Cannot get VLANing working on GL-inet Beryl (gl-mt1300)

jmacdonagh · September 10, 2022, 6:00pm

Hi, I’d like to set up my Gl-inet Beryl (gl-mt1300) so that the two LAN ethernet ports cannot directly communicate without going through the router first (i.e. I want to apply some firewall rules). I have gotten this to work in a Linksys MR8300 (using swconfig) but can’t achieve the same thing for this Gl-inet Beryl (which uses DSA).

I trust the hosts being plugged into the LAN ports, so I’m not worried about MAC spoofing.

I know the best way to achieve this is through VLANs. I know I could bypass VLANs and just have dnsmasq give out addresses for each host on a different subnet. The hosts would then reach out to the gateway (the router) to send a packet to another LAN host. I’ve also heard that having separate subnets on a single layer 2 link (e.g. the two switch ports on my router) can have unintended consequences.

As I said, I’ve achieved this on my Linksys MR8300 (which uses swconfig) by assigning each port to a separate VLAN (untagged) and ensuring the CPU port (port 0) is tagged:

config 'device'
    option 'name' 'br-lan'
    option 'type' 'bridge'
    list 'ports' 'eth0.11'
    list 'ports' 'eth0.12'
    list 'ports' 'eth0.13'
    list 'ports' 'eth0.14'

config 'interface' 'lan'
    option 'device' 'br-lan'
    option 'proto' 'static'
    option 'ipaddr' '192.168.68.1'
    option 'netmask' '255.255.255.0'

config 'switch'
    option 'name' 'switch0'
    option 'reset' '1'
    option 'enable_vlan' '1'

config 'switch_vlan'
    option 'device' 'switch0'
    option 'vlan' '11'
    option 'vid' '11'
    option 'ports' '0t 1'

config 'switch_vlan'
    option 'device' 'switch0'
    option 'vlan' '12'
    option 'vid' '12'
    option 'ports' '0t 2'

config 'switch_vlan'
    option 'device' 'switch0'
    option 'vlan' '13'
    option 'vid' '13'
    option 'ports' '0t 3'

config 'switch_vlan'
    option 'device' 'switch0'
    option 'vlan' '14'
    option 'vid' '14'
    option 'ports' '0t 4'

I also had to install the kmod-br-netfilter package to ensure the firewall could filter traffic between the LAN.

The Linksys is too big for what I need, and I thought the Beryl would work fine, but I can’t even get basic VLANing set up.

As a test, I flashed OpenWrt 22.03.0 r19685-512e76967f onto the Beryl. I connected my laptop to one of the LAN ports and (as a sanity check), set a static IP for my laptop’s Ethernet device to 192.168.1.2/24 (just in case some of the VLANing stuff I was doing would temporarily cause issues with dnsmasq).

Here’s what I’ve tried:

Do a full reset of the Beryl back to stock OpenWrt settings.
As a sanity check, I went to Network -> Interfaces -> Devices -> br-lan Configure -> Removed “lan2” from the Bridge Ports (I verified from the UI that my laptop was connected to lan1).
In the Bridge VLAN filtering tab, I enabled “Enable VLAN filtering”, added a row, set VLAN ID to “1”, Local checked, and set lan1 to “Egress untagged / primary VLAN ID” (u*).
Hit “Save”, started up a terminal with “ping 192.168.1.1”, then Save and Apply. The pings work until Save and Apply, then stop working with “ping: sendto: No route to host” (remember, I still have a static IP of 192.168.1.2/24 for my laptop)
Eventually the Luci interface will revert the changes and my pings return. I hit “dismiss” to keep my unsaved changes.
I go back to Network -> Interfaces -> Devices -> br-lan Configure, and change the Bridge Ports from “lan1” to “Software VLAN: ‘br-lan.1’” (removing lan1). Again, Save and Save and Apply. Pings stop working. Wait for Luci to revert.

I feel like I’ve tried every other combination and I can’t even get pings to the router to work:

Set the lan1 port to just “Egress untagged” (u)
Set the lan1 port to “Egress tagged / primary” (t*)
Set the lan1 port to “Egress tagged” (t)
Set the br-lan bridge ports to “br-lan.1, lan1”
Set the VLAN id to “3” and just have br-lan use the br-lan.3 as its bridge port

I feel like where I ended up at the last numbered step above is functionally identical to how the Linksys was configured (port is on a VLAN, bridge is set to bridge that VLAN port).

Any idea what I’m doing wrong? Thanks!

psherman · September 10, 2022, 6:10pm

Remove the dotted notation from eth0. Instead make it look like this:

config 'device'
    option 'name' 'br-lan'
    option 'type' 'bridge'
    list 'ports' 'eth0'

Then, look at this page for guidance:

In particular, this example shows that the dotted notation goes on the lan bridge on within the network interface definition.


config interface 'home'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'office'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.13.1'
	option netmask '255.255.255.0'

jmacdonagh · September 11, 2022, 12:47am

Hi, thanks for the reply but this doesn't seem to address what I'm trying to do.

What you are suggesting is both VLANs get a separate interface (with a separate subnet). When I set up the Linksys all ports were on separate VLANs but I only had a single "lan" interface.

Why does this matter? I didn't want to complicate my original question, but I want this to work with Wifi clients as well. What I really want to do is this:

Router has a single 192.168.1.1/24 LAN interface
dnsmasq gives machines addresses from static leases (based on MACs)
Router is aware of all traffic going between LAN clients (including traffic between machines connected to the Beryl LAN ports)
Router can have appropriate firewall rules between LAN clients

So really it's the third bullet that is the sticking point. With the Linksys I was able to simply put each LAN port on a separate VLAN. This ensured the switching fabric would never send traffic without involving the router.

jmacdonagh · September 11, 2022, 2:01am

I might have found a solution. I’ll update tomorrow when I’ve had more time to test.

anomeome · September 11, 2022, 2:45am

Forget bridge config if you want packets to got through CPU.

psherman · September 11, 2022, 8:25pm

This is only possible for clients directly connected to the router. Any 2 or more devices connected to another switch or AP would not be filtered.

jmacdonagh · September 11, 2022, 11:48pm

Ok, I thought I had it but I'm still having problems.

Here's my config:

config device
        option name 'br-switch'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'br-switch.11'
        list ports 'br-switch.12'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config bridge-vlan
        option device 'br-switch'
        option vlan '11'
        list ports 'lan1:u*'

config bridge-vlan
        option device 'br-switch'
        option vlan '12'
        list ports 'lan2:u*'

Original br-lan renamed to br-switch
Did VLAN filtering on br-switch and set lan1 to VLAN 11 and lan2 to VLAN 12
Set up a new bridge interface br-lan which uses those two VLAN devices
Set lan interface to use br-lan.

So, when I do this I see LAN<->LAN traffic with tcpdump. In addition, I installed kmod-br-netfilter and was able to add a firewall rule to block ICMP from one LAN host on the switch from pinging the other.

However, if I start a ping and then enable the firewall rule the pings still work. If I stop the pings and start them up again, the firewall kicks in. In addition, the ARP cache on the host pinging shows that it knows the hardware address of the host being pinged (which I'm trying to firewall off). This is even after I cleared the cache.

So the packets are going to the router, but the hosts can still access each other on the L2 link.

anomeome · September 12, 2022, 1:32am

If you want all packets to go through CPU I think you should gash the bridge in DSA config, so each interface used individually, along the lines of:

/etc/config/network

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:85:b5:25'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'lan1'
	option macaddr 'xx:xx:xx:85:b5:26'

config device
	option name 'lan1.20'
	option macaddr 'xx:xx:xx:85:b5:16'

config device
	option name 'lan2'
	option macaddr 'xx:xx:xx:85:b5:27'

config device
	option name 'lan3'
	option macaddr 'xx:xx:xx:85:b5:28'

config device
	option name 'lan3.30'
	option macaddr 'xx:xx:xx:85:b5:18'

config device
	option name 'lan4'
	option macaddr 'xx:xx:xx:85:b5:29'

config interface 'lan'
	option device 'lan1'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'lan20'
	option device 'lan1.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'lan30'
	option device 'lan3.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

DSA will offload VLAN bridge to the switch HW, filtering ON | OFF.

jmacdonagh · September 12, 2022, 6:57pm

Thank you all for the replies.

I still haven't gotten this to work but I wanted to explain what I'm trying to do.

I want a single subnet that all Ethernet and wifi clients would connect to. I want all traffic to go through the router for firewalling (I'm aware if I plugged in a switch to the router then I wouldn't see that traffic but that's not a concern of mine).

The problem is I have multiple Ethernet devices that I will be plugging / unplugging separately, and I don't want to have to worry about what port I plug them into. I want the firewall to handle any filtering between devices.

A lot of the solutions I've seen online and suggested in this forum post is that each VLAN would need a separate OpenWrt "interface" (meaning a separate subnet). That could work but it also complicates things because now I have to remember "ok, this ethernet device must go in port 1, this one must go in port 2". I will be traveling a lot and the ability to just "plug this device into whatever router port" would be super helpful.

Again, with the Linksys I simply made each port untagged in a different VLAN and it all magically worked. Maybe that was by chance and in reality I'm supposed to have separate subnets for each VLAN? Or maybe DSA simply does not support what I was able to do with swconfig with the Linksys?

Anyone super knowledgable about DSA and could provide some input? Thanks!

anomeome · September 12, 2022, 7:11pm

wiki dsa example 4 is exactly that, but, packets will stay on the switch.

jmacdonagh · September 12, 2022, 8:04pm

Unfortunately that didn't work for me. It wasn't really clear if it would apply to me, but what I did was:

VLAN 1: lan1: t, lan2: t
VLAN 11: lan1:u*, lan2: none
VLAN 12: lan1: none, lan2:u*

I then set the LAN interface to use br-lan.1. I couldn't access the router when applying those changes. Maybe I misunderstood?

jmacdonagh · September 13, 2022, 1:54am

I feel like I'm getting closer.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd4d:6bb2:1067::/48'

config device
	option name 'br-lan'
	option type 'bridge'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-switch'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-switch'
	option vlan '11'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-switch'
	option vlan '12'
	list ports 'lan2:u*'

config interface 'switch'
	option proto 'static'
	option device 'br-switch'
	option ipaddr '192.168.77.1'
	option netmask '255.255.255.0'

/etc/config/wireless

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'

What I did was:

Remove lan1/lan2 from br-lan
Kept lan interface 192.168.1.1/24
Added wifi AP bridged to lan network
Added br-switch with lan1/lan2
Set up VLAN filtering on br-switch. lan1 = VLAN 11 u*, lan2 = VLAN 12 u*
Added a switch interface with 192.168.77.1/24

I then installed ip-bridge and tcpdump. Connected my laptop via wifi to router and connected laptop to router via ethernet. I gave the ethernet adapter 192.168.77.20/24 with 192.168.77.1 as the router.

bridge vlan shows:

port              vlan-id  
lan1              11 PVID Egress Untagged
lan2              12 PVID Egress Untagged
br-switch         11
                  12
br-lan            1 PVID Egress Untagged

If I start pinging 192.168.77.1 from my laptop and listen on the router with tcpdump -i lan1 -e I see the ARP requests from my laptop but no replies (and obviously pings don't work):

listening on lan1, link-type EN10MB (Ethernet), capture size 262144 bytes
01:46:03.117438 MAC-LAPTOP (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype ARP, Request who-has 192.168.77.1 tell 192.168.77.20, length 46
01:46:04.334026 MAC-LAPTOP (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype ARP, Request who-has 192.168.77.1 tell 192.168.77.20, length 46

ip addr shows br-switch has 192.168.77.1. Is there something fundamental I'm not understanding or is there just one final piece of the puzzle?

Borromini · September 13, 2022, 3:37am

@anomeome Is this still necessary with a single port, on DSA? AFAIK something like this should suffice then:

config device
        option type '8021q'
        option ifname 'lan2'
        option vid '12'

No idea how to specify it's the default untagged VLAN this way though.

system · October 3, 2022, 1:00pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.