Off Topic: Networking and VLANs

paulca:
I know this is off topic, but to be honest I expect I will get better discussion and answers here than on most IT forums.

My network currently is 100% the same subnet, same Ethernet broadcast domain with the only exception being Guest WIFI provided by 2 out of 3 access points.

I have a new requirement to provide at least 1 wired Ethernet port on the Guest network.  Thus, as I'm not going to run separate cables and switches for this wired guest network, I need to VLAN it.

I understand what VLANs are and the basics of how to use them.  I'm just struggling to fit this into my current setup with minimal impact / reconfiguring.

I "believe" I have everything I need: the access switch is managed and supports VLANs, and the "Main" router is OpenWRT v21 and supports VLANs. They are connected by a single CAT5e gigabit Ethernet link.

I chose VLAN 1 = LAN, VLAN 3 = Guest. (2 was already there for WAN which I am not yet using).

So I set the access switch port 8 to be Untagged on VLAN 3 and removed VLAN 1 from port 8.  This had the expected effect of isolating the machine on port 8 entirely.

This is where it goes wrong.  I then added VLAN 3 as "Tagged" on the trunk link (port 4) to the Main 'switch/router' downstairs.  I added a virtual interface on VLAN 3 and gave it a static IP.  I statically assigned the Guest machine a fixed IP and tried to ping the remote VLAN 3 interface.  Nothing happened.

The issue may be that Port 4 (the trunk link) has to also carry VLAN 1, which it currently does as Untagged. I feel that while the NetGear switch will allow me to have an Untagged VLAN 1 and a Tagged VLAN 3 down the same port, it's not a correct config. Basically VLAN 1 continues to work, but VLAN 3 doesn't... or it appears not to, as I'm not sure about either end's setup.

I tried a few times to Tag both VLAN1 and VLAN3 on port 4, but as I am on the remote end of that trunk link, any mistake removes access to the admin page on the main router.  I have to swap the VLANs around to get access to it again.

Part of the problem is that OpenWRT just went through a major shift in underlying tech, from Linux swconfig to Linux DSA.  This renders a lot of terminology and YouTube guides/howtos out of date and confusing.

I don't want to break my network too much as I need it. So I am hoping to maybe get another OpenWRT router (cheap) and set up this guest network on the "unused" side of the switch, not the Main switch in the hallway! If that makes sense.

I expect I need to make that trunk link Tagged on both VLAN1 and VLAN3 and put associated VLAN devices with interfaces on router and bridge these appropriately with the gateway network.   There are a lot of pieces to get into place and working currently without locking myself out of parts of my network.

Any thoughts, guidance? Anyone familiar with OpenWRT v21 or DSA switching and VLANs?

Miyuki:
In my experience, if you combine tagged and untagged traffic you end up with a mess.
Plus this is the main reason why it is good practice to have a separate management interface/VLAN or whatever.

NiHaoMike:
https://goughlui.com/2018/08/17/tested-vlans-in-the-home-through-dumb-switches/
Quick summary is that mixing tagged and untagged VLANs works just fine, just not the most secure. In your case, the devices on the untagged network are "trusted" so it shouldn't be much of an issue.

Also, have you considered using a Torbox to provide the guest network? Could be a good idea for particularly untrustworthy guests.
https://www.torbox.ch/

magic:

--- Quote from: paulca on December 01, 2021, 11:19:55 am ---Part of the problem is that OpenWRT just went through a major shift in underlying tech, from Linux swconfig to Linux DSA.  This renders a lot of terminology and YouTube guides/howtos out of date and confusing.

--- End quote ---
:wtf: |O
Typical Loonix, just as something starts to work alright they go and fuck it up.
I really don't get the point of this change at all, the old system was very simple and easy to understand and to configure. The new system apparently just obscures the internal structure of the router behind some useless abstraction of an "external port" (and of course changes all the config tools) :palm:

Anyway, it seems you could follow example 4 from here:
https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial
Switch the LAN interface from br-lan to br-lan.1 (be sure not to leave WiFi out, what a fucking trainwreck) and create a new interface ("GUEST") on br-lan.3.
 :-//

Or downgrade to OpenWRT 20 :-DD


--- Quote from: NiHaoMike on December 01, 2021, 12:59:26 pm ---Quick summary is that mixing tagged and untagged VLANs work just fine, just not the most secure. In your case, the devices on the untagged network are "trusted" so it shouldn't be much of an issue.

--- End quote ---
In OP's case the devices on the mixed link are both managed switches so there is no trust issue as long as the two ends are configured correctly.
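
To make the "both ends configured correctly" point concrete, here is an added example (not code from the thread, from OpenWrt or from the linked tutorial): a constructed OpenWrt 21.02 DSA `/etc/config/network` fragment in the br-lan.1 / br-lan.3 shape magic describes, a tiny reader for its `bridge-vlan` sections, and a check that compares the router's trunk port against a model of the NetGear trunk port from the first post (VLAN 1 untagged, VLAN 3 tagged). The port names lan1..lan4, the addresses and the switch-side table are assumptions chosen for illustration; the `:u*` (untagged + PVID) and `:t` (tagged) port suffixes are the DSA bridge-vlan syntax from the OpenWrt documentation.

```python
"""Compare both ends of a VLAN trunk and report membership mismatches.

Added example, not from the thread. Port names lan1..lan4, IP addresses
and the switch-side table below are constructed for illustration.
"""
import re

# Constructed OpenWrt 21.02 (DSA) /etc/config/network fragment: LAN lives on
# br-lan.1, GUEST on br-lan.3, and lan4 is the trunk towards the access switch.
# Flags: ':u*' = untagged member and PVID, ':t' = tagged member.
UCI_NETWORK = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan4:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
"""

# Constructed model of the NetGear access switch from the first post:
# trunk port 4 carries VLAN 1 untagged and VLAN 3 tagged, port 8 is VLAN 3 only.
SWITCH_PORTS = {
    "port4": {1: "untagged", 3: "tagged"},
    "port8": {3: "untagged"},
}


def parse_bridge_vlans(uci_text):
    """Return {port: {vlan: 'tagged' | 'untagged'}} from bridge-vlan sections.

    Minimal UCI reader: a 'config <type>' line opens a section, 'option' and
    'list' lines belong to the open section. Only bridge-vlan sections count;
    the port list of the 'config device' section is ignored on purpose.
    """
    sections, current = [], None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.match(r"config\s+(\S+)", line)
        if head:
            current = {"type": head.group(1), "vlan": None, "ports": []}
            sections.append(current)
            continue
        if current is None:
            continue
        vlan = re.match(r"option\s+vlan\s+'?(\d+)'?", line)
        if vlan:
            current["vlan"] = int(vlan.group(1))
            continue
        port = re.match(r"list\s+ports\s+'?([^']+)'?", line)
        if port:
            current["ports"].append(port.group(1))

    memberships = {}
    for sec in sections:
        if sec["type"] != "bridge-vlan" or sec["vlan"] is None:
            continue
        for entry in sec["ports"]:
            name, _, flags = entry.partition(":")
            mode = "tagged" if "t" in flags else "untagged"  # sample uses explicit flags
            memberships.setdefault(name, {})[sec["vlan"]] = mode
    return memberships


def compare_trunk(side_a, side_b):
    """List the reasons a VLAN would not pass between two ends of one link.

    A VLAN only works across the link when both ends carry it the same way
    (both tagged or both untagged); a port may also carry only one untagged
    VLAN (its PVID), so more than one is flagged as well.
    """
    problems = []
    for vlan in sorted(set(side_a) | set(side_b)):
        a, b = side_a.get(vlan), side_b.get(vlan)
        if a is None or b is None:
            problems.append(f"VLAN {vlan}: present on one end only ({a or 'absent'} / {b or 'absent'})")
        elif a != b:
            problems.append(f"VLAN {vlan}: {a} on one end, {b} on the other")
    for label, side in (("A", side_a), ("B", side_b)):
        untagged = sorted(v for v, mode in side.items() if mode == "untagged")
        if len(untagged) > 1:
            problems.append(f"end {label}: more than one untagged VLAN {untagged}; only one PVID per port")
    return problems


if __name__ == "__main__":
    router = parse_bridge_vlans(UCI_NETWORK)
    print("router lan4:", router["lan4"])
    print("matching trunk:", compare_trunk(SWITCH_PORTS["port4"], router["lan4"]) or "OK")
    # The state described in the first post: VLAN 3 tagged on the switch side,
    # but not yet a member of the router's trunk port, so VLAN 1 works and VLAN 3 does not.
    print("VLAN 3 missing on router:", compare_trunk(SWITCH_PORTS["port4"], {1: "untagged"}))
```

The network config only creates the two bridge VLANs and their interfaces; keeping guest hosts away from the LAN is still the job of the firewall zone the `guest` interface is placed in, and the check above deliberately reports the one-untagged-VLAN-per-port rule because a switch UI will often let you save a configuration that violates it.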

newbrain:
I cannot be of much help as I have different equipment (EdgeRouter-X and a D-Link managed switch), but the setup on my LAN is very similar:
A trunk from the router with untagged frames + VLAN10 tagged ones, and the same on the switch where 6 ports get only the untagged frames, and 2 ports only the VLAN 10 tagged ones.
Different networks (10.x.x.x and 192.168.x.x), DHCP on both from the router, no other services on VLAN 10 (e.g. DNS, WAN access etc).

No problems in what is now ~5 years - apart from the initial learning curve to set it up.
