GL-AX1800 Flint 1 strange issue with VLANs

OK, I have a very strange issue with the VLANs in Flint 1.
The device is configured as an AP, so no firewall, no DHCP as we should.

I have 3 VLANs configured. And I have 5 SSIDs (2 on 5 GHz and 3 on 2.4 GHz). WiFi works perfectly fine. All WiFi devices can access the Internet without issue.
Today I rebooted the AP. And after the reboot, all the devices connected to eth ports cannot access anything on my LAN or the Internet!

I can access Flint without any issue, but all the devices connected to ETH ports are basically not working. Please note that the WiFi works just fine.

I checked the configuration again and I cannot find anything wrong. Can someone help me with this?

/etc/config/network is the following:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8f:42a6:748e::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option igmp_snooping '1'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config device
	option name 'eth0'

config device
	option name 'eth1'

config device
	option name 'eth2'

config device
	option name 'eth3'

config device
	option name 'eth4'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.0.253'
	option netmask '255.255.255.0'
	option dns '192.168.0.1'
	option gateway '192.168.0.254'
	option ip6assign '60'
	option isolate '0'
	option device 'br-lan.1'

config interface 'guest'
	option device 'br-lan.9'
	option force_link '1'
	option proto 'static'
	option ipaddr '10.1.9.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '1'
	option disabled '0'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t'
	list ports 'eth1:u*'
	list ports 'eth2:u*'
	list ports 'eth3:u*'
	list ports 'eth4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

config interface 'iot'
	option force_link '1'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.1.1.2'
	option netmask '255.255.255.128'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '1'
	option disabled '0'
First delete these; these should not be defined like this, but that likely won't fix your problem.

When I look closely at this section:

This looks correct, but in OpenWrt the wan interface serves as a special interface. This correlates as well with the default routes, and this might get into a conflict. Please restore eth0 into wan; then you may as well delete the br-lan VLAN filtering options.

^ Though it might just work fine, you can always restore this type of setup, but also look at my quote below; I think that might be the root cause.

I also see multiple similar configurations like these, but shouldn't these be DHCP clients or set to unmanaged? Your idea is to use the Flint as a dumb AP, right? Here as well, should option device 'br-lan.9' be replaced by either wan.9 or eth0.9?

Normally the most upstream router should handle the DHCP servers; all downstream VLANs should use DHCP client or unmanaged. You can see a VLAN like a tunnel: everything gets encapsulated, so it makes no sense to force a DHCP server from downstream to upstream :slight_smile:. That would make it even worse if you had multiple tagged APs doing the same; you would have a conflict.

You use bridge filtering only if you want to segment VLANs further downwards in a tagged/trunked fashion, like as a switch to another AP. But if you don't want that or there is no need to, just use eth0.9; this essentially untags it to the port, because the interface covers it and tags it upstream. You might eventually want to get rid of VLAN filtering too.

I hope this gives you some answers and explanations :slight_smile:

I don't want DHCP.
I only need it for Wi-Fi clients.
In my case what is not working is basically the PVID that is not assigned to any packet that is coming from the untagged ports. And since the switch wants tagged VLANs, it blocks them.

However, I will check with eth1 as the main port.

In the meantime, can you share what you propose? I was completely lost by your suggestions.
IIRC you also use Flint 2 router <-> Zyxel <-> Flint 1 AP

I need to know what you want to do with these ports on the Flint 1 first :slight_smile:

Do you want to also send tagged packets on those ports as well, to send them also to another device, i.e. another VLAN-aware AP or managed switch?

Usually in DSA, bridge VLAN filtering is only for ingress; the VLANs are sent ingress = going downwards. Tagging is in many cases represented as a direct call to eth0.<vlan id>, where eth0 is the wan port towards the upstream router.

On your upstream router, VLAN bridge filtering is more applicable, because it goes downwards.

In some situations (and that is why I need to understand your scope and topology) you can use the same setup you have now, but VLAN 1 must have the local checkbox unchecked on the Flint 1; but that is only if you also plan to traverse VLANs further beyond your Flint.

Now about VLANs themselves...

Because VLANs merely work like a tunnel and VLANs go downstream, using DHCP servers downstream to upstream is not advised; instead they need to be DHCP clients to see if the VLAN works, and protocol unmanaged is how it is supposed to be.

Here is an example to illustrate:

If you had a normal network without VLANs:

192.168.1.1/24 -> 192.168.22.1/24 -> 192.168.8.1/24

And if I used a tracert, my hops would go:
192.168.8.1 -> 192.168.22.1 -> 192.168.1.1

With VLAN, however, it gets encapsulated; the result looks like:
192.168.1.45 -> 192.168.1.1, it already gets directly to your main router.

So it makes more sense to do it there than on the downstream devices. :slight_smile:

So I have been dusting off my Flint 1 again to test your setup :slight_smile: because I really underestimated it and I kept way too long thinking about my own setup (which doesn't use LAN ports for this).

I came upon some interesting facts:

The Flint UI software requires the wan interface to be intact, at least that is what I suspect; if you decide to double-reference eth0 then all traffic stops. So in my configuration I found this type of config works; you can easily expand this further for your own reference:

root@GL-AX1800:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option device 'br-lan.2'

config switch
        option name 'switch0'
        option reset '0'
        option enable_vlan '0'

config interface 'tethering6'
        option device '@tethering'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@modem_1_1_2'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0'

config interface 'pc'
        option device 'br-lan.50'
        option proto 'dhcp'
        option defaultroute '0'

config interface 'wan'
        option proto 'dhcp'
        option device 'br-lan.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'eth2:u*'
        list ports 'eth3:u*'
        list ports 'eth4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '50'
        list ports 'eth0:t'
        list ports 'eth1:u*'

Please copy only the important bits of this config (I have deleted a lot of GL interfaces too :stuck_out_tongue:)

Basically it comes down to this: you use br-lan, and replace eth0 from wan by br-lan.1; this gives you the ability to add eth0 and tag it inside the br-lan bridge.

My topology:

Flint 2 (I send it tagged) <-> Zyxel switch (here I untag PVID 1) <-> Flint 1 (here I also untag it).

1 Like

VLANs work just fine. The fact that I get the WiFi working means that VLAN is OK.
What is not OK is the fact that untagged traffic is not sent from Flint 1 to Flint 2 as expected.
And here it's either the Zyxel between them that is not working properly, or the Flint 1 does not tag those packets with VLAN ID 1 as it should.

OK, so you use the switch configuration and you have PVID 1 untagged in Zyxel.
That's what I was planning to test later today when work is finished.

1 Like

Yeah, let me send some screenshots too to make it more visible what I mean :slight_smile:

First, wan looks like this:

But in order, you first need:

Then in bridge filtering:

Now maybe VLAN 2 to preserve lan is not the best option for VLANs :slight_smile:, but I was trying to hack it around a bit; for some reason the firmware doesn't like a double reference of any sort. I was also trying to have eth0.50 added to the bridge and then tag it, but to no avail :stuck_out_tongue:

This is the full interface list:

There are probably fewer interfaces, but you likely don't have to delete them; I just did to make sure nothing could conflict with the default gateway checkbox :slight_smile:

Edit: I also tried a similar setup on my second Flint 2, but I notice the firewall's wan zone needs to exist and masquerade for the wan interface, or internet is not possible :slight_smile:

Great. I have a reference now (and looks relatively similar to what I have).

I remember your discussion about the air fryer :smile: and the bridges, so I tried to avoid creating bridges on top of bridges for the Guest and IoT WiFis. And thankfully it works.

Now, I am not even sure that the problem is Flint 1... I am totally confused. If I convert eth0 from

        option vlan '1'
        list ports 'eth0:t'

to

        option vlan '1'
        list ports 'eth0:u*'

it just works!

But it's definitely not what I had in mind about PVIDs... I am still trying to figure out what is wrong with PVID etc...

1 Like
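An added check, not code from this thread or from GL.iNet/OpenWrt, that reads the bridge-vlan sections of an OpenWrt network config and reports each port's tagged VLANs, untagged VLANs and PVID; a port like eth0 in the first config, which carries VLAN 1 tagged only and so has no PVID to classify untagged frames arriving from the switch, shows up immediately. The sample config is constructed from that first config plus the eth0:u* change in the post above; the rule that a port only gets a PVID when '*' is present is an assumption of this script.

```python
import re

# Constructed sample: the bridge-vlan sections of the first config above.
OP_CONFIG = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'eth0:t'
    list ports 'eth1:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '9'
    list ports 'eth0:t'
"""
# The change that made the ports work: eth0 untagged + PVID on VLAN 1.
FIXED_CONFIG = OP_CONFIG.replace("'eth0:t'", "'eth0:u*'", 1)

def parse_bridge_vlans(text):
    """Return {bridge: {vlan_id: [port_spec, ...]}} from UCI text."""
    result = {}
    for block in re.split(r"^\s*config\s+", text, flags=re.M)[1:]:
        lines = block.strip().splitlines()
        if lines[0].split()[0] != "bridge-vlan":
            continue
        dev, vid, ports = None, None, []
        for line in lines[1:]:
            m = re.match(r"(?:option|list)\s+(\w+)\s+'([^']*)'", line.strip())
            if m and m.group(1) == "device":
                dev = m.group(2)
            elif m and m.group(1) == "vlan":
                vid = int(m.group(2))
            elif m and m.group(1) == "ports":
                ports.append(m.group(2))
        result.setdefault(dev, {})[vid] = ports
    return result

def port_membership(vlans):
    """Per port: tagged VLANs, untagged VLANs, PVID (assumed: only with '*')."""
    ports = {}
    for vid, specs in vlans.items():
        for spec in specs:
            name, _, flags = spec.partition(":")
            p = ports.setdefault(name, {"tagged": set(), "untagged": set(), "pvid": None})
            p["tagged" if "t" in flags else "untagged"].add(vid)
            if "*" in flags:
                p["pvid"] = vid
    return ports

def ports_without_pvid(ports):
    """Ports that drop every untagged frame they receive: nothing classifies it."""
    return sorted(n for n, p in ports.items() if p["pvid"] is None)
```

Run against the real file with `parse_bridge_vlans(open("/etc/config/network").read())` and inspect the bridge-port dict; an upstream port listed only with `:t` while the switch sends PVID 1 untagged is exactly the tagged/untagged mismatch discussed below.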

I experience the same; likely it is because they need to be tagged from both sides, so on the upstream side of things as well, instead of untagged.

What will fail is tagged on Flint 1 and untagged upstream :wink:. I know from past experience with other setups it has to do with duplicate packets with the same source address as the upstream device, which is never a good idea because the MAC should be from the Flint 1 :+1:. But untagged to untagged is fine, and tagged to tagged as well.

Yeah...
For now I am focusing more on the Zyxel.

There are only 2 possible broken setups here:

Either Flint 1 doesn't convert the untagged packets to tagged with VLAN 1 when it sends them to Zyxel, or Zyxel doesn't tag them when it sends them.

Now I have both Flints with tagged VLANs, and on the Zyxel I have port 5 (Flint 1) with untagged VLAN 1 and the rest as tagged.