Help with DSA: bridge VLAN

Hello!

This is my first try with vlans at all and I need some help with the configuration.
I'd like to separate router B from LAN with an OpenWRT (mt7621 - 5ef4608) device to do some l2-filtering.
In other words: a remote bridge for router B and LAN.
Unfortunately the routers can't be moved due to structural conditions.

         ┌────┐  long cable  ┌────────────────────┐
         │LAN1├──────────────┤       switch       │
OpenWRT  └┬──┬┘            2t└┬───────────┬──────┬┘
router A  │1 │2t              │2          │1 LAN │1
        ┌─┴──┴─┐         ┌────┴───┐     ┌─┴─┐  ┌─┴─┐
        │bridge│         │router B│     │PC1│  │PC2│
        └──────┘         └────────┘     └───┘  └───┘
       Location A                 Location B
  • LAN1 means the port on router A

I know that it is a shoddy concept but it's only temporary.

  1. relevant section of config from router A
config interface 'lan'
	option proto 'static'
	option ipaddr '10.0.0.111/24'
	option device 'bridge'

config device
	option type 'bridge'
	option name 'bridge'
	list ports 'lan1'
	list ports 'lan1.2'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:t'
	list ports 'lan2:t'

but:

router B can't ping PC1, PC2 and vice versa.
router A can ping router B and PC1, PC2...

  1. some additional information from "router A":

firewall is disabled

ip r:
default via 10.0.0.137 dev bridge
10.0.0.0/24 dev bridge scope link src 10.0.0.111

cat /proc/sys/net/ipv4/ip_forward
1

brctl show:
bridge name bridge id STP enabled interfaces
bridge 7fff.64644ae346e0 yes lan1
lan1.2

I don't know if this is the right way at all.

Greatly appreciate any suggestions!

I'm not really sure that I understand your topology in general here... It isn't clear what router B is doing for the network.

What exactly are you trying to achieve -- can you give some examples?

Is your switch a smart/managed VLAN aware model? If not, you will not be able to properly use VLANs anyway.

I'm testing it on a 'TL-SG105E' and the VLAN seems to work otherwise I couldn't ping from router A to router B.

I'd like to drop udp port 67 and 68 from B -> LAN.

You won't be able to do this at L2.

Do you mean that kmod-br-netfilter won't work with DSA or with VLANS or the combination of both?

What I am saying is that traffic cannot be filtered by a device hanging off the network the way you propose. The traffic would have to go through a device in order to filter it. Your diagram shows the PCs being connected to VLAN 1, and router A is also on VLAN 1. There is nothing that Router B (on VLAN 2) can do to intercept the traffic between the PCs and Router A.

Maybe i was unclear: the PC's should be separated from router B by router A.
So the traffic goes from B to switchs PVID 2 over the trunk (long cable) to the interface of A (2t) filtered by the bridge and then to the PC's over untagged LAN1.

So you're really talking about L3 routing, not L2 filtering.

You're trying to block ports 67-68 -- those are DHCP. What is your end goal - maybe there is a more straightforward approach.

1 Like

Sorry, I described it badly...
I ment briging layer 2 and filter layer 3 packets out.

I can not turn off DHCP server on router B and want to avoid broadcasting the LAN but I have no router with access on Location B.

PS: Sorry for this, i really put much effort into describing my scenario but my english is not so good.

the DHCP server doesn't "broadcast" the LAN... rather, a host requests a DHCP lease on the LAN and the DHCP server responds. Blocking the DHCP process doesn't completely block a computer from participating on the network -- a computer could still join with a static IP.

Yes, you are right, but there is a 2nd DHCP server on LAN

This is a very bad idea. Do not use more than one DHCP server per network (unless they are part of a more sophisticated round-robin or failover topology and are actually working together in a cooperative system).

Are you trying to use an alternate DHCP server relative to the one on router B, but you are unable to turn off the DHCP server on router B?

Yes, and there is no accessible router on Location B.

What does this mean? You do not have administrative access to configure that router?

Why do you want to use an alternate DHCP server -- what do you hope to achieve with this configuration?

If you want to direct all traffic through router A, the easiest method is to basically make that the main router for the network, and router B becomes the upstream (or WAN) relative to router A. This creates a double-NAT situation which is not ideal, but it is typically not an issue for most practical purposes.

That's why I try to make this configuration.

Yes!

Provide DHCP-Options (Alternate DNS-server, Static adresses, alternate gateway and domain-search).
Better management of hostnames.
...

Yes, but I don't want to buy and manage another router only for this.

I did this setup years ago and it causes many problems.
Can't remember exactly what this was.

You already have the router, don’t you? Router A?

Unless you have a multi-wan configuration or a vpn split tunnel, you can only have a single gateway.

The dns related stuff makes sense.

Router A has radio and is not on Location B.

I have a multi wan configuration, vpn split tunnel and vrrp on other routers on LAN.

PS: "alternate gateway" was probably the wrong word. I think "different" is the right vocable in English.