[solved] VLANs on ipq40xx alternative config (for Fritzbox 4040)

Continuing the discussion from Hardware advise (cheap, good support and available in Germany):

@jeff how did you do it? I've been following the forum and occasionally looking at some of the threads on this issue but I couldn't find a comprehensive guide :frowning:

My goal is to move one of the yellow ports from the "lan" network / zone to the "guest" one; the wifi SSIDs are already split this way, but currently "guest" has no wired access. I could live with not using LUCI to achieve this goal in the short term, I'd just document it and wait.

Especially since this is a rarely used setup, the wired guest port I mean.

If you explain what you want to get, we can help to set it up.

as is)
4 wired ports and "home" wifi SSID belong to "lan" network (and firewall zone)
"guest" wifi SSID belongs to "guest" network (also)

to be)
3 wired ports and "home" wifi SSID belong to "lan" network (and firewall zone)
1 wired port and "guest" wifi SSID belongs to "guest" network (also)
(use case for wifi guest: well, the usual)
(use case for wired guest: occasionally I have to use a wired device that wants to be alone on a network)

With the standard config on my previous devices I would edit /etc/config/network and split the switch there, creating a new interface and so on and so forth. I've tried doing the same on the 4040 and it failed spectacularly.

@jeff mentioned that it was straightforward so I split the discussion to avoid hijacking the original thread.
If you need more information, just ask.

At least in my experience, LuCI just doesn't "understand" the IPQ40xx switch and its driver.

I don't know if the EA6350v3 is a dual-interface or single-interface device. My experience is with the EA8300 which presents eth0 and eth1 both.

The guiding principles I use are based on looking at the code and coming to the conclusions that

  • VLAN 1 and VLAN 2 are "special" -- avoid them
  • The "Internet" port is "hard wired" to eth1 by the driver
  • The "Ethernet" ports are "hard wired" to eth0 by the driver

First, I set up the switch itself

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

Now, I need to trunk VLANs over the Internet port in my situation. So I have several stanzas like

config switch_vlan
        option device 'switch0'
        option vlan '100'
        option vid '100'
        option ports '0t 5t'

Since the driver supports 128 VLANs from

jeff@office:~$ sudo swconfig dev switch0 help
switch0: 90000.mdio(QCA AR40xx), ports: 6 (cpu @ 0), vlans: 128
[...]

if it is a high-numbered VLAN, you need to remember that it is the vid that specifies the tag, and that it would be the vlan that needs to be referred to in a pvid line. So far, I haven't had to declare the pvid in my config.

config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '1000'
        option ports '0t 5t'

This will get tagged traffic from the Internet port to and from eth1.100 and eth1.1000.

Now, if I want to have that VLAN's traffic appear on the "Ethernet" ports, it seems that it needs to be bridged. Changing the switch definition to span the ports and adding the bridge now looks like

config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '1000'
        option ports '0t 1 2 3 4 5t'

config interface 'vlan1000'
        option type 'bridge'
        option stp '1'
        option ifname 'eth0.1000 eth1.1000'

I did not have to explicitly define the PVID for the ports. Checking the PVID returned by swconfig dev switch0 show is probably worthwhile.



Without knowing the intent of your bridging and firewalling, it's hard to define the bridges (and I don't use OpenWrt's in-built firewall scheme for my applications).

My guess is something like the following would be close

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '101'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '102'
        option vid '102'
        option ports '0t 2 3 4'

then look at the output of swconfig and see what might need adjustment.

7 Likes

This is much simpler. Luci doesn't "see" port 5. It always removes 5 or 5t from any config. That's it.

1 Like

Jeff, I think our definitions of "straightforward" are quite different :slight_smile: and you're way ahead of me.

Intent is:

  • two internal firewall zones "lan" and "guest"
  • "lan" firewall zone includes 3 ports of the switch and the "home" SSID on both wifi bands
  • "guest" zone includes 1 port and the "guest" SSID
  • traffic is allowed from guest to wan, from lan to guest but not from guest to lan

This way I can segregate a fussy wired client in the guest segment when needed.

I gave your settings a spin and, touch wood, it looks like what I wanted: the key insight is "away from vid 1 and 2". Other than that, even configuring via LUCI gives the expected result. Thanks :slight_smile:

EDIT, adding key parts of the config to help others:

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '101'
        option ports '0t 1 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '102'
        option vid '102'
        option ports '0t 4'

config interface 'lan'
        option ifname 'eth0.101'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option stp '1'

config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth0.102'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option stp '1'

3 Likes

@aboaboit, exactly what I was looking for. In my case passthrough/vpn lan.
Why would you need stp (spanning tree protocol)?

I don't need it, strictly speaking, but it's nice to have. It will work just fine without it, unless you create loops.

Good evening everyone, I was wondering if you could help me with a problem very similar to the one discussed here? I've read through the thread but still can't quite grasp what I'm doing wrong.
What I'm trying to do:
PPPoE on eth1
VLAN 42: 0 tagged. 1, 2, 3 untagged (lan)
VLAN 99: 0 tagged. 4 untagged (guest - I wanna run an old OpenWRT router for guest wifi here).

Should look like this:

Now as soon as I Save & Apply this, my PPPoE on eth1 stops working.
The error said something along the lines of
Timeout waiting for PADO packets
Unable to complete PPPoE Discovery
I don't get how changing anything on eth0 would affect eth1?

Any help would be greatly appreciated

[EDIT fixed screenshot as error pointed out by @aboaboit]

port 4 should be untagged, just as you wrote earlier: I see it as tagged in the screenshot.

1 Like

Dammit, you're right, I staged this to make a screenshot and made this mistake - in my actual attempt lan4 was set untagged.

1 Like

So it still does not work even with untagged ports? That's interesting.

Can you show the relevant portions of /etc/config/network?

Never use Luci for vlan setup on ipq40xx. It removes port5 setting on save.
But you need 5t to have tagged vlan on wan.

I don't have a port 5 and it works.
Is this issue device-related?
Does it happen only if you want to use VLAN on wan?

What "it" works? Router works on default settings.
But if you need to do something with vlans, you'll need port 5. But Luci will remove this setting.

"it" in the context of these last few posts in this discussion means "pppoe" wan.
Again, I have two VLANs numbered 101 and 102, no port 5 and I'm obviously online.

This means that it is a one mac device. Then it may work.

1 Like

I think the 4040 does indeed have a separate eth device for wan, while the local ports are part of the switch.
Unlike my older devices, which used a switch port for wan.

Hi, I've just recreated the config that doesn't work for me. Here's the switch settings in LuCI:

As soon as I commit this, PPPoE on WAN dies with "PEER DEAD" followed by "Connection attempt failed"

This is from syslog at that moment:

Sun Aug 11 10:58:55 2019 daemon.notice netifd: Interface 'wan' is now down
Sun Aug 11 10:58:55 2019 daemon.notice netifd: Interface 'wan' is setting up now
Sun Aug 11 10:58:55 2019 daemon.err insmod: module is already loaded - slhc
Sun Aug 11 10:58:55 2019 daemon.err insmod: module is already loaded - ppp_generic
Sun Aug 11 10:58:55 2019 daemon.err insmod: module is already loaded - pppox
Sun Aug 11 10:58:55 2019 daemon.err insmod: module is already loaded - pppoe
Sun Aug 11 10:58:56 2019 daemon.info pppd[6192]: Plugin rp-pppoe.so loaded.
Sun Aug 11 10:58:56 2019 daemon.info pppd[6192]: RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
Sun Aug 11 10:58:56 2019 daemon.notice pppd[6192]: pppd 2.4.7 started by root, uid 0
Sun Aug 11 10:59:11 2019 daemon.warn pppd[6192]: Timeout waiting for PADO packets
Sun Aug 11 10:59:11 2019 daemon.err pppd[6192]: Unable to complete PPPoE Discovery

And here's /etc/config/network

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.42.1'
        option dns '1.1.1.1'
        option ifname 'eth0.42'

config interface 'wan'
        option ifname 'eth1'
        option proto 'pppoe'
        option username 'someuser'
        option password 'somepass'
        option ipv6 'auto'
        option peerdns '0'
        option dns '1.1.1.1 8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3'
        option vid '42'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 4'
        option vid '99'

PPPoE pretty much immediately reconnects as soon as I reset the VLAN settings to defaults in LuCI.

vlan 1 and 2 are special on the ipq40xx, better not use them.

this is my switch config section:

config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '101'
        option ports '0t 1 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '102'
        option vid '102'
        option ports '0t 4'

(incidentally, try using the "preformatted text" button instead of "blockquote" when pasting text here)

1 Like
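
Added example, not part of any post in this thread: a small shell/awk lint for /etc/config/network that checks the points raised above (switch_vlan entries 1 and 2, an ifname that uses the vlan index instead of the vid, and a VLAN on eth1 whose ports lack 5t). The function and sample names are made up for the illustration, the sample input is constructed from the failing config posted above, and treating a missing vid as equal to the vlan index is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenWrt /etc/config/network on
# stdin for the ipq40xx pitfalls discussed here. Prints one line per finding
# and returns non-zero when there is at least one.
lint_network_config() {
    awk -v q="'" '
    function report(msg) { print msg; bad++ }
    function close_stanza() {
        if (sect == "switch_vlan" && vlan != "") {
            if (vid == "") vid = vlan      # assumption: vid defaults to the index
            vid_of[vlan] = vid; tagged[vid] = 1; ports_of[vid] = ports
            if (vlan == "1" || vlan == "2")
                report("vlan " vlan " (vid " vid "): entries 1 and 2 are special on ipq40xx")
        }
        vlan = vid = ports = ""
    }
    $1 == "config" { close_stanza(); sect = $2; next }
    $1 == "option" {
        val = (split($0, p, q) >= 2) ? p[2] : $3   # quoted or bare value
        if (sect == "switch_vlan" && $2 == "vlan")  vlan = val
        if (sect == "switch_vlan" && $2 == "vid")   vid = val
        if (sect == "switch_vlan" && $2 == "ports") ports = val
        if (sect == "interface" && $2 == "ifname") {
            n = split(val, dev, " ")
            for (i = 1; i <= n; i++) if (dev[i] ~ /\./) used[++nu] = dev[i]
        }
    }
    END {
        close_stanza()
        for (i = 1; i <= nu; i++) {        # the suffix of ethX.N is the vid (tag)
            t = used[i]; sub(/^.*\./, "", t)
            if (!(t in tagged) && (t in vid_of))
                report(used[i] ": " t " is a vlan index, the tag is vid " vid_of[t])
            else if (!(t in tagged))
                report(used[i] ": no switch_vlan carries vid " t)
            else if (used[i] ~ /^eth1\./ && ports_of[t] !~ /(^| )5t( |$)/)
                report(used[i] ": vid " t " lacks port 5t (LuCI drops it on save)")
        }
        exit (bad > 0)
    }'
}

# Constructed sample: the switch stanzas of the failing config posted above.
sample_failing() {
    printf "config interface 'lan'\n\toption ifname 'eth0.42'\n"
    printf "config switch_vlan\n\toption vlan '1'\n\toption ports '0t 1 2 3'\n\toption vid '42'\n"
    printf "config switch_vlan\n\toption vlan '2'\n\toption ports '0t 4'\n\toption vid '99'\n"
}
sample_failing | lint_network_config || true
```

On a router the same function can be fed with `lint_network_config < /etc/config/network` after every LuCI save, before relying on the lan/guest split.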