VLANs on WRT3200ACM

Hey everyone, I'm having trouble getting VLANs working on my WRT3200ACM.

My setup is this:

[laptop] .. wifi to ..
[AP] .. wired to ..
[managed switch] .. wired to ..
[the lan2 port on the WRT3200ACM router]

The AP assigns VLAN 4 to all wifi traffic.

The managed switch is set to "tag all" for VLAN4 for ports that go to both the AP and the WRT3200ACM router.

(Aside from the modem plugged into the wan port on the router, the only other port being used is lan2, which connects to the managed switch, which connects to the whole rest of the network).

What I want is for the wifi clients (which the AP tags to VLAN 4) to be able to communicate to/from the lan and wan zones according to the firewall rules I've configured (ultimately, I want the firewall config to restrict traffic between various VLANs).

Attempt 1

Via the web UI, I created a network interface with the device set to eth0.4.

Under this configuration, I couldn't see any traffic to the eth0.4 interface when the laptop would try to connect.

Attempt 2

While keeping the eth0.4 interface there...

Under Network->Interfaces->Devices, I edited the br-lan configuration and went to the Bridge VLAN filtering tab. I tried enabling VLAN filtering, and then setting VLAN 1-lan2 to "untagged", and VLAN 4-lan2 to "tagged". That just lost all connectivity to the router itself. (Luckily the web interface will revert back if the router doesn't get confirmation that the configuration change worked, otherwise I'd have had to reflash the router).

Attempt 3

I got rid of the eth0.4 interface and created a lan2.4 interface. That created a virtual interface that I think should receive any traffic with a VLAN 4 tag.

    ls -l /sys/class/net
    [...]
    lan2 -> ../../devices/platform/soc/soc:internal-regs/f1072004.mdio/mdio_bus/f1072004.mdio-mii/f1072004.mdio-mii:00/net/lan2
    lan2.4 -> ../../devices/virtual/net/lan2.4

This virtual interface now receives traffic tagged for VLAN 4. The laptop at the other end can now send and receive to other devices on the network based on the rules I set for its firewall zone.

The problem I'm having now is that the laptop cannot receive anything from the wan. I set up the rules for its firewall zone the same as they are for the lan zone, which can talk on the wan just fine.

Doing some ping tests:

Running tcpdump -i wan host 8.8.8.8 on the router.

When I run ping 8.8.8.8 from the laptop, I only see the ICMP echo requests going out, but nothing coming back.

If I run the same thing from any other machine that's plugged into the switch, not associated with a VLAN, and thus (I think) assigned to the lan firewall zone, then tcpdump shows the ICMP echo requests and replies.

Questions

Have I gone down the wrong road with this lan2.4 interface to get VLANs working? If so, why didn't the eth0.4 interface work?

Should I be bothering with Bridge VLAN filtering at all, and if so, what was I doing wrong?

Any ideas why devices from vlan2.4 can talk to other devices in lan just fine, but can't talk out to (or probably more accurately, can't receive from) wan?

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial


@slh has pointed to the page which should help answer your questions. However, if you still have issues/questions, feel free to ask them here and/or post your config for review and suggested fixes.


WRT3200ACM doesn't have eth0, at least not for management!
The ports are named as they are printed on the plastic: wan, lan1, lan2, lan3 and lan4.
eth0 (and eth1, but DSA doesn't show that) are the router's two internal switch ports to the CPU; don't touch those ports.

So for your vlan setup case VID=4 for the ports (or more exactly the DEVICE) would result in:
wan.4
lan1.4
lan2.4
lan3.4
lan4.4
This setup is actually an interface setup with a directly defined device, with or without a tagged VLAN.

But often for trunk ports it's better to use the bridge-vlan setup instead of this simplified setup.
In the bridge-vlan model, an L2 device is defined first, and then the VLANs are defined under that device.
Then the L3 interface is defined and linked to the L2 device.


This might help:


Thanks everyone. flygarn2's mention of using a bridge-vlan setup worked for me.

I ended up making br-lan an unmanaged switch, then creating a br-lan.4 interface that served DHCP. I had to edit the br-lan device's Bridge VLAN Filtering to make it treat lan2 as a proper trunk port.

At this point, everything worked.

I ran into trouble somewhere along the way by using hybrid ports on managed switches or the router, but that just seems to confuse things, so I committed to only using Access ports and Trunk ports, and that cleared things up a lot.

