option macaddr ''

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '30'
        option name 'br-lan.30'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '300'
        option name 'br-lan.300'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '200'
        list ports 'lan1:u*'
        list ports 'lan2:t*'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '300'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config interface 'VLAN_100_ROB'
        option proto 'none'
        option device 'br-lan.100'

config interface 'vlan_30_guest'
        option proto 'none'
        option device 'br-lan.30'

config interface 'vlan_200_trust'
        option proto 'dhcp'
        option device 'br-lan.200'

config interface 'vlan_300_162'
        option proto 'none'
        option device 'br-lan.300'

config interface 'wwan'
        option proto 'dhcp'
        option hostname '*'
        option device 'wan'

ubus call system board

{
        "kernel": "6.6.27",
        "hostname": "OpenWrt_FrontRoom",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys MX4200v2",
        "board_name": "linksys,mx4200v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r0-6bf3c56",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt SNAPSHOT r0-6bf3c56"
        }
}

I appreciate the best case is every packet is tagged and untagged ones are dropped; I am not quite there yet :)
What I would like is for br-lan to handle untagged packets, with the static IP set on lan. The 'normal' Wi-Fi interface has no VLAN interaction and passes this out on the trunk.

The wireless interface I do want on a VLAN is linked to br-lan.xx and thus is sent to the trunk on a tagged link.

Other traffic on the 'normal' (untagged) lan can access br-lan natively.
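Added example (editor's note; this is not code from the thread or from the OpenWrt project): the answer that hybrid untagged+tagged works on DSA, and the layout described in the last post, both come down to what a DSA bridge does with an untagged frame versus a tagged frame on each port, and the posted bridge-vlan stanzas are where that is decided. The script below parses `config bridge-vlan` stanzas and models the Linux bridge VLAN filtering rules that netifd configures from them: an untagged frame is placed into the port's PVID VLAN (the `*` flag) or dropped if the port has no PVID; a tagged frame is accepted only if the port is a member of that VID; on egress a `:t` member sends the frame tagged and a `:u` member sends it untagged. It assumes that a port listed with no suffix means `:u*`, and it models the kernel bridge only, not what a given switch chip does when it offloads a mixed configuration (the "some hardware doesn't like it" case). The sample input is the VLAN 30 and VLAN 200 stanzas from the posted config.

```python
"""Offline checker for OpenWrt DSA 'config bridge-vlan' stanzas. Models Linux
bridge VLAN filtering (PVID ingress, tagged/untagged egress, unknown VIDs
dropped) so a hybrid untagged+tagged trunk can be checked before it is applied."""
import re

# Constructed sample: the VLAN 30 and VLAN 200 stanzas from the poster's config.
SAMPLE_CONFIG = """
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '200'
        list ports 'lan1:u*'
        list ports 'lan2:t*'
        list ports 'lan3:t'
"""


def parse_bridge_vlans(text, device="br-lan"):
    """Return {vid: {port: {"tagged": bool, "pvid": bool}}} for one bridge.
    ':t' tagged member, ':u' untagged member, '*' PVID (untagged ingress lands
    there). No suffix is treated as ':u*' (assumption about netifd's default)."""
    vlans = {}
    for block in re.split(r"\n(?=config )", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("config bridge-vlan"):
            continue
        opts, ports = {}, {}
        for line in lines[1:]:
            m = re.match(r"\s*(option|list)\s+(\w+)\s+'([^']*)'", line)
            if not m:
                continue
            kind, key, value = m.groups()
            if kind == "option":
                opts[key] = value
            elif key == "ports":
                name, sep, flags = value.partition(":")
                flags = flags if sep else "u*"
                ports[name] = {"tagged": "t" in flags, "pvid": "*" in flags}
        if opts.get("device") == device and "vlan" in opts:
            vlans[int(opts["vlan"])] = ports
    return vlans


def ingress(vlans, port, vid=None):
    """VLAN an arriving frame is assigned to, or None if the bridge drops it.
    vid=None means the frame arrived untagged, so it goes to the port's PVID."""
    if vid is None:
        for v, members in vlans.items():
            if members.get(port, {}).get("pvid"):
                return v
        return None  # no PVID on this port: untagged frames are dropped
    # A tagged frame only needs membership; the untagged flag affects egress only.
    return vid if port in vlans.get(vid, {}) else None


def trace(vlans, in_port, vid=None):
    """(VLAN the frame joined, {other member port: 'tagged'|'untagged'}) for a
    frame flooded out of `in_port`; (None, {}) if it was dropped on ingress."""
    v = ingress(vlans, in_port, vid)
    if v is None:
        return None, {}
    all_ports = {p for members in vlans.values() for p in members}
    outs = {}
    for p in sorted(all_ports - {in_port}):
        entry = vlans[v].get(p)
        if entry is not None:  # non-members of the VLAN never see the frame
            outs[p] = "tagged" if entry["tagged"] else "untagged"
    return v, outs


def audit(vlans):
    """Config smells: ports that drop every untagged frame, ports with more than
    one PVID, and trunk ports that also carry a native (untagged) VLAN, which is
    the precondition for double-tagging VLAN hopping (the second camp's objection)."""
    all_ports = sorted({p for members in vlans.values() for p in members})
    pvids = {p: [v for v, m in vlans.items() if m.get(p, {}).get("pvid")]
             for p in all_ports}
    trunks = {p for m in vlans.values() for p in m if m[p]["tagged"]}
    return {
        "no_pvid": [p for p in all_ports if not pvids[p]],
        "multiple_pvid": [p for p in all_ports if len(pvids[p]) > 1],
        "untagged_on_trunk": sorted((p, v) for v, m in vlans.items()
                                    for p in m if p in trunks and not m[p]["tagged"]),
    }


if __name__ == "__main__":
    table = parse_bridge_vlans(SAMPLE_CONFIG)
    for port, vid in [("lan1", None), ("lan2", None), ("lan3", None),
                      ("lan1", 30), ("lan1", 99)]:
        print(port, "untagged" if vid is None else f"tag {vid}", "->", trace(table, port, vid))
    print(audit(table))
```

Run against the posted stanzas it reports that an untagged frame on lan1 or lan2 lands in VLAN 200 (lan1 sends VLAN 200 back out untagged, lan2 and lan3 tagged), that lan3 has no PVID and silently drops every untagged frame, and that lan1 carries VLAN 200 as a native VLAN on a port that is also a trunk. The layout described in the last post is the same table with a separate untagged+PVID VLAN for lan (for example a `vlan '1'` stanza with `lan1:u*` and `option device 'br-lan.1'` on the lan interface) while the SSIDs that should be tagged stay on `br-lan.30`-style devices; that native VLAN is then exactly the untagged-on-trunk condition the second camp objects to, so it should carry only the traffic the firewall's untagged LAN is meant to see.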