DSA switch port vlan tagging - untagging

I am using OpenWRT 18.06 RC1 on my Turris Omnia and am trying to replicate my old swconfig configuration.

This is my old swconfig configuration:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'dmz'
	option type 'bridge'
	option ifname 'eth1.2'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4t 5t'

This is my new DSA configuration:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.2'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

From the router, I can ping the other device on both VLANs:

# ping -c 3 192.168.1.5
PING 192.168.1.5 (192.168.1.5): 56 data bytes
64 bytes from 192.168.1.5: seq=0 ttl=64 time=0.434 ms
64 bytes from 192.168.1.5: seq=1 ttl=64 time=0.335 ms
64 bytes from 192.168.1.5: seq=2 ttl=64 time=0.333 ms

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.333/0.367/0.434 ms

# ping -c 3 192.168.3.5
PING 192.168.2.5 (192.168.3.5): 56 data bytes
64 bytes from 192.168.3.5: seq=0 ttl=64 time=0.455 ms
64 bytes from 192.168.3.5: seq=1 ttl=64 time=0.341 ms
64 bytes from 192.168.3.5: seq=2 ttl=64 time=0.337 ms

--- 192.168.3.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.337/0.377/0.455 ms

But from another device connected to the lan0 port I can't ping; the firewall rules are the same as in the old configuration and I have reviewed them. I think the trouble is with VLAN tagging/untagging.

How can I tag/untag a VLAN using DSA?

I have tried to install the "bridge" package to get more information or to try something. But I get the following error:

# opkg install bridge
Installing bridge (1.5-5) to root...
Downloading http://downloads.openwrt.org/releases/18.06.0-rc1/packages/arm_cortex-a9_vfpv3/packages/bridge_1.5-5_arm_cortex-a9_vfpv3.ipk
Collected errors:
 * check_data_file_clashes: Package bridge wants to install file /usr/sbin/brctl
        But that file is already provided by package  * busybox
 * opkg_install_cmd: Cannot install package bridge.
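The translation the first post does by hand (swconfig `ports` lists into DSA `ifname` lists), written out as an added POSIX sh example; this is not code from the thread or from OpenWrt. It assumes the port mapping the post's before/after configs show: swconfig port N is DSA port lanN, a `t` suffix means a tagged member, and ports 5 and 6 are the CPU-facing ports that DSA does not expose, so they are dropped. The conflict check goes one step beyond the post and flags any DSA interface that would have to join two bridges, since a port can only be a member of one.

```shell
#!/bin/sh
# Added example, not from the thread: swconfig VLAN port lists -> DSA ifname lists.
# Assumption (taken from the thread's own configs): swconfig port N maps to DSA
# port lanN, and ports 5/6 are the CPU ports, which DSA does not expose.

# swconfig_to_dsa PORTS VID
#   "0 1 2 3 4t 6t" 1  ->  "lan0 lan1 lan2 lan3 lan4.1"
#   "4t 5t"         2  ->  "lan4.2"
swconfig_to_dsa() {
    _ports=$1; _vid=$2; _out=""
    for p in $_ports; do
        case $p in
            5|6|5t|6t) continue ;;              # CPU-facing ports: not exposed by DSA
            *t) _out="$_out lan${p%t}.$_vid" ;; # tagged member -> 802.1Q sub-interface
            *)  _out="$_out lan$p" ;;           # untagged member -> the port itself
        esac
    done
    printf '%s\n' "${_out# }"
}

# dsa_conflicts: read "VID PORTS..." lines on stdin and print every DSA interface
# that would end up in more than one bridge (each one printed once).
dsa_conflicts() {
    while read -r vid ports; do
        [ -n "$vid" ] || continue
        for ifn in $(swconfig_to_dsa "$ports" "$vid"); do
            echo "$ifn"
        done
    done | sort | uniq -d
}

# render_bridge NAME VID PORTS IPADDR: the UCI stanza for one bridge (netmask
# fixed to /24 as in the thread's configs).
render_bridge() {
    printf "config interface '%s'\n" "$1"
    printf "\toption type 'bridge'\n"
    printf "\toption ifname '%s'\n" "$(swconfig_to_dsa "$3" "$2")"
    printf "\toption proto 'static'\n"
    printf "\toption ipaddr '%s'\n" "$4"
    printf "\toption netmask '255.255.255.0'\n\n"
}

# The thread's two swconfig VLANs as "VID PORTS" lines (constructed from the first post).
SWCONFIG_VLANS='1 0 1 2 3 4t 6t
2 4t 5t'

render_bridge lan 1 '0 1 2 3 4t 6t' 192.168.1.1
render_bridge dmz 2 '4t 5t' 192.168.3.1
if [ -z "$(printf '%s\n' "$SWCONFIG_VLANS" | dsa_conflicts)" ]; then
    echo "ok: no DSA interface is needed by two bridges"
else
    echo "conflict: these interfaces would have to join two bridges:"
    printf '%s\n' "$SWCONFIG_VLANS" | dsa_conflicts
fi
```

Feeding it a variant where port 4 is an untagged member of both VLANs makes `dsa_conflicts` report `lan4`, which is exactly the "same interface in two bridges" situation the thread runs into once `lan4` replaces `lan4.1`.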

You don't need to install the bridge package; the functionality is provided by the busybox package, which is already installed.

root@LEDE:~# opkg list-installed | grep busybox
busybox - 1.28.3-4
root@LEDE:~# opkg list-installed | grep bridge
root@LEDE:~# ls -l /usr/sbin/brctl 
lrwxrwxrwx    1 root     root            17 Jun 22 20:22 /usr/sbin/brctl -> ../../bin/busybox

I was trying to get the "bridge" command, but it seems it is part of the "ip-bridge" package instead of the "bridge" package.

But I can't get much more information with it:

# bridge vlan show 
port    vlan ids
lan0    None
lan1    None
lan2    None
lan3    None
br-dmz  None
lan4.2  None
br-lan  None
lan4.1  None
wlan0   None
wlan1   None

And I think I need some kernel module to be able to use it:

# bridge vlan add vid 1 dev br-lan
RTNETLINK answers: Not supported
# bridge vlan add vid 1 dev br-lan untaged
RTNETLINK answers: Not supported

Summarizing, after some more tests:

  • Everything works as expected in the following cases:
    • mobile -> tun0 (openvpn) -> br-lan -> lan4.1 (part of br-lan) -> remote device
    • tablet -> wlan0 (part of br-lan) -> lan4.1 (part of br-lan) -> remote device
  • It does not work as expected in the following case:
    • Linux PC -> lan0 (part of br-lan) -> lan4.1 (part of br-lan) -> remote device

I will try to open a bug...

Try cmd:
# uci show network

Thank you, but this is basically the same information I have set in "/etc/config/network":

network.lan=interface
network.lan.type='bridge'
network.lan.ifname='lan0 lan1 lan2 lan3 lan4.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'

Are you sure your firewall config is correct?

iptables -S
iptables -t nat -S
iptables -t mangle -S
iptables -t raw -S
sysctl -a
ifconfig

Post the output of the commands above.

I think iptables does not work inside a bridge. Inside a bridge, ebtables works, and I don't have it installed. But here is the output of the commands.

iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N forwarding_dmz_rule
-N forwarding_dn42_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_dmz_rule
-N input_dn42_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_dmz_rule
-N output_dn42_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_dmz_dest_ACCEPT
-N zone_dmz_forward
-N zone_dmz_input
-N zone_dmz_output
-N zone_dmz_src_REJECT
-N zone_dn42_dest_ACCEPT
-N zone_dn42_forward
-N zone_dn42_input
-N zone_dn42_output
-N zone_dn42_src_REJECT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-dmz -m comment --comment "!fw3" -j zone_dmz_input
-A INPUT -i eth2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_dn42_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-dmz -m comment --comment "!fw3" -j zone_dmz_forward
-A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_dn42_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-dmz -m comment --comment "!fw3" -j zone_dmz_output
-A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_dn42_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_dmz_dest_ACCEPT -o br-dmz -m comment --comment "!fw3" -j ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3: Custom dmz forwarding rule chain" -j forwarding_dmz_rule
-A zone_dmz_forward -m comment --comment "!fw3: Zone dmz to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3: Zone dmz to dn42 forwarding policy" -j zone_dn42_dest_ACCEPT
-A zone_dmz_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
-A zone_dmz_input -m comment --comment "!fw3: Custom dmz input rule chain" -j input_dmz_rule
-A zone_dmz_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: dmz-input-icmp" -j ACCEPT
-A zone_dmz_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_dmz_input -m comment --comment "!fw3" -j zone_dmz_src_REJECT
-A zone_dmz_output -m comment --comment "!fw3: Custom dmz output rule chain" -j output_dmz_rule
-A zone_dmz_output -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
-A zone_dmz_src_REJECT -i br-dmz -m comment --comment "!fw3" -j reject
-A zone_dn42_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_dn42_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_dn42_forward -m comment --comment "!fw3: Custom dn42 forwarding rule chain" -j forwarding_dn42_rule
-A zone_dn42_forward -m comment --comment "!fw3: Zone dn42 to dmz forwarding policy" -j zone_dmz_dest_ACCEPT
-A zone_dn42_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_dn42_forward -m comment --comment "!fw3" -j zone_dn42_dest_ACCEPT
-A zone_dn42_input -m comment --comment "!fw3: Custom dn42 input rule chain" -j input_dn42_rule
-A zone_dn42_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: dn42-input-icmp" -j ACCEPT
-A zone_dn42_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_dn42_input -m comment --comment "!fw3" -j zone_dn42_src_REJECT
-A zone_dn42_output -m comment --comment "!fw3: Custom dn42 output rule chain" -j output_dn42_rule
-A zone_dn42_output -m comment --comment "!fw3" -j zone_dn42_dest_ACCEPT
-A zone_dn42_src_REJECT -i tun1 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to dmz forwarding policy" -j zone_dmz_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to dn42 forwarding policy" -j zone_dn42_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o 6in4-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o 6in4-wan6 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o 6in4-wan6 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: wan-input-bootpc" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: wan-input-icmp" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: wan-input-openvpn" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i 6in4-wan6 -m comment --comment "!fw3" -j reject

iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N postrouting_dmz_rule
-N postrouting_dn42_rule
-N postrouting_lan_rule
-N postrouting_rule
-N postrouting_wan_rule
-N prerouting_dmz_rule
-N prerouting_dn42_rule
-N prerouting_lan_rule
-N prerouting_rule
-N prerouting_wan_rule
-N zone_dmz_postrouting
-N zone_dmz_prerouting
-N zone_dn42_postrouting
-N zone_dn42_prerouting
-N zone_lan_postrouting
-N zone_lan_prerouting
-N zone_wan_postrouting
-N zone_wan_prerouting
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-dmz -m comment --comment "!fw3" -j zone_dmz_prerouting
-A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_dn42_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-dmz -m comment --comment "!fw3" -j zone_dmz_postrouting
-A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_dn42_postrouting
-A zone_dmz_postrouting -m comment --comment "!fw3: Custom dmz postrouting rule chain" -j postrouting_dmz_rule
-A zone_dmz_prerouting -m comment --comment "!fw3: Custom dmz prerouting rule chain" -j prerouting_dmz_rule
-A zone_dn42_postrouting -m comment --comment "!fw3: Custom dn42 postrouting rule chain" -j postrouting_dn42_rule
-A zone_dn42_postrouting -s 192.168.1.0/23 -m comment --comment "!fw3" -j MASQUERADE
-A zone_dn42_prerouting -m comment --comment "!fw3: Custom dn42 prerouting rule chain" -j prerouting_dn42_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule

iptables -t mangle -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A FORWARD -o eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o 6in4-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

iptables -t raw -S

iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

ifconfig

6in4-wan6 Link encap:IPv6-in-IPv4  
          inet6 addr: x:x:x:x::x/64 Scope:Global
          inet6 addr: fe80::51ac:2294/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:5548 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4224 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2405483 (2.2 MiB)  TX bytes:867794 (847.4 KiB)

br-dmz    Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: x:x:x:x::x/64 Scope:Global
          inet6 addr: x:x:x:x::x/64 Scope:Global
          inet6 addr: fe80::da58:d7ff:fe00:60c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:707 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6048 (5.9 KiB)  TX bytes:61154 (59.7 KiB)

br-lan    Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: x:x:x:x::x/64 Scope:Global
          inet6 addr: x:x:x:x::x/64 Scope:Global
          inet6 addr: fe80::da58:d7ff:fe00:60c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10523 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18288 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1432006 (1.3 MiB)  TX bytes:16708127 (15.9 MiB)

eth1      Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          inet6 addr: fe80::da58:d7ff:fe00:60c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43858 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:3818452 (3.6 MiB)  TX bytes:19157727 (18.2 MiB)
          Interrupt:38 

eth2      Link encap:Ethernet  HWaddr D8:58:D7:00:60:C1  
          inet addr:x.x.x.x  Bcast:x.x.x.x  Mask:255.255.248.0
          inet6 addr: fe80::da58:d7ff:fe00:60c1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:171420 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:26881653 (25.6 MiB)  TX bytes:2126770 (2.0 MiB)
          Interrupt:39 

ifb4eth2  Link encap:Ethernet  HWaddr EA:15:67:2B:C1:1D  
          inet6 addr: fe80::e815:67ff:fe2b:c11d/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:171278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171278 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32 
          RX bytes:26850790 (25.6 MiB)  TX bytes:26850790 (25.6 MiB)

lan0      Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8286 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19137 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1103681 (1.0 MiB)  TX bytes:16295538 (15.5 MiB)

lan1      Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan2      Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan3      Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35056 errors:0 dropped:1 overruns:0 frame:0
          TX packets:704 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1612576 (1.5 MiB)  TX bytes:149341 (145.8 KiB)

lan4      Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          inet6 addr: fe80::da58:d7ff:fe00:60c0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:516 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36377 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:137319 (134.1 KiB)  TX bytes:2408612 (2.2 MiB)

lan4.1    Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35670 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:129075 (126.0 KiB)  TX bytes:2201950 (2.0 MiB)

lan4.2    Link encap:Ethernet  HWaddr D8:58:D7:00:60:C0  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:707 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6048 (5.9 KiB)  TX bytes:61154 (59.7 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:409 errors:0 dropped:0 overruns:0 frame:0
          TX packets:409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:43802 (42.7 KiB)  TX bytes:43802 (42.7 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.2.1  P-t-P:192.168.2.1  Mask:255.255.255.0
          inet6 addr: x:x:x:x::x/64 Scope:Global
          inet6 addr: fe80::25d1:a928:8b96:7e01/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:152 (152.0 B)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.23.12.1  P-t-P:172.23.67.1  Mask:255.255.255.255
          inet6 addr: fe80::5226:eaea:a1bf:b28a/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3026 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3027 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:464277 (453.3 KiB)  TX bytes:161044 (157.2 KiB)

wlan0     Link encap:Ethernet  HWaddr 04:F0:21:24:21:29  
          inet6 addr: fe80::6f0:21ff:fe24:2129/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:161817 (158.0 KiB)

wlan1     Link encap:Ethernet  HWaddr 04:F0:21:23:16:A8  
          inet6 addr: fe80::6f0:21ff:fe23:16a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1753 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2202 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:223786 (218.5 KiB)  TX bytes:720114 (703.2 KiB)

The output of sysctl -a is too long for my console buffer. If you want a specific part, I can filter it with sysctl -a | grep xxx.

I have replaced all my public IPv4 addresses with x.x.x.x and my global IPv6 addresses with x:x:x:x::x.

Solved in part (for "br-lan"; "br-dmz" is still pending).

First, it is required to compile the kernel with the "CONFIG_BRIDGE_VLAN_FILTERING" option and install the "ip-bridge" package. Then the UCI configuration needs to be changed to use "lan4"; with "lan4.1" it does not work:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

Next, enable VLAN filtering on the "br-lan" bridge:

# echo "1" > /sys/class/net/br-lan/bridge/vlan_filtering

And finally, configure the VLAN as tagged on the switch port:

# bridge vlan add vid 1 dev lan4 master

Getting:

# bridge vlan
port    vlan ids
lan0     1 PVID Egress Untagged

lan1     1 PVID Egress Untagged

lan2     1 PVID Egress Untagged

lan3     1 PVID Egress Untagged

lan4     1

br-lan   1 PVID Egress Untagged

veth0    1 PVID Egress Untagged

wlan1    1 PVID Egress Untagged

wlan0    1 PVID Egress Untagged

But now, how can I configure the second bridge "br-dmz" if I can't add the same interface "lan4" to two bridges and I can't use "lan4.1" and "lan4.2"?

PS: Opened bug.
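The two commands from the post above, wrapped as an added example script (not code from the thread or from OpenWrt) together with a check that parses `bridge vlan show` and confirms the trunk port carries the VID as a tagged-only member. The bridge, port and VID (br-lan, lan4, 1) are the post's own; `DRY_RUN` is this script's assumption and defaults to on, so the commands are printed rather than executed and the check runs over a sample constructed from the post's `bridge vlan` output. Run it with `DRY_RUN=0` as root on the router to apply the steps for real; since the settings do not survive a reboot, the verify step is the one worth re-running afterwards to confirm the trunk has not silently fallen back to untagged.

```shell
#!/bin/sh
# Added example, not from the thread: apply the bridge VLAN-filtering workaround
# on a DSA bridge and verify the result. Assumptions: DRY_RUN (this script's own
# switch, default on) prints commands instead of running them; names are the post's.
BRIDGE=${BRIDGE:-br-lan}
TRUNK=${TRUNK:-lan4}
VID=${VID:-1}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Step 1 of the workaround: turn on VLAN filtering on the bridge
# (needs a kernel built with CONFIG_BRIDGE_VLAN_FILTERING, as the post says).
enable_vlan_filtering() {
    run sh -c "echo 1 > /sys/class/net/$1/bridge/vlan_filtering"
}

# Step 2: make VID a tagged-only member of the trunk port. With no 'untagged' or
# 'pvid' flag the bridge expects VID-tagged frames on ingress and tags on egress.
add_tagged_vid() {
    run bridge vlan add vid "$2" dev "$1" master
}

# port_vlan_mode PORT VID: read `bridge vlan show` output on stdin and print
# "tagged", "untagged", "tagged pvid", "untagged pvid" or "absent" for PORT/VID.
# A port's first VID is on the line with its name; further VIDs are indented.
port_vlan_mode() {
    awk -v port="$1" -v vid="$2" '
        BEGIN { mode = "absent" }
        NF == 0 || $1 == "port" { next }                  # blank line or header
        /^[^ \t]/ { cur = $1; sub(/^[^ \t]+[ \t]+/, "") } # new port block: drop the name
        cur != port || $1 != vid { next }
        {
            mode = ($0 ~ /Untagged/) ? "untagged" : "tagged"
            if ($0 ~ /PVID/) mode = mode " pvid"
        }
        END { print mode }'
}

# verify_trunk PORT VID: succeed only when PORT carries VID tagged-only. A trunk
# that shows "untagged pvid" would strip the tag the other bridge relies on.
verify_trunk() {
    [ "$(port_vlan_mode "$1" "$2")" = "tagged" ]
}

# Constructed sample of `bridge vlan show` after the workaround (values from the post).
SAMPLE_VLAN_SHOW='port    vlan ids
lan0     1 PVID Egress Untagged

lan4     1

br-lan   1 PVID Egress Untagged
'

enable_vlan_filtering "$BRIDGE"
add_tagged_vid "$TRUNK" "$VID"
if [ "$DRY_RUN" = 1 ]; then
    printf '%s' "$SAMPLE_VLAN_SHOW" | verify_trunk "$TRUNK" "$VID" \
        && echo "ok (sample): $TRUNK carries VID $VID tagged-only"
else
    bridge vlan show | verify_trunk "$TRUNK" "$VID" \
        && echo "ok: $TRUNK carries VID $VID tagged-only" \
        || echo "check failed: $TRUNK is $(bridge vlan show | port_vlan_mode "$TRUNK" "$VID") for VID $VID"
fi
```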

Try @lan4.1 notation, such as

config interface 'vlan1000'
	option type 'bridge'
	option stp '1'
	option ifname 'eth0.1000 @gt95.1000 @gt96.1000 @gt97.1000 @gt98.1000'
	option proto 'none'
	option auto '1'
	option delegate '0'

Thank you, but it does not do the trick.

Are the generated interface names too long? There is a 15-character limit. For example

gre4t-gt95.1000

is right at the limit, as OpenWRT adds the gre4t- prefix.

I used @lan4.1 and @lan4.2 and it is completely ignored. No *lan4.1 or *lan4.2 interface is created (gre4t-lan4.1 or similar).

I don't understand anything!!! It must be a bug somewhere.

If I boot with this config:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'
        option proto 'static'
        [...]

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.2'
        option proto 'static'
        [...]

It does not work, but if I change the config, for example, to:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan3 lan4'
        option proto 'static'
        [...]

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan2'
        option proto 'static'
        [...]

Now I reload the network:

/etc/init.d/network reload

And I change the network configuration to the first configuration:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'
        option proto 'static'
        [...]

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.2'
        option proto 'static'
        [...]

Now I reload the network again:

/etc/init.d/network reload

Everything works OK (ping from the Linux PC connected to lan0):

$ ping -c3 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.598 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.576 ms
64 bytes from 192.168.1.5: icmp_seq=3 ttl=64 time=0.574 ms

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2039ms
rtt min/avg/max/mdev = 0.574/0.582/0.598/0.029 ms

$ ping -c3 192.168.3.5
PING 192.168.3.5 (192.168.3.5) 56(84) bytes of data.
64 bytes from 192.168.3.5: icmp_seq=1 ttl=64 time=0.598 ms
64 bytes from 192.168.3.5: icmp_seq=2 ttl=64 time=0.576 ms
64 bytes from 192.168.3.5: icmp_seq=3 ttl=64 time=0.574 ms

--- 192.168.3.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2039ms
rtt min/avg/max/mdev = 0.574/0.582/0.598/0.029 ms

PS: For this workaround to work, a kernel with CONFIG_BRIDGE_VLAN_FILTERING is required.

I absolutely need vlan on my omnia. Any news on this?
I enabled CONFIG_BRIDGE_VLAN_FILTERING in my build of current master and I cannot even do this

echo "1" > /sys/class/net/br-lan/bridge/vlan_filtering
/bin/ash: can't create /sys/class/net/br-lan/bridge/vlan_filtering: Permission denied

nor

bridge vlan add vid 2 dev lan4
RTNETLINK answers: Not supported

or

 bridge vlan add vid 2 dev br-lan
RTNETLINK answers: Not supported

Where did you enable CONFIG_BRIDGE_VLAN_FILTERING?

My build is based on the OpenWRT git tag v18.06.1 and I enabled CONFIG_BRIDGE_VLAN_FILTERING in openwrt/target/linux/generic/config-4.14

cat openwrt/target/linux/generic/config-4.14 | grep -i CONFIG_BRIDGE_VLAN_FILTERING
CONFIG_BRIDGE_VLAN_FILTERING=y

After enabling it I need to do the workaround (DSA switch port vlan tagging - untagging) after each reboot.

PS: I have opened a bug, but it hasn't had any activity...

If you want to try it, I have uploaded my build to dropbox:

These are the changes with respect to the official build:

CONFIG_TARGET_mvebu=y
CONFIG_TARGET_mvebu_cortexa9=y
CONFIG_TARGET_mvebu_cortexa9_DEVICE_turris-omnia=y

CONFIG_PACKAGE_kmod-fs-btrfs=y
CONFIG_PACKAGE_kmod-usb-hid=y

CONFIG_PACKAGE_6in4=y
CONFIG_PACKAGE_apcupsd=y
CONFIG_PACKAGE_birdc4=y
CONFIG_PACKAGE_birdc6=y
CONFIG_PACKAGE_block-mount=y
CONFIG_PACKAGE_btrfs-progs=y
CONFIG_PACKAGE_ca-certificates=y
CONFIG_PACKAGE_cfdisk=y
CONFIG_PACKAGE_dnsmasq=n
CONFIG_PACKAGE_gnupg=y
CONFIG_PACKAGE_gnupg-utils=y
CONFIG_PACKAGE_lxc-auto=y
CONFIG_PACKAGE_msmtp=y
CONFIG_PACKAGE_odhcpd=y
CONFIG_PACKAGE_odhcpd-ipv6only=n
CONFIG_PACKAGE_openvpn-openssl=y
CONFIG_PACKAGE_swap-utils=y
CONFIG_PACKAGE_unbound-control=y

CONFIG_PACKAGE_luci-app-ddns=y
CONFIG_PACKAGE_luci-app-lxc=y
CONFIG_PACKAGE_luci-app-openvpn=y
CONFIG_PACKAGE_luci-app-sqm=y
CONFIG_PACKAGE_luci-app-unbound=y
CONFIG_PACKAGE_luci-ssl-openssl=y

CONFIG_LXC_BUSYBOX_OPTIONS=y
CONFIG_LXC_KERNEL_OPTIONS=y
CONFIG_LXC_NETWORKING=y
CONFIG_LXC_SECCOMP=y

And of course, enable the kernel option CONFIG_BRIDGE_VLAN_FILTERING.

I am not using dnsmasq, so DHCP does not work out of the box. You will need to configure /etc/config/dhcp and /etc/config/unbound: documentation

And don't forget the workaround: DSA switch port vlan tagging - untagging

PS: If you find a better method to work with VLANs on the Turris Omnia, please tell me.

I see that this hasn't got many replies. I have the same issue, but it is on the 4.19 kernel; on 4.14 I had no issues. One thing I noted was that as soon as I disabled the symbol CONFIG_BRIDGE_VLAN_FILTERING=y the issue wasn't there anymore, so I believe that this is an OpenWRT script issue that doesn't use the VLAN filtering stuff, making tagged traffic not work.

The switch's upstream (CPU-facing) ports 5 & 6 are not exposed by DSA and thus are not configurable, since this is not necessary with DSA.

As far as I can tell from the initial post you want a trunk port (expecting VLAN ID tagged from the client on ingress and tagging VLAN ID on egress) on lan4 with VLAN ID 1. For that purpose just substitute lan4 with lan4.1 as you stated earlier:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'

In this case any client connecting on lan4 is now expected to provide VLAN ID 1 on ingress to that port; failing that, the packets will be dropped.

That is expected since it would require:

  • client on lan0 to send a packet tagged with VLAN ID 1
  • lan0 to be a trunk (or hybrid) port that does not drop the VLAN ID on egress

If that is not fulfilled ingress packets at lan4(.1) will be dropped.


Now for the DMZ it would seem that you want clients also connecting on lan4. Is that port connected to a switch or do you change clients on that port (lan4) frequently? Else it would not seem to make sense.

Then, the first fault was assuming that VLAN 1 is the "native" or "untagged" VLAN as in Cisco devices.

I have two devices:

  • Turris Omnia (acting as WAN router with DSA)
  • Netgear wndr3700v2 (acting as switch with swconfig), pending migration to DSA

The Turris wifi and ethernet ports 0 - 3 are in the LAN, and port 4 is connected to the Netgear with LAN and DMZ. So, the idea is that the Netgear's wifi is the guest wifi in the DMZ while the Netgear's ethernet ports stay in the LAN.

I do not know if I'm explaining myself well; I will try to find some online app to draw a network diagram.