EdgeRouter X (ER-X) with OpenWrt 21.02.1 and "Enabling vlan filtering"

Hello, I have an EdgeRouter X (ER-X) [Architecture: MediaTek MT7621] with OpenWrt 21.02.1 and unfortunately I can't manage to enable VLAN support on the switch. With OpenWrt 19.07.8 and the old switch config (swconfig) everything worked great; with the new switch config (DSA) it does not work.

I also tried to change the config manually under /etc/config/network, but after a reboot the switch is not reachable anymore and has to be reset.

Has anyone managed to get the ER-X working with DSA VLAN support?

Howto DSA: https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial

I just installed OpenWrt (SNAPSHOT) on a Netgear GS308T v1 (Architecture RTL8380/realtek).
On this device DSA works as expected; you can create VLANs without problem.
So obviously there must be a problem with the ER-X and DSA.

Also with version 22.03.0-rc1 and 22.03.0-rc4 I have the problem.

This is still broken on OpenWrt 22.03.3 with a fresh install.

2 Likes

Works fine.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

As I posted, it's a fresh install with just the VLANs enabled. The only other thing I've done is enable WAN access so I can access the router to see what's going on.
Obviously there is no wireless config.
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd26:827e:b6ca::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        list ports 'eth5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'eth1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '12'
        list ports 'eth2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '13'
        list ports 'eth3:u*'

root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.1.1'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.1'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.1'
        option dest_port '443'
root@OpenWrt:~#

You cannot access the router even on eth4 once vlan filtering is enabled.

What vlan do you want your main LAN to be on?

Edit the following section, the x being the vlan you want it to be on.

config interface 'lan'
        option device 'br-lan.x'

So if you put it on 11 and then connect your network cable to eth1, you'll get network access.

Hopefully this helps.

3 Likes

As @d687r02j8g described, you need to associate a network (i.e. your lan) with the VLAN which is in turn associated with the physical ports.

To be more specific, you've set up VLANs but not associated them with networks. It's kind of like if you were to set up a game with 2 teams -- the red team and the blue team. But you've only set up the colors... you haven't assigned any people to each of the teams, so the colors (tags) are not connected with anything.

  • In a routing (L3) context, a VLAN must be associated with a network in order to be useful.
  • In a switching (L2) context, a VLAN needs to be associated with 2 or more switch ports.

If there is no network assigned, and/or there is only a single port associated with a VLAN, it's basically just a dead end. The config you shared, there is only one port assigned per VLAN, and the VLANs are not associated with any networks.

2 Likes

Those VLANs were just set up from LuCI to test. I'm trying to put each port on a different VLAN so I can isolate the ports. I'm not that familiar with DSA, but I was able to do this with swconfig with no problems and then isolate them with ebtables. DSA doesn't appear to give me any way to tag the CPU like swconfig did. This is my pre-DSA config. How can that translate to DSA, please?

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda5:c567:e6e0::/48'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan 'vlan1'
	option device 'switch0'
	option vlan '1'
	option ports '1 6t'

config switch_vlan 'vlan3'
	option device 'switch0'
	option vlan '3'
	option ports '2 6t'

config switch_vlan 'vlan4'
	option device 'switch0'
	option vlan '4'
	option ports '3 6t'

config switch_vlan 'vlan5'
	option device 'switch0'
	option vlan '5'
	option ports '4 6t'

config switch_vlan 'vlan2'
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1 eth0.3 eth0.4 eth0.5'
	option stp '1'

What you've done is isolate the ports by means of removing the entire association with a network. This is actually no different on swconfig vs DSA -- if you make a port a member of a different VLAN, you need to associate it with a logical network (i.e. a different subnet) in order to have any network connectivity at all.

Yes it does. It's just a bit different. Here's an example from your above DSA based config...

What you have above is VLAN 12 on eth2 as untagged/PVID.

To make this tagged, it would be this:

config bridge-vlan
        option device 'br-lan'
        option vlan '12'
        list ports 'eth2:t'

That's all that's needed for setting up a VLAN as tagged vs untagged.

But there is still an issue that there appears to be no network associated with your VLANs... i.e. there is no address associated with your VLANs, so it won't respond.

In fact, in your pre-DSA (swconfig) example, there is no network association at all except for the wan (DHCP)... so unless you either redacted large parts of the file or you're just using it as a VLAN aware switch, there is no way for it to respond there, either.

Is this the main router, or is there another router? What does your network topology look like -- maybe a diagram could help us understand where these VLANs fit into the overall environment and if you're using this device as a router or a VLAN aware switch.
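As an added example (not code from this thread or from the OpenWrt project), the script below does mechanically what the two replies above describe: it parses the posted swconfig `switch_vlan` stanzas, emits DSA `bridge-vlan` stanzas with `ethN:u*` for an untagged/PVID port and `ethN:t` for a tagged port, gives every VLAN a network whose device is `br-lan.<vid>`, and flags any bridge-vlan that no network uses (the dead-end case). It assumes, since the page does not state it, that swconfig port N is DSA port ethN, that port 6 is the CPU port, that the bridge is called `br-lan`, and that `192.168.<vid>.1/24` is an acceptable placeholder address; the two config samples inside are constructed from the configs posted above.

```python
"""Translate an swconfig port-per-VLAN layout into DSA bridge-vlan stanzas and
check that every VLAN is backed by a network interface.

Added example, not code from the thread or from OpenWrt. Assumptions (not on
the page): swconfig port N is DSA port ethN, CPU port is 6, bridge is br-lan,
generated networks get 192.168.<vid>.1/24 (placeholder, vid < 256).
"""

CPU_PORT = "6"      # assumption: swconfig CPU port on this switch
BRIDGE = "br-lan"   # assumption: DSA bridge name

# Constructed sample: the poster's swconfig layout, trimmed to two VLANs,
# with eth1 additionally carrying VLAN 3 tagged (a trunk) to show ':t'.
SWCONFIG_SAMPLE = """
config switch_vlan 'vlan1'
    option device 'switch0'
    option vlan '1'
    option ports '1 6t'

config switch_vlan 'vlan3'
    option device 'switch0'
    option vlan '3'
    option ports '2 1t 6t'
"""

# Constructed sample: the poster's DSA attempt, where 'lan' still sits on the
# plain bridge and no network uses br-lan.11 or br-lan.12.
DSA_SAMPLE = """
config interface 'lan'
    option device 'br-lan'
    option proto 'static'

config bridge-vlan
    option device 'br-lan'
    option vlan '11'
    list ports 'eth1:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '12'
    list ports 'eth2:u*'
"""


def parse_uci(text):
    """Minimal UCI parser: list of (type, name, {option: str | [str, ...]})."""
    sections = []
    for raw in text.splitlines():
        tok = raw.strip().split(None, 2)
        if not tok:
            continue
        if tok[0] == "config":
            name = tok[2].strip("'\"") if len(tok) > 2 else None
            sections.append((tok[1], name, {}))
        elif tok[0] == "option" and sections:
            sections[-1][2][tok[1]] = tok[2].strip("'\"")
        elif tok[0] == "list" and sections:
            sections[-1][2].setdefault(tok[1], []).append(tok[2].strip("'\""))
    return sections


def swconfig_to_dsa(sections):
    """Each switch_vlan becomes a bridge-vlan plus a network on br-lan.<vid>.

    'N' (untagged) -> 'ethN:u*' (untagged + PVID); 'Nt' -> 'ethN:t'. The CPU
    port is dropped: under DSA the bridge itself is the CPU side of the VLAN.
    """
    out = []
    for typ, _name, opts in sections:
        if typ != "switch_vlan":
            continue
        vid = opts["vlan"]
        ports = []
        for p in opts["ports"].split():
            num, tagged = p.rstrip("t"), p.endswith("t")
            if num != CPU_PORT:
                ports.append(f"eth{num}:{'t' if tagged else 'u*'}")
        out.append(("bridge-vlan", None,
                    {"device": BRIDGE, "vlan": vid, "ports": ports}))
        out.append(("interface", f"vlan{vid}",
                    {"device": f"{BRIDGE}.{vid}", "proto": "static",
                     "ipaddr": f"192.168.{vid}.1", "netmask": "255.255.255.0"}))
    return out


def unbacked_vlans(sections):
    """VLAN IDs whose bridge-vlan has no interface on br-lan.<vid>: dead ends."""
    devices = {o.get("device") for t, _, o in sections if t == "interface"}
    return sorted(o["vlan"] for t, _, o in sections
                  if t == "bridge-vlan" and f"{o['device']}.{o['vlan']}" not in devices)


def move_network_to_vlan(sections, net, vid):
    """The fix from the thread: point network `net` at br-lan.<vid>."""
    for typ, name, opts in sections:
        if typ == "interface" and name == net:
            opts["device"] = f"{opts['device'].split('.')[0]}.{vid}"
    return sections


def render(sections):
    """Emit sections back as /etc/config/network text."""
    lines = []
    for typ, name, opts in sections:
        lines.append(f"config {typ} '{name}'" if name else f"config {typ}")
        for key, val in opts.items():
            kw = "list" if isinstance(val, list) else "option"
            for item in (val if isinstance(val, list) else [val]):
                lines.append(f"\t{kw} {key} '{item}'")
        lines.append("")
    return "\n".join(lines)
```

Run `unbacked_vlans(parse_uci(open('/etc/config/network').read()))` against a real config before committing it: an empty list means every bridge-vlan has a network behind it. The same check on the DSA config posted earlier returns VLANs 11, 12 and 13, which is exactly why the router stopped answering once VLAN filtering was on.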

Thanks that works for one vlan and I can see how I could do that for each vlan.

This is the main router. There's nothing redacted from the pre-DSA network config other than the MAC address. That early config was running CoovaChilli, so maybe that captured the bridge and made it work. There's no Coova on this DSA router, so that may be why it's not working that way now. It was so long ago that I set that up with Coova that I can't remember if it worked without it or not. Is there any way to do this with just the single subnet? Or is there a way to isolate the ports without VLANs?

There are two ways of isolating ports... one uses VLANs, the other uses a bridge firewall.

If you want to isolate ports using VLANs, you will use multiple different subnets and then firewall rules to prevent the networks from connecting to each other (you can even make selective connections possible). This is often the preferred method in many cases.

The bridge firewall method is a bit less common, and I've never used it. It does not use VLANs, so everything is on the same logical subnet. However, theoretically it will allow you to prevent inter-port connections. Looking at the page, though, it does reference FW3 which is no longer part of OpenWrt (as of 22.03, OpenWrt now uses FW4), so I don't know if it will work or not.

Typically port isolation (without VLANs) is the domain of managed switches, and not normally employed on routers. Doing it via VLAN methods is common and useful on routers.

1 Like
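An added example (not code from this thread or from OpenWrt) of the VLAN-plus-firewall method the reply above prefers. It models the two zone behaviours a practitioner relies on for isolation, namely that traffic between two zones needs an explicit `config forwarding` and that traffic between two networks inside one zone follows that zone's `forward` policy, and uses that model to compare the weak layout (all VLAN networks dropped into the default `lan` zone, whose forward policy is ACCEPT) with the corrected one (one zone per VLAN, forward REJECT, a forwarding to wan only). The network names `vlan11`..`vlan13` and the zone contents are assumed; the model deliberately ignores explicit `config rule` entries, which can also open inter-zone paths and would have to be reviewed separately.

```python
"""Port isolation via one firewall zone per VLAN, with a reachability check.

Added example, not code from the thread or from OpenWrt. Models fw4 zone
semantics as described on the page (inter-zone needs a 'forwarding' entry;
intra-zone follows the zone's 'forward' policy) and ignores 'config rule'.
Network names vlan11..vlan13 are assumed.
"""

WAN_ZONE = {"name": "wan", "network": ["wan", "wan6"], "input": "REJECT",
            "output": "ACCEPT", "forward": "REJECT", "masq": "1"}

# Weak layout (constructed): all VLAN networks share the default 'lan' zone,
# whose forward policy is ACCEPT, so the VLANs can reach each other.
WEAK_ZONES = [{"name": "lan", "network": ["vlan11", "vlan12", "vlan13"],
               "input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT"},
              WAN_ZONE]
WEAK_FORWARDINGS = [{"src": "lan", "dest": "wan"}]


def isolated_zones(networks, upstream="wan"):
    """One zone per VLAN network (forward REJECT) and a forwarding to upstream only."""
    zones = [{"name": n, "network": [n], "input": "ACCEPT", "output": "ACCEPT",
              "forward": "REJECT"} for n in networks]
    return zones + [WAN_ZONE], [{"src": n, "dest": upstream} for n in networks]


def network_reach(zones, forwardings):
    """Set of (src_net, dst_net) pairs between which forwarding is allowed."""
    nets_in = {z["name"]: z["network"] for z in zones}
    pairs = set()
    for z in zones:                       # intra-zone: the zone's own policy
        if z["forward"] == "ACCEPT":
            pairs |= {(a, b) for a in z["network"] for b in z["network"] if a != b}
    for f in forwardings:                 # inter-zone: explicit forwarding
        pairs |= {(a, b) for a in nets_in.get(f["src"], [])
                  for b in nets_in.get(f["dest"], [])}
    return pairs


def leaks(zones, forwardings, isolated):
    """Pairs among `isolated` networks that can still reach each other."""
    return sorted(p for p in network_reach(zones, forwardings)
                  if p[0] in isolated and p[1] in isolated)


def render_firewall(zones, forwardings):
    """Emit the zones and forwardings as /etc/config/firewall stanzas."""
    lines = []
    for z in zones:
        lines.append("config zone")
        for key, val in z.items():
            kw = "list" if isinstance(val, list) else "option"
            for item in (val if isinstance(val, list) else [val]):
                lines.append(f"\t{kw} {key} '{item}'")
        lines.append("")
    for f in forwardings:
        lines += ["config forwarding", f"\toption src '{f['src']}'",
                  f"\toption dest '{f['dest']}'", ""]
    return "\n".join(lines)
```

`leaks(...)` is the check worth keeping around: feed it the zones and forwardings from a real config and the list of networks that must not talk to each other, and anything it returns is an isolation gap. Selective exceptions (say, VLAN 11 may reach a printer on VLAN 13) are then added as explicit forwardings or rules, and re-running the check shows exactly which pairs were opened.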

Any progress on this? Installed OpenWrt today and everything seems to work fine until I go into the bridge and want to enable VLAN filtering and add untagged VLAN ID 20 on ports 3-4...

It takes 90 s and then reverts.