DSA switch port vlan tagging - untagging

Solved in part (for "br-lan"; "br-dmz" is still pending).

First, it is required to compile the kernel with the option "CONFIG_BRIDGE_VLAN_FILTERING" and install the package "ip-bridge". Then the UCI configuration needs to be changed to use "lan4"; with "lan4.1" it does not work:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

Next, enable VLAN filtering on the "br-lan" bridge:

# echo "1" > /sys/class/net/br-lan/bridge/vlan_filtering

And finally, configure the VLAN as tagged on the switch port:

# bridge vlan add vid 1 dev lan4 master

Which gives:

# bridge vlan
port    vlan ids
lan0     1 PVID Egress Untagged

lan1     1 PVID Egress Untagged

lan2     1 PVID Egress Untagged

lan3     1 PVID Egress Untagged

lan4     1

br-lan   1 PVID Egress Untagged

veth0    1 PVID Egress Untagged

wlan1    1 PVID Egress Untagged

wlan0    1 PVID Egress Untagged

But now, how can I configure the second bridge "br-dmz" if I can't add the same interface "lan4" to two bridges and I can't use "lan4.1" and "lan4.2"?

PS: Bug opened.

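The `bridge vlan` output above is the only place that shows which ports actually carry VID 1 tagged and which carry it untagged. The script below is an added example (not code from the thread) that reads that output and classifies each port: "Egress Untagged" plus PVID means an access port, where any host plugged in lands in that VLAN without a tag; a bare VID means the port keeps the 802.1Q header, i.e. a trunk. It assumes the iproute2 text format shown above (port name on a port's first line, further VIDs indented) and the port names used in the thread; the sample output is the one posted above, copied verbatim.

```shell
#!/bin/sh
# Added example, not code from the thread: classify, from `bridge vlan` output,
# how each bridge port carries a given VLAN ID, and check that the intended
# trunk port carries it tagged. Assumes the iproute2 text format shown in the
# thread (port name on the first line of a port, further VIDs indented).

# Constructed sample: the `bridge vlan` output posted in the thread, verbatim.
SAMPLE_BRIDGE_VLAN='port    vlan ids
lan0     1 PVID Egress Untagged

lan1     1 PVID Egress Untagged

lan2     1 PVID Egress Untagged

lan3     1 PVID Egress Untagged

lan4     1

br-lan   1 PVID Egress Untagged

veth0    1 PVID Egress Untagged

wlan1    1 PVID Egress Untagged

wlan0    1 PVID Egress Untagged'

# vlan_port_modes OUTPUT VID -> one "port mode" line per port that has VID.
# mode is "untagged" (Egress Untagged: frames leave without a tag; with PVID,
# untagged frames entering are put into this VLAN) or "tagged" (802.1Q header
# kept on egress, i.e. a trunk).
vlan_port_modes() {
    printf '%s\n' "$1" | awk -v vid="$2" '
        NR == 1 && $1 == "port" { next }                    # column header
        NF == 0                 { next }                    # blank separator lines
        /^[^ \t]/ { port = $1; sub(/^[^ \t]+[ \t]+/, "") }  # new port: remember name, keep the rest
        $1 == vid {                                         # $0 was re-split, so $1 is the VID
            mode = ($0 ~ /Untagged/) ? "untagged" : "tagged"
            print port, mode
        }'
}

# port_mode OUTPUT VID PORT -> prints tagged|untagged, or nothing if PORT lacks VID
port_mode() {
    vlan_port_modes "$1" "$2" | awk -v p="$3" '$1 == p { print $2 }'
}

# check_trunk OUTPUT VID PORT -> 0 only if PORT carries VID tagged
check_trunk() {
    [ "$(port_mode "$1" "$2" "$3")" = "tagged" ]
}

# untagged_ports OUTPUT VID -> space-separated ports on which VID is untagged,
# i.e. where a plain host lands in that VLAN. For a VLAN that should only be
# reachable through the trunk (a DMZ VID), this list must be empty.
untagged_ports() {
    vlan_port_modes "$1" "$2" | awk '$2 == "untagged" { printf "%s%s", sep, $1; sep = " " }'
}

# With --live on the router, check the real bridge instead of the sample.
if [ "${1:-}" = "--live" ] && command -v bridge >/dev/null 2>&1; then
    OUT=$(bridge vlan show)
else
    OUT=$SAMPLE_BRIDGE_VLAN
fi
if check_trunk "$OUT" 1 lan4; then
    echo "lan4 carries VID 1 tagged (trunk); untagged on: $(untagged_ports "$OUT" 1)"
else
    echo "lan4 does NOT carry VID 1 tagged: $(port_mode "$OUT" 1 lan4)" >&2
fi
```

Run it with `--live` on the router after the `bridge vlan add` step; for a second VLAN (the DMZ), run `untagged_ports "$(bridge vlan show)" 2` and make sure it prints nothing, otherwise some LAN port is silently an access port of the DMZ.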

Try @lan4.1 notation, such as

config interface 'vlan1000'
	option type 'bridge'
	option stp '1'
	option ifname 'eth0.1000 @gt95.1000 @gt96.1000 @gt97.1000 @gt98.1000'
	option proto 'none'
	option auto '1'
	option delegate '0'

Thank you, but it does not do the trick.

Are the generated interface names too long? There is a 15-character limit. For example

gre4t-gt95.1000

is right at the limit, as OpenWRT adds the gre4t- prefix.

I used @lan4.1 and @lan4.2 and it is completely ignored. No interface *lan4.1 or *lan4.2 (gre4t-lan4.1 or similar) is created.

I don't understand anything!!! It must be a bug somewhere.

If I boot with this config:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'
        option proto 'static'
        [...]

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.2'
        option proto 'static'
        [...]

It does not work, but if I change the config, for example, to:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan3 lan4'
        option proto 'static'
        [...]

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan2'
        option proto 'static'
        [...]

Now I reload the network:

/etc/init.d/network reload

And I change the network configuration to the first configuration:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'
        option proto 'static'
        [...]

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.2'
        option proto 'static'
        [...]

Now I reload the network again:

/etc/init.d/network reload

Everything works OK (ping from a Linux PC connected to lan0):

$ ping -c3 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.598 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.576 ms
64 bytes from 192.168.1.5: icmp_seq=3 ttl=64 time=0.574 ms

--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2039ms
rtt min/avg/max/mdev = 0.574/0.582/0.598/0.029 ms

$ ping -c3 192.168.3.5
PING 192.168.3.5 (192.168.3.5) 56(84) bytes of data.
64 bytes from 192.168.3.5: icmp_seq=1 ttl=64 time=0.598 ms
64 bytes from 192.168.3.5: icmp_seq=2 ttl=64 time=0.576 ms
64 bytes from 192.168.3.5: icmp_seq=3 ttl=64 time=0.574 ms

--- 192.168.3.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2039ms
rtt min/avg/max/mdev = 0.574/0.582/0.598/0.029 ms

PS: For this workaround to work, a kernel with CONFIG_BRIDGE_VLAN_FILTERING is required.
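The procedure above (boot, switch to a configuration without VLAN sub-interfaces, reload, switch back, reload) has to be repeated after every reboot, so it is worth scripting. The script below is an added example, not code from the thread: it applies the two configurations through `uci batch` and `/etc/init.d/network reload`, then checks that `lan4.1`, `lan4.2` and both bridges really exist under `/sys/class/net`, which is the check that was missing when "no interface is created". It assumes the interface names used in the thread (lan0..lan4 bridged as "lan", lan4.2 as "dmz"); borrowing lan2 for the intermediate configuration is the thread's own choice, not a requirement of the method.

```shell
#!/bin/sh
# Added example, not code from the thread: the "reload twice" workaround
# described in the thread, scripted so it can be called from /etc/rc.local
# after every boot, plus a check that the VLAN sub-interfaces really appeared.
# Assumes the thread's interface names; lan2 as the interim DMZ port is the
# thread's choice.

FINAL_LAN='lan0 lan1 lan2 lan3 lan4.1'   # target configuration: lan4 is the trunk
FINAL_DMZ='lan4.2'
INTERIM_LAN='lan0 lan1 lan3 lan4'        # the configuration the thread reloads first
INTERIM_DMZ='lan2'

# uci_batch_ifnames LAN_IFNAMES DMZ_IFNAMES -> the `uci batch` script that sets
# both bridges' member lists and commits /etc/config/network
uci_batch_ifnames() {
    printf "set network.lan.ifname='%s'\nset network.dmz.ifname='%s'\ncommit network\n" "$1" "$2"
}

# apply_ifnames LAN_IFNAMES DMZ_IFNAMES: feed the batch to uci and reload netifd.
# Off the router (no uci, no netifd) it only prints what it would do, so the
# script can be dry-run on a workstation.
apply_ifnames() {
    if ! command -v uci >/dev/null 2>&1 || [ ! -x /etc/init.d/network ]; then
        echo "dry-run, would apply:" >&2
        uci_batch_ifnames "$1" "$2" >&2
        return 0
    fi
    uci_batch_ifnames "$1" "$2" | uci batch
    /etc/init.d/network reload
}

# ifaces_present SYSNET IFNAME... -> 0 only if every IFNAME exists under SYSNET
# (normally /sys/class/net). "No interface is created" is only detectable by
# looking here, not by reloading again.
ifaces_present() {
    sysnet=$1
    shift
    for name in "$@"; do
        [ -e "$sysnet/$name" ] || return 1
    done
    return 0
}

# dsa_vlan_workaround: interim config, reload, final config, reload, verify
dsa_vlan_workaround() {
    apply_ifnames "$INTERIM_LAN" "$INTERIM_DMZ"
    sleep 2                                   # give netifd time to tear the bridges down
    apply_ifnames "$FINAL_LAN" "$FINAL_DMZ"
    sleep 2
    if ifaces_present /sys/class/net lan4.1 lan4.2 br-lan br-dmz; then
        echo "lan4.1/lan4.2 exist and both bridges are up"
    else
        echo "workaround failed: lan4.1, lan4.2, br-lan or br-dmz missing" >&2
        return 1
    fi
}

# Run only when asked, so the file can also be sourced for testing.
if [ "${1:-}" = "--run" ]; then
    dsa_vlan_workaround
fi
```

Save it as, for instance, `/root/dsa-vlan-workaround.sh` and call it with `--run` from `/etc/rc.local` before the final `exit 0`; its exit status tells you whether the sub-interfaces came up, and `bridge vlan` afterwards shows whether they are tagged as intended.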

I absolutely need VLANs on my Omnia. Any news on this?
I enabled CONFIG_BRIDGE_VLAN_FILTERING in my build of current master and I cannot even do this:

echo "1" > /sys/class/net/br-lan/bridge/vlan_filtering
/bin/ash: can't create /sys/class/net/br-lan/bridge/vlan_filtering: Permission denied

nor

bridge vlan add vid 2 dev lan4
RTNETLINK answers: Not supported

or

 bridge vlan add vid 2 dev br-lan
RTNETLINK answers: Not supported

Where did you enable CONFIG_BRIDGE_VLAN_FILTERING?

My build is based on OpenWRT git tag v18.06.1 and I enabled CONFIG_BRIDGE_VLAN_FILTERING in openwrt/target/linux/generic/config-4.14

cat openwrt/target/linux/generic/config-4.14 | grep -i CONFIG_BRIDGE_VLAN_FILTERING
CONFIG_BRIDGE_VLAN_FILTERING=y

After enabling it, I need to apply the workaround (DSA switch port vlan tagging - untagging) after each reboot.

PS: I have opened a bug, but it has had no activity...

If you want to try it, I have uploaded my build to dropbox:

These are the changes with respect to the official build:

CONFIG_TARGET_mvebu=y
CONFIG_TARGET_mvebu_cortexa9=y
CONFIG_TARGET_mvebu_cortexa9_DEVICE_turris-omnia=y

CONFIG_PACKAGE_kmod-fs-btrfs=y
CONFIG_PACKAGE_kmod-usb-hid=y

CONFIG_PACKAGE_6in4=y
CONFIG_PACKAGE_apcupsd=y
CONFIG_PACKAGE_birdc4=y
CONFIG_PACKAGE_birdc6=y
CONFIG_PACKAGE_block-mount=y
CONFIG_PACKAGE_btrfs-progs=y
CONFIG_PACKAGE_ca-certificates=y
CONFIG_PACKAGE_cfdisk=y
CONFIG_PACKAGE_dnsmasq=n
CONFIG_PACKAGE_gnupg=y
CONFIG_PACKAGE_gnupg-utils=y
CONFIG_PACKAGE_lxc-auto=y
CONFIG_PACKAGE_msmtp=y
CONFIG_PACKAGE_odhcpd=y
CONFIG_PACKAGE_odhcpd-ipv6only=n
CONFIG_PACKAGE_openvpn-openssl=y
CONFIG_PACKAGE_swap-utils=y
CONFIG_PACKAGE_unbound-control=y

CONFIG_PACKAGE_luci-app-ddns=y
CONFIG_PACKAGE_luci-app-lxc=y
CONFIG_PACKAGE_luci-app-openvpn=y
CONFIG_PACKAGE_luci-app-sqm=y
CONFIG_PACKAGE_luci-app-unbound=y
CONFIG_PACKAGE_luci-ssl-openssl=y

CONFIG_LXC_BUSYBOX_OPTIONS=y
CONFIG_LXC_KERNEL_OPTIONS=y
CONFIG_LXC_NETWORKING=y
CONFIG_LXC_SECCOMP=y

And of course, enable the kernel option CONFIG_BRIDGE_VLAN_FILTERING.

I am not using dnsmasq, so DHCP does not work out of the box. You will need to configure /etc/config/dhcp and /etc/config/unbound: documentation

And don't forget the workaround: DSA switch port vlan tagging - untagging

PS: If you find a better method to work with VLANs on the Turris Omnia, please tell me.

I see that this hasn't got many replies. I have the same issue, but it is on the 4.19 kernel; on 4.14 I had no issues. One thing I noted was that as soon as I disabled the symbol CONFIG_BRIDGE_VLAN_FILTERING=y the issue wasn't there anymore, so I believe that this is an OpenWRT script issue that doesn't use the VLAN filtering stuff, making tagged traffic not work.

The switch's upstream ports (CPU facing) 5 & 6 are not exposed by DSA and thus are not configurable, since this is not necessary with DSA.

As far as I can tell from the initial post you want a trunk port (expecting VLAN ID tagged from the client on ingress and tagging VLAN ID on egress) on lan4 with VLAN ID 1. For that purpose just substitute lan4 with lan4.1 as you stated earlier

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'

In this case any client connecting on lan4 is now expected to provide VLAN ID 1 on ingress to that port; failing that, the packets will be dropped.

That is expected since it would require:

  • client on lan0 to send a packet tagged with VLAN ID 1
  • lan0 to be a trunk (or hybrid) port that does not drop the VLAN ID on egress

If that is not fulfilled ingress packets at lan4(.1) will be dropped.


Now for the DMZ it would seem that you want clients also connecting on lan4. Is that port connected to a switch or do you change clients on that port (lan4) frequently? Otherwise it would not seem to make sense.

So, the first mistake was assuming that VLAN 1 is the "native" or "untagged" VLAN as on Cisco devices.

I have two devices:

  • Turris Omnia (acting as WAN router with DSA)
  • Netgear wndr3700v2 (acting as switch with swconfig), pending migration to DSA

Turris wifi and ethernet ports 0 - 3 are in the LAN, and port 4 is connected to the Netgear with LAN and DMZ. So, the idea is that the wifi of the Netgear is the guest wifi in the DMZ while the ethernet ports of the Netgear stay in the LAN.

I do not know if I'm explaining myself well, I will try to find some online app to draw a network diagram.

TO lan4 = TOLp4
Netgear wndr3700v2 = NG
NG port to TOLp4 = NGpT
NG lan ports = NGpL
NG Wlan ports = NGpW


TOLp4 <--- cat cable / VLAN trunk ----> NGpT

On the TO configure trunk ports

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.2'

On the NG (pardon I cannot assist with the exact config for it)

  • configure NGpT as trunk port (tagged) with VLAN ID 1 and 2
  • configure NGpL as access ports (untagged) with VLAN ID 1
  • configure NGpW as access ports (untagged) with VLAN ID 2

Maybe also have a look at this thread (towards the bottom or what is marked as solution) [Solved] Internet redudancy with two routers and two connections

Excuse the late response, I have little time...

Then, this seems to work:

Turris Omnia.

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.1'

Netgear wndr3700v2 (This is a switch; it doesn't have direct internet access, it gets internet access through the Turris Omnia)

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1'

config device 'lan_eth0_dev'
        option name 'eth0'

config device 'lan_eth1_dev'
        option name 'eth1'

config interface 'dmz'
        option type 'bridge'
        option ifname 'eth1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

I can't find documentation about config device 'lan_ethX_dev', only this.

I will need to test that the networks are really isolated. And there seems to be some trouble with DNS resolution on devices connected to the LAN on the Netgear (I will need to verify this).

I would like to hear your opinion about this config. Thanks.

see [1]

does not achieve anything, can be removed.


Which is somewhat odd since it seems that you wanted VID 1 for LAN and VID 2 for DMZ but now you set VID 1 for DMZ instead?

Do you have any port schematics/layout for the wndr3700v2? If I look this up it shows as Dualband-Gigabit-WLAN-Router instead, not a pure switch device, apparently with a built-in switch (4 lan ports?). What are the eth0 (WAN?) and eth1 (CPU port facing the switch?) ports?


[1] /etc/config/network: config device section

Never mind, just found[2]

  • switch port 5 <---> CPU port eth0
  • CPU port eth1 <---> WAN

[2] https://openwrt.org/toh/netgear/wndr3700

On the NG turn off (to avoid duplication and subsequent issues, since all should be handled by the TO):

  • DHCPv4 server
  • DHCPv6 server
  • DNS server
  • Firewall

On the TO create and groom the DMZ firewall zone according to your requirements and assign the DMZ interface to that zone, e.g. lan4.2


Then what is your intention with eth1 (WAN) on the NG:

  • leverage it as upstream port/link to the TO and thus have all four LAN ports at disposal, which increases CPU cycles? or
  • forgo the port and connect to the TO from a Lan port instead, with less CPU cycles?

The UCI config for DSA is very limited. I don't care about the VIDs, I want two isolated networks:

  • LAN: Turris wifi + Turris ports + Netgear ports with my devices (PC, TV, mobile, etc) and one LXC container (samba, minidlna, etc) in the Turris.
  • DMZ: Netgear wifi with guest devices (mobile of friends, etc) and one LXC container (transmission, etc) in the Turris.

Yes, the Netgear is a router, but I am using it as a switch. I only have one internet connection with a single ISP, and it is connected to the Turris.

The Netgear eth0 is the CPU port facing the switch and eth1 is the WAN.

This is the full configuration:

Turris /etc/config/network:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.1'

config interface 'wan'
        option ifname 'eth2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth2'
        option proto 'dhcpv6'

Turris /etc/config/dhcp:

config dnsmasq
        option local '/lan/'
        option domain 'lan'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'dmz'
        option interface 'dmz'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

Turris /etc/config/firewall:

config defaults
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        option drop_invalid '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'dmz'
        list network 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'dmz'
        option dest 'wan'

config rule
        option name 'dmz-input-icmp'
        option src 'dmz'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-icmpv6'
        option src 'dmz'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'dmz-forward-icmpv6'
        option src 'dmz'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-input-bootpc'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wan-input-dhcpv6client'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-input-icmp'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wan-input-icmpv6'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-input-igmp'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wan-input-mld'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-forward-icmpv6'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

Netgear /etc/config/network:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1'
        option gateway '<TURRIS_LAN_IP>'

config interface 'dmz'
        option type 'bridge'
        option ifname 'eth1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

Netgear /etc/config/dhcp:

config dnsmasq
        option local '/dmz/'
        option domain 'dmz'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'dmz'
        option interface 'dmz'
        list dhcp_option '3,<TURRIS_DMZ_IP>'
        option dhcpv6 'server'
        option ra 'server'

Netgear /etc/config/firewall:

config defaults
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        option drop_invalid '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'dmz'
        list network 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'dmz'

config rule
        option name 'dmz-input-icmp'
        option src 'dmz'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-icmpv6'
        option src 'dmz'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-bootps'
        option src 'dmz'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-dhcpv6server'
        option src 'dmz'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '547'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-domain'
        option src 'dmz'
        option proto 'tcpudp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'dmz-forward-icmpv6'
        option src 'dmz'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
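Whether LAN and DMZ are really isolated is decided by the Turris firewall config above, and it can be checked offline before plugging anything in. The script below is an added example, not code from the thread: it parses the `zone`, `forwarding` and `rule` sections of an OpenWrt `/etc/config/firewall` and prints a zone-to-zone matrix (inter-zone traffic needs a `forwarding` section, intra-zone traffic follows the zone's `forward` policy), then lists every `rule` that has both `src` and `dest`, because such rules open holes the matrix does not show. The sample config is a constructed excerpt of the Turris config posted above; on it the matrix says dmz -> lan is blocked, but the `dmz-forward-icmpv6` rule with `dest '*'` accepts the listed ICMPv6 types from dmz towards every zone, lan included. Values containing spaces are truncated to their first word, which is fine for zone names. Redirects, includes and ipsets are out of scope.

```shell
#!/bin/sh
# Added example, not code from the thread: offline audit of an OpenWrt
# /etc/config/firewall answering "which zone may forward to which". Reads only
# zone, forwarding and rule sections; values with spaces are truncated.

# Constructed sample: the relevant sections of the Turris config from the thread.
SAMPLE_FW=$(cat <<'EOF'
config defaults
        option forward 'DROP'

config zone
        option name 'lan'
        list network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'dmz'
        list network 'dmz'
        option forward 'REJECT'

config zone
        option name 'wan'
        list network 'wan'
        option forward 'REJECT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'dmz'
        option dest 'wan'

config rule
        option name 'dmz-forward-icmpv6'
        option src 'dmz'
        option dest '*'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
EOF
)

# fw_sections CFG -> one line per section: "<type> key=value key=value ..."
# (quotes stripped; `list` entries are not needed for the forwarding question)
fw_sections() {
    printf '%s\n' "$1" | tr -d "'\"" | awk '
        function flush() { if (type != "") print type rec; type = ""; rec = "" }
        /^config[ \t]/       { flush(); type = $2 }
        /^[ \t]*option[ \t]/ { rec = rec " " $2 "=" $3 }
        END                  { flush() }'
}

# fw_zones CFG -> zone names, one per line
fw_zones() {
    fw_sections "$1" | awk '$1 == "zone" { for (i = 2; i <= NF; i++) if (sub(/^name=/, "", $i)) print $i }'
}

# fw_zone_forward CFG ZONE -> the intra-zone forward policy, or "(unset)"
fw_zone_forward() {
    fw_sections "$1" | awk -v z="$2" '$1 == "zone" {
        n = ""; p = "(unset)"
        for (i = 2; i <= NF; i++) { if (sub(/^name=/, "", $i)) n = $i; else if (sub(/^forward=/, "", $i)) p = $i }
        if (n == z) print p }'
}

# fw_forwardings CFG -> "src dest" per `config forwarding` section
fw_forwardings() {
    fw_sections "$1" | awk '$1 == "forwarding" {
        s = ""; d = ""
        for (i = 2; i <= NF; i++) { if (sub(/^src=/, "", $i)) s = $i; else if (sub(/^dest=/, "", $i)) d = $i }
        print s, d }'
}

# fw_forward_rules CFG -> "src dest proto family target" for every rule with
# both src and dest: these are forward rules and bypass the matrix below
# (dest "*" means every zone, including ones with no forwarding section).
fw_forward_rules() {
    fw_sections "$1" | awk '$1 == "rule" {
        s = ""; d = ""; p = "any"; f = "any"; t = "(unset)"
        for (i = 2; i <= NF; i++) {
            if (sub(/^src=/, "", $i)) s = $i
            else if (sub(/^dest=/, "", $i)) d = $i
            else if (sub(/^proto=/, "", $i)) p = $i
            else if (sub(/^family=/, "", $i)) f = $i
            else if (sub(/^target=/, "", $i)) t = $i
        }
        if (s != "" && d != "") print s, d, p, f, t }'
}

# fw_forward_allowed CFG SRC DST -> 0 if SRC->DST is opened by a forwarding
# section (SRC != DST) or by the zone forward policy (SRC == DST), else 1
fw_forward_allowed() {
    if [ "$2" = "$3" ]; then
        [ "$(fw_zone_forward "$1" "$2")" = "ACCEPT" ]
    else
        fw_forwardings "$1" | grep -qx "$2 $3"
    fi
}

# fw_audit CFG -> the zone matrix, then the per-rule exceptions
fw_audit() {
    for s in $(fw_zones "$1"); do
        for d in $(fw_zones "$1"); do
            if fw_forward_allowed "$1" "$s" "$d"; then echo "$s -> $d  ALLOWED"; else echo "$s -> $d  blocked"; fi
        done
    done
    fw_forward_rules "$1" | while read -r s d p f t; do
        echo "rule exception: $s -> $d proto=$p family=$f target=$t"
    done
}

fw_audit "$SAMPLE_FW"
```

On the router, replace the sample with `fw_audit "$(cat /etc/config/firewall)"`. A line such as `dmz -> lan  blocked` followed by `rule exception: dmz -> * ...` is exactly the case to look at twice: if ICMPv6 from guests into the LAN is not wanted, give that rule an explicit `dest 'wan'` instead of `'*'`. The same audit is worth running on the Netgear config, which currently carries its own lan -> dmz forwarding.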

There should be only one instance in the network to handle

If you duplicate those it adds complexity and potential for issues. Why do you want DHCP server and Firewall, maybe even DNS server, on the NG?