VLANs in Nanopi R4SE

I wouldn't know where to begin without defining the input port on the R4SE to receive the tags for vlan2 coming from your ISP router, and the output port on the R4S to send the tags for both vlan2 and vlan1 on the trunk line to your switch.

There seems no way for the R4SE and switch to know what vlans they are receiving, or the switch to know what vlan to tag outgoing traffic with otherwise (the switch must preserve the vlan2 tags on traffic going to the IPTV box I presume).

The Nanopi does not have a switch thus it does not use DSA. The two eth ports are independently connected to the CPU like in most x86 hardware.

Use the notation eth0.2 directly in the wan interface to apply tags of VLAN number 2 to the packets going to the modem. To trunk eth1, just use eth1.X in different networks or bridges, with different values of X. The switch must be configured with the same VLAN numbers on the receiving port.


Thanks for the replies, meanwhile I did something stupid and lost remote access to the nanopi. It is 400km away, so I'll only be able to try this on the 4th Jan.
I'll try the eth0.2 notation and will report back.

Thanks!

Hi again,

I tried but I'm still missing something:

(note that now I've changed the VLAN2 to VLAN10 - Strangely my ISP router doesn't allow to use 192.168.2.0 network - For the sake of simplicity I want the third octet in the IP address to be the same as the VLAN eg: 192.168.10.x ---> VLAN10 / 192.168.1.x --> VLAN1)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdec:8090:b28a::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        option igmp_snooping '1'
        list ports 'eth0.10'
        list ports 'eth1'
        list ports 'eth1.1'

config device
        option name 'eth1'
        option macaddr '9e:13:4a:a8:f3:71'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'
        option gateway '192.168.10.1'
        option broadcast '192.168.1.255'
        list dns '192.168.10.1'
        list dns '8.8.8.8'

config device
        option name 'eth0'
        option macaddr '9e:13:4a:a8:f3:70'
        option igmpversion '3'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.10.2'
        option gateway '192.168.10.1'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '10'
        option name 'eth0.10'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '1'
        option name 'eth1.1'

config interface 'vlan10'
        option proto 'static'
        option device 'eth0.10'

config interface 'vlan1'
        option proto 'static'
        option device 'eth1.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0.10:t'
        list ports 'eth1.1:t*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0.10:t'
        list ports 'eth1.1:t'

How can I tell the WAN interface to have untagged VLAN10 and the LAN interface to have tagged VLAN10 and tagged VLAN1?

By the way, since the ETH0 and ETH1 NICs are connected directly to the CPU and there is no switch fabric within the nanopi, do we really need to have the 'br-lan' bridge? Why?

Thanks

Funny, we had the same topic this morning. You should find some answers here Howto configure a VLAN-aware bridge on x86?

I'm totally lost...

Any suggestion? I've seen this video a dozen times, still no definitive understanding of what I need to do... Quite frustrating as I was able to properly play around with VLANs before this DSA headache...

I know what a VLAN is and I think I still remember all of the theoretical concepts (took my CCNA 16 years ago), but I can't seem to understand the logic on this one. There must be something that is obvious to everyone that I may be missing....

I see people say not to use dsa config on the r4s because there is no ds (distributed switch), yet OpenWrt developers also reply to some threads saying that the r4s has been added as of v22 to use dsa syntax already, implying that maybe all targets will be migrated to one common dsa style config syntax.
I think I read that some people have been successful at using the old config syntax on their r4s and I used full dsa config via luci as others seem to have as well. I did mine this way so I could add more interfaces via usb dongles and software bridge them in the future if I ever want to. I used a similar config on my 8 port switch and my ap with one eth int trunking all the vlans through all 3 devices. vlan 1 isn't used. I put my native vlan on 9 with no user traffic and device management is on vlan 10.

I did not dig into your config. I may be able to help more tomorrow.

Here is my r4s /etc/config/network file:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'
	list ipaddr '192.168.99.1/32'

config globals 'globals'
	option ula_prefix 'fd8a:6568:a029::/48'
	option packet_steering '1'

config device
	option name 'eth1'
	option macaddr '4a:67:89:a7:fe:2d'
	option ipv6 '0'

config device
	option name 'eth0'
	option macaddr '48:67:89:a7:fe:2d'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.1.254'
	option ipaddr '192.168.1.1'

config interface 'wan6'
	option device 'eth0'
	option proto 'none'
	option auto '0'

config route
	option interface 'wan'
	option target '0.0.0.0/0'
	option gateway '192.168.1.254'

config device
	option type 'bridge'
	option name 'sw_switch'
	list ports 'eth1'
	option bridge_empty '1'
	option priority '0'
	option stp '0'

config bridge-vlan
	option device 'sw_switch'
	option vlan '9'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'sw_switch'
	option vlan '10'
	list ports 'eth1:t'

config bridge-vlan
	option device 'sw_switch'
	option vlan '21'
	list ports 'eth1:t'

config bridge-vlan
	option device 'sw_switch'
	option vlan '31'
	list ports 'eth1:t'

config bridge-vlan
	option device 'sw_switch'
	option vlan '41'
	list ports 'eth1:t'

config bridge-vlan
	option device 'sw_switch'
	option vlan '51'
	list ports 'eth1:t'

config interface 'vl10_mgmt'
	option proto 'static'
	option device 'sw_switch.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'vl21_trusted'
	option proto 'static'
	option device 'sw_switch.21'
	option ipaddr '192.168.21.1'
	option netmask '255.255.255.0'

config interface 'vl31_tv'
	option proto 'static'
	option device 'sw_switch.31'
	option ipaddr '192.168.31.1'
	option netmask '255.255.255.0'

config interface 'vl41_untrusted'
	option proto 'static'
	option device 'sw_switch.41'
	option ipaddr '192.168.41.1'
	option netmask '255.255.255.0'

config interface 'vl51_guest'
	option proto 'static'
	option device 'sw_switch.51'
	list ipaddr '192.168.51.1/24'

config interface 'vl9_native_vl'
	option proto 'none'
	option device 'sw_switch.9'

I hope it helps.

No offense but this is just broken... Either you use a VLAN-subinterface notation, OR you use this "modern" syntax of :t to tag the VLAN on an interface (which in this case, in OpenWrt speak, is a device... but yeah you know....)

Depends... Do you want just two individual interfaces, or do you want to have it "similar" to these all-in-one plastic boxes where you need to have one VLAN for LAN and one VLAN for WAN to separate the ports? My impression is that many people got really confused about this whole "LAN is tag 1" and "WAN is tag 2" just because of this switch chip... It was just there to separate the ports from each other internally. If you have two or more individual NICs, then yes, you would just configure them on their own... Anyway:

You have 2 options (as I see it)

  1. Mimic the cheap switch devices and use a single bridge which is vlan aware (Not sure how cool this option is because we wanna do routing and no bridging)
  2. Configure one bridge you use on your LAN site, and configure your WAN facing interface as an independent device/interface

Back to your problem:

No tag? Then no tag! Tag? Then tag! :wink: See:

config bridge-vlan
        option device  'br-lan'
        option vlan    '10'
        list ports     'eth0'
        list ports     'eth1:t'

config bridge-vlan
        option device  'br-lan'
        option vlan    '1'
        list ports     'eth1:t'

Try not to confuse yourself:

  1. Name your "Bridge" or "Switch" something more sane and non-conflicting. Like "switch0" (as jow prefers) or I use "br-vlan". (Or, maybe I'm the one who gets confused if I see br-lan here and lan over there...)
  2. (I assume it is safe to) read "config bridge-vlan" as: "Configure, with bridge, a vlan", because there is this tool called bridge which has an option vlan to configure.... a vlan on a bridge. iproute2 can do so too. I assume this is just a weird config syntax.

Hope this helps you... somehow... Really it's not that hard or complicated, and please try to stay away from these videos. 98% of the time it's wasted time! /oldmansrantingwhoisactuallynotthatold


PPS:

Either list only the NIC without this subinterface notation. OR, leave it out, because if you list a port later on your vlan (which you configure with config bridge-vlan) the port gets attached to the "bridge" anyway; so the following two stanzas would be correct.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

and

config device
        option name 'br-lan'
        option type 'bridge'

But this depends on do you want to have a single vlan-aware bridge, or not. Like stated before: In your case, two separated interfaces makes more sense.

PPPPS: I hope I do not sound rude or anything, it's just early, having the first coffee, but your config looked so broken I couldn't help myself but reply...
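
As an added illustration (not code from any poster or from OpenWrt), here is a small Python check for the two mistakes called out in the post above: VLAN subinterfaces listed as bridge ports, and an interface left on the bare bridge. It runs on an excerpt of the non-working config posted earlier in this thread. The names parse_uci, vlan_table and lint are hypothetical, the parser assumes single-quoted UCI values as posted here, and the `<bridge>.<vid>` rule is an assumption that matches the working config posted later in the thread.

```python
import re
# Excerpt of the non-working config posted earlier in this thread (unrelated stanzas omitted).
BROKEN = """config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.10'
        list ports 'eth1'
        list ports 'eth1.1'
config interface 'lan'
        option device 'br-lan'
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0.10:t'
        list ports 'eth1.1:t*'
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0.10:t'
        list ports 'eth1.1:t'"""

def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'opt': {}, 'lst': {}}."""
    sections = []
    pat = r"^[ \t]*(config|option|list)[ \t]+(\S+)(?:[ \t]+'?([^'\n]*)'?)?[ \t]*$"
    for kind, key, val in re.findall(pat, text, re.M):
        if kind == "config":
            sections.append({"type": key, "name": val, "opt": {}, "lst": {}})
        elif kind == "option":
            sections[-1]["opt"][key] = val
        else:
            sections[-1]["lst"].setdefault(key, []).append(val)
    return sections

def vlan_table(sections):
    """{bridge: {vid: {port: membership}}} built from the bridge-vlan stanzas."""
    table = {}
    for s in (x for x in sections if x["type"] == "bridge-vlan"):
        ports = table.setdefault(s["opt"]["device"], {}).setdefault(int(s["opt"]["vlan"]), {})
        for port, _, flags in (e.partition(":") for e in s["lst"].get("ports", [])):
            ports[port] = ("tagged" if "t" in flags else "untagged") + ("+pvid" if "*" in flags else "")
    return table

def lint(sections):
    """Flag subinterfaces used as bridge ports and interfaces left on the bare filtered bridge."""
    table, findings = vlan_table(sections), []
    for s in sections:
        dev = s["opt"].get("name") if s["type"] == "device" else s["opt"].get("device")
        if dev not in table:
            continue
        if s["type"] == "interface":
            findings.append(f"interface '{s['name']}' sits on bare '{dev}'; use {dev}.<vid>")
        for p in sorted({e.split(":")[0] for e in s["lst"].get("ports", [])}):
            msg = f"{dev}: '{p}' is a VLAN subinterface; list the parent NIC and tag with :t"
            if "." in p and msg not in findings:
                findings.append(msg)
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_uci(BROKEN))))
```

The table returned by vlan_table is also handy for comparing the router's trunk port against the tagged/untagged/PVID settings on the managed switch port it connects to.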

The easiest way to configure this is to put the switch between the router and the R4SE.
To do this, you'd set VLAN2 on the ports that connect to the ISP router and the TV box, as well as the NanoPi. On the NanoPi, you could actually set the WAN on the same physical port as the lan by simply assigning multiple VLANs to that port.

Here's an example plan:
TL-SG108E port 1: ISP router, VLAN 2 untagged, PVID 2
TL-SG108E port 2: TV box router, VLAN 2 untagged, PVID 2
TL-SG108E port 3: NanoPi, VLAN 2 tagged, VLAN 1 tagged
TL-SG108E ports 4-8: LAN, VLAN 1 untagged, PVID 1

Then on the NanoPi, you'll setup the lan on eth0.1 and the wan on eth0.2.

That will do exactly what you want with a lot less fuss.

Untagged vlan 1 with 192.168.10.0/24 between the ISP router and your r4se isn't reflected in your drawing.

When setting up vlans, consider enabling luci and ssh access via untagged vlan 1 on the wan interface on your r4se with it behind another firewall or on your bench and not connected to the internet yet. This allows you to maintain connectivity on a stable interface while you make changes on the other. Disable the firewall rule after config is set.

You mention having a working config for your Linksys EA8500. It may be useful to share your known good working network file from that as well as the firewall config.

A question for you: Where is OpenWrt booting from on your r4se? Did you get it to boot OpenWrt without pushing the mask button every time?

Indeed, I had commented that in my other post:

So the network between the ISP router and Nanopi is now 192.168.10.0 and the VLAN is now 10 instead of 2.

Yes, this is what I'm doing at the moment. I have an SSH towards WAN and proxy configured in my browser to access LUCI. This is still behind the ISP router.

I had a working config on the Linksys EA8500 before i had upgraded it to OpenWRT22 :frowning:

Yes, it is booting without the mask button being pressed. I've shared the procedure I've done in this thread,

Any backups to unzip and refer to, or terminal session logs that might show the contents of the file from then?

So, you have VLAN 10 with 192.168.10.0/24 trunked between the ISP router and the r4se with no other VLAN active between the ISP router and the r4se? Is the TV now needed to be on the same layer 2 domain as that VLAN 10 instead of 2 and VLAN 1 is only on the r4se LAN side and NATed to the VLAN 10 address on the WAN side? Is VLAN 1 still the native VLAN / PVID?

Thanks for the info on booting OpenWrt on the r4se.

Found it here :grinning:

No, I can't define any vlans in the ISP router so the network between ISP router and nanopi's WAN is untagged. (Not trunk)

The objective will be to have a similar setup as I had with the EA8500: devices connected to switch ports with vlan10 untagged will be on the ISPs LAN.

It is looking like the plan in post #10 by psherman may be a good setup.

See how that works for you.


I was just about to call attention to my suggestion just in case it had been overlooked. Thanks for promoting it @spence .

@jabss - give it a shot and let me know if it works as you'd like and/or if you have any questions.

EDIT: obviously, since you want to use VLAN 10 and VLAN 20 now, just substitute accordingly in my recipe.

Yes, I've been thinking about this suggestion.
Although it might be an effective and quick workaround at the expense of half of the bandwidth (or an additional switch port), my purpose with using OpenWrt is also to learn.
Even though, IMHO, there isn't enough documentation regarding this topic at the moment, I believe I should keep trying to do it the 'right way' and when I do it, I'll document the results the best I can, as I've been doing since I started with OpenWrt back in 2006, with my first Netgear WRG614 router.
If I do this workaround, I'll always be thinking there is a 'better' way of doing it and will only stop thinking about it when I finally do it :slight_smile:

This thread was very useful for me to set up VLANs on my R4S. I would post my config but I'm not sure if would muddy the waters as I have the adblock package running which inserts firewall rules to block DNS requests from devices, and also there is no ISP router in my setup.

IMO, this configuration is actually more efficient and not a "workaround."

This will not negatively affect bandwidth... in fact, it is possible that it will actually improve it compared to your original topology. The reason I can say this is that the NanoPi doesn't have a hardware switch built in, so you must bridge ports that would normally be individually routed ports. Bridging is a software equivalent to hardware switching, but requires CPU intervention and therefore has the potential to slow down the overall performance of your system. (That said, the NanoPi may have sufficient CPU power to make this aspect less relevant... some systems are more significantly impacted than others).

I don't know the internal architecture of the NanoPi, so if there is any reduction in the maximum throughput, the simple solution is to put WAN and LAN on different ports, but this would be completely unnecessary if your total ISP bandwidth (up + down) is less than 1Gbps, and could actually be irrelevant for speeds up to 2Gbps (total up+down).

I will say that yes, my proposal does utilize one extra port on the TP-Link switch (maybe 2 extra ports)... this is only relevant if you are currently port constrained and need every possible port available (and, btw, you could use the other ports on the NanoPi as LAN ports).

On this point, yes... I see where you are going.

Quite honestly, I believe the way I am proposing is the best topology given the hardware you are using and the nature of the problem.

But, if you want to go with your original proposed topology, let's actually start over with a nearly-default network config on the NanoPi. Your device doesn't have a hardware switch and therefore you should not be using DSA syntax. That is likely one of the biggest issues you're currently struggling with.

I can help you get it working per your original diagram if you want, but I would highly recommend that you start with a fresh/default configuration... make a backup before you reset the device... then reset, and post the default or near default (it's fine if you change the OpenWrt lan address, but don't change anything else) /etc/config/network config file.

After hitting the head against the wall and seeing this video on "how to create VLANs using DSA on RPI4", I believe I made it!

With the current configuration, I have a trunk (tagged VLANs 1 and 10) throughout Nanopi's ETH1 towards a managed switch.
The switch receives the tagged frames, decodes them, and even gets its own IP address via DHCP from the nanopi because its PVID setting for that port is VLAN1.
The devices connected to the switch ports assigned to VLAN1 receive an IP from the Nanopi range (192.168.1.x) while the ones connected to the switch ports assigned to VLAN10 receive an IP from the ISP router (192.168.10.x).

After knowing how to do it, it is actually quite simple.
On one hand I admit I was over-complicating things, but on the other hand, the fact that there are maybe many ways to reach the same outcome also confuses people. I was always starting by creating a new VLAN 802.1q device and it turns out it wasn't needed.

My working config for any future reference:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdec:8090:b28a::/48'
        option packet_steering '1'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'
        option gateway '192.168.10.1'
        option broadcast '192.168.1.255'
        list dns '192.168.10.1'
        list dns '8.8.8.8'
        option device 'MyBridge.1'

config device
        option name 'eth0'
        option macaddr '9e:13:4a:a8:f3:70'
        option igmpversion '3'

config interface 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.10.2'
        option gateway '192.168.10.1'
        option device 'MyBridge.10'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'MyBridge'
        option bridge_empty '1'
        list ports 'eth0'
        list ports 'eth1'

config bridge-vlan
        option device 'MyBridge'
        option vlan '1'
        list ports 'eth1:t'

config bridge-vlan
        option device 'MyBridge'
        option vlan '10'
        list ports 'eth0'
        list ports 'eth1:t'

Next step will be to have Nanopi to be the DHCP server for both VLANs as I did before with EA8500.

Thank you all for your support, patience and knowledge!
