VLANs on Xiaomi 4C

Hello! I've been trying to set up VLANs on my Xiaomi 4C router, but after watching a lot of videos I noticed that my Xiaomi only has eth0:

Does this mean that all LANs on my 4C will have to be VLANs? Thanks in advance :slight_smile:

You’ve got options about how you do the config. Yes, everything goes through eth0, but you can treat the ports however you want.

What is your goal? Based on that info, we can suggest how to implement it.

My goal is to use my 4C as an access point with multiple SSIDs connected to multiple VLANs. The way I've done this in the past is, I've configured the physical interface to match the LAN configuration on my firewall (pfsense in this case). And then I've extended the physical interface to include VLANs, which are then mapped to VLANs on the firewall.

When I watched the videos on how to do this, I saw that this configuration was being done here (and not on the Switch config I posted above):

But this did not work for me, so I guessed the reason is that this is already a VLAN, and I can't have a VLAN on a VLAN (if that makes sense). So I wanted to confirm if my understanding is correct. If so, then I know that for my set up to work, my firewall also has to have VLANs and VLANs only.

I hope I'm approaching this correctly, and I would appreciate your thoughts on this :slightly_smiling_face:

Given your goal, the best way forward is for you to tell us what VLANs you have on the uplink port -- untagged (if any) + tagged -- tell us the VLAN ID and the name/purpose of the network (also specify which VLAN will be the management network and the IP address you want for the 4C).

And, post your network file. From there, we can guide you through the setup on your OpenWrt router.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

So what I attempted is the following:

firewall (I guess this is what you mean by uplink port?)
has this management address (LAN not VLAN) 192.168.2.1 (untagged), and when the cable is plugged into the 4C port 1 (as labeled on the back of the 4C) it works, without any configuration.

The VLAN on the firewall has ID 31, and it also has ID 31 on the 4C (not shown in the config below because I went back to factory settings). The purpose of this VLAN is to be able to connect to a VPN automatically. This config I had allowed me to use the VLAN but the LAN above stopped working. Is my understanding correct that the management LAN also needs to become a VLAN? Is VLAN ID 1 somehow reserved and should not be used?

Regarding the information you requested here it is:

{
	"kernel": "5.15.127",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "Xiaomi Mi Router 4C",
	"board_name": "xiaomi,mi-router-4c",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0-rc3",
		"revision": "r23389-5deed175a5",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 23.05.0-rc3 r23389-5deed175a5"
	}
}

And also:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'redacted'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

Thanks again for your help :slight_smile:

Hi

according to your default config ...
6 is CPU, 4&2 are LAN ports, 1 is WAN
so ...

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 4 2 1 '

config switch_vlan
        option device 'switch0'
        option vlan '31'
        option ports '6t 1t '

config device
        option type 'bridge'
        option name 'br-vlan1'
        list ports 'eth0.1'

config device
        option type 'bridge'
        option name 'br-vlan31'
        list ports 'eth0.31'

config interface 'vlan1'
	option device 'br-vlan1'
	option proto 'static'
	option ipaddr '192.168.2.100'
	option netmask '255.255.255.0'

config interface 'vlan31'
        option device 'br-vlan31'
        option proto 'none'

your description is confusing, but ...
this config
has untagged (native) vlan1 on LAN/WAN ports with 192.168.2.100 address
has tagged vlan31 on WAN port without address

so, vlan1 is management vlan

I went ahead and tried that config, but unfortunately, the VLANs still did not work for me. So I took a step back, reset to factory settings, and tried the following:

  1. Started with a clean config, connected 4C (on the wan port) to router (pfsense) and it just worked, here is what that config looks like:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'redacted'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

By it works I mean that the above config allowed me to connect to my 4C and access the internet. Although it's not shown here, you can see the dynamic ip address in this screenshot:

  2. So I went ahead and configured the VLAN, this produced the following config:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'redacted'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option ports '1t 6t'
	option vlan '30'

And this caused the wan to lose connectivity, the ip is gone:

From the videos I watched I noticed that wan should not have lost its IP after I configured the VLAN.

Looking at the logs with the logread command I saw:

Sat Sep 30 09:42:22 2023 daemon.notice netifd: wan (11361): udhcpc: received SIGTERM
Sat Sep 30 09:42:22 2023 daemon.notice netifd: wan (11361): udhcpc: entering released state
Sat Sep 30 09:42:23 2023 daemon.notice netifd: wan (11361): Command failed: ubus call network.interface notify_proto { "action": 0, "link-up": false, "keep": false, "interface": "wan" } (Permission denied)
Sat Sep 30 09:42:23 2023 daemon.notice netifd: Interface 'wan' is now down
Sat Sep 30 09:42:23 2023 daemon.notice netifd: Interface 'wan' is setting up now
Sat Sep 30 09:42:23 2023 daemon.notice netifd: wan (11517): udhcpc: started, v1.36.1
Sat Sep 30 09:42:23 2023 daemon.notice netifd: wan (11517): udhcpc: broadcasting discover
Sat Sep 30 09:42:24 2023 daemon.warn odhcpd[1506]: No default route present, overriding ra_lifetime!
Sat Sep 30 09:42:26 2023 daemon.notice netifd: wan (11517): udhcpc: broadcasting discover
Sat Sep 30 09:42:29 2023 daemon.notice netifd: wan (11517): udhcpc: broadcasting discover
Sat Sep 30 09:42:40 2023 daemon.warn odhcpd[1506]: No default route present, overriding ra_lifetime!
Sat Sep 30 09:42:56 2023 daemon.warn odhcpd[1506]: No default route present, overriding ra_lifetime!

I did some digging here regarding the warning No default route present, overriding ra_lifetime! but as you can see below, I also do not have RA enabled:

Any thoughts? :thinking:

So, it is more confusing now
in your earlier post, you mentioned 192.168.2.x
the config i sent you has a static IP in the 2.x range

ok, now, as i see on your picture, range is 10.37.37.x/24

this means that i was right, management network 10.37.37.x is on native (access) port
so my config will work if you replace static IP with some IP from 10.37.37.x and set GW address

why static?
again, in earlier post, you stated that you need AP with vlans
so, my assumption is that you need

  1. DumbAP
  2. WAN port as trunk

now, if these assumptions are wrong ...
from my point of view, static addresses are used in managed DumbAP fleet, but .. if you wish to use dhcp for mgmn address, then replace static IP with dhcp

btw, i am using same 4c in my OWRT DumbAP fleet in (almost) same way.

Adding a VLAN on the wan port should not cause you to lose the upstream connection.

Just to make sure we've got the full context... were any other changes made in the process such as the physical connections or configs on the pfsense router or anything else? Is the 4C's wan port directly connected to the pfsense router (or is there something like a switch between the 4C and the pfsense port)?

IIRC the driver for the built-in switch of mt7628 doesn't support tagged and untagged VLAN on the same port (see port 1 config)

Hi @123serge123

it is not true

using same 4c
wan is trunk
vlan1 untagged for LLDP & MNDP
vlan2,100,200 for users
vlan250 for MGMN

so it is working

Thanks everyone for your answers! Here are my responses:

@NPeca75 sorry for the confusion. I got confused myself, that is why I went back and reset everything to factory settings to start from a clean slate. Your assumptions are correct, such a setup is exactly what I wish to do, and thanks for the hint about static vs. dhcp.

@psherman no other changes were made on the pfsense side, and yes, the wan port on 4C is physically connected to the LAN on the pfsense port.

@123serge123 thanks for that hint, and based on what I've experienced so far, this seems to be the case. Though I haven't given up yet :wink:

So I went ahead and ran the following experiments:

  1. I saw @NPeca75 VLAN IDs and thought perhaps I should also use higher numbers, say 100 instead of 30, but this did not make any difference.

  2. I made wan static, so it would be impossible for it to lose upstream connectivity. I then added an interface for the VLAN, set its protocol as DHCP Client, and I got an IP address for the VLAN from pfsense. Connecting a client to this interface also gave it an IP all the way from pfsense. However, this client could not connect to the internet.

I added another VLAN to check if adding another VLAN as a DHCP client would work, and it did. Setting up wan back as DHCP Client did not affect the VLANs, but the wan still could not get an IP Address from pfsense.

I am not sure if the wan not having an IP or having a static IP would be the reason why the clients connected to the VLANs have no internet access. From the pfsense side, the VLANs are able to get to the internet. Any thoughts? :thinking:

@NPeca75 would you mind sharing your 4C /etc/config/network?

ok, here you go

vlan1 (native) is without address (used for LLDP/MNDP)
vlan100 is access (native) on LAN1/LAN2
vlan255 is mgmn
WAN is trunk

cat /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '100'
        option ports '6t 4 2 1t'

config switch_vlan
        option device 'switch0'
        option vlan '200'
        option ports '6t 1t'

config switch_vlan
        option device 'switch0'
        option vlan '255'
        option ports '6t 1t'

config device
        option type 'bridge'
        option name 'br-vlan1'
        list ports 'eth0.1'
        option macaddr '0e:00:02:01:01:07'

config device
        option type 'bridge'
        option name 'br-vlan2'
        list ports 'eth0.2'
        option macaddr '0e:00:02:02:01:07'

config device
        option type 'bridge'
        option name 'br-vlan100'
        list ports 'eth0.100'
        option macaddr '0e:00:02:03:01:07'

config device
        option type 'bridge'
        option name 'br-vlan200'
        list ports 'eth0.200'
        option macaddr '0e:00:02:04:01:07'

config device
        option type 'bridge'
        option name 'br-vlan255'
        list ports 'eth0.255'
        option macaddr '0e:00:02:05:01:07'

config interface 'vlan1'
        option device 'br-vlan1'
        option proto 'none'

config interface 'vlan2'
        option device 'br-vlan2'
        option proto 'none'

config interface 'vlan100'
        option device 'br-vlan100'
        option proto 'none'

config interface 'vlan200'
        option device 'br-vlan200'
        option proto 'none'

config interface 'vlan255'
        option device 'br-vlan255'
        option proto 'static'
        option ipaddr '169.254.2.107'
        option netmask '255.255.255.0'
        option gateway '169.254.2.1'
        option dns '169.254.2.1'
        option ip6addr 'fd00:2:255::107/64'
        option ip6gw 'fd00:2:255::1'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option phy 'phy0'
        option country 'HU'
        option legacy_rates '0'
        option noscan '1'
        option txpower '20'
        option htmode 'HT20'
        option disabled '0'
        option distance 'auto'
        option channel '5'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option network 'vlan2'

...
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option network 'vlan100'
...
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option network 'vlan200'

I believe the 4C cannot handle VLAN tags above 15. Configuring a VLAN ID above 15 garbles the VLAN ID lookup table.

well ...
looks like we could throw out swconfig then ? :smiley:
look at port 2 & 4
pvid 100
and i am accessing AP on vlan255
but .. time for you and @123serge123 to take over this thread and help the OP

swconfig dev switch0 show
Global attributes:
        enable_vlan: 1
        alternate_vlan_disable: 0
        bc_storm_protect: 0
        led_frequency: 0
Port 0:
        disable: 1
        doubletag: 0
        untag: 0
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:0 link:down
Port 1:
        disable: 0
        doubletag: 0
        untag: 0
        led: 5
        lan: 0
        recv_bad: 0
        recv_good: 995
        tr_bad: 0
        tr_good: 255
        pvid: 1
        link: port:1 link:up speed:100baseT full-duplex 
Port 2:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 100
        link: port:2 link:down
Port 3:
        disable: 1
        doubletag: 0
        untag: 0
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:3 link:down
Port 4:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 100
        link: port:4 link:down
Port 5:
        disable: 1
        doubletag: 0
        untag: 0
        led: ???
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:5 link:down
Port 6:
        disable: 0
        doubletag: 0
        untag: 0
        led: ???
        lan: ???
        recv_bad: ???
        recv_good: ???
        tr_bad: ???
        tr_good: ???
        pvid: 0
        link: port:6 link:up speed:1000baseT full-duplex 
VLAN 1:
        ports: 1t 6t 
VLAN 2:
        ports: 1t 6t 
VLAN 100:
        ports: 1t 2 4 6t 
VLAN 200:
        ports: 1t 6t 
VLAN 255:
        ports: 1t 6t

So this is the config that ended up working for me:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'redacted'

config interface 'wan'
	option device 'eth0.2'
	option proto 'static'
	option ipaddr '10.37.37.2'
	option netmask '255.255.255.0'
	option gateway '10.37.37.1'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option ports '1t 6t'
	option vlan '30'

config interface 'vlan1'
	option proto 'dhcp'
	option device 'vlan1'
	option type 'bridge'

config switch_vlan
	option device 'switch0'
	option ports '1t 6t'
	option vlan '31'

config interface 'vlan2'
	option proto 'dhcp'
	option device 'vlan2'
	option type 'bridge'

config device
	option type 'bridge'
	option name 'vlan1'
	list ports 'eth0.30'

config device
	option type 'bridge'
	option name 'vlan2'
	list ports 'eth0.31'

Whether wan was static or DHCP, did not seem to make a difference. After this I went ahead to configure the wireless and the only thing I noticed was that I had to enable/disable the default SSID so the other SSIDs worked properly. Other than that, it seems it's working as expected :slight_smile:

Thanks once again everyone for the help :handshake:
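
Added example (not posted by anyone in this thread): a small offline checker for the swconfig-style `/etc/config/network` files shown above. It maps each switch port to its untagged and tagged VLANs and flags a port that is untagged in more than one VLAN, or an `eth0.N` device whose VLAN is not tagged to the CPU port, which is worth checking before relying on the VLANs to keep the management network separate from user SSIDs. The function names and the sample input are assumptions made for this example; CPU port 6 is taken from the thread, and the sample is trimmed to the options the checker reads.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's configs; VLAN 31's switch_vlan is omitted on purpose.
SAMPLE = """
config switch_vlan
    option vlan '2'
    option ports '1 6t'

config switch_vlan
    option vlan '30'
    option ports '1t 6t'

config device
    option type 'bridge'
    option name 'vlan1'
    list ports 'eth0.30'

config interface 'vlan2'
    option device 'eth0.31'
    option proto 'dhcp'
"""

def parse_sections(text):
    """Split UCI text into [(section_type, {key: [values]})]."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), defaultdict(list)))
            continue
        m = re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][1][m.group(1)].append(m.group(2))
    return sections

def audit(text, cpu="6"):
    """Return (ports, findings); cpu is the switch CPU port (6 on the 4C)."""
    ports = defaultdict(lambda: {"untagged": [], "tagged": []})
    findings, sections = [], parse_sections(text)
    for stype, opts in sections:
        if stype == "switch_vlan" and opts["vlan"] and opts["ports"]:
            for p in opts["ports"][0].split():
                kind = "tagged" if p.endswith("t") else "untagged"
                ports[p.rstrip("t")][kind].append(opts["vlan"][0])
    for port, m in sorted(ports.items()):
        if len(m["untagged"]) > 1:
            findings.append(f"port {port} untagged in VLANs {', '.join(m['untagged'])}")
    refs = {v for st, o in sections if st != "switch_vlan"
            for vals in o.values() for v in vals if re.fullmatch(r"eth\d+\.\d+", v)}
    for dev in sorted(refs):
        vid = dev.split(".")[1]
        if vid not in ports[cpu]["tagged"]:
            findings.append(f"{dev} is used but VLAN {vid} is not tagged to CPU port {cpu}")
    return dict(ports), findings

if __name__ == "__main__":
    for line in audit(SAMPLE)[1] or ["no findings"]:
        print(line)
```

Run it on a workstation against a copy of the router's network file by passing the file's text to `audit()`.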
