Failover or bonding with VLANs

bobafetthotmail · September 27, 2021, 11:19pm

My current Internet connection aggregates 2 modems, so I have two ethernet cables, one from each modem.

I'm testing a setup where I'm virtualizing the OpenWrt router inside a Proxmox cluster (kvm/qemu, the usual stuff) with redundant networking.
This means that there are two network switches, and each Proxmox host is connected to both, using a Linux bonding set to active-backup (i.e. failover, either one cable or the other works at the same time, not both). This should ensure that if one of the network switches dies the cluster is still operational.

My current plan was to use an OpenWrt wifi router device I have laying around to aggregate both ethernet cables of the two modems and a wifi network over a single ethernet cable using VLANs, so I have VLAN 7 and 8 dedicated to the modems and VLAN 4 from the wifi, with one port untagged each, and both come out of a tagged port that goes to the switch, and from there it goes to the Proxmox cluster and the OpenWrt router VM inside.

And this works.

But this setup isn't connected to both switches of the redundant networking setup, so if I lose the switch it is currently connected to, I lose access to the wifi and to the internet.

I tried setting an additional port as tagged for VLANs 4, 7 and 8 so I could connect one on a switch and one on the other, but it does not really work.

I'm looking for a way to set up a Linux bonding set to active-backup on this wifi router as well, but with VLANs. I have installed luci-protocol-bonding (which lets me create bonds like that) and tried some things but nothing worked and I'm not sure what I should do here.

This is the current /etc/config/network, and this device is using DSA switching architecture. The "lan" interface is used as a management interface to not lock myself out of the box while I'm doing experiments, and is connected to the WAN port (which is called "internet" here for some reason)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb0:036c:c59f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option bridge_empty '1'
	option ipv6 '0'
	list ports 'ethernet1'
	list ports 'ethernet2'
	list ports 'ethernet3'
	list ports 'ethernet4'
	list ports 'internet'
	option stp '1'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.1'

config bridge-vlan
	option device 'main-switch'
	option vlan '7'
	list ports 'ethernet1'
	list ports 'ethernet3:t'
	list ports 'ethernet4:t'

config bridge-vlan
	option device 'main-switch'
	option vlan '8'
	list ports 'ethernet2'
	list ports 'ethernet3:t'
	list ports 'ethernet4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'internet:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'ethernet1'
	list ports 'ethernet3:t'
	list ports 'ethernet4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'ethernet2'
	list ports 'ethernet3:t'
	list ports 'ethernet4:t'

config interface 'vlan7'
	option device 'br-lan.7'
	option proto 'static'
	option ipaddr '192.168.8.2'
	option netmask '255.255.255.0'
	option defaultroute '0'

config interface 'vlan8'
	option device 'br-lan.8'
	option proto 'static'
	option ipaddr '192.168.88.2'
	option netmask '255.255.255.0'
	option defaultroute '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'ethernet3:t'
	list ports 'ethernet4:t'

config interface 'vlan4'
	option device 'br-lan.4'
	option proto 'dhcp'

bobafetthotmail · October 3, 2021, 7:16pm

So it turns out OpenWrt's GUI bonding setup makes some assumptions (like that I want to give an address to the bond) and that the interfaces created by DSA are not usable for some reason in bonding. I have tried also manually after installing ip-full package, same result, the bond comes up but I cannot add slaves to it.

So I've taken a x86 device with 5 ethernet ports (a Gateprotect GPO-110 with an additional USB 2.0 100Mbit ethernet adapter) and installed OpenSUSE on it, then I proceeded to use the Yast network configuration menu to create the following interfaces (connected to each other as shown in the graph). This is technically generic Linux stuff, you can do this on any distro, even on OpenWrt if the damn interfaces cooperate.

+------+   +---------+   
| eth0 |---|         |---|  bond0-vlan4  |---|  br-vlan4  |---|  eth4 wifi AP network on 100Mbit USB adapter |
+------+   |         |   
           |  bond0  |---|  bond0-vlan7  |---|  br-vlan7  |---|  eth2 modem WIND       |
+------+   |         |
| eth1 |---|         |---|  bond0-vlan8  |---|  br-vlan8  |---|  eth3 modem TIM        |   
+------+   |         |
           |         |---|  bond0-vlan3 with dhcp  |---|  for management     |
           |         |   
           |         |
           +---------+

Then I set the bond0 with the following options


mode=active-backup arp_interval=100 arp_ip_target=192.168.11.220,192.168.11.222

mode=active-backup means it's running only ONE interface at a time. Each interface goes to a different switch and there is no way to do link aggregation anyway.

arp_interval=100 means it's going to send a ping every 100 milliseconds to see if the targets are reachable

arp_ip_target=xxxxxxxx are the IPs of the two hypervisors in the cluster. If it can reach them, then it is using the right port and switch

I have chosen arp ping instead of mii because with mii the bond just checks if the port is connected to something, and since both ports are connected to a switch, then it's a 50% probability to connect and send traffic to the wrong switch.

To do this manually on OpenWrt you probably need to follow the commands as in this article https://developers.redhat.com/blog/2017/09/14/vlan-filter-support-on-bridge

(and this is a backup link to the same article as saved in the Internte Archive, in case the above goes dead) http://web.archive.org/web/20210329165814/https://developers.redhat.com/blog/2017/09/14/vlan-filter-support-on-bridge/

Sniff_Packets · January 15, 2022, 1:22pm

This was recommended in another forum thread about bonding connections: https://www.openmptcprouter.com/

I wonder if it is necessary or openwrt can suffice: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3

I'm just trying to bond two GigE connections - I want to optimize speed & allow for automatic failovers.