Wan offline with VLAN added

Hi,

I use OpenWRT 21.02 on my FritzBox 4040 and all is working fine. I use a 4G dongle as a failover managed with mwan3, which is working fine too: when plugged into WAN it surfs with the WAN IP, when disconnected it surfs with the 4G IP.

BUT in the last few days I wanted to set up a VLAN for ESX training purposes, and when I add the VLAN, regardless of whether anything is connected to it, my WAN is disabled and I end up using the internet over 4G!
I checked everything and can't find the problem.

VLAN-config:

VLAN1 (default): eth0 tagged / eth1 untagged / eth2 untagged / eth3 off / eth4 untagged
VLAN11 (ESX) eth0 tagged / eth1 & 2 off / eth3 untagged / eth4 off

As far as I understand, eth0 has to have VLAN1 & 10 tagged so I can connect via VPN, but it also makes no difference to switch eth0 to off on VLAN11; WAN only comes back up again when I delete VLAN11.

Which ethernet port is used as an uplink to the ISP? eth0?
What is connected to eth0?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
uci export mwan3

eth0 is the uplink; there is another router/modem from my landlord connected with a DHCP IP, just like the 4G is also a DHCP IP. That's why I don't understand the problem: it just kicks the WAN on eth0 when VLAN11 is running.

Then you certainly cannot use tagged frames on eth0.

That shouldn't be the problem.

VLAN1 by default is also tagged on eth0. Whether VLAN11 is active or not, eth0 is always tagged; on VLAN11 it is tagged because I need internet on VLAN11 for VPN and for the VMs reaching the internet. It also works when VLAN11 is active, but then eth0 is down for no reason.

Does your landlord's router expect tagged frames from your router? If yes, is it configured to accept tagged frames in vlan11?

The landlord's router has nothing to do with it; my 4040 creates VLAN11, and VLAN1 is the default on OpenWrt, at least on the FritzBox 4040.

It has to do with the 2 WAN interfaces, 4G and ethernet, because adding the VLAN disables WAN-ethernet (eth0).

I'll try renaming VLAN1 to VLAN 0; maybe this helps.

You cannot just tag frames or change VLAN IDs at random.
First of all, post the diagnostics mentioned here.

        "kernel": "5.4.143",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "AVM FRITZ!Box 4040",
        "board_name": "avm,fritzbox-4040",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0",
                "revision": "r16279-5cc0535800",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 21.02.0 r16279-5cc0535800"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf8:3656:8091::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.190.1/23'
        list ipaddr '192.168.11.1/23'

config interface 'wan'
        option proto 'dhcp'
        option metric '9'
        option device 'eth1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1 2 4'

config interface 'LTE'
        option proto 'dhcp'
        option metric '50'
        option device 'eth2'

config device
        option name 'eth2'

config device
        option name 'zthnhpr2my'

config interface 'ZT0'
        option device 'zthnhpr2my'
        option proto 'dhcp'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '8'
        option name 'eth0.3'

config interface 'VLAN11'
        option proto 'static'
        option device 'eth0.11'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        option gateway '192.168.190.1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '11'
        option ports '0t 3'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'AnyConnect'
        option interface 'AnyConnect'
        list ra_flags 'none'

config dhcp 'LTE'
        option interface 'LTE'
        option ignore '1'
        list ra_flags 'none'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'VLAN11'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'LTE'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone 'vpn_zone'
        option name 'zerotier'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        list device 'zt+'

config forwarding
        option dest 'zerotier'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'zerotier'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 172.16.3.112/24 brd 172.16.3.255 scope global eth1
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.8.133/24 brd 192.168.8.255 scope global eth2
       valid_lft forever preferred_lft forever
11: zthnhpr2my: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    inet 10.147.17.245/24 brd 10.147.17.255 scope global zthnhpr2my
       valid_lft forever preferred_lft forever
25: eth0.11@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.11.1/24 brd 192.168.11.255 scope global eth0.11
       valid_lft forever preferred_lft forever
26: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.190.1/23 brd 192.168.191.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet 192.168.11.1/23 brd 192.168.11.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 172.16.3.254 dev eth1 table 1 proto static src 172.16.3.112 metric 9
10.147.17.0/24 dev zthnhpr2my table 1 proto kernel scope link src 10.147.17.245
172.16.3.0/24 dev eth1 table 1 proto static scope link metric 9
192.168.10.0/23 dev br-lan table 1 proto kernel scope link src 192.168.11.1
192.168.11.0/24 dev eth0.11 table 1 proto kernel scope link src 192.168.11.1
192.168.190.0/23 dev br-lan table 1 proto kernel scope link src 192.168.190.1
default via 192.168.8.1 dev eth2 table 2 proto static src 192.168.8.133 metric 50
10.147.17.0/24 dev zthnhpr2my table 2 proto kernel scope link src 10.147.17.245
85.220.252.114 via 192.168.8.1 dev eth2 table 2 proto static metric 50
192.168.8.0/24 dev eth2 table 2 proto static scope link metric 50
192.168.10.0/23 dev br-lan table 2 proto kernel scope link src 192.168.11.1
192.168.11.0/24 dev eth0.11 table 2 proto kernel scope link src 192.168.11.1
192.168.190.0/23 dev br-lan table 2 proto kernel scope link src 192.168.190.1
default via 172.16.3.254 dev eth1 proto static src 172.16.3.112 metric 9
default via 192.168.8.1 dev eth2 proto static src 192.168.8.133 metric 50
10.147.17.0/24 dev zthnhpr2my proto kernel scope link src 10.147.17.245
85.220.252.114 via 192.168.8.1 dev eth2 proto static metric 50
172.16.3.0/24 dev eth1 proto static scope link metric 9
192.168.8.0/24 dev eth2 proto static scope link metric 50
192.168.10.0/23 dev br-lan proto kernel scope link src 192.168.11.1
192.168.11.0/24 dev eth0.11 proto kernel scope link src 192.168.11.1
192.168.190.0/23 dev br-lan proto kernel scope link src 192.168.190.1
broadcast 10.147.17.0 dev zthnhpr2my table local proto kernel scope link src 10.147.17.245
local 10.147.17.245 dev zthnhpr2my table local proto kernel scope host src 10.147.17.245
broadcast 10.147.17.255 dev zthnhpr2my table local proto kernel scope link src 10.147.17.245
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.16.3.0 dev eth1 table local proto kernel scope link src 172.16.3.112
local 172.16.3.112 dev eth1 table local proto kernel scope host src 172.16.3.112
broadcast 172.16.3.255 dev eth1 table local proto kernel scope link src 172.16.3.112
broadcast 192.168.8.0 dev eth2 table local proto kernel scope link src 192.168.8.133
local 192.168.8.133 dev eth2 table local proto kernel scope host src 192.168.8.133
broadcast 192.168.8.255 dev eth2 table local proto kernel scope link src 192.168.8.133
broadcast 192.168.10.0 dev br-lan table local proto kernel scope link src 192.168.11.1
broadcast 192.168.11.0 dev eth0.11 table local proto kernel scope link src 192.168.11.1
local 192.168.11.1 dev eth0.11 table local proto kernel scope host src 192.168.11.1
local 192.168.11.1 dev br-lan table local proto kernel scope host src 192.168.11.1
broadcast 192.168.11.255 dev eth0.11 table local proto kernel scope link src 192.168.11.1
broadcast 192.168.11.255 dev br-lan table local proto kernel scope link src 192.168.11.1
broadcast 192.168.190.0 dev br-lan table local proto kernel scope link src 192.168.190.1
local 192.168.190.1 dev br-lan table local proto kernel scope host src 192.168.190.1
broadcast 192.168.191.255 dev br-lan table local proto kernel scope link src 192.168.190.1
0:      from all lookup local
1001:   from all iif eth1 lookup 1
1002:   from all iif eth2 lookup 2
2001:   from all fwmark 0x100/0x3f00 lookup 1
2002:   from all fwmark 0x200/0x3f00 lookup 2
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
3002:   from all fwmark 0x200/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
package mwan3

config globals 'globals'
        option mmx_mask '0x3F00'

config interface 'wan'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '2'
        option initial_state 'online'
        option track_method 'ping'
        option count '1'
        option size '56'
        option max_ttl '60'
        option check_quality '0'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        option down '1'
        option up '1'
        list flush_conntrack 'ifup'
        list flush_conntrack 'ifdown'
        list flush_conntrack 'connected'
        list flush_conntrack 'disconnected'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wan_m2_w3'
        option interface 'wan'
        option metric '2'
        option weight '3'

config policy 'wan_only'
        list use_member 'wan_m1_w3'
        option last_resort 'default'

config policy 'wanb_only'
        list use_member 'LTE_m1_w3'
        option last_resort 'unreachable'

config policy 'wan_wanb'
        list use_member 'wan_m1_w3'
        list use_member 'LTE_m2_w3'
        option last_resort 'unreachable'

config policy 'wanb_wan'
        list use_member 'wan_m2_w3'
        list use_member 'LTE_m1_w3'
        option last_resort 'unreachable'

config rule 'default_rule_v4'
        option dest_ip '0.0.0.0/0'
        option family 'ipv4'
        option proto 'all'
        option sticky '0'
        option use_policy 'wan_wanb'

config rule 'default_rule_v6'
        option dest_ip '::/0'
        option family 'ipv6'
        option proto 'all'
        option sticky '0'
        option use_policy 'wan_wanb'

config interface 'LTE'
        option enabled '1'
        option initial_state 'online'
        option family 'ipv4'
        option track_method 'ping'
        option count '1'
        option size '56'
        option max_ttl '60'
        option check_quality '0'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option reliability '2'
        option down '1'
        option up '1'
        list flush_conntrack 'ifup'
        list flush_conntrack 'ifdown'
        list flush_conntrack 'connected'
        list flush_conntrack 'disconnected'

config member 'LTE_m1_w3'
        option interface 'LTE'
        option metric '1'
        option weight '2'

config member 'LTE_m2_w3'
        option interface 'LTE'
        option metric '2'
        option weight '2'

Some remarks:

  1. Your uplink to the ISP is eth1, not eth0. Eth0 is the switched interface.
  2. The CPU port must always be tagged; the other ports usually not.
  3. Vlans 1 and 2 are treated specially by the hardware and you should not mess with them. Check the examples in the wiki for working configurations.
  4. There is a subnet conflict between 192.168.11.0/24 on the vlan11 interface and the IP alias 192.168.11.1/23 on the lan interface (both br-lan and eth0.11 carry 192.168.11.1 in the ip addr output above).
  5. The gateway on the vlan11 interface is wrong and unnecessary.

to 1. ok, I saw that in between too ^^ but it doesn't matter: eth1 is disconnected when a 2nd VLAN is added
to 2. the CPU port is tagged in vlan1 and vlan11
to 3. VLAN1 is the default, VLAN2 isn't there by default, so I chose to call it VLAN 11 because it's on the IP range 192.168.11.0
to 4. no conflict: vlan11 is the local network and lan is connected with ZeroTier and has to use /23 to work properly
to 5. gateway is set only for test, I´m aware of that :smiley:

Have a read at

or pull the DSA patches to fix the issues for good
