VLANs both tagged and untagged on same port

Hey there,

I have run into a situation where (I think) I need both tagged and untagged VLANs on a single port. Unfortunately, my hardware does not seem to support this: TP-Link WR 842 and WR841. (See also Mixed tagged/untagged VLAN possible?, a bug that has been around since at least 2014; see https://forum.archive.openwrt.org/viewtopic.php?id=49024.) I just installed the WR841 with the latest supported OpenWRT 21.02.3. The WR842 runs a legacy Chaos Calmer 15.05, because I have a VPN service on it which I cannot interrupt for a longer time.

<background comment="OpenWRT question following after that">
The reason I want this feature is: I am trying to provide WLAN to multiple stories of our house, using G.hn modems on the installed coax cabling. Those devices have an (essentially) unmanaged switch on their LAN sides, which forwards all Ethernet packets unaltered regardless of VLANs, and to which I would like to connect simple hosts. At the same time, I have my two OpenWRT routers sitting on both ends and talking through tagged VLANs, one for each WiFi SSID.

So, I am looking for help to get this working. I have some ideas and will be glad about feedback...

  1. I could recable my house. No real option, budget-wise. :slight_smile:
  2. I could use some other technology to forward the signal in my house. But WiFi repeaters turned out unreliable, plus I would prefer a wired solution. Supposedly, Ethernet over powerline will also have miserable performance. So, Ethernet over coax seems really attractive.
  3. I could try to somehow get a grip on the management features of the integrated switch. I know, it can be configured, but only through some remote configuration, which requires a costly (and absolutely overkill) master device.
  4. I could ditch the manufacturer of my Coax modems for a different brand. But I am actually quite happy with the support they give. Plus, they are quite affordable, so the following option will be cheaper.
  5. I could abandon the integrated switch of the Coax modems and put a cheap managed switch behind those devices. The downside being some wasted LAN ports and additional hardware.
  6. I could go for a routed solution, so all traffic between the VLANs has to pass my main router. I had such a setup before with an OpenVPN tunnel between the routers. But I like the idea of doing it right this time, i.e. to have my network segments directly reachable from each host.
  7. I could try to make the ports of the modems at least usable in a limited way, by putting one of my VLANs (the most used one) on the line in an untagged way.

</background>

I am currently going for the last option, i.e., putting all VLANs (one for each WiFi SSID in my house) on the coax line and therefore on the (for the time being) unmanaged switch: all of them tagged, except the most used one, which would be untagged. But I am running into the OpenWRT switch limitation mentioned in the beginning.

On one side of the coax line, I can circumvent the limitation by using two ports: one to put all tagged VLANs on the line, and one to put the one untagged VLAN on the line. That is not elegant, but it works. Unfortunately, on the other end of the coax line, I can only use one Ethernet cable. So, this workaround won't work.

After some resignation, I now think the situation is actually also a great opportunity to upgrade my OpenWRT hardware (namely, gigabit LAN and 5GHz WLAN). And most of my pains would go away if I just got a new router without the limitation.

So, long story short, the questions I would appreciate help from the community on are:

  1. Which devices can you recommend with
    • decent specifications, such as: gigabit LAN and 5GHz WLAN and some power reserves to run a VPN host on it
    • an integrated switch which does not have the limitation mentioned above, i.e., that will let me put untagged and tagged VLANs on the same port simultaneously
    • an affordable price tag (well below 100€, as I will need two of those devices)?
  2. Do you have suggestions on how to solve the "problem" with the existing hardware, or possibly cheap additions, maybe by just configuring my routers a bit differently?
  3. Do you have comments on a more elegant solution to the "problem" altogether (a bit off-topic, see "background" above)?

Thanks for your help!

Why not tag all the packets?


Thanks for trying to keep it simple!

That's actually what I tried first. But then I cannot connect "dumb" (or VLAN-unaware) hosts to the switch directly. It's basically my idea no. 5 above.

Ah, sorry, I misunderstood; I thought you always had an OpenWrt/managed switch on each side (or, in other words, I did not read carefully enough).

Anyway, I have 2x R7800, with one as AP and the other as router/DHCP/WireGuard host (they are just Cat 7 wired together, though). That works for me; don't expect gigabit WAN speeds. LAN should be gigabit, but check reviews for yourself (I actually never tested it). It is a bit on the expensive side, I guess, given your budget. But the device has a lot of community support, with multiple community builds etc. The cheapest would be to get some managed switches and just tag everything...

I hope this helps


The problem isn't the VLAN, it is your basic network hardware design that lacks capabilities you need/want. You are allowed to have at most one untagged VLAN per trunk port; with more than that, no computer can know which untagged packet goes where.
So in reality one untagged VLAN in a trunk is also tagged. But it is tagged as the untagged VLAN.

But to get this really working you either need to buy APs that can handle VLANs, like all business-class APs do, or have APs that have OpenWrt support and then run fully implemented VLAN trunk ports.
But I doubt you need to rewire anything.

Thanks, @Ramon. By my current knowledge, the cheap switches will be the way to go. But I'm still hoping, someone will show up with a groundbreaking tip here. :wink:

Do you know if your device supports (multiple) tagged and (one) untagged VLANs on the same port? I can configure that in LuCI, but swconfig dev switch0 show designates all VLANs as tagged. Just as described in the bug linked above...

Thanks also, @flygarn12, that is exactly what I am trying to achieve: multiple tagged VLANs and one untagged VLAN on the same port. But somehow, a bug in some driver seems to be breaking this. Do you know of any device with a fully supported switch driver in OpenWRT?

To illustrate, here is my switch setup (WAN is the port of concern):

And that is the output of swconfig:

root@ak-rath-ug:~# swconfig dev switch0 show
Global attributes:
        enable_vlan: 1
        alternate_vlan_disable: 0
        bc_storm_protect: 0
        led_frequency: 0
Port 0:
        disable: 0
        doubletag: 0
        untag: 0
        led: 5
        lan: 0
        recv_bad: 0
        recv_good: 34993
        tr_bad: 0
        tr_good: 62843
        pvid: 10
        link: port:0 link:up speed:100baseT full-duplex
Port 1:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 18285
        tr_bad: 0
        tr_good: 63069
        pvid: 10
        link: port:1 link:up speed:100baseT full-duplex
Port 2:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 2
        link: port:2 link:down
Port 3:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 2
        link: port:3 link:down
Port 4:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 2
        link: port:4 link:down
Port 5:
        disable: 1
        doubletag: 0
        untag: 0
        led: ???
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:5 link:down
Port 6:
        disable: 0
        doubletag: 0
        untag: 0
        led: ???
        lan: ???
        recv_bad: ???
        recv_good: ???
        tr_bad: ???
        tr_good: ???
        pvid: 0
        link: port:6 link:up speed:1000baseT full-duplex
VLAN 2:
        ports: 0t 2 3 4 6t
VLAN 10:
        ports: 0t 1 6t
VLAN 11:
        ports: 0t 6t
VLAN 12:
        ports: 0t 6t
VLAN 13:
        ports: 0t 6t
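As an added example that is not part of the thread, here is a small Python check for the swconfig dump above. It parses the per-port pvid and the VLAN membership lines and flags two things: a port whose pvid VLAN is still listed as tagged (the symptom port 0 shows, pvid 10 but "0t" in VLAN 10), and a port with more than one untagged VLAN (the one-untagged-VLAN-per-trunk-port rule stated earlier in the thread). The sample input is a constructed excerpt of the posted dump.

```python
import re

# Constructed excerpt of the dump posted above (only the fields this check reads).
SAMPLE = """\
Port 0:
        pvid: 10
Port 1:
        pvid: 10
Port 6:
        pvid: 0
VLAN 2:
        ports: 0t 2 6t
VLAN 10:
        ports: 0t 1 6t
VLAN 11:
        ports: 0t 6t
"""

def parse_swconfig(text):
    """Return (pvid_by_port, members); members[vid][port] is True when tagged."""
    pvid, members, port, vid = {}, {}, None, None
    for line in text.splitlines():
        if m := re.match(r"Port (\d+):", line):
            port = int(m.group(1))
        elif m := re.match(r"\s+pvid: (\d+)", line):
            pvid[port] = int(m.group(1))
        elif m := re.match(r"VLAN (\d+):", line):
            vid = int(m.group(1))
            members[vid] = {}
        elif m := re.match(r"\s+ports: (.*)", line):
            for tok in m.group(1).split():  # "0t" = tagged, "2" = untagged
                members[vid][int(tok.rstrip("t"))] = tok.endswith("t")
    return pvid, members

def audit_ports(pvid, members):
    """Per port: tagged/untagged VIDs plus findings on tagged/untagged mixing."""
    report = {}
    ports = set(pvid) | {p for m in members.values() for p in m}
    for port in sorted(ports):
        tagged = sorted(v for v, m in members.items() if m.get(port) is True)
        untagged = sorted(v for v, m in members.items() if m.get(port) is False)
        issues, pv = [], pvid.get(port, 0)
        if len(untagged) > 1:
            issues.append("more than one untagged VLAN; untagged frames are ambiguous")
        if pv and pv in tagged:  # the symptom in the thread: pvid VLAN left tagged
            issues.append(f"pvid {pv} but VLAN {pv} is tagged here: untagged ingress "
                          f"is assigned to {pv}, replies leave tagged")
        report[port] = {"pvid": pv, "tagged": tagged, "untagged": untagged, "issues": issues}
    return report
```

Run it against the full output of swconfig dev switch0 show copied from the router; a port that should carry one untagged VLAN but reports an issue has not had the mixed configuration applied by the switch driver.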

We can’t do magic from nothing.
You have yourself pretty much in a corner here, since 21.02 has IEEE 802.1Q implemented, so to come and say 15.05 has bugs or lacks a technology implementation is pretty much expected for 7+ year old hardware and firmware.

To be honest, if you run a VPN service on a router more than 7 years old without updates since then, you can pretty much turn it off, since the cryptographic level on that device is in reality open traffic as of today.


We can’t do magic from nothing

You're right about that. That's why I'm asking for tips about hardware fully supporting VLANs in OpenWRT.

The configuration above is from the other device with a current OpenWRT image. It has the same issue.

VPN service on a router more than 7years old

Another good reason to look for new hardware, yes...

I never tried to combine them, so I do not know; I just have VLANs running over it. But there are numerous R7800 posts for the community builds, maybe ask there? One thing though: you are using the WAN port; did you try if it works on a LAN port? The WAN port may not be handled by the same switch as the LAN ports...

I agree, though, running version 15 is a security risk!

This bug presents on some TP-Link TL-WR740N v2 (not v4), as well as some WR841N versions. It caused me a lot of headaches several years back, until I found out the reason.

I always stay on the safe side and have tagged all packets since then.

Thanks everyone for your help!

I ended up buying a new router, in order to test if I could combine multiple tagged VLANs with one untagged VLAN on the same port. I can confirm that the Archer C7 v5 seems to be able to do this.

This also gives me Gigabit Ethernet and an up-to-date firmware, addressing my v15 security loophole.

So, in the end, it just seems to be a matter of old hardware not being fully supported by this feature.
