RB750 + OpenWrt: Tagged & Untagged VLAN on the Same Port

I have installed OpenWrt on a MikroTik Routerboard RB750UP (AR7240 CPU with AR9330 built-in switch). I have included additional details below, but my question is:

How do I configure an untagged and tagged vlan on the same port?

I have successfully configured non-tagged vlans and tagged vlans independently, but not for the same port. The reason why I want to do this is because I have a Ubiquiti NanoStation loco M2 plugged into a port providing a wireless lan (which requires untagged frames), but I also want to configure a tagged vlan for managing the loco (i.e. accessing its management ip via tagged vlan).

Here are some further details:

Hardware

  • MikroTik RouterBoard RB750UP
  • Ubiquiti NanoStation loco M2


# swconfig dev eth0 help
switch0: eth0(AR7240/AR9330 built-in switch), ports: 5 (cpu @ 0), vlans: 16
<snip>

Here’s a diagram of (what I believe to be) the layout of the AR7240/AR9330 switch in the RB750UP:

Operating System

OpenWrt BARRIER BREAKER (Bleeding Edge, r36085), built with a custom configuration

# uname -a
Linux OpenWrt 3.8.3 #3 Wed Mar 27 04:09:04 PDT 2013 mips GNU/Linux

Network Diagram

As the image shows, the NanoStation loco is plugged into port 3 and has a management IP of 192.168.20.10/24 configured on a vlan with vid=3. It also acts as a wireless bridge/access point for the 192.168.100.0/24 network.

Accordingly, port 3 on the router has an untagged vlan configured for the 192.168.100.0/24 network and a tagged vlan for the 192.168.20.0/24 management network (with vid=3).

Network Configuration

Here’s what I’m trying to achieve with the below config:

  • Tagged VLAN 3 (vid=3) on port 3 (virtual interface eth0.3)
  • Untagged VLAN 4 on port 3 (virtual interface eth0.4)
  • Default vlan pvid=4 on port 3 (to handle incoming untagged frames)


# cat /etc/config/network

<snip>

config interface 'loco'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'locolan'
       option proto 'static'
       option ifname 'eth0.4'
       option ipaddr '192.168.100.1'
       option netmask '255.255.255.0'

<snip>

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 3t'

config switch_vlan
       option device 'switch0'
       option vlan '4'
       option vid '4'
       option ports '0t 3'

config switch_port
    option port '3'
    option pvid '4'

After rebooting the router, swconfig shows the following switch configuration. Note the missing ‘3t’ from VLAN 3.

# swconfig dev switch0 show
Global attributes:
    enable_vlan: 1
Port 0:
    pvid: 0
    link: port:0 link:up speed:1000baseT full-duplex txflow rxflow 
Port 1:
    pvid: 2
    link: port:1 link:up speed:100baseT full-duplex auto
Port 2:
    pvid: 1
    link: port:2 link:down
Port 3:
    pvid: 4
    link: port:3 link:up speed:100baseT full-duplex auto
Port 4:
    pvid: 1
    link: port:4 link:up speed:100baseT full-duplex auto
VLAN 0:
    vid: 0
    ports: 0t 
VLAN 1:
    vid: 1
    ports: 0t 2 4 
VLAN 2:
    vid: 2
    ports: 0t 1 
VLAN 3:
    vid: 3
    ports: 0t    <----- no tagged port 3!
VLAN 4:
    vid: 4
    ports: 0t 3

As a result, I cannot ping the loco’s management IP.

I’ve also tried manually configuring the vlan/port assignment and tags using ‘swconfig’, but in each permutation, it either leaves port 3 out of one of the vlans, or it forces port 3 to be tagged in both vlans.

Questions

  1. How do I configure an untagged and tagged vlan on the same port?
  2. Are there any known bugs/issues with swconfig or the AR7240/AR9330 OpenWrt switch driver that could be causing this? (None came up in my searches.)

God kills a kitten every time someone does that.

As far as I know, it is not possible. AR7240 switch chip does not support untagged and tagged vlan on the same port.

RouterOS is already doing this, though, on the RB750UP. Does it not actually have an AR7240 chip in it?

Hi,
I have a similar goal (the vlan question, not the kitten-killing as barkas mentions!). Does anyone know if there’s a model similar to the AR7240 that could support this out of the box?

Thanks!

The AR8316 switch chip hardware definitely supports it, as the documentation on the Wiki explains: http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Example_-_802.1Q_Trunking_with_Atheros_8316 Of course, just because there is a way to do it on RouterOS does not mean that the tools present in OpenWRT to manipulate switch chip functions are as mature as what is included in RouterOS, or that OpenWRT is capable of doing the same thing with the 8316 out-of-the-box.

The 8316 is only used on a handful of RouterBOARD models, and as far as I know, is the only switch chip that MikroTik has used which supports this feature. If you want something in the same form-factor as an RB750, then you should check out the RB450G, which has the 8316 chip. The RB750G also had that chip, but has been discontinued and replaced with the RB750GL, which uses something else.

– Nathan

Thanks for the help everyone.

I would like to clarify the end functional goal of the setup in my original post: I want to be able to plug an access point/wireless bridge (e.g. a NanoStation loco M2) into a port (e.g. port 3) and have that access point/port send/receive packets to/from vlan-unaware clients on the wireless network (e.g. 192.168.100.0/24). At the same time, I want to configure a tagged management vlan on the same port to allow me to access the management ip of the access point (e.g. 192.168.20.10, vlan tag 3).

We know that it’s possible to do this with RouterOS on the RB750, which has an AR7240 SoC with a built-in switch (we can just assign an ip from 192.168.100.0/24 to the ethernet interface for port 3 and then create a vlan with vlan id 3 on interface 3 and assign the virtual interface an ip from 192.168.20.0/24).

It is not possible to do this in the same way on OpenWrt, since OpenWrt does not see the switch ports as separate ethernet interfaces as RouterOS does. OpenWrt sees only the “actual” ethernet controllers on the AR7240 (eth0 and eth1, see the switch diagram in the original post) and thus we need to configure (in our case untagged) vlans in order to isolate ports on different subnets. As a result, if we want to assign the port to another (tagged) vlan but keep it untagged in the first vlan, the port would need to belong to two different VLANS and be tagged in one, and untagged in the other. I assumed this is what RouterOS was doing under the hood, but I now realize that this is not necessarily true.

Additionally, after doing some digging in the OpenWrt AR7240 switch driver code, it appears that it forces a port to be either tagged or untagged (e.g. it will actually remove a port from other vlans if it’s being set to untagged and appears in other vlans).

At this point, I have the following questions:

  1. Is there anything in my above assessment that is incorrect?
  2. Can anyone suggest a different solution (either configuration or software based) that doesn’t require tagged or untagged vlans that provides the goal functionality described above and depicted in the original post?
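A pre-flight check for the driver behaviour described in the post above, as an added example that is not part of the original thread and is not OpenWrt code: it parses the switch_vlan sections of /etc/config/network and reports any port that is tagged in one VLAN and untagged in another, so a management VLAN that would lose its port (VLAN 3 here) is caught before the switch is reconfigured. The function names are hypothetical and the sample input is constructed from the config in the first post.

```python
from collections import defaultdict

# Constructed sample: the VLAN 3 and VLAN 4 sections from the first post.
MIXED = """
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 3t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '0t 3'
"""
# Constructed variant for contrast: port 3 tagged in both VLANs.
ALL_TAGGED = MIXED.replace("'0t 3'", "'0t 3t'")

def parse_switch_vlans(text):
    """Return {vlan: {port: is_tagged}} from UCI 'config switch_vlan' sections.
    Assumes 'option vlan' precedes 'option ports', as in the posted config."""
    vlans, section, current = {}, None, None
    for line in text.splitlines():
        words = line.split(None, 2)
        if len(words) >= 2 and words[0] == "config":
            section, current = words[1], None
        elif len(words) == 3 and words[0] == "option" and section == "switch_vlan":
            key, value = words[1], words[2].strip().strip("'\"")
            if key == "vlan":
                current = vlans.setdefault(int(value), {})
            elif key == "ports" and current is not None:
                for p in value.split():
                    current[int(p.rstrip("t"))] = p.endswith("t")
    return vlans

def mixed_mode_ports(vlans):
    """Map each port that is tagged in one VLAN and untagged in another
    to the VLAN lists for each mode."""
    seen = defaultdict(lambda: {"tagged": [], "untagged": []})
    for vlan, ports in sorted(vlans.items()):
        for port, tagged in ports.items():
            seen[port]["tagged" if tagged else "untagged"].append(vlan)
    return {p: m for p, m in seen.items() if m["tagged"] and m["untagged"]}

if __name__ == "__main__":
    for name, cfg in (("mixed", MIXED), ("all tagged", ALL_TAGGED)):
        print(name, mixed_mode_ports(parse_switch_vlans(cfg)))
```
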

@smottish
You are right about AR7240 switch chip.
I can only add that AR7240 switch chip functionality in RouterOS is the same: traffic can be either tagged or untagged on egress ports. Your described configuration with VLAN interface on Ethernet interface works in RouterOS because it is processed by CPU and does not actually use switch chip functionality.

Your assessment is right.
I have been using OpenWrt on a TP-Link WR741ND which has an AR7240 chip.
Early versions of OpenWrt did in fact support tagged and untagged VLANs on the same port (by also supporting the pvid setting option).
At some point pvid support was pulled (because it was claimed to not be working properly) and hence we lost the ability to configure both tagged and untagged traffic on a port.
However there are workarounds if you can have your access point generate only tagged traffic (ex: VLAN 3 for management and VLAN 4 for wireless clients):

  • One way is to use subinterfaces (eth0.3 eth0.4) to pick up the traffic from each VLAN at the CPU and then use software bridges or routing to manage the traffic.