OpenWrt Forum Archive

Topic: SOLVED: Guest WLAN: WLAN -> Tagged Vlan -> Untagged Vlan on Port

The content of this topic has been archived on 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi Guys,

I am trying the following, but did not succeed. So I decided to write a post.

Hardware:
2 x TP-Link TL-WR841N/ND v9
Installed: OpenWrt Barrier Breaker 14.07-rc1 / LuCI Trunk (svn-r10457)

What I want to have at the end:

All traffic from the GAST WLAN should be routed into VLAN 12 and tagged on one network port. At the second device, the tagged traffic should be received and translated onto a second port, but untagged. So I can connect Port 4 of my Fritz!Box to the second WR841N on the untagged VLAN 12 port, and the guest traffic will be routed tagged through the private network to the Access Point and its SSID GAST.

Fritz!Box [Port 4] <--> [Port 1 untagged VLAN 12] on receiving station (the second WR841N v9) [Port 4 untagged private and tagged VLAN 12] <--> [Port 1 untagged private and tagged VLAN 12] on WR841N v9 as Access Point <--> VLAN 12 untagged to SSID GAST

One TP-Link has to be an Access Point with 2 SSIDs: WLAN and GAST. This is not the problem.
http://pic.mirror8.de/di/8ML0/1.jpg

http://pic.mirror8.de/di/S8X2/2.jpg

Now I created the VLAN 12 interface:
http://pic.mirror8.de/di/0MAX/4.jpg

I created my own network interface called GAST and bridged VLAN 12 (eth0.12) with the wireless LAN GAST
http://pic.mirror8.de/di/JU7T/3.jpg

So every packet from WLAN GAST is bridged through eth0.12. And with the VLAN config, the traffic from VLAN 12 is tagged to Port 1.

On the receiving station (the second WR841N v9) I configured it like this:

I created VLAN 12 untagged on Port 1, to connect this to Fritz!Box Guest Port 4, and tagged on Port 4 of the receiving station. This port is my private network, where the access point is connected.
http://pic.mirror8.de/di/KKBG/5.jpg

My problem: it will not work! What am I doing wrong?

Thank you for your help!

(Last edited by norcon on 23 Jul 2014, 09:07)

You need to add tagged CPU port to vlan12. Wifi is on CPU side and this is not connected to your switch0.

neryba wrote:

You need to add tagged CPU port to vlan12. Wifi is on CPU side and this is not connected to your switch0.


I am sorry, but now the system is not reachable anymore :( Other ideas?

http://pic.mirror8.de/di/0YLI/6.jpg

http://pic.mirror8.de/di/HLL4/7.jpg

(Last edited by norcon on 16 Jul 2014, 19:38)

Also try setting tagged CPU on vlan1.
Can you print the network config file, /etc/config/network? Maybe you also need to edit the LAN network from eth0 to eth0.1

(Last edited by neryba on 16 Jul 2014, 19:48)

Which part does not work? You need to isolate each component seeing as this is a complicated setup.

qasdfdsaq wrote:

Which part does not work? You need to isolate each component seeing as this is a complicated setup.

I can not transfer data over VLAN 12. Everything else seems to work.

neryba wrote:

Also try setting tagged CPU on vlan1.
Can you print the network config file, /etc/config/network? Maybe you also need to edit the LAN network from eth0 to eth0.1

If I set tagged CPU on vlan1, the system is not reachable anymore.

Here is the config:

root@TP-Link1:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5b:f5b0:f5f7::/48'

config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.18'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'
        option vid '1'

config interface 'GAST'
        option proto 'none'
        option auto '1'
        option type 'bridge'
        option _orig_ifname 'wlan0-1'
        option _orig_bridge 'true'
        option ifname 'eth0.12'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4t'
        option vid '12'

I think this is right (edited)

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5b:f5b0:f5f7::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.18'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4'
        option vid '1'

config interface 'GAST'
        option proto 'none'
        option auto '1'
        option type 'bridge'
        option ifname 'eth0.12'

config switch_vlan
        option device 'switch0'
        option vlan '12'
        option ports '0t 4t'
        option vid '12'

(Last edited by neryba on 16 Jul 2014, 21:01)
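
Added example (not part of the thread and not OpenWrt code): the fix above comes down to one rule, that every eth0.N device an interface uses needs the CPU port as a tagged member of VLAN N, otherwise frames for that VLAN (here the guest traffic) never cross between the CPU and the switch. The Python check below audits a /etc/config/network file for that; CPU port 0 and eth0 as the switch-facing device are assumptions read off the configs in this thread, and `parse_uci` and `audit` are hypothetical helper names.

```python
import re
import shlex

CPU_PORT, SWITCH_DEV = "0", "eth0"  # assumptions, read off the thread's '0t' and eth0.12

def parse_uci(text):
    """Return [(type, name, {option: value})] from UCI config/option lines."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"] and len(tok) > 1:
            sections.append((tok[1], tok[2] if len(tok) > 2 else "", {}))
        elif tok[:1] == ["option"] and len(tok) > 2 and sections:
            sections[-1][2][tok[1]] = tok[2]
    return sections

def audit(text):
    """List interfaces whose eth0 / eth0.N device cannot talk to the switch."""
    sections = parse_uci(text)
    cpu = {}  # VID -> how the CPU port is a member: "tagged" or "untagged"
    for typ, _, opt in sections:
        if typ == "switch_vlan":
            vid = opt.get("vid", opt.get("vlan"))
            for port in opt.get("ports", "").split():
                if port.rstrip("t") == CPU_PORT:
                    cpu[vid] = "tagged" if port.endswith("t") else "untagged"
    findings = []
    for typ, name, opt in sections:
        for dev in (opt.get("ifname", "").split() if typ == "interface" else []):
            m = re.fullmatch(re.escape(SWITCH_DEV) + r"(?:\.(\d+))?", dev)
            if m and m.group(1) and cpu.get(m.group(1)) != "tagged":
                findings.append(f"{name}: {dev} needs '{CPU_PORT}t' in VLAN {m.group(1)}")
            elif m and not m.group(1) and cpu and "untagged" not in cpu.values():
                findings.append(f"{name}: bare {dev}, but the CPU port is tagged-only")
    return findings

# Constructed excerpt of the first config posted in the thread (before the fix).
BEFORE = """
config interface 'lan'
        option ifname 'eth0'
config switch_vlan
        option vlan '1'
        option ports '0 1 2 3 4'
config interface 'GAST'
        option ifname 'eth0.12'
config switch_vlan
        option vid '12'
        option ports '4t'
"""
print(audit(BEFORE))
```

The second rule in `audit` covers the intermediate state reported earlier in the thread, where the CPU port was set to tagged while 'lan' still used bare eth0 and the device became unreachable.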

You are so right! The eth0.1 and untagged to tagged for CPU Port did the trick. Thank you man...

To help others, here is my network config:

===================================================
AP System:
root@TP-Link1:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5b:f5b0:f5f7::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.18'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4'
        option vid '1'

config interface 'GAST'
        option proto 'none'
        option auto '1'
        option type 'bridge'
        option ifname 'eth0.12'

config switch_vlan
        option device 'switch0'
        option vlan '12'
        option vid '12'
        option ports '0t 2t'

========================================================
Receiver Device

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9e:1018:5f93::/48'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.16'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'
        option _orig_ifname 'eth0 radio0.network1'
        option _orig_bridge 'true'
        option ifname 'eth0.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '12'
        option ports '0t 1 4t'

config interface 'GAST'
        option ifname 'eth0.12'
        option _orig_ifname 'eth0.12'
        option _orig_bridge 'false'
        option proto 'none'

(Last edited by norcon on 16 Jul 2014, 21:34)

If I understand your plan right, in the receiver device you don't need interface GAST, and the switch config could be

config switch_vlan
        option device 'switch0'
        option vlan '12'
        option vid '12'
        option ports '1 4t'

Because there are NO network packets that need to be sent to the CPU

Thanks neryba, I changed it.

Now another problem. If I connect a PC to the untagged port of the receiving device, I get a ping and everything is fine. If I now connect the untagged port to port 4 of the Fritz!Box and the tagged 1 and 12 port to a free port of the Fritz!Box, I get a loop.

Nothing is working anymore until I disconnect one of the two cables of the receiving device. Why? Tagged and untagged ports should be isolated and a loop not possible.

Is there any option I missed?

Sorry, I didn't understand the topology from your post, can you create a picture?
Anyway, you can add option stp to the lan interface to protect from looping

option stp      '1'

neryba wrote:

Sorry, I didn't understand the topology from your post, can you create a picture?
Anyway, you can add option stp to the lan interface to protect from looping

option stp      '1'

I tested it already, but no chance. Now I will test using the WAN port (eth1) for the second connection to the Fritz!Box.

Here is what I want to realize in a map :) Hope you understand:

http://pic.mirror8.de/di/LQ7W/map.jpg

neryba wrote:

Anyway, you can add option stp to the lan interface to protect from looping

option stp      '1'

With STP Option it is looping anyway.

Does your switch support VLAN tagging/trunking? A network packet with a VLAN tag is bigger than a typical network packet. So if your switch doesn't support that, it cannot send these packets; if yes, you don't need the "receiving device" at all.
You can try connecting a cable from the switch to port 3 on the "receiving device" and from port 4 directly to the "AP device". OR use eth1 on the "receiving device" for connecting from the switch, then all traffic goes via the CPU and the stp command will help you.

Looks like you're getting a loop because you have a loop. Unless both the fritzbox and private network switch support VLANs properly you'll get random awkward behaviours.

But why? If I connect port 1 of the receiving device to Fritz!Box port 4 it should not cause a loop, because port 1 is untagged and so a loop should not be possible?!

A direct connection is not possible between AP and receiving device.

Any other ideas?

I think I get a loop packet, because ports 1 to 4 are a built-in switch.

So another question. How to use eth1 (wan interface) as untagged vlan 12 port?

No chance. I got it, but I receive a loop too :(

Try creating this

config interface 'GAST'
        option proto 'none'
        option type 'bridge'
        option ifname 'eth0.12 eth1.1'
        option stp      '1'
        option auto '1'

config switch_vlan
        option device 'switch0'
        option vlan '12'
        option vid '12'
        option ports '0t 4t'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4t'
        option vid '1'

Connect a cable from the main router to the wan port. You also need to remove the wan and wan6 interfaces. And enable receiving tagged vlan1 packets on the AP.
But what main switch do you have? Can you give the model name?

(Last edited by neryba on 18 Jul 2014, 21:29)

norcon wrote:

But why? If I connect port 1 of the receiving device to Fritz!Box port 4 it should not cause a loop, because port 1 is untagged and so a loop should not be possible?!

Because if the device is not designed to handle VLANs then any number of things can happen, most commonly treating tagged frames as untagged or vice versa.

A direct connection is not possible between AP and receiving device.

How not? If they are both connected to the same switch, unless the switch is hundreds of metres long I cannot see any reason why you can't connect the cables together.

Now I found a solution. But without OpenWrt and the TP-Link system.
I used my Raspberry Pi with Raspbian and connected an additional USB Ethernet adapter. Now I have two MAC addresses and a loop can't be created.

The one port is untagged VLAN 12 and the other tagged 12 and untagged 1.

I am happy now! :)
