VLAN tagging on OpenWRT/managed switches

By Atomstar on Wednesday 3 April 2019 20:31 - Comments (5)
Category: Smarthome, Views: 2.388

I wanted to place my router somewhere not in the meterkast, so I used VLAN tagging on a managed switch to get the WAN data to the router and my LAN data back on the same wire (but different VLAN) to distribute to the rest of the house.

VLAN in theory

VLANs (Virtual LANs) are a way of segregating traffic virtually without the need for separate cables. This can be very useful in a business setup to separate different access/security zones (e.g. the finance and development departments). (Dutch) ISPs also use it to separate TV from Internet traffic. For example, Telfort uses VLAN 34 and XS4ALL uses VLAN 6.

VLAN in practice

VLAN network architecture
I use VLANs to forward all WAN traffic via a managed switch to my router which then NATs the connection and takes care of DHCP/DNS etc. I then return the LAN traffic from the router back to the switch over the same cable, but different VLAN, such that the switch can then distribute the LAN connection to further devices.

Hardware used:

Configuration on router and switch

On my switch, I receive WAN traffic (VLAN 34) on port 1, and use port 2 both to forward the WAN traffic to my NAT'ing router and to receive the LAN traffic back from the router:

VLAN config: which ports are part of which VLAN:
[screenshot: Netgear GS108E v3 VLAN config]
VLAN membership: for each VLAN, whether ports tag outgoing packets or not (redundant with the above):
[screenshot: Netgear GS108E v3 VLAN membership]
[screenshot: Netgear GS108E v3 VLAN 34 membership]
Port PVID: for incoming untagged packets, which VLAN should these be treated as?
[screenshot: Netgear GS108E v3 VLAN Port PVID]

On the NAT'ing router, I configure the WAN port to handle both VLAN 34 and VLAN 1 traffic. Since both go over one wire, the packets need to be tagged (otherwise they could not be distinguished). The other ports are also part of VLAN 1, but untagged, so that clients do not notice anything of the VLAN; see below:
[screenshot: OpenWRT switch VLAN config Telfort]

Once configured, WAN traffic arrives at the switch, is forwarded to the router and goes through NAT, after which it is sent to the client, which may mean the packet travels back to the switch.
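To check what this membership/PVID layout actually does to a frame, here is a small model of 802.1Q ingress and egress handling, written for this post as an added example (it is not part of the original post or of any OpenWRT/Netgear code). It assumes port 1 is a tagged member of VLAN 34 only, port 2 is tagged on VLAN 1 and VLAN 34, ports 3 to 8 are untagged members of VLAN 1 with PVID 1, and that the switch drops a tagged frame whose VLAN the ingress port is not a member of (ingress filtering); the last assumption is the one worth verifying on the real switch.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

TAGGED, UNTAGGED = "T", "U"

# Constructed membership table: MEMBERSHIP[vid][port] -> egress tagging mode.
# Ports absent from a VLAN's dict are not members of that VLAN.
MEMBERSHIP: Dict[int, Dict[int, str]] = {
    1: {2: TAGGED, **{p: UNTAGGED for p in range(3, 9)}},
    34: {1: TAGGED, 2: TAGGED},  # assumption: port 1 is tagged on VLAN 34
}
# Constructed PVIDs: the VLAN an untagged ingress frame is classified into.
PVID: Dict[int, int] = {1: 34, 2: 1, **{p: 1 for p in range(3, 9)}}


@dataclass(frozen=True)
class Frame:
    in_port: int
    vid: Optional[int]  # None = frame arrives untagged on the wire


def forward(frame: Frame) -> Dict[int, Optional[int]]:
    """Return {egress_port: vid_on_wire} (None = sent untagged), or {} if dropped.

    Unknown destination MACs are assumed, so the frame floods to every other
    member of its VLAN.  Ingress filtering drops a tagged frame on a port that
    is not a member of the tagged VLAN.
    """
    vid = frame.vid if frame.vid is not None else PVID[frame.in_port]
    members = MEMBERSHIP.get(vid, {})
    if frame.in_port not in members:
        return {}
    return {
        port: (vid if mode == TAGGED else None)
        for port, mode in members.items()
        if port != frame.in_port
    }


def leaking_client_ports(client_ports=range(3, 9), wan_vid: int = 34) -> List[int]:
    """Client ports from which a frame tagged with the WAN VLAN would be forwarded.

    An empty list means a client cannot reach the WAN VLAN just by tagging
    its own frames; a non-empty list is a misconfiguration to fix.
    """
    return [p for p in client_ports if forward(Frame(p, wan_vid))]
```

Running `forward(Frame(3, 34))` returns `{}` and `leaking_client_ports()` returns `[]` for this layout, while a WAN frame on port 1 egresses only port 2, still tagged 34.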


Comments

By Tweakers user Atomstar, Thursday 4 April 2019 07:43

Thanks, but if untrusted clients are connected to untagged ports, this should not happen right? The switch/router will reject the tagged packets as it expects untagged packets, or am I mistaken?

By Tweakers user vanaalten, Thursday 4 April 2019 08:08

On the switch, the 2nd picture (VLAN membership), you've set port 2 as tagged, 3...8 as untagged and port 1 not specified.

Why is 1 not specified as tagged/untagged? Could or should this have been set to untagged or tagged?

By Tweakers user Qwerty-273, Thursday 4 April 2019 12:44

I wanted to place my router somewhere not in the meterkast,
:Y) _O- :9B

By Tweakers user Atomstar, Friday 5 April 2019 22:03

vanaalten wrote on Thursday 4 April 2019 @ 08:08:
On the switch, the 2nd picture (VLAN membership), you've set port 2 as tagged, 3...8 as untagged and port 1 not specified.

Why is 1 not specified as tagged/untagged? Could or should this have been set to untagged or tagged?
Port 1 is not a member of VLAN 1, but only VLAN 34. I've added one screenshot I forgot earlier, showing the VLAN 34 port memberships. (However, I don't think it really matters, as LAN traffic with private IP addresses will not likely be routed to the WAN port of my switch.)
