Mt-6000 vlan

Having issues setting up VLANS on this router. Have tried multiple times from reset thru locking myself out. Have tried single VLAN, multiple VLANS. You name it. Here’s the details:

I have ISP router in bridge mode hooked to my MT-6000 thru the WAN port. I want 3 or 4 VLANS, call them 10, 20, 30 and 40. I’ve gone into LUCI and setup interfaces, devices, turned on VLAN filtering. Tried setting up just 1. In all cases the save/apply eventually fails and usually makes things inaccessible until I do a hard reset. I’m using static IP on the Router.

Absolutely NOT a network engineer. Would appreciate your help! Thanks.

Ah :slight_smile: , this issue is very known to me and the solution is very easy.

  1. No, you do not have to save and apply yet; instead, save. As soon as VLAN filtering is checked, device br-lan needs to be changed into br-lan.1 inside the lan interface; only then can you safely save and apply.

  2. For the other VLANs, you also create other interfaces, no? Make sure that when you define its own firewall zone, the input of this new zone in the firewall settings says ACCEPT. By default on creation it is DROP, and on normal OpenWrt REJECT; it follows the global settings on creation, but that will reject DHCP on your new interfaces.

  3. On interface creation, I would strongly advise unchecking this checkbox: Default Gateway, which is inside the advanced tab. This is because you only want the router to have one default route, typically wan or wwan; otherwise traffic may leak through different interfaces. This can also be important for VPN policies.

If it still doesn't work please share your contents with us.

  • /etc/config/network
  • /etc/config/firewall
  • /etc/config/dhcp

Discard mac addresses, isp infos, and vpn keys.
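Item 2 above written out as /etc/config/firewall, as an added example that is not part of the original reply. The zone and interface name vlan10 and the wan zone are assumptions. Variant A is the zone as the reply describes it; variant B is a narrower alternative that keeps input at REJECT and opens only DHCP and DNS, so clients on the VLAN get a lease without being able to reach LuCI or SSH on the router. Use one of the two, not both.

```uci
# /etc/config/firewall (constructed example, names are assumptions)

# --- Variant A: zone input ACCEPT, as in the reply above ---
config zone
	option name 'vlan10'
	list network 'vlan10'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# --- Variant B: input stays REJECT, only DHCP and DNS are opened ---
config zone
	option name 'vlan10'
	list network 'vlan10'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-vlan10'
	option src 'vlan10'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-vlan10'
	option src 'vlan10'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# --- Both variants: let the VLAN reach the internet through wan ---
config forwarding
	option src 'vlan10'
	option dest 'wan'
```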

I have an issue when modifying a bridge interface's VLANs because of the confusion with the VLAN Filtering checkbox. So, you might be experiencing this same situation.

If I understood this post correctly, the filtering checkbox works as expected.

What you describe, not seeing 0, is normal in OpenWrt: default values often have no entry at all inside the config to save space, but one can also explicitly state '0'; no entry is the same as the default.

It is confusing because not all uci/config nodes operate the same: on network, for some protos this is not acceptable, especially for the required options where there is no default, but in this context it is.

About the 90s no connection, I'm a little confused about this, did you also do this?

Otherwise this issue is new for me; since I left GL firmware, I did not expect this new issue to also get added.

The only issue I do know exists is that the LuCI DSA implementation in GL firmware seems old (from early LuCI OpenWrt 21) and broken: it has a visual ghosting bug when adding VLANs with the Add button. You have to click Save and then return to actually see the new VLAN boxes; otherwise, if you spam the button, you see 100 VLAN boxes after applying... Just don't let this glitch make you think you need to apply, it is a purely visual issue in LuCI. The right box on top will show you the unsaved results if you click on Save; you will also see the addition of br-lan.1 if the VLAN filtering checkbox has been checked :slight_smile:

I do not have a br-lan.1 device. I tried what you suggested by going into LAN interface and changing br-lan to br-lan.1 however…no such item exists. Is this a standard that is supposed to be there, in which case is this a problem with my router itself? Do I create it and if so, what values do I use?

you requested some info if I was still having issues so am including here:

JK_MT6000.Config.zip (2.3 KB)

I see you most likely have just the factory configuration; nothing shows me what you tried for VLANs.

so since I sit on my pc now, I can help making a tutorial.

First we navigate to interfaces:

you will see something like:

now click on Devices as shown here:

this will result in something like this:

on the left tree you can see how the device names are named, br- stanza means it is a bridge, for vlans we want to have bridge vlan filtering :slight_smile:

Lets edit br-lan by clicking on Configure...

you will see:

now click on tab Bridge VLAN filtering:

and you will see this:

Great! Let's check Enable VLAN filtering, but do not save yet.

Now click on Add and you will see:

If not, it is a visual bug that is part of the ancient LuCI by GL-iNet: click Save, scroll down and click Save again. I can't stress this enough: do not save and apply.

Now navigate back to Bridge VLAN filtering and you will see the expected result as of the image.

As for now without any untagged traffic or defined pvid (primary vlan id) this will not function, so lets fix it:

Now vlan 1 is the default vlan on all ports, each port can only have 1 untagged vlan, and after the port vlan 1 will not traverse further and won't exist, untagged vlans are for the destination ports and not for passing through.

Okay great, click on save, and then navigate back to this page, again: DO NOT SAVE AND APPLY, because br-lan under interface lan needs to be changed into br-lan.1 so lets navigate back to this tab menu:

and edit lan:

you will see something like this:

note that your ip address might be different, just ignore that, lets only change this field:

and you will see:

Select br-lan.1, and now you can finally click save, scroll down and click on save and apply.

great we now got the pvid ready, and basic vlan filtering, now we want to add more vlans.

lets head back to Bridge vlan filtering when editing br-lan.

and add a few vlans like this...

Okay, but how do I assign only one vlan to one port?, lets say port lan5 gets vlan 10.

Then we do:

And what about multiple vlans on one port?:

Alright, in that case tagged VLANs (T) get used. Tagged VLANs can be added to untagged ports as well and traverse further. Note that you need a VLAN-aware device on the other end as well, to either make the tagged VLAN traverse further (through multiple switches) or to turn the tagged VLAN into an untagged VLAN for a final destination port. Untagged is for the final destination and won't exist anymore after the port; tagged will traverse further and is not for the destination.

So if you have a VLAN-aware managed switch, you could theoretically assign tagged VLANs as untagged on other ports and have more ports :wink:

Now click Save, and here it is fine to also save and apply; it is only important not to do so when configuring the managed VLAN, aka lan.

Great, we now have the managed VLAN working, and we also have one port, lan5, with default VLAN 10, but now we need to assign VLAN 10 to an actual network interface. Let's do that now.

after we clicked on save and save and apply, lets navigate back to interfaces:

scroll down until you see button:

this will result into:

you can give it any name this is your own preference ;-), lets fill it in like this:

and click Create interface

you will see this:

now you can fill this in like this:

As for the IPv4 address, you can use any IP here as long as it is RFC 1918 compliant. Do not fill in IPv4 gateway or broadcast; the light greyed fields need to be empty.

now lets click on Advanced Settings:

and uncheck this:

This is because you do not want the interface to generate a default route; your default route should be wan, wwan or follow lan since it is a special interface, otherwise traffic could forward through different interfaces, which is not good.

now lets click on Firewall Settings:

and create a new firewall zone like this and click enter:

now lets navigate to DHCP server:

and click on Set up DHCP Server.

you could change the start to 2 but you can also just click save.

Great, you got your first vlan created and assigned to a new interface, but you still have to do one configuration change, remember you created a new firewall zone vlan10?, by default this blocks input, and this prevents clients getting an ip address from dhcp.

so lets navigate to:

and then to:

you will see this:

and you want to turn this:

into this:

click save and apply.

now edit vlan10, you will see this:

and you want to edit:

result:

Note: VPN policies or VPN might not work with this because the GL firmware is not made fully compatible with VLANs and you need to modify scripts, but this is how you would do it if it did work; at least it will have internet through wan.

In some situations VLANs may not be needed. In that case you want to create a new interface and, instead of assigning br-lan, you assign the port, e.g. lan2; you also need to remove lan2 from br-lan. If wifi also needs to be connected, then you must also remove lan2 from bridge br-lan and create another bridge with lan2, with the checkbox Keep up empty bridge checked, then assign the new bridge to your new interface; for wifi, bridges are required.

I hope this helps a bit, please take as much time as you want :slight_smile:

There's no shame in this; I myself also started with zero knowledge, so feel free to ask if you have questions :wink:

edit:

here is a working example without a vm on proxmox just on my main router:

As you can see, my default VLAN for ports is 169, so instead of 1 I assigned br-lan.169 on lan. It doesn't really matter; for simplicity keep VLAN 1. But what I wanted to show is what happens on lan3: lan3 does not use 169 but instead VLAN 180, if you scroll down. On lan1 I also have multiple (T) tagged VLANs; these will reach my switch, where I untag ports. I hope this also answers some other questions :wink:

Edit 2:
I noticed lan4 having two untagged; I was experimenting there. If you look carefully, one has a * and is set to primary; the other untagged packet is therefore discarded/not sent on the port :slight_smile:

3 Likes
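The end state of the tutorial above written out as /etc/config/network, as an added example that is not part of the original post and not taken from either poster's router. The IP addresses and the choice of lan1 as the tagged port towards a VLAN-aware switch are assumptions.

```uci
# /etc/config/network (constructed example; addresses are assumptions)

config device
	option name 'br-lan'
	option type 'bridge'
	option vlan_filtering '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# VLAN 1: untagged and primary (u*) on every port that stays in the LAN
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# VLAN 10: the only untagged VLAN on lan5, tagged (t) on lan1 (assumed uplink)
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan5:u*'

# lan must reference br-lan.1, not br-lan, before the first Save & Apply
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

# New interface on VLAN 10; defaultroute '0' is the unchecked gateway checkbox
config interface 'vlan10'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
```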

Excellent! Thank you so much! I now have VLAN setup on my router. I’m now stuck getting my switches to behave downstream of this but the router finally made it all the way thru with your direction. I appreciate the help!

1 Like

you can always ask or ping me if you need help with this switch :slight_smile:

I'm going to show a pic of how I do it; this is on a Zyxel GS1900-8hp.

as you can see, I tag back vlan 53 on the default trunk port (or 'wan' since switches don't technically own wan ports :slight_smile: )

on OpenWrt this looks like this:

(this version of OpenWrt is newer because I compile OpenWrt without the gl firmware directly from github from the main branch)

I have a pair of TrendNET 3102WS. I setup what I thought was right but then my PC didn’t get an IP. Sort of problematic! I’m a developer from waaay back (now an exec so much less smart!). Networking never my gig but I’m trying!

So, my PC is plugged into port 1 of this switch. I setup VLAN 15 as “MAIN”, made sure Port 1 was untagged for that vlan, made sure the PVID was set to 15 for that port. It all spelled “C-A-T” until I tried and my PC essentially had some random IP from who-knows-where.

I’m sure the devil is in the tagging or some mysterious setting only known to “network” genies. Any clues?

An update…if PC plugged into port 1, no IP. If I plug it into another, say port 2, works fine but sets to subnet of router and switch (.10)

hmm and where is the upstream cable to your OpenWrt router connected on this switch?

Usually, since switches don't have a real 'wan' port, I would just use port 1 for 'wan' and connect your computer to port 2; this makes it a lot easier to keep it abstract and visible :wink:

One issue is that switches often test ports, but it is not aware which port is the trunk port; now it may think your connected computer is 'wan'. For redundancy I would always use the first port for 'wan'.

switches often iterate from 1 to more when testing who is upstream, because it is for redundancy reasons, in datacenters (which is in this situation out of scope), network engineers can attach another switch on port 2, if one cable breaks, it will not break the connection, because the switch changes to port 2.

this shows what I mean with images the first image is normal home user related, second image shows what the switch does i.e for datacenter purposes :wink:

you may want to reset it, otherwise it may be inaccessible :slight_smile:

if untagged, you don't have to set pvid on the pc, untagged means default vlan for that port, you only set the vlan in your pc if the vlan was tagged.

Xfinity bridge (ISP) > GL-iNET router (wan port)

Router port 1 > port 8 on the Trendnet switch

in that case on your switch:

you want to tag vlan 15 on port 8, and on port 1 of your switch untag vlan 15.

^ if for some reason it is not possible, then the switch hides tagging back to upstream; you may want to switch ports: port 8 must be 1, and port 8 must be pc or 2 but not 1. I have seen this phenomenon also on Ubiquiti switches; it is to make it easier, but it confuses users with raw VLAN networking due to the fact that it hides tagging back :wink:

then use vlan 0 (or none vlans), on the pc.

tip:
also you don't need to tag the same vlan on an untagged port :slight_smile: this can cause a loop, other vlans are just fine, but OpenWrt can lock up because it sees packets with the same source address.

at your suggestion I changed the trunk into the switch to port 1. I think changed the VLAN setup to Tag port 2 to my VLAN and removed the untag from port 1. The problem just moved. Port 1 working as the trunk and port 2 gives the PC no IP. If I plug the PC into 3 (or other), works fine but resolves to default IP scheme.

ah, can you show the contents of:

  • /etc/config/firewall
  • /etc/config/network
  • /etc/config/dhcp

maybe this can tell me what is going on :slight_smile:

edit:

I took note of this screenshot:

if I'm correct looking at your screenshot, I see under the blue arrow 1-2-3 etc.

if I follow your old config a bit, under the category Untagged, you need to make 1:U for pc.
under category Tagged, you need to set port 8:t, your screenshot is exactly mirrored. :slight_smile:

I'd guess these two categories can better be translated to: Tagged (upstream) and Untagged (downstream). Since you have a secondary option to change U/T, it isn't the correct terminology, but it seems like that in your UI.

The configs seem incomplete; can you try using WinSCP? It works similarly to FileZilla.

that would be much better :slight_smile:

files.zip (1.2 KB)

ran these out of WSL (busy box) and then copied them into notepad++. made me use uci show commands cause of security.

the files are incomplete, it is not the full network config or firewall.

config files.zip (2.4 KB)

when I looked at your network config I see:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

change this to:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:u'
	list ports 'lan4:u'
	list ports 'lan5:u'

as for vlan 55, I also see no tagged list ports.

for the rest it seems ok, you may want to lowercase network interface MAIN as Linux is very case sensitive.

firewall seems also okay, if you plan to lowercase it you have to change the interface when editing the firewall zone.

the case sensitive part won't break though.

dhcp seems also fine.

I made all those vlans have lan1 U but didn’t change anything else. It saved and applied but still acts the same as before.