Quick primer to VLANs

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,665
Reaction score
4,673
Thanks to @TanKianW who helped straighten out my misunderstanding, I've gotten my 802.1q VLAN info refreshed.

VLANs = Virtual LANs. Simplistically, it's a way to use the same hardware you have in place - including cabling, and subdivide it into smaller networks. Here are some reasons why people may want to do this at home.
  • Some users want to divide servers (NAS, Printer, other servers) from other Clients (PCs, Laptops, Tablets and Phones), Media (TVs, Playstation, Wireless speakers), IoT (Smart devices like Home surveillance cameras, Fridge, Washing Machine, Doorbell, Lightbulbs, etc...). This creates separate networks and improves privacy and protection as it isolates the various groups away from each other. Your firewall rules will decide who you allow to communicate to each other.
  • VPN-on-Router setups. If you have your VPN configured on the router on its own VLAN, all devices on that VLAN share the same VPN connection. Since many VPN providers limit the number of client devices, the router itself is considered one connection instance - and you don't have to toggle on/off devices just to access the VPN - just connect to a different wireless SSID.
  • Some may be renting a room or two out, and want to create separate networks for their tenants, so that their tenants cannot access their own personal computers/infrastructure. It also protects the tenants' privacy, so that's a good thing too.

There are 2 types of devices - VLAN aware and non-VLAN aware. VLAN aware devices include some Routers, Managed Switches, some APs, servers. We tag at the switch/infrastructure level, and usually do not 802.1q tag individual clients since it's too easy for users to change the configuration on their own PCs. Conversely, we configure tagging at the servers rather than on the switch ports - but it's your choice.

Terminology is confusing. Let's stick to Tagged (Cisco: Trunk), Untagged (Cisco: "Access"), Native, Default.
  • DEFAULT VLAN = 1. We can't change it.
  • The NATIVE VLAN is the only VLAN which is not tagged in a trunk.
    • It works as if there is no VLAN configured like in an unmanaged switch - native VLAN frames are transmitted unchanged.
    • It's set out-of-the-factory at 1, but can be changed by the user as needed.
    • In a corporate setting, it's usually changed out of 1 to something the network admins will internally know.
  • The UNTAGGED VLAN is set at the port,
    • It is for devices that are not 802.1q capable. The device connected to this port is "set" on the VLAN.
    • For example, if I untag Port 4 as VLAN 88, it means that my computer plugged into Port 4 is on VLAN 88.
  • The TAGGED port allows you to pass traffic for multiple VLANs. It is used to connect multiple VLAN-infrastructure devices like the Router, Switch, Access Point.
    • For example, if Port 8 on my Switch is to pass through VLANs 11, 22, 33, 44, 88, and 99, I have to tag port 8 for all these VLANs.
---

Practical example, an exaggeration of my case. (My own network has simplified from this - this was an early example, but it's good to show separation of networks into 5 levels to demonstrate the principles). Let's assume that we are using 2 of the cheapest VLAN capable switches on the market, the 8-port TP-Link SG108e. It's around $50 brand new, has simple management capabilities.
  • I intend to have the following VLANs
    • 1 - Default. I leave my Router, both Switches SW01 & SW02, wireless Access Points wAP1, wAP2, wAP3 on this VLAN. 192.168.1/28, each device has its reserved IP. DHCP is on for 5 additional devices (nothing should be on this anyway). ARPwatch on.
    • 11 - Servers, for my NAS, Printer. 192.168.11/28, each device has reserved IP. DHCP off. ARPwatch on.
    • 22 - Clients. This is for all my computers, tablets, and phones 192.168.22/26, DHCP on
    • 33 - Media. This is for hall TV, parents room TV, Android TV box, Playstation, Google Home devices 192.168.33/28, DHCP on
    • 88 - Guests. This is for all other devices, including IoT. 192.168.88/24, DHCP on
    • (Optional) 77 - IPTV. This is to demonstrate a "private line" to connect a device, as if you physically lay a separate cable to connect the two ends. This is very useful to show that you can share a single laid physical cable for multiple networks.
  • Assume all VLANs configured on router with Firewall rules established. That is a separate topic.
SW01 - Router/DB
Port   Device                   VLAN Tags
#1     wAP1                     11U, 22T, 88T
#2     wAP2                     11U, 22T, 88T
#3     wAP3                     11U, 22T, 88T
#4     Parents' Room TV         33U
#5     -                        -
#6     (Optional Singtel TV)    77U
#7     Connect to Sw02          11T, 22T, 33T, 88T (, 77T)
#8     Connect to Router        11T, 22T, 33T, 88T (, 77T)

SW02 - Hall TV Area
Port   Device                   VLAN Tags
#1     NAS                      11T, 22U, 33U
#2     Printer                  11T, 22U, 88U
#3     Android TV Box           33U
#4     TV                       33U
#5     PS4                      33U
#6     (Optional Singtel TV)    77U
#7     -                        -
#8     Connect to Sw01          11T, 22T, 33T, 88T (, 77T)

So, the VLAN tags (T = Tagged, U = Untagged)
  • Sw01, Sw02 - see table above. By convention, I use the last ports as uplink/downlink. Feel free to use from the first port if you feel better about it - just be aware which ports you have decided to use for whichever purpose.
  • wAP
    • Wifi Network A - VLAN22
    • Wifi Network B - VLAN88
From the above table, all the media devices are in a world of their own (VLAN 33), and all the Guest+IoT devices are also in a world of their own (VLAN 88) - they only see each other and the Internet, but no other device on the LAN (except via the Internet). I even set them to use a different set of DNS servers (8.8.8.8 for Google) rather than share the DNS resolver on the router, to completely isolate them from the network.

If instead you were using it for Tenants, then VLAN22 is for Tenant 1 and VLAN 33 for Tenant 2... The Wifi SSIDs will be updated to reflect their own personal access, or you can plug in their own room Access Point to their assigned Switch Port (and you untag at the switch so that all their traffic going through that port is on that VLAN 22/33 respectively). No need to configure any VLAN tagging inside their own room APs. Just plug and play.

If I had SingtelTV, I could probably save one cable run and arbitrarily use Port #6 on both switches to a unique VLAN TAG (e.g., VLAN 77, remember to also Tag Port 7/8 on the respective switches) and pass through SingtelTV rather than run an extra physical line from the DB box to the TV Switch.

Changelog:
  • Simplified with Table.
  • Added VLAN 77 to demonstrate a "private line" over a physical line using managed switches. Useful if you want to use it to run a separate line to connect a device, for example. Or if you feel like reorganising your hardware and moving it around your home to suit your deployment better - one managed switch in the DB box and one managed switch at a more accessible central location can do wonders - with just one physical cable laid in between the 2 points.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
33,373
Reaction score
10,576
Some reference posts from brother TanKianW on the topic of VLAN

1) VLAN with pfSense
https://forums.hardwarezone.com.sg/threads/starting-pfsense-for-new-users.6390714/
2) VLAN with OpenWRT.
https://forums.hardwarezone.com.sg/...et-travel-router-for-new-users.6592979/page-2
3) Concept about VLAN switch and using TL-SG105E for Singtel ONT users
https://forums.hardwarezone.com.sg/...properly-singtel-asus-rt-ax86u.6564040/page-2
4) Mixing MR Internet with Singtel TV Box (Singtel ONR, only Singtel TV, no Singtel internet) using VLAN capable switch
https://forums.hardwarezone.com.sg/threads/starting-pfsense-for-new-users.6390714/page-12
I managed to get my Singtel IPTV working with MyRepublic broadband via a common single LAN cable using two TP-Link smart switches. See diagram attached below.

VLAN 20, Priority=4, PVID=1, IGMP Snooping Enabled

May be useful for your configuration.

[attached image: VOyJ5q0.jpg]
 


xiaofan

When we use simpler smart switches like TP-Link TL-SG105E, you will encounter PVID. It can be a bit confusing.

Ref: What is PVID?
https://www.megajason.com/2018/04/30/what-is-pvid/
It seems to me usually we will set the PVID value to be the same as the VLAN ID. But there are instances they can be different.

Ref: example use case for using different PVID and VLAN ID, when the connected device is doing the VLAN management.
https://forums.hardwarezone.com.sg/threads/starting-pfsense-for-new-users.6390714/post-139106277
*********** from the first link *****************
PVID is short for Port VLAN identifier.

The PVID of a port is the VLAN id that will be assigned to any untagged frames entering the switch on that port (assuming the switch is using port-based VLAN classification). This is a concept that is defined in IEEE 802.1Q.


For example, if you intend to connect a PC or a printer to a port, you would set the port as untagged in VLAN 10 and excluded from all other VLANS. The switch knows to only send VLAN 10 stuff to that port and to remove the VLAN tagging information before sending anything out.

But, what about untagged frames entering the switch from the PC or printer (They’ll be untagged because the PC or printer doesn’t know about VLAN). This is where PVID comes in. PVID tells the switch what to do with those untagged incoming frames. In this example, if the PVID doesn’t match the VLAN id, the PC won’t be able to communicate with anybody because the frames it sends into the switch will end up on the wrong VLAN.
**********************************************
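The Tagged/Untagged/Native rules in the primer above and the PVID note just quoted are easiest to see by running them. The following is an added example, not code from any of the posts: a small model of an 802.1Q switch port with T/U membership and a PVID, loaded with the primer's SW01 table. Port numbers follow that table; the PVIDs (11 on the wAP ports, 33 on the TV port, the factory 1 on the trunks) and the MAC addresses used in the usage note are assumptions, since the primer lists membership only.

```python
"""802.1Q port membership (Tagged/Untagged) and PVID, as a small switch model."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    tagged: Set[int] = field(default_factory=set)    # VLANs that leave this port with an 802.1Q tag (T)
    untagged: Set[int] = field(default_factory=set)  # VLANs that leave this port with the tag stripped (U)
    pvid: int = 1                                    # VLAN assigned to frames that arrive without a tag

    def member_of(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None  # None = no 802.1Q tag on the wire


class Switch:
    def __init__(self, ports: Dict[int, Port]) -> None:
        self.ports = ports
        self.fdb: Dict[Tuple[int, str], int] = {}  # (vid, mac) -> port the MAC was learned on

    def ingress(self, port_no: int, frame: Frame) -> Optional[int]:
        """Classify an arriving frame. Untagged frames take the port's PVID; tagged
        frames keep their VID. Returns None (drop) when the port is not a member of
        that VLAN, which is the 'PVID does not match the VLAN id' failure above."""
        port = self.ports[port_no]
        vid = port.pvid if frame.vid is None else frame.vid
        if not port.member_of(vid):
            return None
        self.fdb[(vid, frame.src)] = port_no  # MAC learning is per VLAN
        return vid

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Return {out_port: frame as it leaves that port}. A known unicast goes to
        the learned port only; broadcast/unknown unicast floods to every other
        member port of the VLAN. The egress tag depends on the port's membership."""
        vid = self.ingress(in_port, frame)
        if vid is None:
            return {}
        learned = self.fdb.get((vid, frame.dst))
        targets = [learned] if learned is not None else [
            p for p, port in self.ports.items() if port.member_of(vid)]
        out: Dict[int, Frame] = {}
        for p in targets:
            if p == in_port:
                continue  # never reflect a frame back out its ingress port
            egress_vid = vid if vid in self.ports[p].tagged else None  # T keeps the tag, U strips it
            out[p] = Frame(frame.dst, frame.src, egress_vid)
        return out


def ap_port() -> Port:
    """wAP ports in the primer's SW01 table: 11U, 22T, 88T (AP management untagged on 11)."""
    return Port(tagged={22, 88}, untagged={11}, pvid=11)


def primer_sw01() -> Switch:
    """SW01 from the primer: wAPs on ports 1-3, the TV on port 4 (33U), and ports
    7 and 8 as trunks carrying 11, 22, 33, 88 tagged. The PVIDs are assumptions;
    the primer's table gives membership only."""
    trunk = {11, 22, 33, 88}
    return Switch({
        1: ap_port(), 2: ap_port(), 3: ap_port(),
        4: Port(untagged={33}, pvid=33),
        7: Port(tagged=set(trunk)),  # PVID stays at the factory 1, but the port is not a member of VLAN 1
        8: Port(tagged=set(trunk)),
    })
```

With `sw = primer_sw01()`, an untagged broadcast from the TV on port 4 is classified to VLAN 33 and leaves only ports 7 and 8, tagged 33; a VLAN 22 frame arriving tagged on the router uplink reaches ports 1, 2, 3 and 7 tagged and never the TV; and an untagged frame from wAP1 on port 1 leaves ports 2 and 3 untagged but ports 7 and 8 tagged 11. Setting port 4's PVID to 1 while it is only a member of 33 makes every untagged frame from the TV disappear, and an untagged frame sent into a tagged-only trunk is dropped the same way, because the factory PVID 1 is not a member VLAN there.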
 

xiaofan

Some success here under pfSense.
https://forums.hardwarezone.com.sg/threads/starting-pfsense-for-new-users.6390714/page-42
After reading some of the articles about VLAN and PVID, I decided to treat the Singtel Mesh Router and the Huawei AX3 Quad Core version as dumb APs. In that case, I have moved to the following simpler settings and then both will work as expected. The Singtel Mesh Router may know VLAN IDs 10, 20, 30 and 40, so I moved the VLAN IDs to 60 and 80, and use the simpler PVID=VLAN ID settings for the untagged ports.

When the APs connect to Port 2/3: 192.168.60.x IP address for VLAN60
When the APs connect to Port 4/5: 192.168.80.x IP address for VLAN80
When the APs connect to Port 6/7: 192.168.28.x IP address for LAN
When the APs connect to Port 8: 192.168.28.x IP address for LAN
TL-SG108E static IP: 192.168.28.2, so I can access the web GUI from wireless AP connected to Port 6/7/8.

I will learn more about Firewall rules from this base settings.

[attached image: WeOzwlX.png]

[attached image: oSuFjo1.png]
 

xiaofan

However, I can not replicate the same success under OpenWRT 21.02. The TL-SG108E settings are kept and I want to have similar outcome as the above pfSense case.

The documentations and Youtube tutorial seem to be a bit confusing.

OpenWRT: default br-lan (eth0) -- 192.168.48.1

Desired outcome:
When the APs connect to Port 2/3: 192.168.60.x IP address for VLAN60
When the APs connect to Port 4/5: 192.168.80.x IP address for VLAN80
When the APs connect to Port 6/7: 192.168.48.x IP address for LAN
When the APs connect to Port 8: 192.168.48.x IP address for LAN

Current outcome:
When the APs connect to Port 2/3: not working, no DHCP address is given
When the APs connect to Port 4/5: not working, no DHCP address is given
When the APs connect to Port 6/7: 192.168.48.x IP address for LAN, this is working
When the APs connect to Port 8: 192.168.48.x IP address for LAN, this is working

I tried different methods based on the OpenWRT user guide and Youtube tutorial.
https://openwrt.org/docs/guide-user/network/dsa/converting-to-dsa
https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial
 

xiaofan

By right, it should be simpler as there is no switch in my setup, only one eth0 (LAN) and one eth1 (WAN).

Code:
root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd72:ce53:b2a3::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.48.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '60'
        option name 'eth0.60'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '80'
        option name 'eth0.80'
        option ipv6 '0'

config interface 'VLAN60'
        option proto 'static'
        option device 'eth0.60'
        option ipaddr '192.168.60.1'
        option netmask '255.255.255.0'

config interface 'VLAN80'
        option device 'eth0.80'
        option proto 'static'
        option ipaddr '192.168.80.1'
        option netmask '255.255.255.0'
 

lilycll

Senior Member
Joined
May 7, 2018
Messages
2,012
Reaction score
498
By right, it should be simpler as there is no switch in my setup, only one eth0 (LAN) and one eth1 (WAN).


Did you check if the DHCP Server is set up correctly to allocate IP Addresses to VLAN60 or 80? Or if a DHCP Relay Server is set up?

See example DHCP config file:
Code:
/etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option localservice '1'
    option sequential_ip '1'
    option filterwin2k '1'
    option local '/lan/'
    option domain 'lan'
    option strictorder '1'
    option dnsforwardmax '500'
    option cachesize '10000'
    option nonwildcard '1'
    list notinterface 'wan'
    list notinterface 'wan6'
    list interface 'lan'
    list interface 'wlan02'
    list interface 'wlan03'
    list interface 'lan4'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '50'
    option leasetime '8h'
    option dhcpv6 'server'
    option ra 'server'
    option ra_management '1'

config dhcp 'lan4'
    option interface 'lan4'
    option start '100'
    option limit '50'
    option leasetime '8h'
    option dhcpv6 'server'
    option ra 'server'
    option ra_management '1'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config dhcp 'wlan02'
    option start '100'
    option interface 'wlan02'
    option limit '50'
    option leasetime '8h'

config dhcp 'wlan03'
    option start '100'
    option interface 'wlan03'
    option limit '50'
    option leasetime '8h'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'
 

xiaofan

Did you check if DHCP Server is setup correctly to allocate IP Addresses to the VLAN60 or 80? Or if DHCP Relay Server is setup?

I believe the DHCP server is set up correctly. Please refer to the /etc/config/dhcp file below.

I also tried the following using VLAN based on the br-lan and not eth0, and it did not work either.

Code:
root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd72:ce53:b2a3::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.48.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '60'
        option name 'br-lan.60'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '80'
        option name 'br-lan.80'
        option ipv6 '0'

config interface 'VLAN60'
        option proto 'static'
        option device 'br-lan.60'
        option ipaddr '192.168.60.1'
        option netmask '255.255.255.0'

config interface 'VLAN80'
        option proto 'static'
        option device 'br-lan.80'
        option ipaddr '192.168.80.1'
        option netmask '255.255.255.0'
       
root@OpenWrt:/etc/config# cat dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option noresolv '1'
        option doh_backup_noresolv '-1'
        list doh_backup_server ''
        list server '127.0.0.1#5054'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN60'
        option interface 'VLAN60'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'VLAN80'
        option interface 'VLAN80'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'
 

xiaofan

Some success with a Linksys EA7500 v2 running OpenWRT 21.02.1 in AP mode.

With the Linksys EA7500 v2 being so cheap on Carousell (S$10 to S$20), it can actually be a cheap managed switch with wireless AP function by flashing the OpenWRT FW.

1) Upstream router: virtual pfSense vm running the pfSense CE 2.5.2 version
VLAN60 (vtnet0.60) -- 192.168.60.1
VLAN80 (vtnet0.80) -- 192.168.80.1
LAN (vtnet0.99) -- 192.168.28.1

[attached image: 07QDwxe.png]


2) Downstream AP: Linksys EA7500 v2 running OpenWRT 21.02.1 in AP mode (WAN port is now part of the LAN bridge), using the Bridge VLAN Filtering feature in OpenWRT 21.02.1.

WAN port is acting as the trunk port.

Three wifi SSID:
OpenWRT -- 5GHz, attached to the LAN interface (br-lan.99)
OpenWRT60 -- 2.4GHz, attached to the VLAN60 interface (br-lan.60)
OpenWRT80 -- 5GHz, attached to the VLAN80 interface (br-lan.80)

[attached image: Qhn7p16.png]

[attached image: glIWvEQ.png]


3) Test results for the Linksys EA7500 v2 wireless clients
Wireless client on the OpenWRT SSID got 192.168.28.x IP address, same for LAN3/4 client
Wireless client on the OpenWRT60 SSID got 192.168.60.x IP address, same for LAN1 client
Wireless client on the OpenWRT80 SSID got 192.168.80.x IP address, same for LAN2 client
 

xiaofan

The Linksys EA7500 V2 OpenWRT AP is acting as a VLAN capable managed switch plus wireless AP in the above test.

I am kind of using the following working TP-Link TL-SG108E smart switch setup as the guide (Port 1 and Port 8 as trunk ports in this case). In fact, I connect the EA7500 v2 WAN port to the TP-Link TL-SG108E Port 8.

BTW, I decided not to use the default VLAN ID 1 as sometimes OpenWRT routers will reserve VLAN ID 1 and VLAN ID 2.

[attached image: r1jhWvp.png]

[attached image: G2flroI.png]
 

xiaofan

Some configuration files for reference (using the GUI to configure).
Code:
root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd82:7353:48a2::/48'
        option packet_steering '1'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.28.3'
        option gateway '192.168.28.1'
        option device 'br-lan.99'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '60'
        option name 'br-lan.60'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '80'
        option name 'br-lan.80'
        option ipv6 '0'

config interface 'VLAN60'
        option device 'br-lan.60'
        option proto 'dhcp'

config interface 'VLAN80'
        option device 'br-lan.80'
        option proto 'dhcp'

config bridge-vlan
        option device 'br-lan'
        option vlan '60'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '80'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'wan:t*'

config device
        option name 'br-lan.99'
        option type '8021q'
        option ifname 'br-lan'
        option vid '99'
        option ipv6 '0'

The remaining problem is on the OpenWRT router side (not as an AP).

I have not got success either with the virtual OpenWRT router (single LAN port), or with the real OpenWRT router with multiple LAN ports (Linksys EA7500 v2 and Linksys WRT 1900AC v1). I will try them later.
 

xiaofan

The remaining problem is on the OpenWRT router side (not as an AP).

I have not got success either with the virtual OpenWRT router (single LAN port), or with the real OpenWRT router with multiple LAN ports (Linksys EA7500 v2 and Linksys WRT 1900AC v1). I will try them later.

It seems to me the issue was that LuCI failed to connect back and then reverted the changes. The following is a working configuration. The extra untagged access port will allow a laptop or dumb AP to connect directly to the port (when not connecting through the TP-Link TL-SG108E) to have access to the OpenWRT router web GUI.

[attached image: cKBRvZ2.png]

[attached image: 3OOhn86.png]


The configuration file as the result is attached here for reference.
Code:
root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfa:c3bb:5693::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option device 'br-lan.99'
        option ipaddr '192.168.99.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '60'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '80'
        list ports 'eth0:t'

config device
        option name 'br-lan.60'
        option type '8021q'
        option ifname 'br-lan'
        option vid '60'
        option ipv6 '0'

config device
        option name 'br-lan.80'
        option type '8021q'
        option ifname 'br-lan'
        option vid '80'
        option ipv6 '0'

config device
        option name 'br-lan.99'
        option type '8021q'
        option ifname 'br-lan'
        option vid '99'
        option ipv6 '0'

config interface 'VLAN60'
        option proto 'static'
        option device 'br-lan.60'
        option ipaddr '192.168.60.1'
        option netmask '255.255.255.0'

config interface 'VLAN80'
        option proto 'static'
        option device 'br-lan.80'
        option ipaddr '192.168.80.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        list ports 'eth0:u*'
        option vlan '28'

config device
        option name 'br-lan.28'
        option type '8021q'
        option ifname 'br-lan'
        option vid '28'
        option ipv6 '0'

config interface 'VLAN28'
        option proto 'static'
        option device 'br-lan.28'
        option ipaddr '192.168.28.1'
        option netmask '255.255.255.0'
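
The bridge-vlan sections in the two working configs above (the EA7500 AP and this router) use OpenWRT's `port:t`, `port:u` and `*` notation for exactly the Tagged / Untagged / PVID columns of the TL-SG108E's 802.1Q pages. The script below is an added example, not code from the posts or from OpenWRT: it parses the UCI `network` syntax used in this thread and renders the bridge-vlan sections as one row per port, refusing a port that is given two PVIDs, and flags a `br-lan.N` 8021q device that has no matching bridge-vlan N, since every working config posted here pairs the two. The embedded sample is the bridge-vlan part of the EA7500 AP config above; the `br-lan.70` section used in the usage note is constructed to show the check firing.

```python
"""Render OpenWRT bridge-vlan sections as a per-port Tagged/Untagged/PVID table."""
import re
from typing import Dict, List, Optional

# Bridge-vlan part of the EA7500 v2 AP config posted earlier in this thread.
AP_NETWORK = """\
config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '60'
        option name 'br-lan.60'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '80'
        option name 'br-lan.80'

config bridge-vlan
        option device 'br-lan'
        option vlan '60'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '80'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'wan:t*'

config device
        option name 'br-lan.99'
        option type '8021q'
        option ifname 'br-lan'
        option vid '99'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'\s*$")
PORT_RE = re.compile(r"^([^:]+):([tu])(\*?)$")  # lan1:u*  wan:t  (suffix required)


def parse_uci(text: str) -> List[dict]:
    """Minimal UCI parser: one dict per section with '.type', '.name' (or None),
    option values as str and list values as a list of str."""
    sections: List[dict] = []
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            cur = {".type": m.group(1), ".name": m.group(2)}
            sections.append(cur)
            continue
        m = KV_RE.match(line)
        if m and cur is not None:
            kind, key, val = m.groups()
            if kind == "option":
                cur[key] = val
            else:
                cur.setdefault(key, []).append(val)
    return sections


def port_table(sections: List[dict], bridge: str = "br-lan") -> Dict[str, dict]:
    """{port: {'tagged': set, 'untagged': set, 'pvid': int|None}} from the bridge-vlan
    sections of one bridge. ':t' = tagged member, ':u' = untagged member, '*' = PVID."""
    table: Dict[str, dict] = {}
    for s in sections:
        if s[".type"] != "bridge-vlan" or s.get("device") != bridge:
            continue
        vid = int(s["vlan"])
        for spec in s.get("ports", []):
            m = PORT_RE.match(spec)
            if not m:
                raise ValueError(f"unsupported port spec {spec!r}")
            name, mode, star = m.groups()
            p = table.setdefault(name, {"tagged": set(), "untagged": set(), "pvid": None})
            p["tagged" if mode == "t" else "untagged"].add(vid)
            if star:
                if p["pvid"] is not None and p["pvid"] != vid:
                    raise ValueError(f"{name}: two PVIDs ({p['pvid']} and {vid})")
                p["pvid"] = vid
    return table


def unbacked_8021q(sections: List[dict], bridge: str = "br-lan") -> List[str]:
    """Names of 8021q devices on the bridge whose VID has no bridge-vlan section."""
    vids = {int(s["vlan"]) for s in sections
            if s[".type"] == "bridge-vlan" and s.get("device") == bridge}
    return [s.get("name") or f"{bridge}.{s['vid']}" for s in sections
            if s[".type"] == "device" and s.get("type") == "8021q"
            and s.get("ifname") == bridge and int(s["vid"]) not in vids]


def render(table: Dict[str, dict]) -> List[str]:
    """One line per port, in the style of the switch's 802.1Q VLAN page."""
    def fmt(vids: set) -> str:
        return ",".join(str(v) for v in sorted(vids)) or "-"
    return [f"{name:<6} T={fmt(p['tagged']):<10} U={fmt(p['untagged']):<10} PVID={p['pvid'] or '-'}"
            for name, p in sorted(table.items())]
```

`render(port_table(parse_uci(AP_NETWORK)))` gives `wan` as tagged in 60, 80 and 99 with PVID 99, `lan1` untagged in 60 with PVID 60, `lan2` untagged in 80 with PVID 80, and `lan3`/`lan4` untagged in 99 with PVID 99, which is the TL-SG108E table the post says it was modelled on. Appending a constructed `config device` section with `option type '8021q'`, `option ifname 'br-lan'`, `option vid '70'` and `option name 'br-lan.70'` makes `unbacked_8021q` return `['br-lan.70']`.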
 

xiaofan

It is very strange that the above method works under the OpenWRT VM under PVE (Proxmox 7.0) but not under the OpenWRT VM under ESXi 6.7. It seems to me VLAN info is not passed through to the TL-SG105E.

Then I tried on another pfSense VM under ESXi 6.7 and the issue is also present there. Strange. pfSense VM under PVE 7.0 works fine.

So it seems to me my struggling with the OpenWRT VLAN is actually not related to OpenWRT but rather with ESXi 6.7 environment. Anyway, I will probably stop here for a while and revisit this issue later.
 

lilycll

It is very strange that the above method works under the OpenWRT VM under PVE (Proxmox 7.0) but not under the OpenWRT VM under ESXi 6.7. It seems to me VLAN info is not passed through to the TL-SG105E.

Then I tried on another pfSense VM under ESXi 6.7 and the issue is also present there. Strange. pfSense VM under PVE 7.0 works fine.

So it seems to me my struggling with the OpenWRT VLAN is actually not related to OpenWRT but rather with ESXi 6.7 environment. Anyway, I will probably stop here for a while and revisit this issue later.

Check this link particularly mentioned 'The portgroups connected to the virtual switch must have their VLAN ID set to 0.'.

https://kb.vmware.com/s/article/1003806
 

xiaofan

Check this link particularly mentioned 'The portgroups connected to the virtual switch must have their VLAN ID set to 0.'.

https://kb.vmware.com/s/article/1003806

Thanks. It seems to me in this case, I should use "Virtual Guest Tagging (VGT)" mode as the VLAN is dealt with by the OpenWRT/pfSense VM and then they are connected to the trunk port of the external VLAN switch. Let me try this to see if it works or not.
 

xiaofan

Thanks. It seems to me in this case, I should use "Virtual Guest Tagging (VGT)" mode as the VLAN is dealt with by the OpenWRT/pfSense VM and then they are connected to the trunk port of the external VLAN switch. Let me try this to see if it works or not.

Yes, once I set up the Port Group to have VLAN ID of 4095, everything works fine under ESXi pfSense VM and OpenWRT VM.

Ref: https://kb.vmware.com/s/article/1004252
*******
To set a standard vSwitch portgroup to trunk mode:

Edit host networking via the Virtual infrastructure Client.
Navigate to Host > Configuration > Networking > vSwitch > Properties.
Click Ports > Portgroup > Edit.
Click the General tab.
Set the VLAN ID to 4095. A VLAN ID of 4095 represents all trunked VLANs.
Click OK.
********
 

xiaofan

Once I figured it out on the PVE/ESXi OpenWRT VM, it is the same for an OpenWRT physical router.
Here is the example with my old Linksys WRT1900AC v1 running OpenWRT 21.02.1 (in router mode, so WAN is not included in the br-lan bridge).

[attached image: weZn88d.png]
 