DSA: Switch configuration

Hi there,

I'm a little confused about DSA. I would like to use Netgear R6220 as 5 port switch + wifi AP, no routing, NAT, firewall, whatever. So, what is the proper way to get rid of wan interface and have a dumb 5 port switch? I use 21.02.3, so the switch configuration is already moved to DSA.

Thanks in advance for any help.

Give default configuration /etc/config/network

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd39:1332:8046::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

Easiest way is through luci. Go to Network > Interfaces. Delete the wan and wan6 interfaces. Then click the tab for Devices. In the list of devices you want to configure br-lan and just add wan to the Bridge Ports using the dropdown. Remember to save+apply your changes.

Alternatively you can directly edit /etc/config/network by adding list ports 'wan' to the config device section and deleting the wan and wan6 sections. Then reload the network by running service network reload.

I followed the second option and it seems to work fine:

bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.8c3bad4442b9	no		lan4
							lan2
							wlan0
							wan
							lan3
							wlan1
							lan1

According to my knowledge all devices in the bridge should get the same MAC address. But:

# ifconfig  | egrep 'Link|inet'
br-lan    Link encap:Ethernet  HWaddr 8C:3B:AD:44:42:B9  
          inet addr:192.168.0.126  Bcast:192.168.0.127  Mask:255.255.255.128
          inet6 addr: fe80::8e3b:adff:fe44:42b9/64 Scope:Link
eth0      Link encap:Ethernet  HWaddr 0A:89:CA:24:AE:B3  
          inet6 addr: fe80::889:caff:fe24:aeb3/64 Scope:Link
lan1      Link encap:Ethernet  HWaddr 0A:89:CA:24:AE:B3  
lan2      Link encap:Ethernet  HWaddr 0A:89:CA:24:AE:B3  
lan3      Link encap:Ethernet  HWaddr 0A:89:CA:24:AE:B3  
lan4      Link encap:Ethernet  HWaddr 0A:89:CA:24:AE:B3  
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
wan       Link encap:Ethernet  HWaddr 8C:3B:AD:44:42:B9  
wlan0     Link encap:Ethernet  HWaddr 8C:3B:AD:44:42:B8  
          inet6 addr: fe80::8e3b:adff:fe44:42b8/64 Scope:Link
wlan1     Link encap:Ethernet  HWaddr 8C:3B:AD:44:42:BC  
          inet6 addr: fe80::8e3b:adff:fe44:42bc/64 Scope:Link

MACs are different. Is it normal?
What is this eth0 interface?

OpenWrt is not for casual users who want their Wi-Fi to just work. It requires you to have networking and Linux knowledge.

For the networking part, the MAC address can be almost anything (except for some invalid 24-bit OUIs), as long as they are unique across a broadcast domain.

For the Linux part, the eth0 interface is the hardware interface, which sits right behind the Ethernet port of the CPU. You cannot see that Ethernet port, because it is inside the router -- it connects the CPU (or the operating system) to the 6-port switch (yes, it is 6). I know it is confusing but you need to understand the topology of your device before doing any configuration.

Talking about DSA, at first it complicates your configuration by adding an extra step of splitting your switch into multiple virtual switches, before you can split each switch into VLANs. The advantages over traditional uci and swconfig configuration is that you don't have to worry about tagging/untagging 802.1q packets which go in and out of the eth0. Again, you need to learn 802.1q first before you understand what it means.

I know what MAC is. My question was if it is normal that physical interfaces inside of one bridge interface have different MACs?

The part about eth0 is still confusing for me. Could you please share a link to some description of Netgear R6220 topology? Particularly networking part.

I know what MAC is. My question was if it is normal that physical interfaces inside of one bridge interface have different MACs?

A bridge interface with multiple slave interfaces works like a switch with multiple ports. I never take a look at the source code of Linux kernel, but from a logical view, an incoming Ethernet frame to the bridge is either:

1. destined to another device on the other end of another slave interface
2. destined to the bridge itself (in other word, to the operating system that owns the bridge)

That means slave interfaces do not need any MAC address. They neither send nor receive packets. So having a MAC address does not make any sense. Of course they can have MAC addresses before you add them into a bridge. But after they are added, their MAC addresses are useless.

The bridge itself, needs a MAC address to send/receive packets. In your case it is 8C:3B:AD:44:42:B9. If you do not want to receive any packets on the bridge, you can set option proto none under the bridge configuration. That disables Layer 3 protocols such as IPv4 or IPv6 from running above the bridge (I am not sure if the operating system can still participate in Layer 2 protocols with other devices). Packets destined for the bridge are simply dropped, while those destines for other devices are still forwarded normally.

The part about eth0 is still confusing for me. Could you please share a link to some description of Netgear R6220 topology? Particularly networking part.

Take a look here: https://openwrt.org/docs/guide-user/network/vlan/switch. It has almost the same topology like your device's.

R6220 has the very common MT7621 SoC, which is in a lot of models. All the Ethernet hardware is inside this chip so it is the same for all models. The R6220 does have the cut down MT7621ST, which has a single CPU core (2 threads) instead of the 2 cores 4 threads of the MT7621AT. This does not change the Ethernet logic at all.

DSA is supposed to abstract out the fact that the hardware is a single CPU port and a switch, instead of 5 independent CPU ports. It works by having the switch apply special vendor-specific tags to each packet that identify which port it was received on. The tags are then stripped off and analyzed in the kernel when packets arrive at eth0 they will be directed to one of the virtual ports like lan1 or wan.

There is no reason for the user to interact with the eth0 port. The data it carries is all specially tagged and can't be used directly anyway.

One more question, how to translate following configuration to DSA:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 5'

This configuration is invalid.

I corrected the vlan id.
And yes, routing is done by the server, not the OpenWRT box. OpenWRT box joins internal (vlan 1, ports 0-3) and external (vlan 2, port 5) traffic and sends it to the server (two logical connections sharing one physical link on port 4). Server gets the public IP, does NAT, firewall etc.

Combining tagged and untagged on the same port (4) is not recommended. The "server" router connected to port 4 should be configured to use tagged in both VLANs.

Then you need to know the relation of the old port numbers to their new DSA names.

Put all the ports into one bridge and make two bridge-vlans with the ports listed either untagged or tagged.