Configuring multiple VLANs on the WAN side with DSA

martdj · April 29, 2024, 1:37pm

I recently moved to a new Internet provider that uses VLANs on the WAN side:
VLAN ID 100 for Internet traffic
VLAN ID 101 for IPTV

Certain IP ranges should be tagged with VLAN 101, while everything else should go to VLAN 100.

My router is an Edgerouter-X, so it's using DSA. I've looked at the documentation and searched for forum topics, but I haven't been able to find a good explanation on how to achieve this. Is there anyone who can give me some pointers?

psherman · April 29, 2024, 1:41pm

Because of the architecture of the er-x, you will probably need to put all ports into the same bridge (br-lan) and then use bridge VLANs to handle all of the networks.

Post your current /etc/config/network file and we can advise from there.

Also necessary is the port mappings you want for the additional VLANs - please tell us port by port what each one does.

martdj · April 29, 2024, 5:47pm

Thanks for your reply.
This is my current /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd89:69dd:4313::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list dns_search 'olympus.lan'
        list ipaddr '192.168.7.1/24'

config interface 'wan'
        option device 'eth0.100'
        option proto 'dhcp'
        option ifname 'eth0.100 eth0.101'

config interface 'wan6'
        option device 'eth0.100'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config vlan 'vlan100'
        option device 'eth0'
        option vid '100'

config vlan 'vlan101'
        option device 'eth0'
        option vid '101'

Currently, eth0 is linked to my modem/WAN. eth1 is going to my switch. I have my iptv device linked to eth4.

These are the ranges which should go to VLAN 101:
62.45.57.34/32
62.45.57.0/24
62.45.59.0/24
62.45.76.0/24
62.45.58.226/32
62.45.45.150/32
62.45.49.0/24
212.115.196.0/25
217.63.90.128/25
217.63.91.0/26
62.45.61.32/27
62.45.61.16/28
62.45.61.64/28
217.102.255.57/32

psherman · April 29, 2024, 6:16pm

Your current config is invalid.

Delete this:

Add eth0 to br-lan:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

Add this:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:u*'
        list ports 'eth2:u*'
        list ports 'eth3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '101'
        list ports 'eth0:t'
        list ports 'eth4:t'

Edit:

config interface 'wan'
        option device 'br-lan.100'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-lan.100'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

Add:

config interface 'iptv'
        option device 'br-lan.101'
        option proto 'none'

I’m pretty sure you don’t need to do anything here.

martdj · April 29, 2024, 8:26pm

Thanks for your effort!
This config does trash the router though, so there's something which is not right. If I go through Luci and I create a bridge-VLAN for br-lan, I'm losing my network. Apparently, it doesn't like that. Do you have an idea what could be the cause?

mk24 · April 29, 2024, 8:40pm

As it's now running VLANs inside br-lan, you also have to set the lan interface's device from br-lan to br-lan.1 matching the bridge-vlan numbered 1 that goes untagged to the eth ports that serve as lan. Do all of this at the same time or you'll lose lan access.

As @psherman said, the OpenWrt kernel does not need to know any IPTV addresses or process any IPTV packets, as VLAN 101 is switched to the TV box by hardware and the TV box will be able to reach TV servers directly. All of OpenWrt's use of the Internet is through the wan interface on VLAN 100.

When using port 4 on an Edgerouter-X, be sure to keep PoE out turned off. Enabling the passive PoE to a non-PoE device is likely to result in hardware damage.

psherman · April 29, 2024, 8:53pm

Sorry about that. I missed one edit. You may already have seen @mk24 ‘s response.

Edit lan to use br-lan.1:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        list dns_search 'olympus.lan'
        list ipaddr '192.168.7.1/24'

martdj · April 29, 2024, 9:22pm

Thanks you both! With that change, my network is indeed working.
Also thanks for the reminder on the PoE. Though my current power adapter doesn't support PoE on eth4, I already played it safe by swapping eth4 for eth3 for the IP TV box.
I have one more challenge left. Though the routes I mentioned earlier for VLAN 101 would indeed be covered by the fact that all traffic from eth3 is now going to VLAN ID 101, there's actually one range, 62.45.57.36/32, which is supposed to go from the IP TV box over VLAN ID 100.
How would one configure that?

Edit:
I guess this should do the trick. Is that correct?
config route
option interface 'wan'
option target '62.45.57.36/32'

psherman · April 29, 2024, 9:28pm

The iptv box transparently moves through the switch. There is no routing for it on your er-x. All routing is handled by the isp (upstream).

system · May 9, 2024, 9:31pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.