Eth0 Doesn't Appear To Do Anything For Ubiquiti UniFi 6 Lite

I wanted to configure my AP for VLAN tagging and have successfully done this. However I had to do this by getting VLANs from the "lan" interface. "eth0" doesn't get an IP address from my DHCP server (hosted elsewhere in the network). Is this expected behavior? If it is, what is the point of eth0 on this device?

Here is my working network file. I have the "lan" interface disabled but I can't delete it. If I delete it, the rest of the VLAN devices stop working.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option auto '0'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '2'
	option name 'lan.2'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '3'
	option name 'lan.3'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '4'
	option name 'lan.4'

config device
	option type 'bridge'
	option name 'br-vlan2'
	list ports 'lan.2'

config device
	option type 'bridge'
	option name 'br-vlan3'
	list ports 'lan.3'

config device
	option type 'bridge'
	option name 'br-vlan4'
	list ports 'lan.4'

config interface 'home'
	option proto 'dhcp'
	option device 'br-vlan2'

config interface 'iot'
	option proto 'dhcp'
	option device 'br-vlan3'

config interface 'guest'
	option proto 'dhcp'
	option device 'br-vlan4'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '6'
	option name 'lan.6'

config interface 'Management'
	option proto 'dhcp'
	option device 'lan.6'

Your configuration looks really strange. I think you have lots of things going on there that shouldn't be set as they are.

This is because you have named every VLAN "lan" in the ifname. The ifname should be unique for every VLAN.

Typically speaking, because you have just one ethernet port (eth0), you should be working with the ifname as eth0.x where x is the VLAN ID. And also there is rarely a reason to give the device an address on each VLAN. This is actually bad for security. They should be proto = none for all except the trusted/management network.

I would recommend that you reset the U6-Lite to defaults (feel free to take a backup if you want), and then post the network file (once defaulted) here for review. Alternatively, you could post the file from ROM (which should be the default): /rom/etc/config/network


If I just try to make an eth.2 port for example, it does not get a dhcp address. I think this has to do with the new DSA network configuration. I don't have a good grasp on how it works yet. Of course, I'm not trying to bridge my management interface with the others but right now I'm not sure what I'm doing.

The former swconfig way was a lot more straightforward.

I'm going to have to experiment and prod this a bit more before I understand how this all works.

Thanks but it sounds like I need to read up a bit more first.

First, it would need to be eth0.2 (not eth.2)
This should get a DHCP address and connectivity if (and only if) the upstream network has VLAN ID 2 tagged on the port that connects to your AP.

No, it doesn't have anything to do with DSA. Nor does it have any relation to swconfig, either. That device only has a single ethernet port, so there are no switch related elements to it. Everything is referenced as routed port configurations (i.e. eth0, eth0.x).

Can you draw a diagram of your network, including VLAN IDs and the model of each device in play? A simple sketch on paper is sufficient, and you can upload a photo directly to this post.

Ok, so I did some reading and testing. The Unifi 6 Lite DEFINITELY uses the new DSA driver.

With the new architecture, you no longer address the ethernet devices directly and instead you address the individual ports on that ethernet device. The ethernet device is still eth0 but is kinda pointless. The ports are supposed to be labeled lanx (lan1, lan2, lan3, etc.). Maybe on products that have wan ports or multiple ethernet MACs, they might be labeled as something else but I don't know. I don't have such a device that also uses the DSA driver. These ports are bridged together by default to make them easier to use as a default. So you'll probably get a br-lan interface which includes all of your lan ports. And guess what that bridge is called? "lan"

Now here is where it gets kinda stupid on the Unifi 6 Lite. They don't call the port lan1, they just call it lan. So by default, you get an interface called "lan" which is associated with the device "br-lan" whose member ports are just "lan"

Holy cow is that confusing!

So when I originally explicitly defined my VLANs (which I now understand I don't need to do, I can just define them implicitly), I was addressing a VLAN on the INTERFACE "lan" and not on the DEVICE "lan"!

So to resolve this, I had to take several steps. First, I had to associate the vlans with the bridge device (br-lan.2, br-lan-3, etc). Then I could delete the lan interface so that it's no longer confused. At this point I could either keep the vlans associated as they were but this adds a middle-man bridge group that consists of one member. Pretty silly IMO. So instead I could then associate the vlans with the lan device (lan.2, lan.3, etc). And finally, I could delete the bridge device since it isn't doing anything. The wlans could be associated with the vlan interfaces which is the big improvement that DSA adds (previously you had to associate wlans with devices).

Anyway, here's my final configuration for anyone who cares.

config interface 'iot'
	option proto 'dhcp'
	option device 'lan.3'

config interface 'guest'
	option proto 'dhcp'
	option device 'lan.4'

config interface 'Management'
	option proto 'dhcp'
	option device 'lan.6'

config interface 'Home'
	option proto 'dhcp'
	option device 'lan.2'

Yes, I can at this point remove the dhcp addresses from the non-management interfaces now, I'll do that in a bit. Let me celebrate solving this for now :slight_smile:

Ok, here's what it looks like with access only at the management vlan:

config interface 'iot'
	option device 'lan.3'
	option proto 'none'

config interface 'guest'
	option device 'lan.4'
	option proto 'none'

config interface 'Management'
	option proto 'dhcp'
	option device 'lan.6'

config interface 'Home'
	option device 'lan.2'
	option proto 'none'

I stand corrected. My apologies if I muddied the waters, but good work finding a solution. I will keep this thread in mind so that I can look back (and link) to it when other people have similar issues.

Could you post your entire /etc/config/network file for reference (I'm sure future readers will find the whole thing useful)

Sure, but that was basically it. No worries, it happens to the best of us :slight_smile: .
I have another device upstream that has traffic tagged with VLANs 2,3,4,6. It actually tags other VLANs as well but those aren't important for this box.

As noted below, I use VLAN2 for my home machines (PCs, cell phones, etc), VLAN 3 for IoT devices (Internet cameras, TV, Google Home, etc), VLAN4 for guest machines (they don't need access to my network), and VLAN6 for device management (for accessing managed switches, servers, etc). Each of those (except management) gets a separate wireless network assigned to it by selecting the appropriate network when creating the wireless network (in the general tab).

I don't want to post my wireless configuration since it has all of my SSIDs and passwords. Here's an example of how to select it though:

You can also see it here (edited to remove personal info):

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'xxxxxx'
	option dtim_period '4'
	option key 'xxxxxxxx'
	option encryption 'psk2+ccmp'
	option network 'Home'

A few notes about my configuration. I removed "option ula_prefix" from the config since that's unique information.

Also, I removed all firewall rules since I am not routing traffic on this box. It's effectively all switched traffic. My router (not this box) handles all firewall rules and I don't usually pass a lot of traffic between VLANs over WiFi so there really wouldn't be much benefit. To the best of my knowledge, traffic is default deny if not explicitly routed using firewall rules so adding rules wouldn't really do anything. PLEASE LET ME KNOW IF I'M WRONG!

Since there is only one Ethernet device I don't think packet_steering does anything but I really don't know.

One more thing. When changing/disabling an interface that I was not using to access the box (like I was connected to home and I was making changes to iot), I had to reboot (apply settings unchecked) in order to get access back to the box. I think this might have been an arp table entry somewhere that caused this though. I didn't bother investigating.

Anyway, that's it. Hope it helps someone. Feel free to ask questions.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config interface 'iot'
	option device 'lan.3'
	option proto 'none'

config interface 'guest'
	option device 'lan.4'
	option proto 'none'

config interface 'Management'
	option proto 'dhcp'
	option device 'lan.6'

config interface 'Home'
	option device 'lan.2'
	option proto 'none'

Ok, I didn't sufficiently test this. I didn't actually check the wifi connections (I thought I did). Still working on this. A bit late to continue tonight though.


Can you post the network config file from the default state? This will serve as a reference.


I would like to post it but it doesn't exist in the /rom/etc/config folder and it is rather challenging to reset it without moving a bunch of my other boxes around.

Anyway, I figured it out. What I didn't understand in my previous setup is that I have to create a bridge in order to attach more devices to it. This is not intuitive because the menus allow you to attach the wireless networks to any interface even if it's not a bridge. They don't actually get attached though. For my management interface, I don't need a bridge since it's just the one device and I don't need to attach a wireless network to it. VLANs can be defined implicitly though. Here's my full config (minus the unique ipv6 prefix).


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option type 'bridge'
	option name 'br-vlan2'
	list ports 'lan.2'

config device
	option type 'bridge'
	option name 'br-vlan3'
	list ports 'lan.3'

config device
	option type 'bridge'
	option name 'br-vlan4'
	list ports 'lan.4'

config interface 'home'
	option device 'br-vlan2'
	option proto 'none'

config interface 'iot'
	option device 'br-vlan3'
	option type 'bridge'
	option proto 'none'

config interface 'guest'
	option device 'br-vlan4'
	option proto 'none'

config interface 'Management'
	option proto 'dhcp'
	option device 'lan.6'

There's more than one way to skin a cat.

Alright, so after receiving some help on configuring a different DSA device (thanks @pavelgl), I realize now that I did this incorrectly. One function of the DSA bridges is to allow tagged VLANs on the bridge to act as bridges themselves. This means that if you tag br-lan (and thus implicitly create VLANs on br-vlan) you don't need to create individual bridges for each VLAN.

This doesn't really matter in the case of a single port device like this but for consistency with other configurations that I have on my network, it makes sense to tag br-lan.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config interface 'home'
	option proto 'none'
	option device 'br-lan.2'

config interface 'iot'
	option type 'bridge'
	option proto 'none'
	option device 'br-lan.3'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.4'

config interface 'Management'
	option proto 'dhcp'
	option device 'br-lan.6'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'lan'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'lan:t'
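
Added example, not part of any post in this thread: a small audit for the advice given above that only the trusted/management network should give the AP an address and every other VLAN interface should be `proto 'none'`. The function name `audit_network`, the `EXPOSED` output format and the `sample_before` helper are assumptions made for this example; the sample input is the set of interface stanzas posted earlier in the thread, before the DHCP clients were removed.

```shell
#!/bin/sh
# audit_network FILE MGMT_IFACE
# Reads an OpenWrt network config (FILE, or "-" for stdin) and prints one
#   EXPOSED <interface> <device> <proto>
# line for every interface, other than MGMT_IFACE and loopback, on which
# the AP itself would hold an address (proto is set and is not "none").
audit_network() {
    awk -v mgmt="$2" -v q="'" '
        function report() {
            if (sect == "interface" && name != mgmt && dev != "lo" &&
                proto != "" && proto != "none")
                printf "EXPOSED %s %s %s\n", name, dev, proto
        }
        { gsub("[" q "\"]", "") }      # strip UCI quoting, fields re-split
        $1 == "config" { report(); sect = $2; name = $3; dev = ""; proto = "" }
        $1 == "option" && $2 == "device" { dev = $3 }
        $1 == "option" && $2 == "proto"  { proto = $3 }
        END { report() }               # last stanza has no following "config"
    ' "$1"
}

# Sample input: interface stanzas as posted in the thread while every
# VLAN still ran a DHCP client (loopback stanza added for completeness).
sample_before() { cat <<'EOF'
config interface 'loopback'
	option device 'lo'
	option proto 'static'

config interface 'iot'
	option proto 'dhcp'
	option device 'lan.3'

config interface 'guest'
	option proto 'dhcp'
	option device 'lan.4'

config interface 'Management'
	option proto 'dhcp'
	option device 'lan.6'

config interface 'Home'
	option proto 'dhcp'
	option device 'lan.2'
EOF
}

# Demo: lists iot, guest and Home as reachable on their own VLANs.
sample_before | audit_network - Management
```

On the device itself the same function can be run as `audit_network /etc/config/network Management`; no output means only the management interface holds an address.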
