pleased wrote

Which brings up a question: My (cheap) WGR614v8 supports port-based VLANs but I don't know if it supports 802.1Q based VLANs. I hope I can do a "trunk" on one router LAN port connected to the SG108e port configured to output 802.1Q VLAN tags (as you seem to have done?)

The WGR614 should support 802.1Q VLANs under DD-WRT, although it's noted '?' in the table below.

See http://www.dd-wrt.com/wiki/index.php/VLAN_Support and the post here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=489960#489960

At least the chip used in WGR614 supports 802.1Q: http://www.ok1mjo.com/all/wifi/Asus_WL-520GU/BCM5354_cipset.pdf

But it seems it's really very old gear. It isn't listed anymore in Netgear's archive for old devices with DD-WRT support.

This contradicts my observation and diagnosis. My theory is that the inbound traffic is broadcast because it's destination port is not known to be among the ports with the same PVID as the inbound port, thus the blinkenlights. Either there was something about your setup that didn't match mine or my theory needs tweaking.

I did the speed tests with ports 7 of VLAN 3 (PVID=3) and had another device at port 2 of VLAN 2 (PVID=2). There were some regular broadcasts originating from my network on Port 1, but nothing unusual. Anyway, if you use a true trunk port and separate subnets, the problem should be gone.

pleased wrote

a), I wonder if theWGR614v8 is rejecting these packets for that reason, and b) why didn't this cause problems for you, R1D2?

Regarding a): No idea. There are indeed devices with the BCM 5354 for which the driver in DD-WRT supports 802.1Q, such as the Asus WL520, so I see no reason that the BCM 5354 driver should not be able to support them also on other devices - except it has been explicitly disabled by the person doing the port. You have to ask in the DD-WRT forum.

As for b): The VLAN field is inserted in the data part of an Ethernet packet, there is no such thing as "VLAN length field". There are just 4 additional bytes in the data part of an Ethernet frame. Maybe, wireshark can't handle this and indicates an invalid Ethernet package because of the additional 4 bytes? See the screenshot from CocoaPacketAnalyzer below, it indicates VLAN ID correctly, there are absolutely no errors in TP-Link's implementation (VID was 2 coming from TL-SG108E in this quick test, laptop was connected to trunk port, data comes from an EAP120 on an untagged port with PVID=2, laptop also did send something on DefaultVLAN):





Setup of a VLAN trunk ports in OpenWRT (and hence also in DD-WRT) should be straight-forward. Following shows the default setup of the config file /etc/config/networks on a TL-WDR4300 running OpenWRT. This router has a built-in switch with five physical Ethernet ports. The port labelled " Internet" on the box is internally assigned port #1. The four LAN ports labelled "1" to "4" are internally assigned port #2 to #5. Port #0 is the CPU trunk, an internal (virtual) connection between the Ethernet chip and the CPU of the router.

By default, all ports #1 to #5 are access ports (1x for WAN, 4x for LAN). Internal CPU port #0 already has VLAN tagging turned on, so that the CPU is able to direct traffic from WAN and from LAN into the appropriate networks. Since both networks are on the same physical switch ( eth0), even in default setup there must be VLAN tags enabled for the internal CPU connection (routers with two separate built-in switches for the WAN and LAN ports don't need this). The LAN interface of TL-WDR4300 is also bridged with a WiFi interface (not defined in network section except for the bridge option).

To create a VLAN, the VID is just appended to the name of the interface ( eth0) separated by a dot. So we have the following default setup of TL-WDR4300 (note that each option line must be intended by starting with blanks or tabs, which are stripped away from the forum SW, so I have used ༺ here for a TAB :)):

# LAN network including WiFi
config interface 'lan'
༺ option ifname 'eth0.1' [FONT=arial]# virtual network LAN (VLAN-ID 1)[/FONT]
༺ option type 'bridge'
༺ option proto 'static'
༺ option ipaddr '192.168.1.1' # router's static IP in LAN network
༺ option netmask '255.255.255.0'

# WAN network (port labelled "Internet" on the case)
config interface 'wan'
༺ option ifname 'eth0.2' [FONT=arial]# virtual network WAN (VLAN-ID 2)[/FONT]
༺ option proto 'dhcp' [FONT=arial]# uses DHCP, i.e. IP assigned from ISP[/FONT]

# Global switch settings such as interface name
config switch
༺ option name 'eth0'
༺ option reset '1'
༺ option enable_vlan '1'

# VLAN/port assignment for network LAN
config switch_vlan
༺ option device 'eth0'
༺ option vlan '1' [FONT=arial]# VLAN ID 1: LAN[/FONT]
༺ option ports '2 3 4 5 0t' [FONT=arial]# ports 1-4 (internally #2-#5): access ports, port #0: internal CPU trunk[/FONT]

# VLAN/port assignment for network WAN
config switch_vlan
༺ option device 'eth0'
༺ option vlan '2' [FONT=arial]# VLAN ID 2: WAN[/FONT]
༺ option ports '1 0t' [FONT=arial]# port "Internet" (internally #1): access port, port #0: internal CPU trunk[/FONT]

As you can see, internal port #0 is a member of both VLANs and it is a tagged port (the 't' or sometimes a '*' like in DD-WRT specifies tagged port).

Now we want to add another guest network with real (physical) tagged port to connect it with TL-SG108E and a second (untagged) port for local access to the guest network through the TL-WDR4300's switch. On the TL-WDR4300 we need to create a new network interface and a new VLAN:

# Guest network
config interface 'guest'
༺ option ifname 'eth0.3' [FONT=arial]# this interface name actually creates the new VLAN interface with ID 3[/FONT]
༺ option proto 'static'
༺ option ipaddr '192.168.16.1' [FONT=arial]# router's static IP in guest network[/FONT]
༺ option netmask '255.255.255.0'

# VLAN/port assignment for guest network
config switch_vlan
༺ option device 'eth0'
༺ option vlan '3' [FONT=arial]# VLAN ID 3: guest network[/FONT]
༺ option ports '2t 3 0t' [FONT=arial]# Port #2: VLAN trunk (tagged), port #3: access port for guest network (untagged)[/FONT]

We need to change the entry for the LAN interface, so traffic from/to LAN goes to the trunk port also (changes highlighted):

# VLAN/port assignment for network LAN
config switch_vlan
༺ option device 'eth0'
༺ option vlan '1' [FONT=arial]# VLAN ID 1: LAN[/FONT]
༺ option ports '2t 4 5 0t' [FONT=arial]# port #2: VLAN trunk, [/FONT] ports #4 and #5: still LAN access ports

That's it. Setup of DHCP and firewall rules for the guest network is left as an exercise for the reader. Every setting could be made through the web UI also and with this background it's very easy to do so using the web UI. Finally, a reboot might be required, if the Ethernet chip must be re-programmed for the VLANs by the driver at boot time. Then connect TL-SG108E's VLAN trunk port to port 1 (#2) of the TL-WDR4300 switch and enjoy LAN/guest network distribution to the TL-SG108E.

No magic here. If you can't get it going on your WGR614, do yourself a favor and replace the ancient Netgear router by a cheap, used one from the bay such as Netgear WNDR3700/3800 or TP-Link TL-WDR4300 or even an old, but legendary Linksys WRT54 :) - all of them and 7 other models I used in last years support 802.1Q VLAN tagging under OpenWRT. Of course, you could also choose a modern router supported by latest versions of OpenWRT, DD-WRT or Gargoyle.

pleased wrote

I've got it working with DD-WRT - two trunked VLANs going to one port in the WGR614v8. I have yet to isolate the Apartment VLAN in the routing/firewall tables and will get my steam up again before I dig into that.

Glad to hear that it worked out for you! Firewall settings are no big deal either. Just create a new zone for the guest network and set default policy to ACCEPT for input/output to the WGR614 itself (so devices in this network can communicate with the services of the router) and to REJECT for forwarding packets (to isolate the network from all others). Again, this can be done using the web UI, which then will set following config in /etc/config/firewall:

config zone
༺ option name 'guest' # the zone's name
༺ option network 'guest' # the network this zone is assigned to
༺ option input 'ACCEPT'
༺ option output 'ACCEPT'
༺ option forward 'REJECT'

Then define one forwarding rule from the guest network to the WAN network if guests should have access to the Internet:

config forwarding
༺ option src 'guest' # source
༺ option dest 'wan' # destination
༺ option family 'any' # protocol family (ipv4, ipv6 or any)

That's it! Additionally you could add rules to forward traffic from guest to LAN for specific services such as access to an internal web service running on some of your systems, printer sharing etc. See https://wiki.openwrt.org/doc/uci/firewall for an overview of possible settings.

In addition, everyone prefers recipes rather than explanations - this is the standard and crappy way most infotech publications are written -

Very true! I'm autodidact since I was a teenager, so I always wanted to understand things rather than only being able to follow recipes. Luckily UNIX, the predecessor of Linux, was very well structured and easy to understand at this time, while today's Linux is huge, but extremely powerful and flexible in every aspect. Welcome to a real operating system, which lets you do almost anything you want with your WGR614. So you managed the first step of the stage to a Linux Guru, whose most special skills is the knowledge of how many steps needs to be climbed to become one! :D

I have reported to TP-Link that they might have implemented the SG108e VLAN switching better. Too late for me to benefit and there'll probably be few attempting to do what I was anyway.

Yes, but on the other hand this has forced you to install Linux for yourself on your router instead of using a down-stripped Netgear Linux. Don't forget to have a look at the thousands of useful software packages you now can install on your router! Also, if you get used to the console (shell) interface of your router (via ssh or it's little OPEN/DD-WRT brother dropbear aka PuTTY on Windows), you could get things done in a fraction of time compared to the web UI - and also in comparison to Windows, haha.

Was a real pleasure for me to dig into these issues together with you, I learned something about VLANs on TL-SG108E, too.
Please mark this thread as 'solved', so others experiencing the same problem could benefit from it, too.

All the best and have a lot of fun with DD-WRT (I'm sure you will)!