I'm not sure I understand what you mean by this.
I meant that when using a single bridge for VLAN filtering, you can go to that bridge in LuCI, open the "Bridge VLAN filtering" tab and see all VLAN/port assignments at a glance.
Gotcha. Yes, that is true.
So there basically seems nothing obviously wrong aside from the possible bridge vs VLAN problem with the DSA switch?
Maybe it's really the printer's firmware blocking access. Is there any way to trick the printer into thinking that traffic comes from the same subnet, despite coming from a different one?
Yes.
You can configure your firewall to masquerade traffic destined to the printer's network from the LAN's SRC IPs.
After you enable masquerading on the printer's firewall zone, you would edit an advanced setting to specify only the LAN subnet.
You would enter 192.168.1.0/24
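As an added illustration (not the poster's own configuration), this is what that setup looks like in /etc/config/firewall. The zone and interface name 'printer' is an assumption; the 192.168.1.0/24 subnet is the LAN value named above. The masq_src list is the advanced source-subnet restriction referred to in the post, so only LAN hosts get NATed toward the printer and no other zone's traffic is hidden behind the router's address.

```uci
# Example zone layout (assumed names: 'lan' and 'printer' interfaces/zones)

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'printer'
	list network 'printer'
	# the printer network may not initiate connections to the router
	# or to other zones; only what the rule below allows
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masquerade traffic leaving the router toward the printer network
	option masq '1'
	# limit masquerading to packets whose source is the LAN subnet
	list masq_src '192.168.1.0/24'

# the printer still needs DHCP from the router
config rule
	option name 'Allow-DHCP-printer'
	option src 'printer'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# LAN hosts may reach the printer; the reverse direction stays blocked
config forwarding
	option src 'lan'
	option dest 'printer'
```

Restart the firewall afterwards (/etc/init.d/firewall restart) and the printer should see connections arriving from the router's address on its own subnet.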
I don't think that the printer's firmware is at fault here... I think it is a configuration problem on OpenWrt.
I'd recommend using a single bridge and the bridge-vlan method.
But as @lleachii pointed out, yes you can try using masquerading to see if it will help the situation.
While testing the GL-MT6000 Flint 2 as a router and reworking my setup on this new device with bridge-vlans, I successfully integrated the printer in a separate subnet and firewall zone. The main difference (aside from using a different device) is the bridge-vlan method. So I would assume that @psherman was right and my assumption about the printer's firmware blocking access from different subnets was wrong.
Maybe someone more knowledgeable than me could rewrite this part of the documentation, which suggests otherwise and can confuse users: dsa-mini-tutorial#multiple_bridged_networks
I have one more question regarding the bridge-vlan method. Let's pick the GL-MT6000 as an example. It has 'eth1' (usually used as WAN port) and 'eth0' (switch with 'LAN1' to 'LAN5'). Am I right to assume that the latter is a DSA switch? For eth0 I learned that I have to use a single bridge and use the bridge-vlan method. How would I correctly implement bridging different VLANs from eth1 (let's say VLAN 7) and eth0 (VLAN 3)? Bridge eth1 and eth0 and do VLAN filtering, or bridge VLANs directly (bridge with devices eth1.7 and eth0.3)? In case of the former, does this properly propagate the VLAN filtering already done at eth0?
Awesome! I had expected that this method would work properly.
To be fair here, that is what seemed to be happening. But I have worked with these types of printers on different subnets and I was quite confident that it was not a firmware/routing issue at the printer level.
There are a few potential factors here... so before re-writing, it would be good to know:
- What was the mechanism by which the multiple bridges 'sort of worked'? Specifically, it appears that devices could successfully get IP addresses and even route to the internet, but yet couldn't route to the network on the other bridge. Why does this happen/what is the underlying root cause?
- Are there devices for which the multiple bridges on the same switch chip currently work? And, if so, how would one differentiate so that it would be clear what devices need a single bridge and bridge VLANs vs ones that could use multiple bridges?
- Does 24.xx (the expected next major release that will be branched soon-ish) make any changes to the DSA backend that would make 2 bridges on a single switch work properly?
- Did the author(s) of the DSA mini tutorial test the multiple bridge method and have different results (i.e. working as expected)?
But yes, I do agree that this could cause confusion as currently written.
I think that the correct interpretation would be that:
- the CPU has two Ethernet ports (internal wiring inside the router): eth0 and eth1.
- eth0 is connected to a hardware switch chip inside the MT6000.
- The switch is addressed/configured via DSA.
- eth1 is connected directly to the physical WAN port on the MT6000, so it would be 'individually routed' (not part of the switch).
I don't think you can do this as described. You could add the wan/eth1 port to br-lan such that the port is part of the bridge. This would allow a VLAN on the wan port to be available on one of the lan ports (as tagged with the same VLAN ID or simply untagged).
Generally, you cannot change the VLAN ID without jumping through some additional hoops. For example, on a managed switch, you could have port 1 with VLAN 7 tagged and port 2 with VLAN 7 untagged. Then you'd do the same with VLAN 3 on port 3 (untagged) and port 4 (tagged)... connect ports 2 and 3 together with a patch cable, and voilà, VLAN 7 on port 1 becomes VLAN 3 on port 4. (This method would generally be bad practice, though.)
Meanwhile, since things seem to be working for your printer now...
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!