Help me to set up device as 2nd switch w/ VLANs

I'm trying to set up a Buffalo wzr-hp-g300nh with OpenWrt to act as a secondary switch connected to my main D-Link. The main switch has four VLANs.

1- Maintenance/Management.
10- Trusted network
50- IOT
999- WAN

I have WAN present in the switch because I run my network virtualized. Router is in a VM.

The Buffalo router externally has 4 lan ports and 1 wan port.

What I want is to connect the WAN port of this device to a TRUNK port on the main switch and then assign the vlans to the lan ports as:

LAN1 trunk
LAN2 10
LAN3-4 50

I was trying to add the 50 VLAN to the default 1 (maintenance) when I realized that anything I added automatically lost connection.


To me it seems that the bridging section in the LAN interface (no wan or ipv6 there) is messed up.

Can someone help me get this up? I know L2 management, but I don't understand how this works. Thanks!

Set up a wifi AP interface and log in by wifi so you don't lose connection while configuring the Ethernet ports.

I'd suggest using the "WAN" port as something that carries only a single VLAN and has low traffic, because the CPU will need to intervene in any packet going from that port to any other. Traffic between ports connected to the switch chip is switched by hardware and can operate at full line speed without using any CPU cycles.

In the switch, make your "trunk" ports (including the CPU port) tagged in all the VLANs. "Access" ports are untagged in the one VLAN you want them to use and off in all the others. To go from eth0 to eth1 you will need a software bridge interface of protocol "none". For example if eth1 ("WAN" on the case) is an access untagged device on VLAN 50, put eth0.50 and eth1 in the bridge (Here, since eth1 has no VLAN number, the CPU will remove the tag of 50 as the packet passes through). To bridge multiple VLANs through the CPU (if for some reason you really really want "WAN" to be a trunk port) you will need multiple bridges going from eth0.X to eth1.X, one bridge per VLAN number.

Do not attach plain eth0 to anything, always refer to a VLAN number on it.

I think with that hardware you need a special configuration to have VLAN numbers higher than 128.

Thanks, I'll try to understand you step by step. What misplaces me here is that CPU port and WAN port appear joined in my vlan display.

You suggest using the wan port for anything else and use LAN1 as the uplink, right?

So, after a reset, in Interfaces I have LAN, WAN and WAN6.

# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:638d:32be::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

I enabled the wifi, though it will still be a problem as there's already a DHCP server in my network and I would have to switch back and forth from static IP on my PC.

What do I have to do with the interfaces? Just leave them as is and create the VLANs in the LAN interface? I guess WAN6 goes out first.

Remove the wan and wan6; you're not doing routing. This frees up eth1. Once you have wifi access, remove all the Ethernet ports from lan, then you can run your network on Ethernet and still log in independently on wifi. (Once you have completed that, you can connect one of your networks to lan and turn off the internal DHCP server, forming a "dumb AP").

To have a bridge at layer 2 but not have any layer 3 connection to the OS, do this:

config interface 'vlan50'
    # 'bridge' type makes the listed devices one software bridge
    option type 'bridge'
    option proto 'none'
    option ifname 'eth0.50 eth1'

Well, I guess the first part is done: set up interface LAN. If I wanted to use all the VLANs, it should be something like this:


That is stored like:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd08:a4b5:1900::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '5t 0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '50'
        option ports '5t 0t 2'

config switch_vlan
        option device 'switch0'
        option ports '5t 0t 3'
        option vlan '10'

Then you say that if I want to include the WAN port into vlan50, I should create a "dummy" interface that establishes a bridge between the VLAN definition (eth0.50) and the WAN port eth1.
I will try to make it graphically and see what it looks like in the config file.

Does the network config file above look good to you?

  • Is it right if I place the uplink on LAN1 to have this setup? If I understand, the CPU must always be fully tagged.
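
The tagging rules given earlier in the thread (CPU port tagged in every VLAN, an access port untagged in only one VLAN, never plain eth0 on an interface) can be checked mechanically before applying a config and losing the link. This is an added example, not part of the original posts; `lint` and `parse_sections` are hypothetical names, and CPU port 5 is taken from the `5t` entries in the configs above.

```python
import re

CPU_PORT = "5"  # CPU port number as it appears in the thread's configs ('5t')
# Constructed sample shaped like the thread's configs, with deliberate mistakes:
# plain eth0 in 'lan', CPU port untagged in VLAN 10, port 2 untagged in two VLANs.
SAMPLE = """
config interface 'lan'
        option ifname 'eth0'
config switch_vlan
        option vlan '1'
        option ports '5t 0t 1'
config switch_vlan
        option vlan '50'
        option ports '5t 0t 2'
config switch_vlan
        option ports '5 0t 2 3'
        option vlan '10'
"""

def parse_sections(text):
    """Split UCI text into [section_type, section_name, {option: value}] lists."""
    sections = []
    for line in text.splitlines():
        words = [w.strip("'") for w in re.findall(r"'[^']*'|\S+", line)]
        if words[:1] == ["config"] and len(words) >= 2:
            sections.append([words[1], words[2] if len(words) > 2 else "", {}])
        elif words[:1] == ["option"] and len(words) == 3 and sections:
            sections[-1][2][words[1]] = words[2]
    return sections

def lint(text):
    """Return violations of the tagging rules given in the thread."""
    problems, untagged = [], {}
    for kind, name, opts in parse_sections(text):
        if kind == "interface" and "eth0" in opts.get("ifname", "").split():
            problems.append(f"interface {name}: plain eth0, use eth0.<vlan>")
        if kind != "switch_vlan":
            continue
        vlan, ports = opts.get("vlan", "?"), opts.get("ports", "").split()
        if CPU_PORT + "t" not in ports:
            problems.append(f"vlan {vlan}: CPU port {CPU_PORT} must be tagged")
        for port in ports:
            if not port.endswith("t") and port != CPU_PORT:
                untagged.setdefault(port, []).append(vlan)
    for port, vlans in sorted(untagged.items()):
        if len(vlans) > 1:
            problems.append(f"port {port}: untagged in vlans {', '.join(vlans)}")
    return problems
```

Call `lint()` on the text of `/etc/config/network` copied off the device; an empty list means none of the three rules is violated.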

It's working. Just as you explained. I was having an issue where as soon as I changed the default IP on the device, it disappeared from the network. Only changing the IP from 192.168.1.1 to 192.168.0.2, for example. The device was not present, not responding to any IP/protocols. The router was marking the MAC active but no IP was given. Although the configuration and connectivity through it was functional. But I couldn't reach LuCI or SSH to continue configuration.

So I pulled the garage cable from the main switch and connected to this device and it started to work after a reboot. Seems that I'm having a bogus device in my garage that is interfering with L3 and I have an idea of what it can be. A repurposed router that the provider may have reverted its config remotely. Not the first time. Weird, I was pulling my (missing) hair.

What I still don't know is where wlan can be connected to change its VLAN, with all those crossed interfaces. :upside_down_face: