DSA switch port vlan tagging - untagging

TO lan4 = TOLp4
Netgear wndr3700v2 = NG
NG port to TOLp4 = NGpT
NG lan ports = NGpL
NG Wlan ports = NGpW


TOLp4 <--- cat cable / VLAN trunk ----> NGpT

On the TO configure trunk ports

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.2'

On the NG (pardon, I cannot assist with the exact config for it)

  • configure NGpT as trunk port (tagged) with VLAN ID 1 and 2
  • configure NGpL as access ports (untagged) with VLAN ID 1
  • configure NGpW as access ports (untagged) with VLAN ID 2

Maybe also have a look at this thread (towards the bottom or what is marked as solution) [Solved] Internet redudancy with two routers and two connections

Excuse me for the late response, I have little time...

Then, this seems to work:

Turris Omnia.

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.1'

Netgear wndr3700v2 (This is a switch, it doesn't have direct internet access, it gets internet access through Turris Omnia)

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1'

config device 'lan_eth0_dev'
        option name 'eth0'

config device 'lan_eth1_dev'
        option name 'eth1'

config interface 'dmz'
        option type 'bridge'
        option ifname 'eth1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

I can't find documentation about config device 'lan_ethX_dev', only this.

I will need to test that the networks are really isolated. And there seems to be some trouble with DNS resolution on devices connected to the LAN on the Netgear (I will need to verify this).

I would like to hear your opinion about this config. Thanks.

see [1]

does not achieve anything, can be removed.


Which is somewhat odd since it seems that you wanted VID 1 for LAN and VID 2 for DMZ but now you set VID 1 for DMZ instead?

Do you have any port schematics/layout for the wndr3700v2? If I look this up it shows as Dualband-Gigabit-WLAN-Router instead and not a pure switch device, apparently with a built-in switch (4 lan ports?). What are the eth0 (WAN?) and eth1 (CPU port facing the switch?) ports?


[1] /etc/config/network: config device section

Never mind, just found [2]

  • switch port 5 <---> CPU port eth0
  • CPU port eth1 <---> WAN

[2] https://openwrt.org/toh/netgear/wndr3700

On the NG turn off (to avoid duplicity and subsequent issues since all should be handled by the TO):

  • DHCPv4 server
  • DHCPv6 server
  • DNS server
  • Firewall

On the TO create and groom the DMZ firewall zone according to your requirements and assign the DMZ interface to that zone, e.g. lan4.2


Then what is your intention with eth1 (WAN) on the NG:

  • leverage it as upstream port/link to the TO and thus have all four LAN ports at disposal, which increases CPU cycles? or
  • forgo the port and connect to the TO from a Lan port instead, with less CPU cycles?

The UCI config for DSA is very limited. I don't care about the VIDs, I want two isolated networks:

  • LAN: Turris wifi + Turris ports + Netgear ports with my devices (PC, TV, mobile, etc) and one LXC container (samba, minidlna, etc) in the Turris.
  • DMZ: Netgear wifi with guest devices (mobile of friends, etc) and one LXC container (transmission, etc) in the Turris.

Yes, the Netgear is a router, but I am using it as a switch. I only have one internet connection with only one ISP and it is connected to the Turris.

The Netgear eth0 is the CPU port facing the switch and eth1 is the WAN.

This is the full configuration:

Turris /etc/config/network:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4'

config interface 'dmz'
        option type 'bridge'
        option ifname 'lan4.1'

config interface 'wan'
        option ifname 'eth2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth2'
        option proto 'dhcpv6'

Turris /etc/config/dhcp:

config dnsmasq
        option local '/lan/'
        option domain 'lan'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'dmz'
        option interface 'dmz'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

Turris /etc/config/firewall:

config defaults
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        option drop_invalid '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'dmz'
        list network 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'dmz'
        option dest 'wan'

config rule
        option name 'dmz-input-icmp'
        option src 'dmz'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-icmpv6'
        option src 'dmz'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'dmz-forward-icmpv6'
        option src 'dmz'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-input-bootpc'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wan-intput-dhcpv6client'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-input-icmp'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wan-input-icmpv6'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-input-igmp'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wan-input-mld'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'wan-forward-icmpv6'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

Netgear /etc/config/network:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1'
        option gateway '<TURRIS_LAN_IP>'

config interface 'dmz'
        option type 'bridge'
        option ifname 'eth1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

Netgear /etc/config/dhcp:

config dnsmasq
        option local '/dmz/'
        option domain 'dmz'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'dmz'
        option interface 'dmz'
        list dhcp_option '3,<TURRIS_DMZ_IP>'
        option dhcpv6 'server'
        option ra 'server'

Netgear /etc/config/firewall:

config defaults
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        option drop_invalid '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'dmz'
        list network 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'dmz'

config rule
        option name 'dmz-input-icmp'
        option src 'dmz'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-icmpv6'
        option src 'dmz'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-bootps'
        option src 'dmz'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'dmz-intput-dhcpv6server'
        option src 'dmz'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '547'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'dmz-input-domain'
        option src 'dmz'
        option proto 'tcpudp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'dmz-forward-icmpv6'
        option src 'dmz'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

There should be only one instance in the network to handle

If you duplicate those it adds complexity and potential for issues. Why do you want DHCP server and Firewall, maybe even DNS server, on the NG?

Less workload for the Turris, the Netgear is doing little and the Turris will have two containers (yes, the firewall in the Netgear can be redundant).

But no trouble turning off DNS, DHCP and firewall on the Netgear. My main objective is the two isolated networks.

I have doubts, mainly if this:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

should be:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

but then it doesn't seem to work.

I will try to come up with something but I am not going through any Firewall and DHCP settings on the NG. Also not working in abstracts but specifics:

  • Lan port 4 on the TO still to be connected to the NG?
  • you want eth1 on NG to connect to the TO or any Lan port on NG, and if the latter, which of the Lan ports - this would be important since the outside Lan labelling appears oddly inverted to the switch port naming, at least the way it is depicted

Yes, LAN port 4 on the TO is connected to WAN on the NG and working.

With this, all seems to work but I am not sure about the isolation:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

WAN port is labeled correctly and separately (yes, the switch LAN ports are inverted in the case labels)

PS: Thank you very much for your interest in this.

Suggest we take one step at time, skip the guest network for the moment, and use the Lan as stepping stone first.


On the TO:

config interface 'lan'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'

check with bridge v that lan 0 - 3 are showing

lan0 1 PVID Egress Untagged
lan1 1 PVID Egress Untagged
lan2 1 PVID Egress Untagged
lan3 1 PVID Egress Untagged

If not then run from the cli

bridge v a dev lan0 vid 1 pvid untagged
bridge v a dev lan1 vid 1 pvid untagged
bridge v a dev lan2 vid 1 pvid untagged
bridge v a dev lan3 vid 1 pvid untagged

and check again with bridge v


On the NG

config interface 'wan'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'eth1.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname '@wan'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0u 1u 2u 3u 5t'
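The difference between the two `option ports` spellings in this thread ('0 1 2 3 5' versus '0u 1u 2u 3u 5t') and the trunk/access split proposed in the first reply can be checked mechanically. The following is an added example, not code from this thread or from OpenWrt: it parses `switch_vlan` sections of a swconfig-style /etc/config/network and reports how the CPU port is attached and whether any port is untagged in more than one VLAN. It assumes the wndr3700 layout quoted above (switch ports 0-3 are the LAN jacks, port 5 is the CPU port behind eth0); the UCI fragments are constructed for the example, one of them a deliberate PVID clash.

```python
"""Validate swconfig 'switch_vlan' port lists (added example, not from the thread).

swconfig semantics used here: in 'option ports', a bare port number or the
'u' suffix means the port is untagged in that VLAN; 't' means frames leave
that port carrying an 802.1Q tag. The CPU port number is an assumption
taken from the wndr3700 layout quoted in the thread (port 5 <-> eth0).
"""
import re

# Constructed sample: the variant the OP posted (CPU port bare, i.e. untagged).
UCI_UNTAGGED_CPU = """
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'
"""

# Constructed sample: the variant suggested in the thread, plus a second
# VLAN that only reaches the CPU (tagged) so eth0.2 can be used for it.
UCI_TAGGED_CPU = """
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0u 1u 2u 3u 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5t'
"""

# Constructed sample with a mistake: port 1 untagged in two VLANs.
UCI_PVID_CLASH = """
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0u 1u 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1u 2u 5t'
"""

OPTION_RE = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'", re.M)
PORT_RE = re.compile(r"^(\d+)([ut]?)$")


def parse_switch_vlans(uci_text):
    """Return [{'vlan': int, 'ports': {port_no: 'tagged' | 'untagged'}}, ...]."""
    vlans = []
    # Split on every 'config <type>' header; chunk 0 is text before the first one.
    for chunk in re.split(r"^config\s+", uci_text, flags=re.M)[1:]:
        kind, _, body = chunk.partition("\n")
        if not kind.split() or kind.split()[0] != "switch_vlan":
            continue  # some other section type (interface, device, ...)
        opts = dict(OPTION_RE.findall(body))
        ports = {}
        for token in opts.get("ports", "").split():
            m = PORT_RE.match(token)
            if not m:
                raise ValueError("bad port token %r" % token)
            ports[int(m.group(1))] = "tagged" if m.group(2) == "t" else "untagged"
        vlans.append({"vlan": int(opts["vlan"]), "ports": ports})
    return vlans


def check_switch_vlans(vlans, cpu_port=5):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    untagged_in = {}  # port -> VLANs in which it is untagged (its PVID candidates)
    for v in vlans:
        mode = v["ports"].get(cpu_port)
        if mode is None:
            findings.append("VLAN %d does not include CPU port %d, so the router "
                            "itself is not a member of it" % (v["vlan"], cpu_port))
        elif mode == "untagged":
            findings.append("VLAN %d leaves CPU port %d untagged: frames arrive on "
                            "eth0, so the interface must use eth0, not eth0.%d"
                            % (v["vlan"], cpu_port, v["vlan"]))
        for port, m in v["ports"].items():
            if m == "untagged":
                untagged_in.setdefault(port, []).append(v["vlan"])
    for port, vids in sorted(untagged_in.items()):
        if len(vids) > 1:
            findings.append("port %d is untagged in VLANs %s; a port has only one PVID"
                            % (port, vids))
    return findings


if __name__ == "__main__":
    for name, text in (("untagged CPU", UCI_UNTAGGED_CPU),
                       ("tagged CPU", UCI_TAGGED_CPU),
                       ("PVID clash", UCI_PVID_CLASH)):
        print("==", name)
        for f in check_switch_vlans(parse_switch_vlans(text)) or ["ok"]:
            print("  ", f)
```

The untagged-CPU variant is not wrong by itself, it only dictates that the CPU side uses plain `eth0` (which is what the OP's bridge 'eth0 eth1' does); it is the tagged-CPU variant that allows `eth0.1`, `eth0.2` and so on to carry separate VLANs to the router.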

I will reset to the default config, to start from zero.

In the meantime, NG eth1 is WAN so it is not affected by:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0u 1u 2u 3u 5t'

hence

config interface 'wan'
        option ifname 'eth1.1'

What I probably missed on NG is

config interface 'lan'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'lan0 lan1 lan2 lan3'

config interface 'lan6'
        option proto 'dhcpv6'
        option ifname '@lan'
        option reqaddress 'try'
        option reqprefix 'auto'

NG only has 2 interfaces (and it doesn't use DSA):

  • eth1 -> WAN
  • eth0 -> LAN switch port 5

TO done:

# bridge v
port    vlan ids
lan0     1 PVID Egress Untagged

lan1     1 PVID Egress Untagged

lan2     1 PVID Egress Untagged

lan3     1 PVID Egress Untagged

br-lan   1 PVID Egress Untagged

lan4.1   1 PVID Egress Untagged

Right, so then perhaps it makes sense

config interface 'wan'
        option ifname 'eth1.1 eth0'

Not good - please remove that one since it has to be tagged - being the trunk port to the NG

It is being taken care of with

config interface 'lan'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'

Currently.

NG (I am using LAN and not WAN because the default firewall drops SSH on WAN):

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

TO:

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

but:

port    vlan ids
lan0     1 PVID Egress Untagged

lan1     1 PVID Egress Untagged

lan2     1 PVID Egress Untagged

lan3     1 PVID Egress Untagged

br-lan   1 PVID Egress Untagged

lan4.1   1 PVID Egress Untagged

TO:
ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=0.682 ms
64 bytes from 192.168.1.2: seq=1 ttl=64 time=0.350 ms
64 bytes from 192.168.1.2: seq=2 ttl=64 time=0.350 ms

It is not good practice since it creates a hybrid port (tagged as trunk port | untagged as access port)

Suggest to delete it with bridge v d dev lan4.1 vid 1


Can you ping from a Lan client on the TO a Lan client on the NG and vice versa, provided that the clients are not blocking it with their own firewall?
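The "check with bridge v" step earlier in the thread and the hybrid-port remark just above both come down to reading `bridge vlan show` output correctly. The following is an added example, not code from this thread or from Turris OS / OpenWrt: it parses the output format quoted in the thread (a `port  vlan ids` header, one line per port, further VIDs of the same port on indented continuation lines, blank lines between ports), classifies every member as access, trunk or hybrid, and flags the case discussed above, where a tagged subinterface used as the trunk leg (lan4.1) also shows up as `Egress Untagged`. The sample output is constructed: it is the Turris listing from the thread with a hybrid port (lan2) and a tagged-only port (lan4) added, and the name of the trunk leg is passed in explicitly rather than guessed.

```python
"""Classify bridge members from 'bridge vlan show' output (added example).

Not code from the thread or from Turris OS / OpenWrt. Roles:
  access = untagged VIDs only, trunk = tagged VIDs only,
  hybrid = both on the same port (the thing the thread advises against).
"""
import re

# Constructed sample: the thread's Turris listing plus lan2 (hybrid) and lan4 (trunk).
BRIDGE_VLAN_OUTPUT = """\
port    vlan ids
lan0     1 PVID Egress Untagged

lan1     1 PVID Egress Untagged

lan2     2 PVID Egress Untagged
         10

br-lan   1 PVID Egress Untagged

lan4.1   1 PVID Egress Untagged

lan4     1
         2
"""

VID_RE = re.compile(r"^(\d+)(?:-(\d+))?")


def _parse_entry(entry):
    """'1 PVID Egress Untagged' -> [(1, True, True)]; '3-4' -> two tagged VIDs."""
    m = VID_RE.match(entry)
    if not m:
        raise ValueError("unrecognised vlan entry %r" % entry)
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    pvid, untagged = "PVID" in entry, "Untagged" in entry
    return [(vid, pvid, untagged) for vid in range(lo, hi + 1)]


def parse_bridge_vlan(text):
    """Return {port: [(vid, is_pvid, egress_untagged), ...]} in output order."""
    ports = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.split(None, 2)[:2] == ["port", "vlan"]:
            continue  # blank separator line or the column header
        if line[0].isspace():
            # Indented continuation: another VID belonging to the previous port.
            if current is None:
                raise ValueError("continuation line before any port: %r" % line)
            ports[current].extend(_parse_entry(line.strip()))
        else:
            parts = line.split(None, 1)
            current = parts[0]
            ports.setdefault(current, [])
            if len(parts) > 1:
                ports[current].extend(_parse_entry(parts[1]))
    return ports


def classify(entries):
    """access (untagged only), trunk (tagged only) or hybrid (both)."""
    untagged = any(u for _, _, u in entries)
    tagged = any(not u for _, _, u in entries)
    if untagged and tagged:
        return "hybrid"
    return "trunk" if tagged else "access"


def audit(text, trunk_legs=()):
    """Return ({port: role}, [findings]).

    trunk_legs names the tagged subinterfaces that carry the trunk to the
    other switch (assumption supplied by the caller, e.g. 'lan4.1'). Such a
    leg is tagged on the wire, so an 'Egress Untagged' membership inside the
    bridge makes it the hybrid port the thread warns about; the suggested fix
    is the same 'bridge vlan del' the thread gives.
    """
    roles, findings = {}, []
    for port, entries in parse_bridge_vlan(text).items():
        if port.startswith("br-"):
            continue  # the bridge's own entry, not a member port
        roles[port] = classify(entries)
        if roles[port] == "hybrid":
            findings.append("%s: hybrid port, untagged and tagged VIDs mixed" % port)
        if port in trunk_legs:
            for vid, _, untagged in entries:
                if untagged:
                    findings.append("%s: trunk leg listed Egress Untagged for vid %d; "
                                    "fix: bridge vlan del dev %s vid %d"
                                    % (port, vid, port, vid))
    return roles, findings


if __name__ == "__main__":
    roles, findings = audit(BRIDGE_VLAN_OUTPUT, trunk_legs=("lan4.1",))
    for port, role in roles.items():
        print("%-8s %s" % (port, role))
    for f in findings:
        print("WARNING:", f)
```

Feed it the real listing with `bridge vlan show | python3 audit.py` style plumbing (reading stdin instead of the constant) once the ports of the trunk leg are known; on the listing quoted in the thread it reports only the lan4.1 entry, which matches the advice given above.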

Excuse me, I need to leave. We continue at another time, right? Thanks and sorry.

No ping from TO-PC to NG-PC. The NG-PC doesn't get an IP (it is a Wandboard, no keyboard or screen at this moment)