How to make VLAN work again after update from TOS 5 to 6?

Hello! After updating from TOS 5 to 6, VLAN is not functioning.

LuCI still shows the VLAN interface but I cannot find it’s assigned ports (formerly unter “physical” tab) and I cannot reach the virtual network (one device has legs in both), and hosts inside the VLAN cannot connect to the Internet (which they need to via this one host that has legs in both nets).

What I try to accomplish is shown here in an old screenshot from TOS 3: Cannot recreate VLANs in 5.x

What would I need to to to have it working again? Thank you!

Edit: /etc/config/network

config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'

config globals 'globals'
option ula_prefix 'fdde:bf51:6ec6::/48'

config interface 'lan'
option force_link '1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '172.16.0.1'
option device 'br-lan'

config interface 'wan'
option proto 'dhcp'
list dns '172.16.0.26'
option peerdns '0'
option device 'eth2'

config interface 'wan6'
option _orig_ifname '@wan'
option _orig_bridge 'false'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
list dns 'fdde:bf51:6ec6::26'
option peerdns '0'
option device '@wan'

config interface 'VLAN'
option proto 'none'
option device 'br-VLAN'

config device 'br_lan'
option name 'br-lan'
list ports 'lan0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan4'
option type 'bridge'

config device 'br_VLAN'
option name 'br-VLAN'
list ports 'lan3'
list ports 'lan2.3'
option type 'bridge'

Hello! The recent update with packages named fix- did not work it out.

The device on lan2.3 receives an IP address like in version 5, but connecting there results in “no route to host”. It cannot connect to it’s destinations in the Internet.

Delete all the bridges you have created, except the br-lan.
Then do something like this:

image903×661 51.2 KB

image903×605 42.4 KB

Do not hit the Save & Apply button yet, go back to Interfaces and update the LAN interface with the correct interface name (in my case default is VLAN 1), like this:

image903×337 37.6 KB

And that’s it. Hit Save & Apply and wait for the settings to be applied.

I am very grateful for your instructions and screenshots, hagrid! I could recreate it with VLAN-IDs and such as needed here. Traffic is flowing again, I would have never found that by myself in only one day. Thank you!

I’m trying to set this up, too, but all I get is a timeout and a rollback. I intend to have a separate interface that is not connected to LAN, but reachable via a tagged VLAN from one of the ethernet ports. The same ethernet port is usable as non-VLAN port. This has worked with 5.x.

image883×372 19.3 KB

Just trying to apply this setup doesn’t work.

This is the interface that is supposed to use the VLAN:

image686×684 32.5 KB

And this is the regular LAN interface:

image611×586 31.9 KB

Even without adding the IOT interface, just setting the VLAN configuration I get a disconnect and a rollback.

The LAN interface would need to be br-lan.1, rather than just br-lan.

Sorry for the stupid questions, but how do I properly configure the VLAN then? My current configuration is

image877×383 19.2 KB

I have tried both “does not participate” and “untagged” for VLAN 1 but neither works.
My LAN config is now br-lan.1 as you suggested.

image640×579 31.8 KB

I still only get timeouts and rollbacks.

EDIT: I finally made it work. The important part is that the default network (br-lan.1 or VLAN 1) is set to untagged and primary VLAN ID.

Tbh I think this interface could need some documentation, at least I wasn’t able to find some.

Thanks for everyones help.

Sorry I am too late to write you this, but maybe it is good to have it, anyway. For reference a working example:

Bildschirmfoto_2022-10-21_11-24-301192×580 42 KB

What does your lan config look like? I noticed that now in my iot network wifi and wired devices can communicate. However in my lan they cannot. I removed the interface and added it again, I removed the wifi interfaces, added them again, no change, they cannot talk to each other. Then I noticed a difference. My iot interface seems to be a bridge while my lan interface doesnt. But I don’t understand why this is the case and where to configure it.

My config looks as follows:
config interface ‘IOT’
option device ‘br-lan.9’
option proto ‘static’
option ipaddr ‘172.21.1.254’
option netmask ‘255.255.255.0’
option type ‘bridge’
option defaultroute ‘0’

config interface ‘lan’
option device ‘br-lan.1’
option proto ‘static’
option ipaddr ‘172.22.1.254’
option netmask ‘255.255.255.0’

This is the generated config, note the option type bridge under iot.
I also noticed that when I edit the wifi networks, under iot it shows the wifi symbol:

While under lan it doesn’t show up even though I configured that wifi device to be in that network:

When I added the option type bridge manually to the network configuration they showed up in the symbols but it still didn’t work. So I suspect that there is a difference between those networks but I cannot find any on the luci config page.

I created both interfaces through luci, so I don’t understand why they’re different.

Also when I remove lan from the VLAN and just use br-lan directly adding the wifi networks works again. But then of course I can’t use the VLAN for my iot network anymore.

You are right, it doesn’t have the WIFI in my LAN bridge anymore, too. Haven’t noticed this, yet, but can confirm devices are not reaching each other from WIFI to LAN and vice versa. The lan section in the config looks like this now:

config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '172.16.0.1'
option device 'br-lan.1'

In my WIFI options at the network selection it looks like in your second screenshot from above.

At least someone else can reproduce my problem

I tinkered a bit with the options up to the point that I wasn’t able to remove the VLAN filter and then locking myself out of the router.

I restored the last checkpoint and was able to reproduce the problem. What really bugs me is that when I recreated the interfaces the iot interface would still have the bridge option and work. Yet any additional interfaces I created didn’t have this option. I really cannot tell what is different between those.

Once again, what is the problem? What is your goal?
I run several Wi-Fi networks in different VLANs and I don’t notice any problem.

root@staging-gw-prg:~# bridge link show
7: lan0@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-lan state disabled priority 32 cost 100 
8: lan1@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-lan state disabled priority 32 cost 100 
9: lan2@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-lan state disabled priority 32 cost 100 
10: lan3@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 19 
11: lan4@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 4 
33: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100 
86: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100 
87: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 100 
root@staging-gw-prg:~# bridge vlan show
port              vlan-id  
lan0              1 PVID Egress Untagged
lan1              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan3              1 PVID Egress Untagged
lan4              42
                  2001
                  2006
                  2022 PVID Egress Untagged
wlan0             1 PVID Egress Untagged
br-lan            1
                  42
                  2001
                  2006
                  2022
wlan1             1 PVID Egress Untagged
wlan1-1           42 PVID Egress Untagged

image903×337 33.2 KB

image903×337 34.3 KB

image953×556 66.6 KB

I try to have a “regular” ethernet connection and a vlan on the same port. Each of those gets a separate wifi. When I configure “br-lan” with my lan network the lan network works with wifi but in the br-lan.9 vlan network (iot interface) wired devices cannot talk to wireless devices. When I use the solution proposed above by changing the lan interface to the br-lan.1 vlan and setting all ports to untagged, my iot network can suddently talk to wifi devices for some reason but now wired devices on br-lan.1 cannot talk to any wifi devices on wifis assigned to the lan network.

I quickly created a simple diagram that hopefully clarifies a bit. The server has a regular ethernet interface that does Internet, etc. It is connected to LAN (including the remaining ethernet ports) and Wifi1.
It also has a tagged VLAN on that same port that is connected to the IOT interface on the Turris. Added to this interface is a second Wifi interface. Both networks are separated.
This was a very simple setup on TOS 5. My naive approach was to simply add a vlan filter to br-lan that ONLY adds the tagged vlan on that port. But apparently this doesn’t work.
Tbh I don’t know how I make this setup work with the current version.

Can you paste the content of /etc/config/network and /etc/config/wireless?

For a better readability, please enclose the content with ``` on the first and last line.

I also got problem with my VLAN config on TOS 6. I can give more details later but its a pretty simple wlan VLAN iptv config that stopped working so I reverted to 5.x,

Okay, I tried two configurations. After the last update the my initial configuration with having vlan filtering enabled on a device and then using the device with and without vlan didn’t apply anymore (not that it worked in the first place).
The default configuration doesn’t have the iot network and works fine for all devices connected to br-lan and W1-W3.

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'xxx::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '172.22.1.254'
	option delegate '0'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option ipv6 '0'
	option device 'eth2'

config interface 'wan6'
	option noserverunicast '1'
	option proto 'none'
	option device '@wan'

config interface 'guest_turris'
	option enabled '0'
	option proto 'static'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option device 'br-guest_turris'

config device 'br_lan'
	option name 'br-lan'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option type 'bridge'

config device 'br_guest_turris'
	option name 'br-guest_turris'
	option bridge_empty '1'
	list ports 'guest_turris_0'
	list ports 'guest_turris_1'
	option type 'bridge'

config wifi-device 'radio0'
	option type 'mac80211'
	option country 'DE'
	option txpower '14'
	option macaddr 'xxx'
	option channel 'auto'
	option hwmode '11a'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option htmode 'HT40'
	option txpower '19'
	option country 'DE'
	option macaddr 'xxx'
	option channel '11'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option disabled '0'
	option ssid 'W1'
	option key 'xxx'
	option ieee80211w '1'
	option encryption 'psk2+ccmp'
	option hidden '0'
	option wpa_group_rekey '86400'

config wifi-iface 'guest_iface_1'
	option device 'radio1'
	option ssid 'W3'
	option encryption 'psk2'
	option mode 'ap'
	option network 'lan'
	option key 'xxx'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'W2'
	option key 'xxx'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'W4'
	option ieee80211w '1'
	option key 'xxx'
	option encryption 'psk2'

I then added the vlans with tag 1 and 9. 1 is the “default” one that should make the switch ports behave as if there was no vlan, therefore it’s untagged. 9 is the vlan that is supposed to connect the lan port 4 and wifi W4 with the iot network:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'xxx::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '172.22.1.254'
	option delegate '0'
	option device 'br-lan.1'

config interface 'wan'
	option proto 'dhcp'
	option ipv6 '0'
	option device 'eth2'

config interface 'wan6'
	option noserverunicast '1'
	option proto 'none'
	option device '@wan'

config interface 'guest_turris'
	option enabled '0'
	option proto 'static'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option device 'br-guest_turris'

config device 'br_lan'
	option name 'br-lan'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option type 'bridge'

config device 'br_guest_turris'
	option name 'br-guest_turris'
	option bridge_empty '1'
	list ports 'guest_turris_0'
	list ports 'guest_turris_1'
	option type 'bridge'

config interface 'iot'
	option proto 'static'
	option ipaddr '172.21.1.254'
	option netmask '255.255.255.0'
	option device 'br-lan.9'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'lan4:t'

config wifi-device 'radio0'
	option type 'mac80211'
	option country 'DE'
	option txpower '14'
	option macaddr 'xxx'
	option channel 'auto'
	option hwmode '11a'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option htmode 'HT40'
	option txpower '19'
	option country 'DE'
	option macaddr 'xxx'
	option channel '11'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option disabled '0'
	option ssid 'W1'
	option key 'xxx'
	option ieee80211w '1'
	option encryption 'psk2+ccmp'
	option hidden '0'
	option wpa_group_rekey '86400'

config wifi-iface 'guest_iface_1'
	option device 'radio1'
	option ssid 'W3'
	option encryption 'psk2'
	option mode 'ap'
	option network 'lan'
	option key 'xxx'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'W2'
	option key 'xxx'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'W4'
	option ieee80211w '1'
	option key 'xxx'
	option encryption 'psk2'
	option network 'iot'

With this configuration devices from br-lan.9 can talk to devices in W4. But devices in br-lan.1 CANNOT talk to devices in W1-3 which has worked fine before.

All configurations are generated by luci. I did not change any firewall rules.

In one of my earlier posts I mentioned that br-lan.9 had the bridge option set while br-lan.1 didn’t. Initially I thought this might be a reason that one works and the other doesn’t. However in this config neither has this option set and it still behaves in the same way.

I hope this clears things up a bit. If you need more information, please ask.

I want to emphasize how important this step is. Without doing it that way you will loose access via the LAN ports…

@hagrid maybe TOS could be changed to use br-lan.1 for the LAN-bridge by default to make it easier for users to enable VLANs? (This comment also applies to upstream OpenWrt, but that might be something where TOS is willing to use a different default than upstream?)

@moeller0 This is exactly what I suggested to my colleagues, but nobody saw it as important. We had several discussions around this earlier this year. @pepe @miska

I think I floated the same idea in the OpenWrt forum, but got zero feed-back. I guess someone should simply prepare a patch