After my failed attempt to convert a swconfig to DSA, I read more about DSA, what it does and what it doesn't do. At this point my understanding is that VLANs on DSA in OpenWrt don't function the same as VLANs in the rest of the networking world. I want to get feedback from the community and see if I have a correct understanding here.
In the default networking world, a VLAN is a way of emulating 2 or more physical switches on the same hardware. Devices on one VLAN cannot ping another VLAN even if both are physically on the same switch, unless a routing rule is created to forward traffic. No firewall rules are required to prevent hosts on different VLANs from communicating.
In OpenWrt DSA networking VLANs are not isolated from each other in the same way. A host on one VLAN can ping another VLAN even without a defined route, because OpenWrt automatically creates routes between all VLANs.
I'm not really sure what the point of VLANs is in such a scenario. Just having different DHCP zones, I guess. I found it confusing because under the old swconfig VLANs did actually isolate traffic from one another, so I was expecting it to work the same with DSA. However, my own testing showed that's not the case, and other forum posts I have read indicate others also see the same behavior of being able to ping one VLAN from another.
So I just want to double check with the community if this is how DSA VLANs are supposed to work or if I am overlooking something.
Typically isolation is lacking if you do not enable VLANs on the main bridge - you can kind of configure them on ports, but all frogs land in the same pond.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Just to establish a baseline understanding, "convert" in this context only applies if:
You are moving between a device that uses swconfig to a new one that uses DSA
or
Your device is one that has an underlying transition of swconfig > DSA as a function of a major OpenWrt release.
You cannot use DSA syntax on a device that still uses swconfig, and vice versa.
This is true with OpenWrt (both swconfig and DSA), although there is more nuance to what VLANs enable than just this.
Again, there is more nuance, but yes, at layer 2 (switching), devices on different VLANs will not be able to connect to each other.
Layer 3 (routing) is where all the action is in terms of inter-vlan routing. The design of the firewall itself (speaking about the true firewall software layer, not a hardware appliance or the broad term for the router+firewall functions) will determine if rules are explicitly required to allow vs block inter-VLAN routing. And there is nuance with each, as well. With the zone based firewall in OpenWrt, additional firewall rules are not required to prevent inter-VLAN routing if the subnets are in different zones. But if they are in the same zone, that is first determined by the forward zone rule, and then possibly by other rules. There are non-ZBF systems that will route freely unless a ruleset is in place to block it. So... it depends.
Yes they are, assuming the VLANs and the firewall are correctly configured.
Routes yes, but firewall rules... again... it depends. This is happening at L3, whereas DSA and VLANS in general are actually L2 constructs.
If this is the behavior you are experiencing (and is not intended), it speaks to a misconfiguration of your system.
VLANs are the same, functionally, regardless of the use of swconfig vs DSA. It's basically just like two different languages achieving the same exact functionality and goals. You need to understand the languages, though, to properly achieve the goals.
At a low-level (i.e. the kernel) it is completely different because DSA abstracts the switch, providing a port-level view and handling the switch configuration under the hood.
At a middle level (i.e. the configuration), it's a different syntax. You need to learn it, but once you understand it you'll be able to translate swconfig to DSA and vice versa, such that you implement VLANs properly that work across different devices (and yes, also across ecosystems -- the VLANs in OpenWrt are implemented with the same 802.1Q tagging as the entire industry).
At a high level (i.e. the functional outcome), they are identical in the things that can be achieved.
If you're having issues, it's almost certainly a configuration-related problem. That said, as requested in @brada4's post, if you want help, reviewing your config is the best approach. It may also be helpful if you post your desired outcome on a per-port basis.
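The zone-based firewall behaviour described in this reply (same zone: the zone's forward policy decides; different zones: only an explicit forwarding section allows traffic) can be checked against a config before it is deployed. The script below is an added example, not code from the thread or from OpenWrt itself: it parses constructed UCI-style /etc/config/network and /etc/config/firewall text (DSA bridge-vlan syntax, one interface per VLAN) and reports, for each ordered pair of VLAN interfaces, whether inter-VLAN forwarding would be permitted. The "shared zone" firewall snippet is the weak setting; the "separate zones" snippet is the corrected one. Per-rule `config rule` sections are deliberately not modelled, and the REJECT default for an unset zone `forward` option is OpenWrt's documented default.

```python
"""Added example, not the thread's own config: reads UCI-style /etc/config/network and
/etc/config/firewall text and reports, per pair of VLAN interfaces, whether OpenWrt's
zone-based firewall would forward between them. All config text here is constructed."""
import re
# Constructed DSA network config: one bridge, one bridge-vlan per VLAN, one interface per VLAN.
NETWORK = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan3:u*'
    list ports 'lan4:u*'
config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
config interface 'guest'
    option device 'br-lan.2'
    option proto 'static'
    option ipaddr '192.168.2.1'
"""
# Weak: both VLAN interfaces sit in one zone whose forward policy is ACCEPT.
FIREWALL_SHARED_ZONE = """
config zone
    option name 'lan'
    list network 'lan'
    list network 'guest'
    option forward 'ACCEPT'
"""
# Corrected: one zone per VLAN and no 'forwarding' section between them.
FIREWALL_SEPARATE_ZONES = """
config zone
    option name 'lan'
    list network 'lan'
    option forward 'ACCEPT'
config zone
    option name 'guest'
    list network 'guest'
    option forward 'REJECT'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, options)]; 'list' values become lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = [p.strip("'\"") for p in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if parts[0] == 'config':
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == 'option':
            sections[-1][2][parts[1]] = parts[2]
        elif parts[0] == 'list':
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def vlan_interfaces(network_text):
    """Interface name -> bridge VLAN device such as 'br-lan.2'."""
    return {name: opts['device'] for typ, name, opts in parse_uci(network_text)
            if typ == 'interface' and re.fullmatch(r'br-\w+\.\d+', opts.get('device', ''))}

def forwarding_allowed(firewall_sections, src_iface, dst_iface):
    """Zone-based semantics: same zone -> that zone's 'forward' policy (REJECT when unset);
    different zones -> only an explicit 'forwarding' src->dest section allows it."""
    iface_zone, zones = {}, {}
    for typ, _, opts in firewall_sections:
        if typ == 'zone':
            zones[opts['name']] = opts
            nets = opts.get('network', [])          # 'list network' or legacy 'option network "a b"'
            for net in nets.split() if isinstance(nets, str) else nets:
                iface_zone[net] = opts['name']
    src, dst = iface_zone.get(src_iface), iface_zone.get(dst_iface)
    if src is None or dst is None:
        return False  # an interface outside every zone gets no forwarding at all
    if src == dst:
        return zones[src].get('forward', 'REJECT').upper() == 'ACCEPT'
    return any(typ == 'forwarding' and opts.get('src') == src and opts.get('dest') == dst
               for typ, _, opts in firewall_sections)

def inter_vlan_report(network_text, firewall_text):
    """{(src_iface, dst_iface): allowed} for every ordered pair of VLAN interfaces."""
    fw = parse_uci(firewall_text)
    ifaces = sorted(vlan_interfaces(network_text))
    return {(a, b): forwarding_allowed(fw, a, b) for a in ifaces for b in ifaces if a != b}

if __name__ == '__main__':
    for label, fw in (('shared zone', FIREWALL_SHARED_ZONE), ('separate zones', FIREWALL_SEPARATE_ZONES)):
        for (a, b), ok in inter_vlan_report(NETWORK, fw).items():
            print(f"{label:15} {a} -> {b}: {'forwarded' if ok else 'blocked'}")
```

Run as-is it prints that lan and guest forward to each other under the shared zone and are blocked under separate zones; to allow one direction deliberately, add a `config forwarding` section with `option src` and `option dest`, which the checker also recognises. The L2 side (each port untagged in exactly one bridge-vlan) is a separate check that this script does not perform.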
If you speak of a router then yes.
If you have an address on an interface you get a route for that subnet.
If your router is a router and has forwarding enabled, then yes the router can forward/route from one network to another network.
If you have a switch and on different interfaces you have different VLANs, AND because it's a switch it has no addresses on these interfaces and/or has (layer 3) forwarding disabled, because it is a switch and not a router, then the switch will not route/forward packets from one VLAN with a network to another VLAN with a different network...
Well, my config files are included in this thread: DSA VLAN help needed - #20 by psherman. However, I bricked that router trying to upgrade. I haven't yet purchased a new one, and I'm trying to decide if I want to give OpenWrt another go or try DD-WRT or another brand. Having full port isolation between switch ports is important to me, so that's why I am trying to figure out if that's something OpenWrt offers. There are no VLANs on my previous setup because every time I enabled it I got locked out of the router and had to reset, though my old swconfig worked great with VLAN.
I'm glad to hear I was mistaken. I can consider giving OpenWrt another shot then. It is important to me to have full isolation between VLANs because I don't like to rely totally on firewall rules. Firewalls can be accidentally misconfigured, temporary rules put in place for troubleshooting and then forgotten, etc. My goal is to only allow access to the admin interface of the router from a single ethernet port and not any of the others, and to have this port isolated with both firewall and VLAN. So now that I know OpenWrt supports VLAN isolation I can start looking at which hardware to replace my previous bricked Linksys router with. I will want to make sure full VLAN functionality is known to work on the specific model I choose. Are there models I should avoid for having known buggy VLAN functionality, or other models that are known good I can aim for?
The vast majority of devices work without any issues. If you're obtaining a new device, you should first consider the rest of your requirements (ISP speed, cost, local availability, do you need SQM or other traffic shaping, number of ports and bandwidth of those ports, ethernet only or ethernet + wifi, etc.)
VLAN aka https://en.m.wikipedia.org/wiki/IEEE_802.1Q has nothing to do with security.
It comes from an age when people used flat IPv4 /16 networks and put far too many hosts in them, and you needed to group (synonym: separate) these hosts.
Security, which mostly refers to firewalling or network filtering, is a layer 3 thing. Sure, even Linux can filter on raw packets and do analysis and even manipulate Ethernet frames, too.
When people nowadays talk about "vlan isolation" they are using weak terminology. In simple networks with only one central gateway, which most of the time is also the one and only firewall, all networks from all VLANs meet there. That's where the filtering happens.
If you now want some kind of special management interface, which you usually find in enterprise grade hardware, you can emulate that with Linux and OpenWrt, too.
The easiest way in my opinion is:
Assign a vlan to a physical port
Use only IPv6 link local address to access the device
I disagree security only happens at layer 3. Every layer should have some type of security. Even if all traffic comes into a central gateway/firewall that gateway can do filtering on both layer2 VLAN and layer 3 IP firewall zones.
That pretty well describes most home networks also. Very few people have the funds for multiple routers. So by default it is a flat network. VLANs make sense in this environment.
Just because you set a VLAN id on one or another interface in your switch ASIC does not give you security.
It just separates or organizes hosts in groups.
If you need protection against attacks on layer2 then it's a whole different story.
VLANs are isolated partitions, switch or wire. cf. having 2 subnets on the same ethernet where they multicast to each other. Setup can carry security filtering or not. Going to extremes, 802.1ad aka QinQ can support micro-segments, one per client machine.