GL-MT6000 DSA config

Hi,

I'm trying to set up my GL-MT6000 (23.05.3) in order to replace my old WRT3200ACM (19.07.10).
DSA gave me some trouble in the past so I'm still very new to the DSA party.

What I'm trying to do is to replicate my WRT3200ACM swconfig in order to replace it with the GL-MT6000.

For reference, here is my old network config with the WRT3200ACM:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.55.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.3'

config interface 'psx'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.100.1'
	option ifname 'eth0.15'

config interface 'modem'
	option proto 'static'
	option ipaddr '192.168.254.1'
	option netmask '255.255.255.0'
	option ifname 'eth1.42'

config interface 'wan'
	option ifname 'eth1.7'
	option proto 'pppoe'
	option username ''
	option ipv6 'auto'
	list dns '1.1.1.1'
	option peerdns '0'
	option password ''
	option pppd_options 'debug'

config interface 'wan6'
	option ifname 'eth1.7'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan 'lan_switch'
	option device 'switch0'
	option vlan '1'
	option ports '5t 3t 2 1 0'
	option vid '1'
	option description 'LAN'

config switch_vlan 'guest_switch'
	option device 'switch0'
	option vlan '3'
	option ports '5t 3t'
	option vid '3'
	option description 'GUEST'

config switch_vlan 'consoles_switch'
	option device 'switch0'
	option vlan '15'
	option ports '5t 3t'
	option vid '15'
	option description 'PSX'

config switch_vlan 'mgmt_switch'
	option device 'switch0'
	option vlan '42'
	option ports '6t 4t'
	option vid '42'
	option description 'MODEM'

config switch_vlan 'wan_switch'
	option device 'switch0'
	option vlan '7'
	option ports '6t 4t'
	option vid '7'
	option description 'WAN'

  • lan/lan_switch = private Network (vlan 1)
  • guest/guest_switch = guest network with some IoT devices (vlan 3)
  • psx/consoles_switch = game console network (vlan 15)
  • modem/mgmt_switch = VDSL modem access (vlan 42)
  • wan/wan_switch = PPPoE with vlan tag 7 (vlan 7)

My WRT3200ACM is connected to another OpenWRT device (DIR 860L running 19.07.10) which is acting as a smart switch + Wifi AP.
I got some devices connected to it via Wifi (guest and private network) and some devices connected via Ethernet (guests, consoles and private devices).

Here is the config of my DIR860L:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd1:7df9:db49::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ifname 'eth0.1'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.55.2'
	option netmask '255.255.255.0'
	option ifname 'eth0.3 eth0.4'

config interface 'psx'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.100.2'
	option netmask '255.255.255.0'
	option ifname 'eth0.15'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr ''

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 4 0t'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '6t 0t'
	option description 'GUEST'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '6t 3'
	option description 'GUEST-LAN2'

config switch_vlan
	option device 'switch0'
	option vlan '15'
	option vid '15'
	option ports '6t 2 1 0t'
	option description 'PSX'

I'm not sure if my DIR860L is set up the right/most efficient way for its purpose, but I never had any issues isolating clients (LAN and WIFI) with this config, so I stayed with it and never upgraded to a DSA build.

Someone suggested the following start-up config for DSA (without the WAN and Modem part) and I would like to know if this would be the correct path for my setup:

config device
        option name 'switch'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'switch'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'switch'
        option vlan '3'
        list ports 'lan1:t'

config bridge-vlan
        option device 'switch'
        option vlan '15'
        list ports 'lan1:t'

config interface 'lan'
        option device 'switch.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'guest'
        option device 'switch.3'
        option proto 'static'
        option ipaddr '192.168.55.1'
        option netmask '255.255.255.0'

config interface 'psx'
        option device 'switch.15'
        option proto 'static'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

Any suggestions or advice?
I would also be happy to start from scratch and renew my whole setup if it will make things easier to manage and set up!

This looks right. As long as the rest of the config (DHCP and firewall) is configured properly, you should be good.
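A segmentation check for a DSA `bridge-vlan` layout like the one suggested above, as an added example that is not part of the original posts or of OpenWrt. The names `parse_uci`, `audit` and `bridge_vlan` are hypothetical, the sample is constructed from the suggested config, and treating any port entry without a `t` flag as untagged is an assumption.

```python
import re
from collections import defaultdict

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]."""
    sections = []
    for m in filter(None, map(UCI_LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, defaultdict(list)))
        elif sections:
            sections[-1][1][key].append(val)
    return sections

def audit(text):
    """Return (membership, findings); membership maps port -> {vid: 't'|'u'}."""
    secs = parse_uci(text)
    member, known, findings = defaultdict(dict), set(), []
    for typ, opt in secs:
        if typ == "bridge-vlan":
            bridge, vid = opt["device"][0], int(opt["vlan"][0])
            known.add((bridge, vid))
            for entry in opt["ports"]:
                port, _, flags = entry.partition(":")
                # Assumption: any entry without a 't' flag counts as untagged.
                member[port][vid] = "t" if "t" in flags else "u"
    for port, vlans in sorted(member.items()):
        untagged = sorted(v for v, f in vlans.items() if f == "u")
        if len(untagged) > 1:  # one access port would join two segments
            findings.append(f"{port} untagged in VLANs {untagged}")
    bridges = {b for b, _ in known}
    for typ, opt in secs:
        dev = (opt.get("device") or [""])[0]
        bridge, _, vid = dev.rpartition(".")
        if (typ == "interface" and bridge in bridges and vid.isdigit()
                and (bridge, int(vid)) not in known):
            findings.append(f"interface device {dev} has no bridge-vlan section")
    return dict(member), findings

def bridge_vlan(vid, *ports):  # helper that builds one bridge-vlan section
    head = f"config bridge-vlan\n option device 'switch'\n option vlan '{vid}'\n"
    return head + "".join(f" list ports '{p}'\n" for p in ports)
# Constructed sample mirroring the suggested DSA config quoted above.
SAMPLE = (bridge_vlan(1, "lan1:t", "lan2:u*", "lan3:u*", "lan4:u*")
          + bridge_vlan(3, "lan1:t") + bridge_vlan(15, "lan1:t")
          + "".join(f"config interface '{n}'\n option device 'switch.{v}'\n"
                    for n, v in (("lan", 1), ("guest", 3), ("psx", 15))))
print(audit(SAMPLE)[1] or "no findings")
```

`audit()` can be pointed at the text of `/etc/config/network`; an empty findings list means every VLAN interface on the bridge has a matching `bridge-vlan` section and no port is untagged in more than one VLAN.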

The default structure of the network config of the GL-MT6000 running 23.05.3 looks somewhat confusing to me.
Are you sure that the suggested config would work for this device?

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd55:817d:171e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option vlan_filtering '1'

config device
	option name 'lan1'
	option macaddr '**:**:**:**:**:**'

config device
	option name 'lan2'
	option macaddr '**:**:**:**:**:**'

config device
	option name 'lan3'
	option macaddr '**:**:**:**:**:**'

config device
	option name 'lan4'
	option macaddr '**:**:**:**:**:**'

config device
	option name 'lan5'
	option macaddr '**:**:**:**:**:**'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'eth1'
	option macaddr '**:**:**:**:**:**'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	list ipaddr '192.168.55.1/24'

config device 'psx_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'psx'
	option proto 'static'
	option device 'br-guest'
	list ipaddr '192.168.100.1/24'

The config you have just shared is most certainly not default and it has many problems. The earlier configuration appeared to be valid.

I just added guest and psx bridge and interface on a fresh 23.05.3 install.
I'll reset to defaults in a few minutes and see if this will change the config and share the results here.
As I said I have no experience with DSA, recent OpenWRT builds and the GL-MT6000 so I can't tell what's normal/default.

edit, here is the default network config after reset:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd85:9f09:015d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '**:**:**:**:**:**'

config device
	option name 'lan2'
	option macaddr '**:**:**:**:**:**'

config device
	option name 'lan3'
	option macaddr '**:**:**:**:**:**'

config device
	option name 'lan4'
	option macaddr '**:**:**:**:**:**'

config device
	option name 'lan5'
	option macaddr '**:**:**:**:**:**'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr '**:**:**:**:**:**'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

Here is an example using three VLANs with all ports on VLAN 10:

I can post more details if you need.


Thanks for your input. I would need a trunk port with all my vlans on LAN1, except WAN of course.
For WAN/PPPoE I still haven't figured out how to put a vlan tag at all! eth0 seems to be my WAN port but I have no VLAN option for eth1/wan.

It's all very confusing to me and the mini DSA tutorial at the wiki didn't enlighten me either.

To assign a vlan on the wan port, which is eth1, create a new virtual interface on the interface page.

E.g., if I want my wan port to use vlan 20, I would need to create an interface named eth1.20.


Thanks for your input. What about vlan7 and vlan42 on the WAN port at the same time? vlan 42 is for accessing my Modem and vlan7 for the correct pppoe vlan tag.

I have the same question.
What do you mean by "virtual device"?
There is more than one option for this in the dropdown menu.


In case VLAN 802.1q is the right device type, is this set right to tag the WAN (eth1) with VLAN ID 7?
Does it matter if I choose 802.1q / 802.1ad? They look identical to me.


VLAN 802.1q is the correct option. Sorry for not being clearer.


I found this quite helpful when configuring my PPPoE connection with vlan7: https://gist.github.com/madduci/8b8637b922e433d617261373220be44c?permalink_comment_id=4489364#gistcomment-4489364


Thanks for your help!

My GL-MT6000 is online and the new DSA VLAN config is working. I haven't checked for leaks yet but it's working fine so far.
I haven't updated my DIR860L so it's still using 19.07.10 with swconfig but I'll upgrade it to 23.05.3 in the next few days.


I've tested the isolated guest network today and guest devices (LAN <> Wifi) across the MT6000 and DIR860L can see each other.
It looks like my old ebtables rules are still needed but I don't know if they still work with 23.05.3.

Old ebtables rule 19.07.10 (to fully isolate guest clients):
ebtables -A FORWARD --logical-in br-guest -j DROP # Client Isolation [GUEST]

Since br-guest doesn't exist anymore on my MT6000 (it's br-lan.3 now) I'm not sure how to adjust the ebtables rule.

As I still haven't touched my DIR860L and it's still running 19.07.10, the ebtables rules on this device are still fine afaik.
I'll post them here for reference:

ebtables -A FORWARD -i ! eth0.3 -o eth0.3 -j ACCEPT # allow AP clients to talk to router
ebtables -A FORWARD -i eth0.3 -o ! eth0.3 -j ACCEPT # allow router to talk to AP clients
ebtables -A FORWARD --logical-in br-guest -j DROP

To be fair I don't even find the custom rules tab at the Firewall section anymore with 23.05.3 and there are two ebtables packages available with 23.05.3 (ebtables-legacy and ebtables-nft).

Any ideas?