DSA switch port vlan tagging - untagging

Where did you enable CONFIG_BRIDGE_VLAN_FILTERING?

My build is based on OpenWRT git tag v18.06.1 and I enabled CONFIG_BRIDGE_VLAN_FILTERING in openwrt/target/linux/generic/config-4.14

cat openwrt/target/linux/generic/config-4.14 | grep -i CONFIG_BRIDGE_VLAN_FILTERING
CONFIG_BRIDGE_VLAN_FILTERING=y

After enabling it I need to apply the workaround (DSA switch port vlan tagging - untagging) after each reboot.

PS: I have opened a bug, but it hasn't had any activity...

If you want to try it, I have uploaded my build to dropbox:

These are the changes with respect to the official build:

CONFIG_TARGET_mvebu=y
CONFIG_TARGET_mvebu_cortexa9=y
CONFIG_TARGET_mvebu_cortexa9_DEVICE_turris-omnia=y

CONFIG_PACKAGE_kmod-fs-btrfs=y
CONFIG_PACKAGE_kmod-usb-hid=y

CONFIG_PACKAGE_6in4=y
CONFIG_PACKAGE_apcupsd=y
CONFIG_PACKAGE_birdc4=y
CONFIG_PACKAGE_birdc6=y
CONFIG_PACKAGE_block-mount=y
CONFIG_PACKAGE_btrfs-progs=y
CONFIG_PACKAGE_ca-certificates=y
CONFIG_PACKAGE_cfdisk=y
CONFIG_PACKAGE_dnsmasq=n
CONFIG_PACKAGE_gnupg=y
CONFIG_PACKAGE_gnupg-utils=y
CONFIG_PACKAGE_lxc-auto=y
CONFIG_PACKAGE_msmtp=y
CONFIG_PACKAGE_odhcpd=y
CONFIG_PACKAGE_odhcpd-ipv6only=n
CONFIG_PACKAGE_openvpn-openssl=y
CONFIG_PACKAGE_swap-utils=y
CONFIG_PACKAGE_unbound-control=y

CONFIG_PACKAGE_luci-app-ddns=y
CONFIG_PACKAGE_luci-app-lxc=y
CONFIG_PACKAGE_luci-app-openvpn=y
CONFIG_PACKAGE_luci-app-sqm=y
CONFIG_PACKAGE_luci-app-unbound=y
CONFIG_PACKAGE_luci-ssl-openssl=y

CONFIG_LXC_BUSYBOX_OPTIONS=y
CONFIG_LXC_KERNEL_OPTIONS=y
CONFIG_LXC_NETWORKING=y
CONFIG_LXC_SECCOMP=y

And of course, enable the kernel option CONFIG_BRIDGE_VLAN_FILTERING.

I am not using dnsmasq, so DHCP does not work out of the box. You will need to configure /etc/config/dhcp and /etc/config/unbound: documentation

And don't forget the workaround: DSA switch port vlan tagging - untagging

PS: If you find a better method to work with VLANs on the Turris Omnia, please tell me.

I see that this hasn't got many replies. I have the same issue, but it is on the 4.19 kernel; on 4.14 I had no issues. One thing I noted was that as soon as I disabled the symbol CONFIG_BRIDGE_VLAN_FILTERING=y the issue wasn't there anymore, so I believe that this is an OpenWRT script issue that doesn't use the VLAN filtering stuff, making tagged traffic not work.

The switch's upstream ports (CPU facing) 5 & 6 are not exposed by DSA and thus are not configurable, since this is not necessary with DSA.

As far as I can tell from the initial post you want a trunk port (expecting a VLAN ID tag from the client on ingress and tagging the VLAN ID on egress) on lan4 with VLAN ID 1. For that purpose just substitute lan4 with lan4.1 as you stated earlier

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'

In this case any client connecting on lan4 is now expected to provide VLAN ID 1 on ingress to that port; failing that, the packets will be dropped.

That is expected since it would require:

  • client on lan0 to send a packet tagged with VLAN ID 1
  • lan0 to be a trunk (or hybrid) port that does not drop the VLAN ID on egress

If that is not fulfilled ingress packets at lan4(.1) will be dropped.


Now for the DMZ it would seem that you want clients also connecting on lan4. Is that port connected to a switch or do you change clients on that port (lan4) frequently? Else it would not seem to make sense.

Then, the first fault was assuming that VLAN 1 is the "native" or "untagged" VLAN as in Cisco devices.

I have two devices:

  • Turris Omnia (Acting as WAN router with DSA)
  • Netgear wndr3700v2 (Acting as switch with swconfig) pending to migrate to DSA

Turris wifi and ethernet ports 0 - 3 are in the LAN, and port 4 is connected to the Netgear with LAN and DMZ. So the idea is that the wifi of the Netgear is the guest wifi in the DMZ while the ethernet ports of the Netgear stay in the LAN.

I do not know if I'm explaining myself well, I will try to find some online app to draw a network diagram.

TO lan4 = TOLp4
Netgear wndr3700v2 = NG
NG port to TOLp4 = NGpT
NG lan ports = NGpL
NG Wlan ports = NGpW


TOLp4 <--- cat cable / VLAN trunk ----> NGpT

On the TO configure trunk ports

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.2'

On the NG (pardon I cannot assist with the exact config for it)

  • configure NGpT as trunk port (tagged) with VLAN ID 1 and 2
  • configure NGpL as access ports (untagged) with VLAN ID 1
  • configure NGpW as access ports (untagged) with VLAN ID 2

Maybe also have a look at this thread (towards the bottom or what is marked as solution) [Solved] Internet redundancy with two routers and two connections

Excuse the late response, I have little time...

Then, this seems to work:

Turris Omnia.

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.1'

Netgear wndr3700v2 (This is a switch, it doesn't have direct internet access, it gets internet access through the Turris Omnia)

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1'

config device 'lan_eth0_dev'
        option name 'eth0'

config device 'lan_eth1_dev'
        option name 'eth1'

config interface 'dmz'
        option type 'bridge'
        option ifname 'eth1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

I can't find documentation about config device 'lan_ethX_dev', only this.

I will need to test that the networks are really isolated. And there seems to be some trouble with DNS resolution on devices connected to the LAN on the Netgear (I will need to verify this).

I would like to know your opinion about this config. Thanks.

see [1]

does not achieve anything, can be removed.


Which is somewhat odd since it seems that you wanted VID 1 for LAN and VID 2 for DMZ but now you set VID 1 for DMZ instead?

Do you have any port schematics/layout for the wndr3700v2? If I look this up it shows as Dualband-Gigabit-WLAN-Router instead but not a pure switch device, apparently with a built-in switch (4 lan ports?). What are the eth0 (WAN?) and eth1 (CPU port facing the switch?) ports?


[1] /etc/config/network: config device section

Never mind, just found [2]

  • switch port 5 <---> CPU port eth0
  • CPU port eth1 <---> WAN

[2] https://openwrt.org/toh/netgear/wndr3700

On the NG turn off (to avoid duplicity and subsequent issues since all should be handled by the TO):

  • DHCPv4 server
  • DHCPv6 server
  • DNS server
  • Firewall

On the TO create and groom the DMZ firewall zone according to your requirements and assign the DMZ interface to that zone, e.g. lan4.2


Then what is your intention with eth1 (WAN) on the NG:

  • leverage it as upstream port/link to the TO and thus have all four LAN ports at disposal, which increases CPU cycles? or
  • forgo the port and connect to the TO from a Lan port instead, with less CPU cycles?

The UCI config for DSA is very limited. I don't care about the VIDs, I want two isolated networks:

  • LAN: Turris wifi + Turris ports + Netgear ports with my devices (PC, TV, mobile, etc) and one LXC container (samba, minidlna, etc) in the Turris.
  • DMZ: Netgear wifi with guest devices (mobile of friends, etc) and one LXC container (transmission, etc) in the Turris.

Yes, the Netgear is a router, but I am using it as a switch. I only have one internet connection with a single ISP and it is connected to the Turris.

The Netgear eth0 is the CPU port facing the switch and eth1 is the WAN.

This is the full configuration:

Turris /etc/config/network:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.1'

config interface 'wan'
        option ifname 'eth2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth2'
        option proto 'dhcpv6'

Turris /etc/config/dhcp:

config dnsmasq
        option local '/lan/'
        option domain 'lan'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'dmz'
        option interface 'dmz'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

Turris /etc/config/firewall:

config defaults
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        option drop_invalid '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'dmz'
        list network 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'dmz'
        option dest 'wan'

config rule
        option name 'dmz-input-icmp'
        option src 'dmz'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-icmpv6'
        option src 'dmz'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'dmz-forward-icmpv6'
        option src 'dmz'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-input-bootpc'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wan-intput-dhcpv6client'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-input-icmp'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wan-input-icmpv6'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-input-igmp'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wan-input-mld'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-forward-icmpv6'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

Netgear /etc/config/network:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1'
        option gateway '<TURRIS_LAN_IP>'

config interface 'dmz'
        option type 'bridge'
        option ifname 'eth1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

Netgear /etc/config/dhcp:

config dnsmasq
        option local '/dmz/'
        option domain 'dmz'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'dmz'
        option interface 'dmz'
        list dhcp_option '3,<TURRIS_DMZ_IP>'
        option dhcpv6 'server'
        option ra 'server'

Netgear /etc/config/firewall:

config defaults
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        option drop_invalid '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'dmz'
        list network 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'dmz'

config rule
        option name 'dmz-input-icmp'
        option src 'dmz'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-icmpv6'
        option src 'dmz'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-bootps'
        option src 'dmz'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'dmz-intput-dhcpv6server'
        option src 'dmz'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '547'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-domain'
        option src 'dmz'
        option proto 'tcpudp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'dmz-forward-icmpv6'
        option src 'dmz'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
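The poster says the real question is whether the two networks are isolated. One way to answer that from the firewall configuration itself, rather than by trial and error, is to list every "config forwarding" src/dest pair that the UCI file permits and check that the unwanted direction (dmz to lan) is absent. The script below is an added example and is not from this thread or from OpenWrt; the embedded firewall text is a constructed sample that mirrors the Turris zones above (lan->dmz, lan->wan, dmz->wan), and on a router the real file would be fed in with `forwarding_pairs < /etc/config/firewall`.

```shell
#!/bin/sh
# Added example (not from the thread): read an OpenWrt /etc/config/firewall and
# report which inter-zone forwardings it declares, so zone isolation can be
# checked on paper before relying on it.

# Constructed sample mirroring the Turris firewall posted above.
SAMPLE_FIREWALL="config zone
        option name 'lan'
        list network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'dmz'
        list network 'dmz'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'dmz'
        option dest 'wan'
"

# forwarding_pairs: reads UCI firewall text on stdin and prints one
# "SRC DEST" line per 'config forwarding' section. Sections are delimited by
# lines starting with 'config'; only src/dest of forwarding sections are kept.
forwarding_pairs() {
    awk -v q="'" '
        function unquote(s) { gsub(q, "", s); return s }
        function flush()    { if (type == "forwarding" && src != "" && dest != "") print src, dest }
        $1 == "config" { flush(); type = $2; src = ""; dest = "" }
        $1 == "option" && $2 == "src"  { src  = unquote($3) }
        $1 == "option" && $2 == "dest" { dest = unquote($3) }
        END { flush() }
    '
}

# forwarding_allowed SRC DEST: exit status 0 if the config on stdin contains a
# forwarding section from zone SRC to zone DEST, 1 otherwise.
forwarding_allowed() {
    forwarding_pairs | grep -qx "$1 $2"
}

# Stand-alone demo over the constructed sample.
printf '%s' "$SAMPLE_FIREWALL" | forwarding_pairs
if printf '%s' "$SAMPLE_FIREWALL" | forwarding_allowed dmz lan; then
    echo "dmz -> lan forwarding is permitted: zones are NOT isolated in that direction"
else
    echo "dmz -> lan forwarding is absent: the zone default (REJECT) applies"
fi
```

The check only covers explicit forwarding sections; traffic between the two networks is still governed by each zone's own forward policy and by any "config rule" with a dest, so those should be read alongside the pair list. It also does nothing about the Layer 2 side: if the Netgear's swconfig VLAN puts both networks in the same VLAN, the firewall on the Turris never sees the traffic at all.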

There should be only one instance in the network to handle

If you duplicate those it adds complexity and potential for issues. Why do you want DHCP server and Firewall, maybe even DNS server, on the NG?

Less workload on the Turris; the Netgear is doing little and the Turris will have two containers (yes, the firewall in the Netgear can be redundant).

But it's no trouble to turn off DNS, DHCP and the firewall in the Netgear. My main objective is the two isolated networks.

I have doubts, mainly if this:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

should be:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

but then it doesn't seem to work.

I will try to come up with something but I am not going through any Firewall and DHCP settings on the NG. Also not working in abstracts but specifics:

  • Lan port 4 on the TO still to be connected to the NG?
  • you want eth1 on the NG to connect to the TO or any Lan port on the NG, and if the latter which of the Lan ports - this would be important since the outside Lan labelling appears oddly inverted to the switch port naming, at least the way it is depicted

Yes, LAN port 4 on the TO is connected to WAN on the NG and working.

With this, all seems to work but I am not sure about the isolation:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

WAN port is labeled correctly and separately (yes, the switch LAN ports are inverted in the case labels)

PS: Thank you very much for your interest in this.

Suggest we take one step at a time, skip the guest network for the moment, and use the Lan as a stepping stone first.


On the TO:

config interface 'lan'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'

check with bridge v that lan 0 - 3 are showing

lan0 1 PVID Egress Untagged
lan1 1 PVID Egress Untagged
lan2 1 PVID Egress Untagged
lan3 1 PVID Egress Untagged

If not then run from the cli

bridge v a dev lan0 vid 1 pvid untagged
bridge v a dev lan1 vid 1 pvid untagged
bridge v a dev lan2 vid 1 pvid untagged
bridge v a dev lan3 vid 1 pvid untagged

and check again with bridge v


On the NG

config interface 'wan'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'eth1.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname '@wan'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0u 1u 2u 3u 5t'
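The "check with bridge v, and if a port is missing run bridge v a dev ... vid 1 pvid untagged" step above is the part that has to be repeated after every reboot, so it is worth scripting as a check that only emits the commands that are actually needed. The script below is an added example, not code from this thread or from OpenWrt; it parses the output layout that `bridge vlan show` prints (as pasted later in the thread), with a constructed sample embedded so it runs offline, and prints the long-form `bridge vlan add` commands for the ports that lack "PVID Egress Untagged" on the given VID. On the Turris, the live check is `bridge vlan show | remediation_cmds 1 lan0 lan1 lan2 lan3`.

```shell
#!/bin/sh
# Added example (not from the thread): compare the bridge VLAN table against the
# ports that are expected to be untagged access ports on a VID, and print the
# `bridge vlan add` commands needed to repair the ones that are not.

# Constructed sample in the layout `bridge vlan show` prints: a port name starts
# a block, extra VLANs of the same port follow on indented lines, blank lines
# separate blocks. Here lan2 has VID 1 but no PVID/untagged flags, and lan3 is
# additionally a member of VID 2.
SAMPLE_BRIDGE_VLAN='port    vlan ids
lan0     1 PVID Egress Untagged

lan1     1 PVID Egress Untagged

lan2     1

lan3     1 PVID Egress Untagged
         2

br-lan   1 PVID Egress Untagged

lan4.1   1 PVID Egress Untagged
'

# missing_pvid_ports VID PORT...: reads `bridge vlan show` output on stdin and
# prints each listed PORT that is not "VID PVID Egress Untagged".
missing_pvid_ports() {
    vid="$1"; shift
    awk -v vid="$vid" -v want="$*" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 0 }
        NF == 0 || $1 == "port" { next }                   # separators and header
        /^[^ \t]/ { port = $1; sub(/^[^ \t]+[ \t]*/, "") }  # new port block: drop the name
        (port in ok) && $1 == vid && /PVID/ && /Egress Untagged/ { ok[port] = 1 }
        END { for (i = 1; i <= n; i++) if (!ok[a[i]]) print a[i] }
    '
}

# remediation_cmds VID PORT...: for every port reported missing, print the
# iproute2 command that sets VID as its PVID and untagged egress VLAN
# (the long form of the "bridge v a dev ..." commands used in the thread).
remediation_cmds() {
    vid="$1"; shift
    missing_pvid_ports "$vid" "$@" | while read -r p; do
        echo "bridge vlan add dev $p vid $vid pvid untagged"
    done
}

# Stand-alone demo over the constructed sample.
printf '%s' "$SAMPLE_BRIDGE_VLAN" | remediation_cmds 1 lan0 lan1 lan2 lan3
```

Printing the commands instead of executing them keeps the script safe to run on any box and lets it be reviewed before it is piped into `sh`; for the reboot case it can be run from a local startup script with the port list that matches the bridge configuration.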

I am going to reset to the default config, to start from zero.

In the meantime, NG eth1 is WAN so it is not affected by:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0u 1u 2u 3u 5t'

hence

config interface 'wan'
        option ifname 'eth1.1'

What I probably missed on the NG is

config interface 'lan'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'lan0 lan1 lan2 lan3'

config interface 'lan6'
        option proto 'dhcpv6'
        option ifname '@lan'
        option reqaddress 'try'
        option reqprefix 'auto'

The NG only has 2 interfaces (and it doesn't use DSA):

  • eth1 -> WAN
  • eth0 -> LAN switch port 5

TO done:

# bridge v
port    vlan ids
lan0     1 PVID Egress Untagged

lan1     1 PVID Egress Untagged

lan2     1 PVID Egress Untagged

lan3     1 PVID Egress Untagged

br-lan   1 PVID Egress Untagged

lan4.1   1 PVID Egress Untagged