The ports on this are then plugged into a netgear switch - running the manufacturers firmware...
tp port 1 is plugged into netgear port 19 vlan 10
port 2 is 20 vlan20
port 3 is 21 vlan30
port 4 is 22 vlan40
wan on tp link is on netgear port 23. - no vlan
If I plug in a laptop direct to TP on a port, i get an IP in the correct range based on DHCP for that port /vlan running on openwrt.
When i connect it to the netgear, i got confused in tagged/untagged and now regardless of what i set on netgear, my laptop will always get an IP from the core router dhcp rather then one from openwrt ( they are different ip ranges - core router is 192.168.1.x , the tplink port 1 is 192.168.10.x port 2 is 20.x and so on.
Where am i going wrong with tags?
in the images above, i want the device connected to netgear port 7 which is vlan 20, to get an ip from openwrt vlan 20 - which is port 20 on netger port 2 on the router?
You need to have VLAN 20 untagged on port 7. This means both setting port 7 to Untagged and setting the port 7 PVID to 20.
That said, there is no need to connect ports 2-4 from your OpenWrt router to the switch. Instead, you can use a trunk (one port/wire that carries multiple networks). Be sure to disconnect ports 2-4 so that only port 1 is connected to the switch (otherwise you will have switching loops that will break your network). Configure as follows on the switch (all of the below applies to port 19):
The AR7240 switch has some hardware limitations. It works best to plan and build your network with only VLAN numbers between 1 and 15 because the VLAN table in the switch has only 16 entries, not 4096 as a fully 802.3q capable switch would.
There is a way to work around this but I don't know if LUCI implements it.
Also the cable to the other switch (trunk port) should have all VLANs of interest tagged and none untagged. The whole point of VLAN tagging is to have multiple networks independently transported on one cable then separated back out by the switch at the other end.
I've changed things about a bit:
now:
on openWRT
I have WAN - connecting to my main router
interface = vlan = physical port on tp = physical port on netgear
WAN = WAN = Port WAN = Port 23
LAN = VLAN11, port 1 = port 22
VLAN2 = VLAN12, port 2 = port 21
vLAN3 = VLAN13 port 3 = port 20
vLAN4 = VLAN14 port 4 = port 19
Each has its own dhcp server.
How would I change the OPENWRT config to use the multiple DHCP servers but using only one connection between the openwrt router and the netgear? At the moment I was working along the lines of on the netgear I would only enable port 19 for vlan 14, port 20 for vlan 13 etc. notag/untag would mean its not on a vlan?
Sorry- new to openwrt and networking genrally so not understanding the concepts.
Are you able to send me a screenshot of a setup (if you have it setup!)?
the aim for the openwrt mainly is just to be DHCP server for the different vlans, I want to seperate out my normal devices (laptop comp etc), from my home automation stuff and so on. I'm happy (or fairly) to setup port forwards and firewalls but just getting the vlan setup between the tp-link and netgear is where I'm struggling!
The IP address and (optional) DHCP server are part of a network interface, which is a virtual thing in the kernel. (see Network--Interfaces page). Network interfaces can be named whatever you want (subject to rather strict limits on the length of the name and the characters allowed), and in some cases it is good to name them 'vlanN' but it may cause confusion to a beginner. Another convention is to name them by usage, such as 'trusted' vs. 'guest.'
.
The actual transport of packets from a network interface to the Ethernet device is done with a physical setting (physical settings tab under network interface edit) of 'eth1.X' where X is the VLAN number defined in the switch. This causes the packets tagged with that number to leave the CPU Ethernet port and enter the switch CPU port. These two bits of hardware are right next to each other on the same chip but logically the switch is a separate unit. So at this point you have different networks sharing the same very short single "cable" on the chip. This can be propagated out to an external cable by setting up the switch VLAN routing table properly.
Test your interfaces with wifi devices to make sure DHCP etc works. Go to Network Wireless and set up an AP attached to the network you're testing, then connect a laptop to that wifi it should get a DHCP address and be subject to the firewall rules you've configured. It will work the same for wired connections as well.
For the above to work the network interface should be defined as a bridge. In almost all cases you want to check the 'bridge' box on the physical page for LAN-like interfaces.
When I setup the openwrt, I did it wired, each port gave my laptop a different ip range as expected. sp if i plugged in to lan1 i got a 192.168.10.x ip, lan2 gave me a 192.168.20.x and so on. I understand that i didnt need to do it on a port basis, but in my mind it made it easier - each port is a different DHCP server and allocated to a different VLAN!
Where i then got stuck is connecting the ports from openwrt to the netgear to make the different ip dhcp servers available across my network
It sounds like you have everything in place on OpenWrt, except configure the switch to make the port connected to the Netgear managed switch tagged in all the VLANs. The other 3 external ports would remain untagged in only one VLAN (and off in the others) to connect directly to an endpoint device.
If you look back at my first response, I suggested that you use a single cable to connect your OpenWrt router and the switch and I described the way that the switch should be configured including one untagged network and 3 tagged networks on that port. @mk24 suggests that all networks should be tagged when part of a trunk -- this is a matter of personal preference/professional opinion, as the 802.1q standard does allow zero or one untagged networks and one or many tagged networks to be carried on a trunk. My suggestion was based on the OpenWrt configuration referenced in the OP.
I stand by my point that there only needs to be a single physical LAN connection between the two devices (this is the trunk), and I would suggest that you remove the connections on ports 2-4 (21-19). But you can make all networks tagged on the trunk if you want -- that would be as simple as setting all networks under LAN 1 as tagged on the OpenWrt side and the corresponding port on the switch to have all VLANs tagged there, too.
A note about the way that these Netgear switches work...
Making a VLAN tagged on a given port is really easy -- simply set the port association to Tagged for the VLAN of interest.
Making a VLAN untagged and active on a port -- this is called an "access port" -- requires 2 steps. You must first set the VLAN to Untagged on the port of interest, and then you must set the PVID to the VLAN ID you're working with. If you don't do both, the desired network will not show up on that port. If no PVID is set, the port may appear logically non-functional when a non-VLAN-aware device is connected.
In any VLAN setup where there are tagged networks, it is imperative that the VLAN IDs match on both pieces of equipment that are connected to each other via a cable. If the VLAN IDs are not the same, the network will not function.
Keep in mind that almost all end equipment (computers, STBs, game consoles, etc.) expect the network connection to be untagged. That is to say that you must have your switch ports configured as access ports (described above) for connecting most equipment (aside from VLAN aware network infrastructure type hardware such as your OpenWrt router, VLAN aware switches, and dedicated access points).
Hopefully this will get you farther, but I suspect that if you are still having issues, it is likely that the Netgear switch is not properly (or completely) configured. If that is the case, please provide the latest configuration information for both the OpenWrt device and the Netgear switch, as well as the wiring config.
I'm going to reset the openwrt router and start fresh using one port.
I just want to check, where I'm marking a port as tagged/untagged is that for data coming in or out or both that it is untagged?
And on the netgear i have this setup:
I rea this as any traffic on port 20 will be tagged, any traffic on port 7 will be untagged, and these are the only two ports which will work on this vlan (VLAN13)?
The core part of the switch can't know where to send a packet unless it is tagged. In other words all packets moving within the heart of the switch must be tagged.
The per-port PVID is the tag number to apply to a packet which arrives on that port untagged (from an ordinary endpoint device), so then it will be known to belong to that VLAN. That is all that setting does. But it is essential to make access ports work correctly.
If you want packets to remain tagged as they exit, that is the other page where you choose egress settings.
I'm starting to wander if i have mis-understood the numberings on the interface page!
So eth 0 is the lan side and eth 1 is wan side.
Then eth0.0 is the first port on the LAN side?
if I then add a VLAN interface should this show up as eth0.01?
Also I have Switch VLAN and Software VLAN:
Should i be using software or switch vlan?
Will shortly be resetting and starting afresh, just want to setup the interfaces correctly - noting that I am looking to host 4 DHCP servers on different vlans
This is just LUCI trying to organize things for you. If you have defined a VLAN number on the Switch page, LUCI will automatically add a "switch VLAN" to its list for easy selection on the network interfaces physical tab. "software vlan" is simply a reference found to eth0.X where X is unknown in the switch configuration, (and thus unlikely to work). There's no physical difference.
Connecting a network to eth0.X will cause a packet tagged with number X to leave the CPU and enter the switch-- what happens to it next depends on the switch configuration. Both have to be properly configured with a matching number.
Note that IP addresses and DHCP servers don't exist on "VLANs", you create them on network interfaces then attach the network interface to a physical port which tags it and sends it into VLAN-aware hardware.
You could for example have a guest network with DHCP server which only links to a wifi AP-- that is a separate network but not a VLAN, nothing is ever tagged in that case.
The Guest wifi example is exactly what i am trying to setup - but for lots more stuff.
so one wifi access point for guest - direct to the main router and out to the internet,
then another for wired and wireless home automation stuff,
third for home devices (laptop/pc etc)
and a 4th for comms between VM PC's and synology for storage...
I was going down the route of having a DHCP server for each VLAN, and each port on the TP-link its own ip range/DHCP server so i didnt have to figure out the trunking etc. But given I'll start afresh i should do it correctly!
The Netgear settings are basically correct there for VLAN 13 tagged on port 20 and untagged on port 7.
You do not need to set the PVID to 13 for port 20 (since PVID only applies to untagged networks), but you do have to set that value to something, so 13 is fine. You could make it PVID 1 as long as you exclude VLAN 1 from port 20 (your choices are U, T, or blank; blank is excluded). Or you could use a VLAN ID that is otherwise unused (recommended for that to also be excluded from that port).
Since you have a main router and this secondary router handling the VLANs, it might be a good idea to show us a diagram of your setup -- can you draw one up and post it here (a photo of a sketch on paper is sufficient)? Can you remove the main router and make your OpenWrt the only router in the system? That creates a better situation for most networks (no double NAT issues).
Apologies - i'll get something drawn up and then put online - tbh im not sure why it isnt working from what i can tell the netgear was tagged correctly as per your description on the previous post so I'm guessing something isnt set right on the tp-link -openwrt... Not got around to wiping it but thats on the list to do!
