Sounds as if you simply want to isolate some of the RJ45 ports into separate interfaces which are not part of the generic LAN bridge. For that you wouldn't need any specific VLAN configuration. Removing the corresponding ports (I guess "lan2" for kids and "lan3" for guest) from the br-lan bridge should be sufficient. You can then create two new interfaces (e.g. named "kids" and "guest") and assign "lan2" and "lan3" as physical interface to them respectively.
When reconfiguring the ethernet switch/ports of a device I usually connect via wifi to the unit, this way intermittent ethernet disruptions do not interfere with the apply process.
And to allow cross "switch" traffic, e.g. lan2 (kids) over to static.ip on lan1 (home) this would be achieved through a couple simple firewall rules to cover traffic from each source interface/zone to the other?
Finally, is it then easy to setup multiple DNS (many dnsmasq?) now with DSA? So "kids" are on a filtered DNS provider?
I recall reading it was possible with swconfig to have multiple dnsmasqs; however, it had to be done via command to bind the dnsmasq instance to the interface. I did try but would get cross DNS leaks (for lack of a better term) where sometimes my browsing would get incorrectly filtered/blocked.
PS @jow - thank you for your work on the DSA LuCI update.
Yes, exactly. From then on it is ordinary routing/firewalling between separate interfaces/networks.
I think multiple dnsmasq instances are not supported by LuCI, but apart from that it should be doable yes. Have one instance serving br-lan and two more instances serving kids (lan2) and guest (lan3) each. Maybe coupled with some firewall rules forcibly redirecting all TCP/UDP port 53 traffic from lan2/lan3 to the local dnsmasq in order to prevent clients from bypassing it by manually setting another NS.
Earlier in this thread you wrote that dnsmasq.conf hardcodes interface=br-lan in this firmware. You'd need to remove that to allow the tamariki DHCP pool to work.
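The setup discussed above (a port pulled out of br-lan, its own dnsmasq instance, and a forced port 53 redirect), sketched as UCI config in 21.02-style DSA syntax. This is an added example, not part of any post in the thread; the names 'kids' and 'kids_dns', the subnet and the resolver address are assumptions.

```uci
# Constructed example: names, subnet and resolver address are placeholders.
# /etc/config/network -- lan2 must no longer appear in br-lan's 'list ports'
config interface 'kids'
	option device 'lan2'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp -- second dnsmasq instance bound to 'kids' only
config dnsmasq 'kids_dns'
	option nonwildcard '1'            # bind to listed interfaces, not 0.0.0.0
	list interface 'kids'
	list notinterface 'loopback'      # leave 127.0.0.1 to the main instance
	option noresolv '1'               # ignore the ISP-provided resolvers
	list server '192.0.2.53'          # placeholder for the filtered resolver
	option leasefile '/tmp/dhcp.leases.kids'

config dhcp 'kids'
	option instance 'kids_dns'        # serve this pool from kids_dns
	option interface 'kids'
	option start '100'
	option limit '50'

# /etc/config/firewall -- isolated zone, internet only, DNS forced to router
config zone
	option name 'kids'
	list network 'kids'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'kids'
	option dest 'wan'

config rule
	option name 'kids-dns-dhcp'       # let clients reach dnsmasq on the router
	option src 'kids'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config redirect
	option name 'kids-force-dns'      # no dest_ip: redirect to the router itself
	option src 'kids'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
```

The main dnsmasq instance also has to be restricted to its own interfaces (for example with `list interface 'lan'`), otherwise both instances compete for the same sockets and queries can be answered by the wrong one. The redirect only covers plain DNS on port 53; clients using DNS over TLS or HTTPS are not caught by it.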
thank you @jow
This is why I should not do this so late at night, however the wife gets upset when the innernets are down. Hats off to you and everyone who keeps this project alive; and the many active contributors (looking at you @SkewedZeppelin too)
I am not sure if I should continue this here or move to the LuCI testing thread. Let me know if I should move it.
However I am curious if anyone else is having this issue?
I still get the lan2 port becoming disabled when I bridge to 'kid' wifi. I even recreated the interface but as soon as there is a bridge created the interface port is gone. If I bridge the 'kid' wifi to br-lan it was all good.
I type "was" as I then added a couple wireless connections bridged to br-lan and a new interface guest (lan4); router dropped both the ports for 'kids' (lan2) and 'guest' (lan4), but clients could still connect to wifi.
I rebooted the router; all ports lit up, then only lan4 remained lit. I didn't test if it was working, as I need to sleep now and I mistyped my wifi p/w while connected to lan, so I have to reset the config. Maybe I will try 21.02, then slowly work my way back up to this image.
A significant DSA roaming fix went into the 21.02 branch yesterday for the MV88 switches in all mvebu routers (along with the new wireguard). It's in the new snapshots and will presumably be in this next build here. I wonder if that'll help some of these less common network setups people have here using external switches. Some really nice polishing is happening on the 21.02 branch and it's starting to look like 21.02 will be a very solid release once it's done.
Hello your link is broken, something about IT stack??
Anyways do you have a new build by any chance, hopefully it has wget-ssl, nano, and tcpdump-mini? A complete build if possible for WRT1900ACS V2. Very intrigued to test.
One thing I have immediately noticed is that with kernels 5.4.110 and 5.10.28 SQM w/ cake the throughput is slower for some reason.
My connection is 950/500 (fibre to the house)
kernel 4.14.x : 750-900 / 450-500
kernel 5.4 & 5.10 : 500-600 / 400-450
As soon as I disable SQM my speeds jump back to 880-950 / 450-500+
It does not matter what iface I use, as soon as cake is enabled it slows down. I tried fq_codel and whilst the speed was mostly back I had worse bufferbloat vs SQM disabled.
Is there anything I can do about this?
EDIT: by enabling this in ./network I was able to squeeze 60-80Mbps more on the download
option packet_steering '1'
EDIT2: I am getting this same behaviour on 21.02 so must be a kernel thing. Does cake get updated or has it been left too long and gone stale?
Cake is recommended over anything else at this point; they have even said fq_codel is obsolete, so hopefully cake gets updated/improved within OpenWrt.
Yes - I have cake tuned nicely on 19.07 w/ kernel 4.14.x. It's a shame I lose 200-300+Mbps download on kernel 5.x.
Looking at git it seems there have been changes related to cake made to the 5.x kernel over the past year and a bit ...???? I wish I understood this all better.
Might be worth submitting an OpenWrt bug report with these findings; that's a significant regression. Common understanding is almost no routers can do 800+Mbits with SQM cake, and if these are in that category that's amazing. I always placed it around 600Mbits, but since my cable caps out at 500Mbits I never knew for sure.
If you are compiling from my guide, please make a test build with the defconfig hardening patches disabled:
0002-kernel-generic-5.4-config-hardening.patch
0003-kernel-generic-5.10-config-hardening.patch
they are fully expected to reduce performance at the benefit of security.
Yes, I'll need to retest, as I thought I had rolled a fresh 21.02 with all defaults but then realised that if the firmware on the alternate partition does not have SQM, then when I go back to my 19.07 it only has fq_codel available as a qdisc shaper. I thought I made another 21.02 image w/ SQM, but I need to improve my naming conventions as I cannot find it now.
@SkewedZeppelin Happy to make a 'soft' config test image. I have followed the steps in your build guide to a 'T' and I am hoping you could be so kind as to advise the best way to un-"git am" patches as it'll save me heaps of time searching the innerwebs. Thank you in advance.