How to set up network with bonding and VLANs

Hi,

My current setup is:
Bridge Device: br-lan (eth0, eth1, eth2, eth3)
Interface 1: lan (br-lan) 10.0.0.1/16 (DHCP running)
Interface 2: dmz (br-lan.10) 10.10.0.1/16 (DHCP running)
Interface 3: wlan1 (br-lan.20) 10.20.0.1/16 (DHCP running)
Interface 4: wlan2 (br-lan.30) 10.30.0.1/16 (DHCP running)
The switch is managed and configured in a way that the subnets can only connect to each other if they pass the openwrt box.

Currently I have only eth0 connected. (Everything else would lead to collisions).
Since there is a lot of traffic between the subnets I wanted to test if throughput can be optimized if I use link aggregation.
How do I have to change my configuration so that everything is working like now but br-lan is replaced by a link aggregation?

It got me really confused that link aggregation is an interface, not a device like VLAN. If it was a device it would be easy. But with LA as an interface I ran into all kinds of problems like getting DHCP running or putting a VLAN on top of the interface.

What do you mean with this, exactly?

Link aggregation is used when there are several links between two nodes (for example, a server with two network cards both connected to the same switch); I do not see how you could use it in this situation.

Anyway, do you want to control the traffic between the subnets?

1 Like
  • It's not clear what's physically connecting to the OpenWrt and the switch
  • It's not clear what ports you wanna use to bond

You shouldn't be getting collisions - is STP enabled?

Ports 1-4 of the OpenWrt box are connected to Ports 1-4 of the Managed Switch.
At least that's what it should be. But if I connect more than one port I get tons of network collisions.
Which is clear to me since the br-lan device will send every packet over every linked port. Since they go to the same router the packets collide.

That's what I am trying to achieve. My OpenWrt box has 5 eth ports with 1Gb/s; one port is the WAN port, the others are linked in the br-lan.
My switch and the rest of the network (except WLAN) is running at 10Gb/s.

Why do you not post the network config of the Openwrt and the switch, so we can have a look what is actually configured?

1 Like

Ok, I see it now. I thought you had performance issues with the router's CPU, not the connection to the switch. You can use link aggregation, or (just as an idea) you could use each ethernet port for one subnetwork.

For the link aggregation, you have to configure it first on the switch, then separate the four ethernet ports out of the LAN bridge, regroup them again in a bond, then configure your LAN on top of that.

As @_bernd commented, let's start with your current configuration.

I figured it out. These are my settings and they are working perfectly fine:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd18:254d:0d95::/56'
        option packet_steering '1'

config interface 'wan'
        option device 'wan.2'
        option proto 'pppoe'
        option username 'removed'
        option password 'removed'
        option ipv6 'auto'

config interface 'lan'
        option proto 'static'
        option device 'bond-baselan.1'
        option ipaddr '10.0.0.1'
        option netmask '255.255.0.0'
        option ip6assign '64'
        list ip6class 'henet'

config interface 'cobra_lan'
        option proto 'static'
        option device 'bond-baselan.40'
        option ipaddr '10.40.0.1'
        option netmask '255.255.0.0'
        option ip6assign '64'
        option ip6hint '28'
        list ip6class 'henet'

config interface 'cobra_vpn'
        option proto 'wireguard'
        option private_key 'removed'
        option listen_port '51820'
        option ip6assign '64'
        option ip6hint '32'
        list ip6class 'henet'
        list addresses '10.50.0.1/16'
        list addresses 'removed:32::1/64'

config wireguard_cobra_vpn
        option description 'Bilal'
        option public_key 'removed'
        option private_key 'removed'
        option preshared_key 'removed'
        option persistent_keepalive '25'
        list allowed_ips '10.50.0.2/16'
        list allowed_ips '10.40.0.0/16'
        list allowed_ips 'removed:32::2/64'
        list allowed_ips 'removed:28::/64'

config wireguard_cobra_vpn
        option description 'Robin'
        option public_key 'removed'
        option private_key 'removed'
        option preshared_key 'removed'
        option persistent_keepalive '25'
        list allowed_ips '10.40.0.0/16'
        list allowed_ips '10.50.0.4/16'
        list allowed_ips 'removed:32::4/64'
        list allowed_ips 'removed:28::/64'

config wireguard_cobra_vpn
        option description 'Swtrse'
        option public_key 'removed'
        option private_key 'removed'
        option preshared_key 'removed'
        option persistent_keepalive '25'
        list allowed_ips '10.40.0.0/16'
        list allowed_ips 'removed:28::/64'
        list allowed_ips 'removed:32::2/64'
        list allowed_ips '10.50.0.2/16'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '2'
        option name 'wan.2'

config interface 'wan2'
        option proto 'static'
        option device '@wan'
        list ipaddr 'removed.209/29'
        list ipaddr 'removed.210/29'
        list ipaddr 'removed.211/29'
        list ipaddr 'removed.212/29'
        list ipaddr 'removed.213/29'
        list ipaddr 'removed.214/29'

config interface 'henet'
        option proto '6in4'
        option peeraddr '216.66.80.30'
        option ip6addr 'removed::2/64'
        list ip6prefix 'removed::/48'
        option tunnelid 'removed'
        option username 'removed'
        option password 'removed'

config interface 'baselan'
        option proto 'bonding'
        option ipaddr '10.255.0.1'
        option netmask '255.255.0.0'
        option bonding_policy '802.3ad'
        option min_links '0'
        option ad_actor_sys_prio '65535'
        option ad_select 'bandwidth'
        option lacp_rate 'slow'
        option xmit_hash_policy 'layer2+3'
        option all_slaves_active '0'
        option link_monitoring 'mii'
        option miimon '30'
        option downdelay '0'
        option updelay '0'
        option use_carrier '1'
        option ip6assign '64'
        list ip6class 'henet'
        option ip6hint 'FF'
        list slaves 'lan1'
        list slaves 'lan2'
        list slaves 'lan3'
        list slaves 'lan4'

config device
        option type '8021q'
        option ifname 'bond-baselan'
        option vid '1'
        option name 'bond-baselan.1'

config device
        option type '8021q'
        option ifname 'bond-baselan'
        option vid '10'
        option name 'bond-baselan.10'

config device
        option type '8021q'
        option ifname 'bond-baselan'
        option vid '20'
        option name 'bond-baselan.20'

config device
        option type '8021q'
        option ifname 'bond-baselan'
        option vid '30'
        option name 'bond-baselan.30'

config device
        option type '8021q'
        option ifname 'bond-baselan'
        option vid '40'
        option name 'bond-baselan.40'

config interface 'private_wlan'
        option proto 'static'
        option device 'bond-baselan.10'
        option ipaddr '10.10.0.1'
        option netmask '255.255.0.0'
        option ip6assign '64'
        option ip6hint 'A'
        list ip6class 'henet'

config interface 'public_wlan'
        option proto 'static'
        option device 'bond-baselan.20'
        option ipaddr '10.20.0.1'
        option netmask '255.255.0.0'
        option ip6assign '64'
        option ip6hint '14'
        list ip6class 'henet'

config interface 'dmz'
        option proto 'static'
        option device 'bond-baselan.30'
        option ipaddr '10.30.0.1'
        option netmask '255.255.0.0'
        option ip6assign '64'
        option ip6hint '1E'
        list ip6class 'henet'

The configuration on my switch looks like this.

The LAG settings, no surprises here.

Next are my VLAN settings.

I did use port isolation too but it is pretty straightforward and can be ignored.

Maybe this is useful to someone else too.
As said, the only thing I was unable to achieve is to give the clients in the subnet reserved for WireGuard clients a VLAN ID of 50.

2 Likes
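The layout the thread ends up with (ports taken out of br-lan, bonded as bond-baselan, 802.1q devices and interfaces stacked on top) is easy to break when hand-editing that many near-identical sections: drop one `config device` header and uci silently merges two VLAN devices into one, so an interface then points at a VLAN nothing explicitly declares. The following checker is an added example, not code from the thread or from OpenWrt; `SAMPLE`, `FIXED`, `parse` and `lint` are all constructed here, and the check is deliberately limited to what the posted file shows (repeated options in a section, and interface devices with a dot in the name that no device section declares).

```python
import re
# Constructed excerpt modelled on the /etc/config/network in the post: two
# 802.1q devices on the bond and the 'lan' interface that uses the first.
# The second device's "config device" header has been dropped on purpose.
SAMPLE = """\
config device
        option type '8021q'
        option ifname 'bond-baselan'
        option vid '1'
        option name 'bond-baselan.1'

        option type '8021q'
        option ifname 'bond-baselan'
        option vid '10'
        option name 'bond-baselan.10'

config interface 'lan'
        option proto 'static'
        option device 'bond-baselan.1'
"""
# Same text with the lost header restored in front of the orphaned block.
FIXED = SAMPLE.replace("\n\n        option type", "\n\nconfig device\n        option type")
SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?")
OPTION = re.compile(r"^\s+option\s+(\S+)\s+'([^']*)'")

def parse(text):
    """Parse UCI text; report a repeated option in one section (uci keeps the last value)."""
    sections, findings, cur = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        if m := SECTION.match(line):
            cur = {"type": m.group(1), "name": m.group(2), "opts": {}}
            sections.append(cur)
        elif (m := OPTION.match(line)) and cur is not None:
            key, val = m.groups()
            if key in cur["opts"]:
                findings.append(f"line {n}: option '{key}' repeated in a '{cur['type']}' section, header probably missing")
            cur["opts"][key] = val   # last value wins, exactly as uci would behave
    return sections, findings

def lint(text):
    """Lost headers plus interfaces whose VLAN device no 'config device' section declares."""
    sections, findings = parse(text)
    declared = {s["opts"]["name"] for s in sections
                if s["type"] == "device" and "name" in s["opts"]}
    for s in sections:
        dev = s["opts"].get("device", "")
        if s["type"] == "interface" and "." in dev and dev not in declared:
            findings.append(f"interface '{s['name']}': no 'config device' section declares '{dev}'")
    return findings
```

Run `lint(SAMPLE)` to see the merged section reported four times and `lan` flagged because only `bond-baselan.10` survives the merge; `lint(FIXED)` returns nothing.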

Just a small update.
I noticed today that after a while my switch did not show the LAG partner anymore. I then realized that the bonding interface is untagged traffic. The solution is simple: just change the settings for WAN1, WAN2, WAN3, WAN4 in the VLAN tab from strict to enabled and only tagged to any, and it will show up again almost immediately.
If something else is not working it is 99% related to your personal firewall settings. But they are out of scope for this post.

1 Like
