I'm trying to distribute a couple of networks around the wired LAN in my house. There will end up being two networks on the LAN, untagged traffic being Network 1 and VLAN 11 traffic being Network 2. I am trying to configure my DSA enabled OpenWRT device to work with both of these networks.
The untagged Network 1 already exists, another router in the house provides DHCP addresses in the 192.168.0.0/24 range.
The VLAN 11 tagged Network 2 will be served DHCP addresses by my OpenWRT device in the 10.0.10.0/24 range. It will be NATted to Network 1 (yes, this will result in a double NAT).
The OpenWRT device has WiFi and 3 devices provided by DSA on the 3 port gigabit switch:
I also have two bridges configured:
I finally have the default LAN and WAN interfaces configured to use these bridges. Each interface also has two WiFi networks configured (2.4GHz and 5GHz each) so that I can access both the NATted Network 2 (10.0.10.0/24) and the WAN Network 1 (192.168.0.0/24) through this OpenWRT device on the respective WiFi networks:
This setup works perfectly. I am able to access both Network 1 and Network 2 through this OpenWRT device using the respective SSIDs configured for them. However, I wish to also provide access to Network 2 (10.0.10.0/24) through the wan device on VLAN 11, which I have not yet been able to achieve.
I have tried various combinations of bridge devices with VLAN filtering and virtual ethernets for VLAN under 802.1Q, without much success. I have tried so many combinations I have unfortunately lost track.
How can I provide access to Network 2 (10.0.10.0/24) via the wan (or maybe br-wan?) device on VLAN 11?
Tagged and untagged on the same cable is not a best practice but here it appears that you are trying to backfeed tagged packets into an unmanaged network consisting of an ISP router and an unmanaged switch. This is also not certain to work depending on how those non-vlan-aware devices handle tagged packets.
If you want to try though, the best way with DSA is to:
Put all the eth ports into one single bridge. I usually name it br-eth to distinguish that it is not dedicated to being lan or wan.
Establish a bridge-vlan inside br-eth for every VLAN, including those like wan that will not be tagged outside. The choice of VLAN numbers for those is arbitrary, but must be unique within the bridge. The VLANs which you do want to emit / receive tagged Ethernet packets must be numbered according to the tag numbers they are going to use.
Designate the external ethernet ports as tagged, untagged, or off in their VLANs.
Attach networks to this master bridge with the notation br-eth.N where N is the unique VLAN number, in the Device setting on the network interface.
The critical point is that everything inside br-eth is tagged, including the connections to the higher level kernel networks. Tags may be retained or removed on the external cables.
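The steps above written out as an `/etc/config/network` fragment, added here as an illustration rather than taken from the answer or the asker's configuration. It assumes the three DSA ports are named `wan`, `lan1` and `lan2`, picks the arbitrary bridge-VLAN number 1 for the untagged Network 1, and uses 11 for Network 2 because that is the tag that must appear on the cable. In the bridge-vlan port notation `:u*` means untagged with this VLAN as the port's PVID and `:t` means tagged; a port not listed in a bridge-vlan is off for that VLAN.

```uci
# Assumed port names: wan, lan1, lan2 (adjust to your DSA switch's names).
# Step 1: one master bridge holding every ethernet port.
config device
	option name 'br-eth'
	option type 'bridge'
	list ports 'wan'
	list ports 'lan1'
	list ports 'lan2'

# Step 2/3: bridge-vlan 1 carries Network 1 (192.168.0.0/24).
# The number is arbitrary because it leaves the device untagged.
# wan and lan1 are untagged members; lan2 is off for this VLAN.
config bridge-vlan
	option device 'br-eth'
	option vlan '1'
	list ports 'wan:u*'
	list ports 'lan1:u*'

# Step 2/3: bridge-vlan 11 carries Network 2 (10.0.10.0/24).
# 11 is fixed because it is the tag emitted on the wan cable.
# wan is a tagged member (VLAN 11 frames on the shared cable);
# lan2 is an untagged access port for Network 2; lan1 is off.
config bridge-vlan
	option device 'br-eth'
	option vlan '11'
	list ports 'wan:t'
	list ports 'lan2:u*'

# Step 4: attach the kernel networks to the bridge as br-eth.N.
# Network 1 keeps getting its address from the upstream router.
config interface 'wan'
	option device 'br-eth.1'
	option proto 'dhcp'

# Network 2 is served by this device; the stock firewall's
# lan -> wan masquerade provides the NAT described in the question.
config interface 'lan'
	option device 'br-eth.11'
	option proto 'static'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'
```

The existing WiFi entries in `/etc/config/wireless` need no change: the SSIDs that reference `network 'lan'` land on br-eth.11 and those that reference `network 'wan'` land on br-eth.1. Only the `wan` port is a tagged member of VLAN 11, so Network 2 reaches the shared cable purely as tagged frames; whether the upstream router and any unmanaged switch pass or drop those frames is the uncertainty the answer points out, and that is worth confirming on the cable (for example with `tcpdump -e` on a host behind the unmanaged switch) before relying on it.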