OpenWrt Forum Archive

Topic: VLAN through 2 OpenWRT routers

The content of this topic has been archived on 8 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I have two Openwrt routers in my house: one in the attic and the other in the basement.
The one in the attic is the "main" router: Gateway to internet, Firewall, DHCP, NTP, DNS server, etc. It has its WAN port connected to the internet provider's router. This means there is a LAN (192.168.1.0/24) between my home LAN (192.168.2.0/24) and the internet.

In that intermediate LAN (192.168.1.0/24) I've wired (Ethernet) some devices that are outdoors, and if someone accesses them (takes the cable and connects a laptop, for instance), the security risk would be small because they would be outside my LAN.

The OpenWRT router in the basement is acting as a 5 port switch (the WAN port is configured as another LAN port). Any device connected to it receives its IP address from the router in the attic.

Now I'd like to connect another device outdoors, but connected to the router in the basement. However, if I connect it with the configuration I have today, that device will receive an IP from my attic's OpenWRT router and would be "inside" my LAN (huge security risk).

So, I thought of creating a VLAN towards the intermediate network (192.168.1.0/24) and somehow configuring it in both OpenWRT routers. The idea would be to assign a port of the basement router to that VLAN so that any device connected to it would get an IP from the 192.168.1.0/24 network.

A diagram with the above:
http://picpaste.com/vlan-yYsGIQyS.jpg

I've tried a few VLAN configurations in the attic router but I always lose access to the internet and have to put it back.

Any idea if this would be possible and, if so, any suggestion on how to make it work?

Thanks,
Jabss

(Last edited by jabss on 28 Feb 2015, 16:15)

I don't think that you can run VLAN tagged traffic through an unmanaged switch.  Is there a way to connect the two routers directly?

If you do that--

Attic router:  interconnect port tagged in both your WAN (2) and LAN (1) VLANs.
Basement router: interconnect port tagged in the lan VLAN (1) -- this makes the connection to the attic router's lan.  And also make a VLAN 2, make one of the other ethernet ports untagged in VLAN2, this port will be linked to the attic router's WAN.

Hello,

Thank you for your reply.
I also had that "unmanaged switch VLAN forwarding" concern in mind, and found a very logical explanation in this blog:

Wait a second, you say…. unmanaged switches can’t do trunk ports. How can an unmanaged switch understand VLAN frames?

It doesn’t need to. What is an 802.1q tagged frame, other than a standard 802.3 ethernet frame with four additional bytes inserted? These four additional bytes are the 802.1q VLAN ID field and 802.1p CoS field. As long as the unmanaged switch does not truncate frames to the 802.3 standard 1518 bytes, it will happily forward the 1522-byte 802.1q tagged frames just like any other.

My L2 switch is a DGS-1008D G2 that supports jumbo frames (up to 9000 bytes, if I'm not mistaken), so most likely the problem is not from here.

If the problem is not from the L2 unmanaged switch, it should be like the routers are connected directly.
I'll try your suggestion and come back. EDIT: I realized that is not possible.

Any other idea?

Thanks,
Jabss

(Last edited by jabss on 1 Mar 2015, 02:27)

The attic router would be basically a stock configuration except you tag the cable to the basement and include both VLANs 1 and 2.

On the basement router you would delete the WAN network so nothing is connected to VLAN2 (eth0.2).  You should also remove VLAN2 from the CPU port, as the only use of VLAN2 is to go from the camera to the attic.  Also in the switch you would move the port(s) for the camera(s) to VLAN2 (untagged) and tag the interconnect cable the same as in the attic.

I don't know if or how you could also make untagged traffic on the interconnect cable so that ordinary users of the switch will be able to connect.

(Last edited by mk24 on 1 Mar 2015, 19:14)

Hi,

There were some discussions about mixing tagged/untagged traffic on the same port, but it seems it's working on TP-1043ND routers (coincidentally my model).

Meanwhile, with testing, I found out this:
In the attic router (TP-1043ND V2), every time I tag any VLAN into the port towards the basement (as well as the L2 Switch) all devices in the intermediate L2 switch lose connectivity.
If I tag any VLAN in the basement router (TP-1043ND V1) into the port towards the attic, all devices continue having connectivity.
What I conclude with this is that the L2 switch can in fact forward mixed traffic and my LAN devices are OK with that, but there is some extra configuration that I need to do in the attic router.

Should I create a specific interface for the VLAN? (Sorry, I don't understand very well what the purpose of creating interfaces for VLANs is, but I've seen some cases on the net.)

Getting closer, but still far... :-)

Any ideas?

Thanks,
Jabss

That makes sense, as you need untagged packets in/out of the attic router from the lan network to go through the unmanaged switch to the users plugged in there that are expecting untagged.  In order to do this, you're needing the switch hardware to look at the destination MAC, and not just the VLAN number, to decide whether to send a VLAN 1 packet out of the port tagged or untagged.  The examples in the bug discussion don't try to do that.

It may work to make all VLAN1 untagged on the interconnect cable, then put the basement router in mixed mode as well so that untagged packets arriving on the port are by default re-tagged 1 and then sent to the CPU.

I don't think you need to create any new interfaces since you already have two networks going.  Eventually instead of the double routing using the modem/router, a more conventional setup involves making a new network called "unsecure" or "guest" etc for devices that you only want to see the Internet and not your LAN.  This doesn't have anything to do with the layer 2 flow of packets though so get that working first.

(Last edited by mk24 on 2 Mar 2015, 01:53)

Hello,

Some more developments:

Both my routers are TP-1043ND, but the attic one is V2 and the basement one is V1. There are some differences between the two in terms of radio and switch chipset.

The V2 has a switch chipset based on the Atheros AR8327N-BL1A, while the V1 is RealTek RTL8366RB based.

There are some reports that the mixed tagged/untagged traffic works on the RTL8366RB (V1 - basement) but doesn't work on the AR8327N-BL1A (V2 - attic). Not sure if that is the reality in Barrier Breaker, but let's assume so.

I have the possibility to add one more connection from the attic router to the L2 switch by using half of an Ethernet cable (4 conductors), but I really don't have a way of doing the same from the L2 switch to the basement router. Therefore, I'll try this configuration:

Attic router V2 (supposed to NOT support mixed VLAN traffic)
VLAN 1 (0, 1, 2, 4) - took out the port 3, it will be a VLAN2 tagged port
VLAN 2 (3t, 5, 6) - added port 3 as tagged
|  |
100mbps cable with tagged VLAN2 and 1gbps with untagged VLAN1
|  |
L2 Switch (should forward tagged traffic to all ports)
|
1gbps with tagged and untagged cable
|
Basement router - V1 (supposed to support mixed VLAN traffic)
VLAN 1 (1, 2, 3, 4, 5t)  - By default port 5 (CPU) comes tagged. Don't know why...
VLAN 2 (3t, 0) - supposedly will get the tagged traffic from port 3 and deliver it untagged on port 0

I still haven't tried this, because it requires some plug adaptation and will take some time.
However, I've configured both routers with these configurations, rebooted and things seem stable (connection within and towards internet).

So, before I cut and strip the current cabling, :-) do you think this may work?

EDIT: I was reviewing this post and realized I have a double path between switches, which may cause an infinite loop. This can't work, right?

Thanks,
Jabss

(Last edited by jabss on 3 Mar 2015, 01:14)

I don't know what happens when an L2 switch sees the same MAC address on two ports.  That is one of those "Not supposed to Happen" things.

Why not put another switch next to the attic router to combine the ports?  Logically it's the same as what you are trying but requires no rewiring.

Though if the rules of this game allow bringing in more hardware, the obvious thing is a managed switch or another router at the midpoint.

O/T, but from my experience dealing with cameras/outdoor cabling, it is better to put these devices in a sandbox rather than give them internet access, i.e. construct a VLAN that can only access the camera server and has no internet access.

When someone wanders up and plugs their laptop into the cable, if they get internet access, they're more apt to stick around and get into other stuff (from wasting your bandwidth, to initiating DoS attacks, to poking around other servers/systems attached to the network). If they plug in but can't access anything, they're more apt to wander off and bother someone else.

Back on topic: it might be easier/simpler to just use a VPN (specifically an IPIP bridge) between your attic router's WAN port and a specific port in the basement.


V/r,
Conjur

jabss wrote:

There are some reports that the mixed tagged/untagged traffic works on the RTL8366RB (V1 - basement) but doesn't work on the AR8327N-BL1A (V2 - attic). Not sure if that is the reality in Barrier Breaker, but let's assume so.

Just for clarity: correct, Barrier Breaker does not support tagged+untagged on the same port on AR8327N (or other switches using the ar8216 driver). This is supported in trunk, but the changes have not been backported to BB branch.

Hey there.

I must confess I don't completely get what you're trying to do.

First of all, vlan tags are just a couple of bytes of payload.  They have a special meaning in terms of vlan, but for every device that isn't aware of vlan those are just payload.
Have a look at this image:
http://de.wikipedia.org/wiki/Virtual_Lo … tpaket.svg

An L2 switch which doesn't know anything about VLANs most likely starts reading the source MAC address, continues reading the target MAC address and treats everything that comes after src and dst MAC as "payload", which is to be transferred unchanged to the target.

So an L2 switch that doesn't know anything about VLANs is likely to just act as if all its ports were tagged.

So my guess would be:
Make one port on each of your routers "tagged". Like you did, you used port 3 on both devices. Connect those ports through a dumb wire. This should work. Now cut the wire and put your router in between. This should work, too.

The only thing is: the remaining ports of your L2 switch will distribute tagged data as well. So you cannot simply hook a computer up to that L2 switch as long as that computer isn't aware of VLANs itself.

I really don't want to reproduce your setup in detail, so please take this only as an example.
I assume port 5 is the CPU on both of your devices. Since that can be different on all devices, and even v1 and v2 of several devices have slightly different specs, it can be different here too ... just take this as an example and look up yourself if v1 and v2 of the 1043 both have port 5 as CPU.

Router 1:
* vlan1 (0, 1, 4t, 5t)
* vlan2 (2, 3, 4t, 5t)

Router 2:
* vlan1 (0, 1, 4t, 5t)
* vlan2 (2, 3, 4t, 5t)

Interconnect both port4s with either a dumb wire or your L2 switch, doesn't matter.
Now
* vlan 1 consists of router 1 port 0 and 1 as well as router 2 port 0 and 1
* vlan 2 consists of router 1 port 2 and 3 as well as router 2 port 2 and 3
* Both routers are (through 5t) connected to both vlans, so you can create local traffic or firewall/routing from both of your routers to both of your vlans

Regards,
Stephan.
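The two explanations above (the blog quote about the four extra bytes, and Stephan's description of a VLAN-unaware switch that only reads the two MAC addresses) are easy to see on the wire. The script below is an added example, not code from the thread: it builds and decodes 802.1Q frames, shows the 1518-byte untagged versus 1522-byte tagged maximum, and models what an untagged egress port (strip the tag) and a tagged egress port (insert the PVID) do to a frame. The MAC addresses and payloads are constructed for the example.

```python
"""802.1Q frame layout, as discussed above (added example, not from the thread).

A tagged frame is an ordinary Ethernet frame with 4 bytes inserted after the
source MAC: TPID 0x8100 followed by the TCI (3-bit PCP, 1-bit DEI, 12-bit VID).
The MACs and sample payloads used by callers are constructed for the example.
"""
import struct

TPID_8021Q = 0x8100
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4      # TPID (2) + TCI (2)
FCS_LEN = 4
MAX_PAYLOAD = 1500
MAX_UNTAGGED_ON_WIRE = ETH_HDR_LEN + MAX_PAYLOAD + FCS_LEN   # 1518
MAX_TAGGED_ON_WIRE = MAX_UNTAGGED_ON_WIRE + VLAN_TAG_LEN     # 1522


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return raw


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Return a frame without FCS; pass vid=None for an untagged frame."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 1 <= vid <= 4094:          # 0 = priority-only tag, 4095 reserved
            raise ValueError("VID must be 1..4094")
        if not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("bad PCP/DEI")
        tci = (pcp << 13) | (dei << 12) | vid
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the header; 'vid' is None when no 802.1Q tag is present."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    vid = pcp = dei = None
    if ethertype == TPID_8021Q:          # the tag sits where the EtherType would be
        if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        off += VLAN_TAG_LEN
        (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "pcp": pcp, "dei": dei, "ethertype": ethertype,
            "payload": frame[off:]}


def wire_length(frame):
    """Length once the NIC appends the 4-byte FCS."""
    return len(frame) + FCS_LEN


def strip_tag(frame):
    """What an untagged egress port does: drop the 4 tag bytes, keep everything else."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[12 + VLAN_TAG_LEN:]


def retag(frame, vid):
    """What a tagged egress port does to a frame that arrived untagged (its PVID)."""
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame already tagged")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def forwards_unchanged(frame, max_frame=MAX_UNTAGGED_ON_WIRE):
    """Would a VLAN-unaware switch with this maximum frame size pass the frame?
    It only needs bytes 0-11 (the two MACs); everything after is opaque to it."""
    return wire_length(frame) <= max_frame
```

A full-size tagged frame comes out at 1522 bytes on the wire, so a switch limited to the classic 1518 bytes would drop it while a jumbo-capable one passes it untouched; a VLAN-unaware host receiving it sees EtherType 0x8100 rather than IP or ARP, which is why a plain PC on such a switch port does not get tagged traffic.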

Hello all,

I have just tested my last configuration and it's working! The device connected to port 0 of the basement switch has DHCP-received an IP from the intermediate LAN (192.168.1.0/24), and all other devices connected to the L2 switch have internal/external connectivity. The devices connected to the basement router (other than the one connected to port 0) have also DHCP-received IPs from the attic OpenWRT router (192.168.2.0/24) and have both internal/external connectivity.

I was just coming to the forum to report my success and noticed these new posts.

I admit my solution is far from elegant, but it accomplishes my primary goal and it's working with stock BB. Maybe with CC I'll be able to take the second cable out (between the attic router and L2 switch), or use an even better solution. The sandbox idea seems good, I'll investigate further.

Here are the details of my configuration:

Internet provider router
|
1 gbps cable (network 192.168.1.0/24)
|
Attic router - TP-1043ND V2 - AR8327N-BL1A (supposed to NOT support mixed VLAN traffic in BB)
VLAN 1 (0, 1, 2, 4) - took out the port 3, it will be a VLAN2 tagged port
VLAN 2 (3t, 5, 6) - added port 3 as tagged
|  |
100mbps cable - port 3 - with tagged VLAN2 (network 192.168.1.0/24) and 1gbps cable - port 1 - with untagged VLAN1 (network 192.168.2.0/24)
|  |
L2 Switch (maybe it's not forwarding tagged traffic to all ports, because apparently I don't have L2 loops)
|
1gbps cable with tagged and untagged traffic
|
Basement router - TP-1043ND V1 - RTL8366RB - (supposed to support mixed VLAN traffic)
VLAN 1 (1, 2, 3, 4, 5t)  - By default port 5 (CPU) comes tagged. Don't know why...
VLAN 2 (3t, 0) - supposedly will get the tagged traffic from the port 3 and deliver it untagged on port 0

The switch configuration:

Attic router - TP-1043ND V2 - AR8327N-BL1A (supposed to NOT support mixed VLAN traffic in BB)

Port 5 - WAN port
Ports 1-4  - LAN ports (p2 has the "untagged cable" towards the switch, p3 has the "tagged cable" towards the switch)
Ports 0, 6 - CPU ports

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxx'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        option gateway '192.168.1.1'
        option broadcast '192.168.2.255'
        option dns '192.168.1.1'
        option stp '1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option hostname 'xxxxx'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (home LAN, 192.168.2.0/24): CPU port 0 and LAN ports 1, 2 and 4,
# all untagged; one of the LAN ports carries the untagged cable to the L2 switch
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 4'

# VLAN 2 (provider side, 192.168.1.0/24): WAN port 5 and CPU port 6 untagged,
# port 3 tagged for the second (100 Mbps) cable to the L2 switch
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '3t 5 6'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'

Basement router - TP-1043ND V1 - RTL8366RB - (supposed to support mixed VLAN traffic in BB)

Port 0 - WAN port  (where the external device connects)
Port 1-4 - LAN ports 
Port 5 - CPU port

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxx'

config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'

# VLAN 1 (home LAN, addresses from the attic router): LAN ports 1-4 untagged,
# CPU port 5 tagged (eth0.1 above)
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

# VLAN 2 (192.168.1.0/24 for the outdoor device): port 0, the WAN socket, untagged;
# tagged uplink towards the attic router. CPU port 5 is deliberately not a member,
# so frames in this VLAN never reach the basement router itself
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 2t'

Thank you all for your help,
Jabss

(Last edited by jabss on 4 Mar 2015, 13:09)
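The switch sections in the post above can be checked mechanically rather than by rebooting and cutting cables. The script below is an added example, not part of the thread: it parses the `config switch_vlan` stanzas (copied verbatim from the attic BB, basement BB and later attic CC posts) and applies three checks I chose for this situation: a port untagged in two VLANs, a port that is both tagged and untagged (the mixed mode the thread reports Barrier Breaker lacks on the AR8327), and the untrusted VLAN reaching a CPU port, which would expose the router itself to whoever plugs into the outdoor socket. The CPU port numbers (0 and 6 on the attic V2, 5 on the basement V1) are taken from the posts; the `BASEMENT_BAD` variant is constructed to show a failing case. On the attic router VLAN 2 is the WAN and must reach CPU port 6, so the CPU check is only applied to the basement router.

```python
"""Audit swconfig VLAN port membership in an OpenWrt /etc/config/network.

Added example. The switch_vlan stanzas below are copied from the thread;
the checks and the BASEMENT_BAD variant are constructed for illustration.
"""
import re
from collections import defaultdict

ATTIC_BB = """
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '3t 5 6'
"""

BASEMENT_BB = """
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 2t'
"""

ATTIC_CC = """
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '1t 5 6'
"""

# Constructed mistake: the CPU port left in the outdoor VLAN on the basement router.
BASEMENT_BAD = BASEMENT_BB.replace("option ports '0 2t'", "option ports '0 2t 5t'")

OPTION_RE = re.compile(r"option\s+(\w+)\s+'([^']*)'")


def parse_switch_vlans(text):
    """Return {vlan_number: {port_number: 'tagged' | 'untagged'}}."""
    vlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):            # new UCI section
            current = {} if line.startswith("config switch_vlan") else None
            continue
        m = OPTION_RE.match(line) if current is not None else None
        if not m:
            continue
        key, value = m.groups()
        if key == "vlan":
            vlans[int(value)] = current
        elif key == "ports":                      # '3t' = tagged, '3' = untagged
            for tok in value.split():
                current[int(tok.rstrip("t"))] = "tagged" if tok.endswith("t") else "untagged"
    return vlans


def port_membership(vlans):
    """Invert to {port: {vlan: mode}} so per-port rules are easy to state."""
    per_port = defaultdict(dict)
    for vlan, ports in vlans.items():
        for port, mode in ports.items():
            per_port[port][vlan] = mode
    return dict(per_port)


def audit(text, cpu_ports=(), untrusted_vlan=None):
    """Return a list of findings; an empty list means the layout looks sound."""
    vlans = parse_switch_vlans(text)
    findings = []
    for port, members in sorted(port_membership(vlans).items()):
        untagged = sorted(v for v, m in members.items() if m == "untagged")
        tagged = sorted(v for v, m in members.items() if m == "tagged")
        if len(untagged) > 1:
            findings.append(f"port {port}: untagged in VLANs {untagged}, but a port has one PVID")
        if untagged and tagged:
            findings.append(f"port {port}: untagged in {untagged} and tagged in {tagged} "
                            "(mixed mode; needs switch-driver support)")
    if untrusted_vlan is not None:
        for cpu in cpu_ports:
            if cpu in vlans.get(untrusted_vlan, {}):
                findings.append(f"CPU port {cpu} is in VLAN {untrusted_vlan}: "
                                "the router itself is reachable from the untrusted side")
    return findings


if __name__ == "__main__":
    for name, cfg, cpu, untrusted in (("attic BB", ATTIC_BB, (0, 6), None),
                                      ("basement BB", BASEMENT_BB, (5,), 2),
                                      ("basement BAD", BASEMENT_BAD, (5,), 2),
                                      ("attic CC", ATTIC_CC, (0, 6), None)):
        print(name, audit(cfg, cpu, untrusted) or ["ok"])
```

Run against the thread's configs, the attic BB layout reports nothing (every port is either purely tagged or purely untagged, which is why it works on the AR8327 under BB), the basement BB layout and the attic CC layout each report one mixed-mode port (the uplink), and only the constructed `BASEMENT_BAD` trips the CPU-port check.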

Hello,

Just a brief update. I've just installed CC-RC1 in my attic router and the VLAN tagging is working as it should, so there's no need to have a second cable.

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        # mirroring is not enabled (no enable_mirror_rx/enable_mirror_tx),
        # so these two options have no effect
        option mirror_source_port '0'
        option mirror_monitor_port '0'

# VLAN 1 (home LAN): CPU port 0 and LAN ports 1, 2 and 4 untagged
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 4'

# VLAN 2 (provider side): WAN port 5 and CPU port 6 untagged, port 1 tagged.
# Port 1 now carries VLAN 1 untagged and VLAN 2 tagged on the single cable to
# the L2 switch, the mixed mode the AR8327 driver gained after BB
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '1t 5 6'

Cheers,
Jabss

(Last edited by jabss on 31 May 2015, 12:29)
