Getting "Software VLAN" instead of "Switch VLAN"

I am trying to configure some per-VLAN wireless SSIDs on a new Access Point-style device (WPA8631P), for which OpenWrt defaults to this network configuration:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'plc0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

atop an underlying eth0 switch device which is not referenced in the config.

My goal is to:

  • have this router register itself (i.e. DHCP client interface) on VLAN 1
  • make a few other VLANs available via their own separate wireless AP SSIDs (i.e. unmanaged interfaces)
  • support switch-like configuration of a few other VLANs on the wired Ethernet ports (via "Bridge VLAN filtering" alone?)

But this is another style of setup that is once again testing my mental model and its lack of clarity between "device" and "interface" and whatnot. What's throwing me is that it seems like there are three options where I might grab the VLAN:

  1. the overall eth0 device (which LuCI shows as an "Ethernet Switch", but the default config doesn't reference at all)
  2. the specific plc0 device (shows as a "Switch port" and will be the trunk to the rest of the network)
  3. the existing br-lan device (shows as a "Bridge" and can spawn "Software VLAN" devices if messed with)

If I create an unmanaged interface to each of those respectively, the result is:

  1. eth0.42 — "Software VLAN"
  2. plc0.42 — "Absent interface" and a DEVICE_CLAIM_FAILED error displayed
  3. br-lan.42 — this actually shows up in the menu as soon as I start messing with "Bridge VLAN filtering" but is still a "Software VLAN"

So it seems that setting things up on the br-lan (maybe I'll rename it to "switch" or something?) might be the way to go, is that correct? But why won't the VLAN devices show up as "Switch VLAN" as they do on many of my other OpenWrt devices, rather than "Software VLAN" like I'm getting here?

This configuration seems to work:

config interface 'lan'
	option proto 'dhcp'
	option device 'switch.1'

config device
	option type 'bridge'
	option name 'switch'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'plc0'

config bridge-vlan
	option device 'switch'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'plc0:t'

config bridge-vlan
	option device 'switch'
	option vlan '42'
	list ports 'lan1:t'
	list ports 'plc0:t'
	option local '0'

config bridge-vlan
	option device 'switch'
	option local '0'
	option vlan '43'
	list ports 'lan2:t'
	list ports 'plc0:t'

config interface 'home'
	option proto 'none'
	option device 'switch.42'

The main thing that gives me pause is that the devices show up as "Software VLAN" rather than "Switch VLAN". (And also I was a little surprised that option local '0' on the VLAN 42 device which gets shared with the WiFi does indeed work, so maybe I'll leave that since I don't really want the admin interface exposed on that interface? Just not sure how the packets are getting from the Ethernet to the WiFi adapter if not through the CPU?)

Don't worry about this... it is simply how things are reported in the world of DSA. swconfig allowed you to directly configure the switch, whereas DSA (distributed switch architecture) has an abstraction layer between the switch/ports and the configuration... so you address things by ports and the underlying code handles the switch itself.

I can't really answer the last part of your question -- I would think it wouldn't work, but you're saying it is. But the local context here is really about the creation of a device. Normally, if you don't want the VLAN to be able to access the router/AP itself, you simply create an unmanaged (proto=none) network interface connected to the bridge device (i.e. switch.42). Or, you can give that network an address (rarely needed), but set input = drop/reject on the firewall zone to which the network has been assigned.
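
An added example, not part of the original thread or of OpenWrt's own tooling: a small Python check that reads a copy of /etc/config/network and reports, for each bridge-vlan, which interfaces sit on it and whether the AP itself takes an address there (proto other than none), the distinction drawn in the reply above. The function names and the abridged sample config are constructed for illustration.

```python
import shlex
# Constructed sample: abridged copy of the working config posted in this thread.
SAMPLE = """
config interface 'lan'
	option proto 'dhcp'
	option device 'switch.1'
config bridge-vlan
	option device 'switch'
	option vlan '1'
config bridge-vlan
	option device 'switch'
	option vlan '42'
	list ports 'plc0:t'
	option local '0'
config bridge-vlan
	option device 'switch'
	option vlan '43'
config interface 'home'
	option proto 'none'
	option device 'switch.42'
"""

def parse_uci(text):
    """Return [(section_type, name, options)] parsed from UCI text."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif len(tok) >= 3 and sections and tok[0] == "option":
            sections[-1][2][tok[1]] = tok[2]
        elif len(tok) >= 3 and sections and tok[0] == "list":
            sections[-1][2].setdefault(tok[1], []).append(tok[2])
    return sections

def vlan_exposure(text):
    """Map each bridge-vlan device to [(interface, proto)]; a missing proto is assumed 'none'."""
    secs = parse_uci(text)
    vlans = {f"{o['device']}.{o['vlan']}": [] for t, _, o in secs if t == "bridge-vlan"}
    for t, name, o in secs:
        if t == "interface" and o.get("device") in vlans:
            vlans[o["device"]].append((name, o.get("proto", "none")))
    return vlans

def managed_vlans(text):
    """VLAN devices on which this box itself holds an address."""
    return sorted(d for d, i in vlan_exposure(text).items() if any(p != "none" for _, p in i))

if __name__ == "__main__":
    print(vlan_exposure(SAMPLE), managed_vlans(SAMPLE))
```

A VLAN reported as managed still depends on the input policy of its firewall zone, which this check does not read.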
