Help with Turris Omnia DSA switch config

So I have an R7800 that I am trying to replace with a Turris Omnia. The only thing that I wasn't able to reproduce on the Turris is the old VLAN configuration.

On the R7800 I had:

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '2 3 4 6'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '12'
        option ports '0t 1t 5t'

Essentially, my ISP delivers the internet connection on VLAN 12, and as such the wan port is tagged (5t).
As the IPTV service is also on that same VLAN, I set up port 1 ( 1t ) to also be tagged, and I connect the OEM router there. This OEM router manages the IPTV service ( the set-top-box is connected to it ).

So, the R7800 gets a public IP from the ISP because it can decode/encode the VLAN 12 encapsulation, and the OEM router also receives the same encapsulated VLAN12 frames and as such also receives a public IP and is able to manage IPTV traffic.

So, back to the Omnia. This should have been as simple as:

The wan is interface eth2, so in /etc/config/network one uses eth2.12 for the wan device. It works perfectly. The router receives a public IP address from the ISP.

For lan I simply bridged the interfaces named lan0, lan1, lan2 and lan3 and wlan0 and wlan1. Works perfectly.

For the IPTV I created an unmanaged interface with device lan4.12. It does not work. The OEM router that is connected to this interface does not get a public IP address from the ISP.

No idea on how to proceed.

Why didn't you just add port 'LAN4' to VLAN12 as untagged?

Is this something different from the switch?

1 Like

The port for the IPTV router must be tagged, because that router is expecting tagged packets. Still, I have no idea how to configure a port on one VLAN that untags the tag, in DSA switches. That is easy in the old swconfig mode, but I don't know how to do it in DSA mode.

I had thought you "simply" add a bridge between eth2.12 and LAN4.12 to pass tagged packets to LAN4...

1 Like

I have tried that, but it did not work.

This is the output of bridge vlan show:

root@gateway:/# bridge vlan show
port    vlan ids
lan0     1 PVID Egress Untagged

lan1     1 PVID Egress Untagged

lan2     1 PVID Egress Untagged

lan3     1 PVID Egress Untagged

lan4     1 PVID Egress Untagged

br-lan   1 PVID Egress Untagged

eth2.12  1 PVID Egress Untagged

br-iptv  1 PVID Egress Untagged

lan4.12  1 PVID Egress Untagged
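
An added example (not part of the original post): a small Python parser for `bridge vlan show` output that reports which ports are not tagged members of a given VLAN in the bridge VLAN table. The first sample is the output posted above; the second is constructed to show how a VLAN-aware bridge would list tagged VLAN 12 on `eth2` and `lan4`, and that layout is an assumption, not a configuration confirmed in this thread.

```python
import re

# Output as posted in the thread (blank separator lines dropped).
POSTED = """\
port    vlan ids
lan0     1 PVID Egress Untagged
lan1     1 PVID Egress Untagged
lan2     1 PVID Egress Untagged
lan3     1 PVID Egress Untagged
lan4     1 PVID Egress Untagged
br-lan   1 PVID Egress Untagged
eth2.12  1 PVID Egress Untagged
br-iptv  1 PVID Egress Untagged
lan4.12  1 PVID Egress Untagged
"""

# Constructed sample (assumption): a VLAN-aware bridge with VLAN 12 tagged.
CONSTRUCTED = """\
port    vlan ids
eth2     12
lan4     1 PVID Egress Untagged
         12
"""

def parse_bridge_vlan(text):
    """Return {port: {vid: {"pvid": bool, "untagged": bool}}}."""
    table, port = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "port":
            continue                      # blank separator or header row
        if not line[0].isspace():         # a new port starts in column 0
            port = fields.pop(0)
            table.setdefault(port, {})
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", fields[0]) if fields else None
        if port is None or m is None:
            continue
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        for vid in range(low, high + 1):  # `bridge -c vlan show` prints ranges
            table[port][vid] = {"pvid": "PVID" in fields,
                                "untagged": "Untagged" in fields}
    return table

def missing_tagged(table, vid, ports):
    """Ports that are not tagged members of `vid` in the bridge VLAN table."""
    return [p for p in ports
            if vid not in table.get(p, {}) or table[p][vid]["untagged"]]

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(name, missing_tagged(parse_bridge_vlan(text), 12, ["eth2", "lan4"]))
```

The check reads only the bridge VLAN table; tagging done by 802.1Q sub-interfaces such as lan4.12 happens outside the bridge and does not appear there.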

Mmmh, maybe the following thread has some pointers:

1 Like

I actually went through that entire thread yesterday but couldn't figure out what I am doing wrong (or not doing).

Actually, I may have not tried this. I mean, I did try the configuration, but I didn't notice before that the router would enter a reboot loop. I tried today again just in case and indeed, the kernel does not like the configuration.

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask ''
        option ip6assign '60'
        option delegate '0'
        option ifname 'lan0 lan1 lan2 lan3 lan4'
        option ipaddr ''

config interface 'wan'
        option proto 'dhcp'
        option broadcast '1'
        option peerdns '0'
        option delegate '0'
        list dns ''
        list dns ''
        option ifname 'eth2.12'

config interface 'iptv'
        option proto 'none'
        option type 'bridge'
        option ifname 'eth2.12 lan4.12'

[   11.713689] mv88e6085 f1072004.mdio-mii:10 lan4: configuring for phy/gmii link mode
[   11.723038] IPv6: ADDRCONF(NETDEV_UP): lan4: link is not ready
[   11.729113] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[   11.737224] br-iptv: port 2(lan4.12) entered blocking state
[   11.742835] br-iptv: port 2(lan4.12) entered disabled state
[   11.748707] device lan4.12 entered promiscuous mode
[   11.753628] device lan4 entered promiscuous mode
[   11.758261] device eth1 entered promiscuous mode
[   11.767367] Unable to handle kernel NULL pointer dereference at virtual address 00000518
[   11.775491] pgd = ec0a8779
[   11.778205] [00000518] *pgd=2d834831, *pte=00000000, *ppte=00000000
[   11.784497] Internal error: Oops: 17 [#1] SMP ARM
[   11.789213] Modules linked in: ath9k ath9k_common pppoe ppp_async iptable_nat ipt_MASQUERADE ath9k_hw ath10k_pci ath10k_core ath xt_state xt_nat xt_conntrack xt_REDIRECT xt_FLOWOFFLOAg
[   11.851892] CPU: 1 PID: 1564 Comm: netifd Not tainted 4.19.82 #0
[   11.857910] Hardware name: Marvell Armada 380/385 (Device Tree)
[   11.863848] PC is at br_vlan_enabled+0x0/0x10
[   11.868217] LR is at dsa_port_vlan_add+0x40/0x88
[   11.872842] pc : [<c06a5f04>]    lr : [<c06ab714>]    psr: 60000013
[   11.879121] sp : edacbc90  ip : 00081201  fp : edacbe1b
[   11.884356] r10: 00000001  r9 : edc3ad00  r8 : edc3e000
[   11.889591] r7 : edacbcf4  r6 : edacbd1c  r5 : ffffffa1  r4 : ee9b364c
[   11.896132] r3 : 00000004  r2 : edacbcf4  r1 : 00000000  r0 : 00000000
[   11.902673] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
[   11.909823] Control: 10c5387d  Table: 2dad404a  DAC: 00000051
[   11.915581] Process netifd (pid: 1564, stack limit = 0xa37f2f77)
[   12.155464] [<c06a5f04>] (br_vlan_enabled) from [<c06ab714>] (dsa_port_vlan_add+0x40/0x88)
[   12.163752] [<c06ab714>] (dsa_port_vlan_add) from [<c06b33f4>] (__switchdev_port_obj_add+0x30/0x90)
[   12.172820] [<c06b33f4>] (__switchdev_port_obj_add) from [<c06b3420>] (__switchdev_port_obj_add+0x5c/0x90)
[   12.182497] [<c06b3420>] (__switchdev_port_obj_add) from [<c06b34d0>] (switchdev_port_obj_add_now+0x7c/0xf0)
[   12.192349] [<c06b34d0>] (switchdev_port_obj_add_now) from [<c06a9ba8>] (br_switchdev_port_vlan_add+0x40/0x48)
[   12.202375] [<c06a9ba8>] (br_switchdev_port_vlan_add) from [<c06a7590>] (__vlan_add+0x50/0x5b4)
[   12.211095] [<c06a7590>] (__vlan_add) from [<c06a841c>] (nbp_vlan_add+0x208/0x234)
[   12.218683] [<c06a841c>] (nbp_vlan_add) from [<c06a8540>] (nbp_vlan_init+0xf8/0x14c)
[   12.226446] [<c06a8540>] (nbp_vlan_init) from [<c0697ca0>] (br_add_if+0x3d0/0x5b0)
[   12.234037] [<c0697ca0>] (br_add_if) from [<c05c1094>] (dev_ifsioc+0x2e8/0x30c)
[   12.241363] [<c05c1094>] (dev_ifsioc) from [<c05c16b8>] (dev_ioctl+0x54c/0x5bc)
[   12.248690] [<c05c16b8>] (dev_ioctl) from [<c057d550>] (sock_ioctl+0x4c0/0x4f0)
[   12.256020] [<c057d550>] (sock_ioctl) from [<c0234d8c>] (do_vfs_ioctl+0x85c/0x8e8)
[   12.263609] [<c0234d8c>] (do_vfs_ioctl) from [<c0234e4c>] (ksys_ioctl+0x34/0x58)
[   12.271023] [<c0234e4c>] (ksys_ioctl) from [<c0101000>] (ret_fast_syscall+0x0/0x54)
[   12.278695] Exception stack(0xedacbfa8 to 0xedacbff0)
[   12.283757] bfa0:                   b6df9760 000089a2 00000008 000089a2 beea1ba8 beea1ba0
[   12.291953] bfc0: b6df9760 000089a2 b6e6d1b8 00000036 b6df9798 b6e6d1b8 b6df9904 0003d7a0
[   12.300148] bfe0: 0003cd54 beea1b88 00013798 b6eb678c
[   12.305212] Code: 18bd8010 e05c0002 13a00001 e8bd8010 (e5d00518) 
[   12.311341] ---[ end trace a9a937646619f922 ]---
[   12.316524] Kernel panic - not syncing: Fatal exception
[   12.321762] CPU0: stopping
[   12.324477] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G      D           4.19.82 #0
[   12.331888] Hardware name: Marvell Armada 380/385 (Device Tree)
[   12.337827] [<c010ebfc>] (unwind_backtrace) from [<c010ab60>] (show_stack+0x10/0x14)
[   12.345591] [<c010ab60>] (show_stack) from [<c06b72fc>] (dump_stack+0x88/0x9c)
[   12.352830] [<c06b72fc>] (dump_stack) from [<c010d9d8>] (handle_IPI+0xf0/0x19c)
[   12.360160] [<c010d9d8>] (handle_IPI) from [<c03dc1bc>] (gic_handle_irq+0x8c/0x90)
[   12.367750] [<c03dc1bc>] (gic_handle_irq) from [<c0101a0c>] (__irq_svc+0x6c/0x90)
[   12.375248] Exception stack(0xc0a01f38 to 0xc0a01f80)
[   12.380310] 1f20:                                                       00000000 000241f4
[   12.388507] 1f40: ef6d72c4 c01145e0 ffffe000 c0a03c6c 00000001 c0a03cac c0946528 00000000
[   12.396704] 1f60: 00000000 00000000 c0a0ef40 c0a01f88 c0108358 c010835c 60000013 ffffffff
[   12.404904] [<c0101a0c>] (__irq_svc) from [<c010835c>] (arch_cpu_idle+0x34/0x38)
[   12.412323] [<c010835c>] (arch_cpu_idle) from [<c014d034>] (do_idle+0xe4/0x1c8)
[   12.419651] [<c014d034>] (do_idle) from [<c014d374>] (cpu_startup_entry+0x18/0x1c)
[   12.427240] [<c014d374>] (cpu_startup_entry) from [<c0900de8>] (start_kernel+0x4e8/0x4f8)
[   12.435791] Rebooting in 3 seconds..

My understanding of the setup is:

  • TO -> wan eth2.12 working
    |_ TO Lan4(.12) for IPTV client (OEM router) not getting upstream connectivity

My comprehension of the switch concept is that it:

  • centralizes communications among multiple connected LAN segments (which can span multiple devices connected to the switch port(s)) by determining the source and destination addresses of each packet and forwards data only to the specific network segments

With that premise it does not seem necessary to tag packets on the switch downstream port(s) (LAN 0 - 4) since upstream WAN (eth2) interface already tags egress packets with VLAN ID 12.

What I do not get is

Why should the OEM router for IPTV get a public IP from the ISP, or expect tagged packets at all? If it is IPv4 then it would be NATed by the TO with a LAN IP, or else with IPv6 it should get a delegated prefix from the TO.

1 Like

Quick question: Did you get your desired configuration to work before with a non-DSA switch? I assume you did and are trying to re-create a known working configuration here...

1 Like

On a stock ISP configuration, the OEM router has its RJ45 WAN port connected to a device that terminates the fiber link and converts it to RJ45.
Packets that come from this RJ45 port are tagged with VLAN12. So the OEM router receives them tagged on its WAN port, untags them, routes the untagged packages to the several devices that I have at home, including the ISP-provided IPTV set-top-boxes, and the outbound traffic from all these devices gets tagged again with the VLAN ID 12 tag before leaving the WAN port.

So, to replace this OEM router with another one running OpenWRT, one has to mark the OpenWRT WAN port as tagged on VLAN 12. The problem is, if I do just this, the IPTV set-top-boxes won't work, because their traffic is IGMP and I don't know how to properly route this traffic to the internal IP networks of the ISP. So the solution is to keep using the OEM router just for IPTV functionality (the set-top boxes are connected to its LAN ports). For this, I can simply use a dumb switch and connect the OEM router, OpenWRT router and fiber box to it, and everything will work. The OpenWRT router will get a public IP address and I will have internet, the OEM router will get a public IP address and manage the set-top-boxes. But I don't want to have yet another device (switch) in my setup.

The above configuration worked perfectly on the R7800. But I can't figure out how to make this work with DSA. And actually something fishy is happening: as per the above post (that you may not have read because we posted at the same time), the kernel oopses when I try to bridge eth2.12 and lan4.12 together.

This is with the latest development snapshot. Will try 18.06 and see if it oopses too.

Yes, so as I have posted, my R7800 works perfectly with the swconfig posted above. I am going to replace it with the Omnia and because it uses DSA, I'm not able to reproduce the R7800 VLAN configuration.

1 Like

So, just tried with the latest and the kernel does not crash when setting up the bridge between eth2.12 and lan4.12.

Unsure if it will work with this configuration as I am not at home now. Will only be able to test in a couple of hours.

1 Like

Perhaps not the best (security) practice to bridge a WAN segment with a LAN segment. Seems that ipt did not take kindly to it.

Which should suffice the VLAN management with the ISP but would appear that the IPTV set-top-boxes requiring tagged packets on ingress.

For VLAN tagging to work on the switch downstream LAN ports the kernel needs to be compiled, if the LAN port is enslaved in a bridge, with


Assuming that being the case it then is noteworthy

by default, the bridge does not filter on VLAN and only bridges untagged
traffic. To enable VLAN support, turn on VLAN filtering:

echo 1 >/sys/class/net/<bridge>/bridge/vlan_filtering

Perhaps this is more helpful, particularly if Lan4 is not enslaved in a bridge.

The DSA switch configuration is not integrated into the main userspace network configuration suites by now and has to be performed manually.

  • make sure that the firewall is properly set for WAN igmp ipv4 / mld (aka igmp) / icmp ipv6 / icmp ipv6 forward

If LAN4 is not part of the LAN bridge anymore, it ceases to be a LAN port, no? I took LAN4 simply as the name of the port on the omnia...

1 Like

Where and how do I configure this or see if it is active? I haven't found such an option in "make menuconfig".

I opened a bug report because of the kernel crashes:

No, since they are front-panel ports

For each front-panel port, DSA will create specialized network devices which are used as controlling and data-flowing endpoints for use by the Linux networking stack. These specialized network interfaces are referred to as “slave” network interfaces in DSA terminology and code.

On the Omnia you got

  • eth2 -> WAN facing CPU port
  • eth0 and eth1 -> switch's CPU (management) port(s) (master/conduit network devices since they act as a pipe between the host processor and the hardware Ethernet switch)
  • lan0@ethX, lan1@ethX, lan2@ethX, lan3@ethX and lan4@ethX -> switch's downstream ports (“slave” network interfaces in DSA terminology and code)

In most distros it can be read with zcat /proc/config.gz

Alternatively lookup;a=summary

1 Like

Just checked, it is enabled as I can write a 1 or 0 to the path.