Assigning a local switch port to a guest network

Hi.

I have OpenWrt 22.03.5 installed on a Linksys MR8300.

It's basically a default configuration plus a guest network as per:

At the moment all the switch ports are assigned to the default "br-lan" device.

I can assign all the switch ports to the "br-guest" device and this works fine.

I would like to assign a single port to the "br-guest" device, leaving the rest assigned to the default "br-lan" device.

Network devices are as follows:

ls -l /sys/class/net
lrwxrwxrwx    1 root     root             0 Aug 20 12:26 br-guest -> ../../devices/virtual/net/br-guest
lrwxrwxrwx    1 root     root             0 Aug 20 12:26 br-lan -> ../../devices/virtual/net/br-lan
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth0 -> ../../devices/platform/soc/c080000.edma/net/eth0
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth1 -> ../../devices/platform/soc/c080000.edma/net/eth1
lrwxrwxrwx    1 root     root             0 Jan  1  1970 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx    1 root     root             0 Aug 20 12:26 wlan0 -> ../../devices/platform/soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0
lrwxrwxrwx    1 root     root             0 Aug 20 12:26 wlan0-1 -> ../../devices/platform/soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0-1
lrwxrwxrwx    1 root     root             0 Aug 20 12:26 wlan1 -> ../../devices/platform/soc/a000000.wifi/net/wlan1
lrwxrwxrwx    1 root     root             0 Aug 20 12:26 wlan1-1 -> ../../devices/platform/soc/a000000.wifi/net/wlan1-1
lrwxrwxrwx    1 root     root             0 Aug 20 12:26 wlan2 -> ../../devices/platform/soc/a800000.wifi/net/wlan2
lrwxrwxrwx    1 root     root             0 Aug 20 12:26 wlan2-1 -> ../../devices/platform/soc/a800000.wifi/net/wlan2-1

Network configuration is as follows:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd82:73ef:4cc9::/48'

config device
	option name 'br-lan'
	option type 'bridge'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'auto'
	list dns '2620:fe::fe'
	list dns '2620:fe::9'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0'

config device 'guest_dev'
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0'

config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

I believe I have to configure a new VLAN as per:

but everything I've tried results in all the switch ports becoming unusable.

This is my latest configuration attempt:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd82:73ef:4cc9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'auto'
	list dns '2620:fe::fe'
	list dns '2620:fe::9'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0'

config device 'guest_dev'
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.3'

config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '4 0'

This seems like such a basic request that I'm sure someone has already asked this question, but I've hunted high and low and cannot find an answer, so apologies if I've missed it.

If anyone can advise either that I'm going about this all wrong, or what I've misconfigured / not configured, it would be much appreciated.

Thanks in advance.

Port 0 aka CPU is typically tagged on each VLAN, see:
https://openwrt.org/docs/guide-user/network/vlan/creating_virtual_switches

Thanks for the reply. I had initially used "0t" in the "switch_vlan" settings but that hadn't worked.

In the VLAN doco I linked to, I had read where it says:
"The CPU port (number 5 in our example) may be configured as tagged or untagged, it may even be omitted in the port configuration."
So my last configuration attempt had it untagged.

Did you try with tagged port 0 on all three config switch_vlan s and afterwards reboot?

I typically only restart the network service after making changes to /etc/config/network:
/etc/init.d/network restart

Setting port 0 to tagged on all three and rebooting appears to have gotten me one step forward.

The port assigned to the guest network now appears to work successfully.

If I run a network trace (tcpdump) against the "br-guest" device I see traffic flowing.

All the other ports still don't work.

If I run a network trace (tcpdump) against the "br-lan" device I don't see any traffic flowing at all.

Following further testing, I have noticed one difference in the network traces.

Tracing the working connection on the port that is attached to the "br-guest" device shows the 802.1Q tag:

tcpdump -nn -i eth0 -e ether host d8:bb:c1:43:16:a0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:18.416179 d8:bb:c1:43:16:a0 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 341: vlan 3, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d8:bb:c1:43:16:a0, length 295

but tracing the non-working connection on the other ports that are attached to the "br-lan" device shows no 802.1Q tags:

tcpdump -nn -i eth0 -e ether host 40:8d:5c:52:31:eb
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:33:15.144421 40:8d:5c:52:31:eb > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 337: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:8d:5c:52:31:eb, length 295

Shouldn't the traffic be tagged with "vlan 1"?

Hi

Best practice is to:

  1. reset device to default
  2. grab some old 100Mbps adapter
  3. connect to OWRT with SSH
  4. swconfig dev switch0 show

You will see something similar to:

Port 5:
        disable: 0
        doubletag: 0
        untag: 0
        led: ???
        lan: ???
        recv_bad: ???
        recv_good: ???
        tr_bad: ???
        tr_good: ???
        pvid: 0
        link: port:5 link:up speed:1000baseT full-duplex 

The key is 1000baseT.

Only two ports will be up: one at 100Mbps, which is the PC, and the other at 1000Mbps, which is the CPU.
Every VLAN on the CPU port then needs to be tagged (5t, for example).

With all Ethernet cables disconnected, "swconfig dev switch0 show" returns:

Global attributes:
        enable_vlan: 1
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        mirror_monitor_port: 0
        mirror_source_port: 0
        linkdown: ???
Port 0:
        mib: Port 0 MIB counters
RxBroad     : 10
RxPause     : 0
RxMulti     : 58
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 4
Rx128Byte   : 36
Rx256Byte   : 22
Rx512Byte   : 3
Rx1024Byte  : 1
Rx1518Byte  : 2
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 11404
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 68
TxBroad     : 0
TxPause     : 0
TxMulti     : 0
TxUnderRun  : 0
Tx64Byte    : 0
Tx128Byte   : 0
Tx256Byte   : 0
Tx512Byte   : 0
Tx1024Byte  : 0
Tx1518Byte  : 0
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 0
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

        pvid: 0
        link: port:0 link:up speed:1000baseT full-duplex txflow rxflow
Port 1:
        mib: Port 1 MIB counters
RxBroad     : 0
RxPause     : 0
RxMulti     : 0
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 0
Rx128Byte   : 0
Rx256Byte   : 0
Rx512Byte   : 0
Rx1024Byte  : 0
Rx1518Byte  : 0
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 0
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 0
TxBroad     : 0
TxPause     : 0
TxMulti     : 0
TxUnderRun  : 0
Tx64Byte    : 0
Tx128Byte   : 0
Tx256Byte   : 0
Tx512Byte   : 0
Tx1024Byte  : 0
Tx1518Byte  : 0
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 0
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

        pvid: 1
        link: port:1 link:down
Port 2:
        mib: Port 2 MIB counters
RxBroad     : 0
RxPause     : 0
RxMulti     : 0
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 0
Rx128Byte   : 0
Rx256Byte   : 0
Rx512Byte   : 0
Rx1024Byte  : 0
Rx1518Byte  : 0
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 0
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 0
TxBroad     : 0
TxPause     : 0
TxMulti     : 0
TxUnderRun  : 0
Tx64Byte    : 0
Tx128Byte   : 0
Tx256Byte   : 0
Tx512Byte   : 0
Tx1024Byte  : 0
Tx1518Byte  : 0
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 0
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

        pvid: 1
        link: port:2 link:down
Port 3:
        mib: Port 3 MIB counters
RxBroad     : 0
RxPause     : 0
RxMulti     : 0
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 0
Rx128Byte   : 0
Rx256Byte   : 0
Rx512Byte   : 0
Rx1024Byte  : 0
Rx1518Byte  : 0
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 0
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 0
TxBroad     : 0
TxPause     : 0
TxMulti     : 0
TxUnderRun  : 0
Tx64Byte    : 0
Tx128Byte   : 0
Tx256Byte   : 0
Tx512Byte   : 0
Tx1024Byte  : 0
Tx1518Byte  : 0
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 0
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

        pvid: 1
        link: port:3 link:down
Port 4:
        mib: Port 4 MIB counters
RxBroad     : 0
RxPause     : 0
RxMulti     : 0
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 0
Rx128Byte   : 0
Rx256Byte   : 0
Rx512Byte   : 0
Rx1024Byte  : 0
Rx1518Byte  : 0
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 0
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 0
TxBroad     : 0
TxPause     : 0
TxMulti     : 0
TxUnderRun  : 0
Tx64Byte    : 0
Tx128Byte   : 0
Tx256Byte   : 0
Tx512Byte   : 0
Tx1024Byte  : 0
Tx1518Byte  : 0
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 0
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

        pvid: 3
        link: port:4 link:down
Port 5:
        mib: Port 5 MIB counters
RxBroad     : 0
RxPause     : 0
RxMulti     : 0
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 0
Rx128Byte   : 0
Rx256Byte   : 0
Rx512Byte   : 0
Rx1024Byte  : 0
Rx1518Byte  : 0
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 0
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 0
TxBroad     : 0
TxPause     : 0
TxMulti     : 0
TxUnderRun  : 0
Tx64Byte    : 0
Tx128Byte   : 0
Tx256Byte   : 0
Tx512Byte   : 0
Tx1024Byte  : 0
Tx1518Byte  : 0
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 0
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

        pvid: 2
        link: port:5 link:down
VLAN 1:
        vid: 1
        ports: 0t 1 2 3
VLAN 2:
        vid: 2
        ports: 0t 5
VLAN 3:
        vid: 3
        ports: 0t 4

Which suggests to me that port 0 is the CPU and this is tagged on all VLANs.
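
An added example, not part of the original posts: a POSIX shell function that audits the VLAN section of `swconfig dev switch0 show` for the condition discussed in this thread (CPU port tagged in every VLAN) and, going slightly beyond it, for a port left untagged in more than one VLAN, which would defeat the guest/LAN separation. The names `check_vlans`, `sample_tagged` and `sample_untagged` are hypothetical; the first sample is the VLAN table from the output above, the second is constructed.

```shell
#!/bin/sh
# Added example: audit the VLAN table printed by `swconfig dev switch0 show`.
# Usage: swconfig dev switch0 show | check_vlans CPU_PORT
# Prints one finding per line; returns 0 when clean, 1 when there are findings.
check_vlans() {
    awk -v cpu="$1" '
    /^VLAN [0-9]+:/ { vid = $2; sub(/:$/, "", vid); next }
    vid != "" && $1 == "ports:" {
        has_cpu = 0
        for (i = 2; i <= NF; i++) {
            port = $i; tagged = (port ~ /t$/); sub(/t$/, "", port)
            if (port == cpu) {
                has_cpu = 1
                if (!tagged) { print "VLAN " vid ": CPU port " cpu " is untagged"; bad = 1 }
            } else if (!tagged && (port in owner)) {
                # A port that is untagged in two VLANs emits frames from both networks.
                print "port " port ": untagged in VLAN " owner[port] " and VLAN " vid; bad = 1
            } else if (!tagged) {
                owner[port] = vid
            }
        }
        if (!has_cpu) { print "VLAN " vid ": CPU port " cpu " is not a member"; bad = 1 }
        vid = ""
    }
    END { exit bad + 0 }
    '
}

# VLAN table from the swconfig output above (CPU port 0 tagged everywhere).
sample_tagged() {
    cat <<'EOF'
VLAN 1:
        vid: 1
        ports: 0t 1 2 3
VLAN 2:
        vid: 2
        ports: 0t 5
VLAN 3:
        vid: 3
        ports: 0t 4
EOF
}
# Constructed table: what the earlier attempt with untagged port 0 would show.
sample_untagged() { sample_tagged | sed 's/0t/0/'; }

sample_tagged | check_vlans 0 && echo "tagged table: no findings"
sample_untagged | check_vlans 0 || echo "untagged table: findings listed above"
```

A clean result only validates the table the switch driver reports; whether frames actually arrive tagged on eth0 is what the tcpdump captures earlier in the thread test.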


That model has an ipq4019 chip, which has been buggy in swconfig and vlans. I think it has been fixed in 23.03 which uses DSA.


Ah! In that case I'll wait until 23.03 has been released and try again then.

I'll post the results here for the benefit of others.

Thanks for letting me know.

@mk24 Yes I've been able to do this easily on this device running 23.05 thanks to DSA.

@tibbsbrookside: as @mk24 wrote, yes, ipq4019 is notoriously buggy with VLANs.
Also be aware that performance with 23.05 is lower than with 23.02, precisely due to DSA.
Have a look at this thread:
https://forum.openwrt.org/t/re-distribute-dsa-across-2-different-cores-mr8300-snapshot/169000