How to make VLAN work again after update from TOS 5 to 6?

I want to emphasize how important this step is. Without doing it that way you will lose access via the LAN ports…

That is what I did and it works, to the point that I have access to the LAN port via both an untagged interface and a tagged interface. The problem is that the untagged port br-lan.1 doesn’t seem to bridge correctly to the Wifi, as the device on this port cannot reach any devices connected to a wifi added to the same interface (and vice versa ofc.).
Interestingly the tagged vlan on the same port does correctly bridge to the Wifi added to the same interface.

I was under the impression, that it’s not possible to mix tagged and untagged traffic on a port.

I also don’t see the point of having multiple wireless SSIDs belonging to the same network.

But I just glanced over this.

Usually the native VLAN on a trunk port could be untagged.
Different SSIDs on the same vlan for example with different type of authentication or OTPs, etc.

I was under the impression, that it’s not possible to mix tagged and untagged traffic on a port.

This worked fine in TOS 5.0.

I also don’t see the point of having multiple wireless SSIDs belonging to the same network.

W1 and W2 are the same SSID, one on 2.4 and one on 5 GHz. W3 is the same network as W1 and W2 with a different SSID and different encryption for compatibility reasons with some old devices. W4 is a different network.

This whole configuration was done in TOS 5 in like 10 minutes.

Also not being able to have untagged and tagged VLAN on the same port would force me to introduce a tagged VLAN on the switched network that sits behind that port. Or it would require me to use a separate cable for the tagged VLAN which would then defeat the purpose of using a VLAN in the first place.


It is possible to have both tagged and untagged traffic on the same port.

Could you share the screenshots of Interfaces and Devices tab in Networking, details of the bridges, wireless settings and details of the firewall zones?

Okay, the “good” news, it seems to be more consistent now. Now no device on a wireless network can talk to any wired device or the router itself when I use VLAN. Here are my configurations. The br-lan device:


The LAN interface:





The DHCP server for this interface is running on 172.22.1.1 which is connected to br-lan.1.

The IOT interface:




This network is statically configured and doesn’t provide DHCP. I could not connect to the LAN network via Wifi since DHCP didn’t go through. It works without VLAN.

The wifi networks (I will only cover one of each network. The LAN network has multiple Wifi networks but they all behave the same and are identically configured, except 2.4/5GHz and SSID/key).
LAN wifi:





IOT wifi:





And my firewall configuration. Nothing special here:


lan:




iot:

the other three tabs are identical to lan
These are the traffic rules, I don’t think I changed anything here from the default:

Other than that no custom rules, no NAT rules, no enabled port forwards.

That being said the VLAN itself works fine. I can confirm a working communication on both the tagged and the untagged VLAN via ethernet. I just cannot reach the wifi networks (and vice versa) from the VLAN (or even from the router itself).

These are my interfaces and routes:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1024
    link/ether xxx brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP group default qlen 1024
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet6 fe80::da58:d7ff:fe00:8cd9/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1024
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet xxx/24 brd xxx scope global eth2
       valid_lft forever preferred_lft forever
5: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd :: permaddr 21e:55d2:9749::
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
7: lan0@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
8: lan1@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
9: lan2@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
10: lan3@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
11: lan4@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
12: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
13: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
14: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
17: br-guest_turris: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet 10.111.222.1/24 brd 10.111.222.255 scope global br-guest_turris
       valid_lft forever preferred_lft forever
25: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6f0:21ff:fe24:2543/64 scope link 
       valid_lft forever preferred_lft forever
36: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6f0:21ff:fe31:8e9f/64 scope link 
       valid_lft forever preferred_lft forever
37: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff permaddr xxx
    inet6 fe80::4f0:21ff:fe31:8e9f/64 scope link 
       valid_lft forever preferred_lft forever
38: wlan1-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff permaddr xxx
    inet6 fe80::f0:21ff:fe31:8e9f/64 scope link 
       valid_lft forever preferred_lft forever
39: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet6 fe80::da58:d7ff:fe00:8cd9/64 scope link 
       valid_lft forever preferred_lft forever
40: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet 172.22.1.254/24 brd 172.22.1.255 scope global br-lan.1
       valid_lft forever preferred_lft forever
    inet6 xxx::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::da58:d7ff:fe00:8cd9/64 scope link 
       valid_lft forever preferred_lft forever
42: br-lan.9@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xxx brd ff:ff:ff:ff:ff:ff
    inet 172.21.1.254/24 brd 172.21.1.255 scope global br-lan.9
       valid_lft forever preferred_lft forever
    inet6 fe80::da58:d7ff:fe00:8cd9/64 scope link 
       valid_lft forever preferred_lft forever
       
default via xxx dev eth2 proto static src xxx 
10.111.222.0/24 dev br-guest_turris proto kernel scope link src 10.111.222.1 linkdown 
xxx dev eth2 proto kernel scope link src xxx 
172.21.1.0/24 dev br-lan.9 proto kernel scope link src 172.21.1.254 
172.22.1.0/24 dev br-lan.1 proto kernel scope link src 172.22.1.254

Maybe that’s of any help.

I hope that gives you some information to work with. I have a workaround (which is not using the TO to provide the IOT wifi network at all) but I’m not really happy with that.
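
An added example, not part of the original post: a small shell helper that reads `ip addr` output like the listing above and reports which bridge each interface is enslaved to, listing wireless interfaces that are up but have no bridge master. The function names are assumptions, and the sample lines are constructed from the interface header lines of that listing (address lines omitted).

```shell
#!/bin/sh
# Sample input: header lines taken from the `ip addr` listing in the post.
sample_ip_output() {
cat <<'EOF'
7: lan0@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
25: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
36: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
37: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
38: wlan1-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
39: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
40: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
42: br-lan.9@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
EOF
}

# Print "<iface> <master or -> <state>" for each interface header on stdin.
# Indented address lines do not start with "<index>: " and are skipped.
bridge_members() {
  awk '/^[0-9]+: / {
    name = $2
    sub(/:$/, "", name)     # drop the trailing colon
    sub(/@.*/, "", name)    # drop the "@parent" suffix (lan0@eth1 -> lan0)
    master = "-"; state = "-"
    for (i = 3; i < NF; i++) {
      if ($i == "master") master = $(i + 1)
      if ($i == "state")  state  = $(i + 1)
    }
    print name, master, state
  }'
}

# Wireless interfaces that are UP but attached to no bridge at all.
unbridged_wlan() {
  bridge_members | awk '$1 ~ /^wlan/ && $2 == "-" && $3 == "UP" { print $1 }'
}

# Ports enslaved to the bridge named in $1.
ports_of() {
  bridge_members | awk -v br="$1" '$2 == br { print $1 }'
}

sample_ip_output | bridge_members
```

On the router itself, feed live data instead of the sample: `ip addr | unbridged_wlan`.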
