Mini tutorial for DSA network config

Thanks to all who posted some wireless examples to go along with guest configs, haven't found those elsewhere.

Does anyone have the syntax for making the new DSA configs (specifically creating new device configs/bridges for VLANs etc. via the UCI command line, aka set uci ...)?

I do all my router config via UCI CLI statements in shell scripts, I'd like to get a head start on the script conversions before I upgrade.
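The UCI command-line form asked for above, as an added example that is not part of the original post: shell functions that print `uci batch` statements for the br-wan / VLAN 100 configuration reported as working later in this thread. The function names are made up for illustration, the `wan` device section with its MAC address is left out, and the sections are assumed not to exist yet in /etc/config/network.

```shell
# Added example, not from the thread. Prints `uci batch` statements for a DSA
# bridge with VLAN filtering; assumes the sections do not exist yet.
# Port flags as used in the thread: t = tagged, u = untagged, * = PVID.

# uci_bridge BRIDGE PORT...
uci_bridge() {
    br=$1; shift
    printf '%s\n' "add network device" \
        "set network.@device[-1].name='$br'" \
        "set network.@device[-1].type='bridge'"
    for p in "$@"; do
        printf "add_list network.@device[-1].ports='%s'\n" "$p"
    done
}

# uci_bridge_vlan BRIDGE VID PORT[:FLAGS]...
uci_bridge_vlan() {
    br=$1; vid=$2; shift 2
    case $vid in
        ''|*[!0-9]*) echo "bad VLAN id: $vid" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "VLAN id out of range: $vid" >&2; return 1
    fi
    for p in "$@"; do          # validate everything before printing anything
        case $p in
            *:|*:*[!tu*]*) echo "bad port flags: $p" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "add network bridge-vlan" \
        "set network.@bridge-vlan[-1].device='$br'" \
        "set network.@bridge-vlan[-1].vlan='$vid'"
    for p in "$@"; do
        printf "add_list network.@bridge-vlan[-1].ports='%s'\n" "$p"
    done
}

# The br-wan / VLAN 100 configuration reported as working later in the thread.
wan_vlan100() {
    uci_bridge br-wan wan &&
    uci_bridge_vlan br-wan 100 'wan:u*' &&
    printf '%s\n' "set network.wan=interface" \
        "set network.wan.device='br-wan.100'" "set network.wan.proto='dhcp'"
}

# On the router: wan_vlan100 | uci batch && uci commit network
wan_vlan100
```

Run stand-alone it only prints the statements, so the output can be reviewed before it is piped into `uci batch` on the router.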

@rmilecki @jow

I have a Check Point L-50 with dsa @ eth1 and phy @ eth0. I am trying to make bridges on the current snapshot:


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00::/8'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
#       list ports 'lan7'
#       list ports 'lan8'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'lan7'
        list ports 'lan8'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

bridge name	bridge id		STP enabled	interfaces
br-wan		7fff.001c7f24a06b	no		eth0
br-lan		7fff.001c7f24a06c	no		lan6
							lan4
							lan2
							lan5
							lan3
							lan1
root@OpenWrt:/# bridge link
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-wan state forwarding priority 32 cost 100 
4: lan5@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-lan state disabled priority 32 cost 100 
5: lan1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 4 
6: lan6@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-lan state disabled priority 32 cost 100 
7: lan2@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-lan state disabled priority 32 cost 100 
9: lan3@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 4 
11: lan4@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-lan state forwarding priority 32 cost 4 

Log:

root@OpenWrt:/# service network reload
[  179.014089] device lan7 left promiscuous mode
[  179.018618] br-lan: port 7(lan7) entered disabled state
[  179.126369] device lan8 left promiscuous mode
[  179.130875] br-lan: port 8(lan8) entered disabled state
[  179.955013] br-wan: port 1(eth0) entered blocking state
[  179.960281] br-wan: port 1(eth0) entered disabled state
[  179.965789] device eth0 entered promiscuous mode
[  179.974381] mv88e6085 f1072004.mdio-bus-mii:10 lan7: configuring for phy/gmii link mode
[  179.998993] 8021q: adding VLAN 0 to HW filter on device lan7
[  180.008907] br-wan: port 2(lan7) entered blocking state
[  180.014197] br-wan: port 2(lan7) entered disabled state
[  180.042502] device lan7 entered promiscuous mode
[  180.060949] mv88e6085 f1072004.mdio-bus-mii:10: p4: hw VLAN 1 already used by port 0 in br-lan
[  180.069655] mv88e6085 f1072004.mdio-bus-mii:10 lan7: failed to initialize vlan filtering on this port
[  180.141717] br-wan: port 2(lan7) entered blocking state
[  180.146994] br-wan: port 2(lan7) entered disabled state
[  180.165374] mv88e6085 f1072004.mdio-bus-mii:10: p4: hw VLAN 1 already used by port 0 in br-lan
[  180.174055] mv88e6085 f1072004.mdio-bus-mii:10 lan7: failed to initialize vlan filtering on this port
[  180.243146] br-wan: port 2(lan7) entered blocking state
[  180.248419] br-wan: port 2(lan7) entered disabled state
[  180.265810] mv88e6085 f1072004.mdio-bus-mii:10: p4: hw VLAN 1 already used by port 0 in br-lan
[  180.274494] mv88e6085 f1072004.mdio-bus-mii:10 lan7: failed to initialize vlan filtering on this port
[  180.344668] br-wan: port 2(lan7) entered blocking state
[  180.349917] br-wan: port 2(lan7) entered disabled state
[  180.366244] mv88e6085 f1072004.mdio-bus-mii:10: p4: hw VLAN 1 already used by port 0 in br-lan
[  180.374933] mv88e6085 f1072004.mdio-bus-mii:10 lan7: failed to initialize vlan filtering on this port
[  180.460069] mv88e6085 f1072004.mdio-bus-mii:11 lan8: configuring for phy/gmii link mode
[  180.473421] 8021q: adding VLAN 0 to HW filter on device lan8
[  180.479872] br-wan: port 2(lan8) entered blocking state
[  180.485147] br-wan: port 2(lan8) entered disabled state
[  180.508173] device lan8 entered promiscuous mode
[  180.520510] mv88e6085 f1072004.mdio-bus-mii:11: p1: hw VLAN 1 already used by port 0 in br-lan
[  180.529201] mv88e6085 f1072004.mdio-bus-mii:11 lan8: failed to initialize vlan filtering on this port
[  180.608106] br-wan: port 2(lan8) entered blocking state
[  180.613363] br-wan: port 2(lan8) entered disabled state
[  180.631717] mv88e6085 f1072004.mdio-bus-mii:11: p1: hw VLAN 1 already used by port 0 in br-lan
[  180.640405] mv88e6085 f1072004.mdio-bus-mii:11 lan8: failed to initialize vlan filtering on this port
[  180.712399] br-wan: port 2(lan8) entered blocking state
[  180.717667] br-wan: port 2(lan8) entered disabled state
[  180.736104] mv88e6085 f1072004.mdio-bus-mii:11: p1: hw VLAN 1 already used by port 0 in br-lan
[  180.744787] mv88e6085 f1072004.mdio-bus-mii:11 lan8: failed to initialize vlan filtering on this port
[  180.813921] br-wan: port 2(lan8) entered blocking state
[  180.819175] br-wan: port 2(lan8) entered disabled state
[  180.835497] mv88e6085 f1072004.mdio-bus-mii:11: p1: hw VLAN 1 already used by port 0 in br-lan
[  180.844185] mv88e6085 f1072004.mdio-bus-mii:11 lan8: failed to initialize vlan filtering on this port
'radio0' is disabled
'radio0' is disabled
root@OpenWrt:/# [  181.031102] mv88e6085 f1072004.mdio-bus-mii:10 lan7: configuring for phy/gmii link mode
[  181.044804] 8021q: adding VLAN 0 to HW filter on device lan7
[  181.050942] br-wan: port 2(lan7) entered blocking state
[  181.056229] br-wan: port 2(lan7) entered disabled state
[  181.085105] mv88e6085 f1072004.mdio-bus-mii:10: p4: hw VLAN 1 already used by port 0 in br-lan
[  181.093794] mv88e6085 f1072004.mdio-bus-mii:10 lan7: failed to initialize vlan filtering on this port
[  181.174909] br-wan: port 2(lan7) entered blocking state
[  181.180165] br-wan: port 2(lan7) entered disabled state
[  181.198614] mv88e6085 f1072004.mdio-bus-mii:10: p4: hw VLAN 1 already used by port 0 in br-lan
[  181.207298] mv88e6085 f1072004.mdio-bus-mii:10 lan7: failed to initialize vlan filtering on this port
[  181.276430] br-wan: port 2(lan7) entered blocking state
[  181.281683] br-wan: port 2(lan7) entered disabled state
[  181.299048] mv88e6085 f1072004.mdio-bus-mii:10: p4: hw VLAN 1 already used by port 0 in br-lan
[  181.307739] mv88e6085 f1072004.mdio-bus-mii:10 lan7: failed to initialize vlan filtering on this port
[  181.377865] br-wan: port 2(lan7) entered blocking state
[  181.383114] br-wan: port 2(lan7) entered disabled state
[  181.399397] mv88e6085 f1072004.mdio-bus-mii:10: p4: hw VLAN 1 already used by port 0 in br-lan
[  181.408082] mv88e6085 f1072004.mdio-bus-mii:10 lan7: failed to initialize vlan filtering on this port
[  181.488654] mv88e6085 f1072004.mdio-bus-mii:11 lan8: configuring for phy/gmii link mode
[  181.501959] 8021q: adding VLAN 0 to HW filter on device lan8
[  181.508362] br-wan: port 2(lan8) entered blocking state
[  181.513625] br-wan: port 2(lan8) entered disabled state
[  181.544004] mv88e6085 f1072004.mdio-bus-mii:11: p1: hw VLAN 1 already used by port 0 in br-lan
[  181.552677] mv88e6085 f1072004.mdio-bus-mii:11 lan8: failed to initialize vlan filtering on this port
[  181.632551] br-wan: port 2(lan8) entered blocking state
[  181.637823] br-wan: port 2(lan8) entered disabled state
[  181.656255] mv88e6085 f1072004.mdio-bus-mii:11: p1: hw VLAN 1 already used by port 0 in br-lan
[  181.664938] mv88e6085 f1072004.mdio-bus-mii:11 lan8: failed to initialize vlan filtering on this port
[  181.736806] br-wan: port 2(lan8) entered blocking state
[  181.742055] br-wan: port 2(lan8) entered disabled state
[  181.759425] mv88e6085 f1072004.mdio-bus-mii:11: p1: hw VLAN 1 already used by port 0 in br-lan
[  181.768112] mv88e6085 f1072004.mdio-bus-mii:11 lan8: failed to initialize vlan filtering on this port
[  181.838327] br-wan: port 2(lan8) entered blocking state
[  181.843582] br-wan: port 2(lan8) entered disabled state
[  181.859947] mv88e6085 f1072004.mdio-bus-mii:11: p1: hw VLAN 1 already used by port 0 in br-lan
[  181.868636] mv88e6085 f1072004.mdio-bus-mii:11 lan8: failed to initialize vlan filtering on this port
[  182.629332] mv643xx_eth_port mv643xx_eth_port.0 eth0: link up, 1000 Mb/s, full duplex, flow control enabled
[  182.639173] br-wan: port 1(eth0) entered blocking state
[  182.644449] br-wan: port 1(eth0) entered forwarding state
[  182.651219] IPv6: ADDRCONF(NETDEV_CHANGE): br-wan: link becomes ready

How can I make it work?

Just wanted to clarify whether the following could work (router is in a remote location where my family won't have Internet if it doesn't work and I'll return only in a few days):
Goal is to create VLAN 100 on wan port to forward it internally.

Current config:

config device
	option name 'wan'
	option macaddr '<MAC>'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

From what I've read the following should work, right?

config device
	option name 'wan'
	option macaddr '<MAC>'

config bridge-vlan
	option device 'br-wan'
	option vlan '100'
	list ports 'wan:u'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'

If you'll return in a couple of days anyways, then just wait until you can work on it hands on.

Ok, so it doesn't work.
Forgot to specify my device: WRT32x/WRT1900AC.
The following config works:

config device
	option name 'wan'
	option macaddr '<MAC>'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'

config bridge-vlan
	option device 'br-wan'
	option vlan '100'
	list ports 'wan:u*'

config interface 'wan'
	option device 'br-wan.100'
	option proto 'dhcp'

That's a very convoluted way to simply grab vlan 100 traffic off the sole wan port. If no other ports are involved, you can simply do:

config device
	option name 'wan'
	option macaddr '<MAC>'

config interface 'wan'
	option device 'wan.100'
	option proto 'dhcp'

No need for any bridge, bridge-vlan filtering or VLAN devices on top of bridges.


Thanks for your answer!
Maybe my intention was insufficiently described (sry for that) - my ISP does not provide a VLAN-ID but I want to forward unfirewalled internet traffic via VID 100 within my network (for playing around with new devices etc).
As far as I understand option device 'wan.100' is for tagged VID 100, but to reach my goal I want untagged VID 100 for egress packages - or does option device 'wan.100' also set PVID 100 (which is reached by the * in explicit notation list ports 'wan:u*') for incoming/outgoing traffic?
edit: I'll check if it works anyways (but again only in a few days) but also want to theoretically understand it :)

I thought it would be best to post it here instead of opening a new thread (as the mini-tutorial did not answer my question concerning DSA). So I do not understand your concern.
My goal would be in exact words: How to forward unfiltered/unfirewalled wan-traffic within my network on VID 100 with no external (ISP given) VID being applied.

actually... it's all covered (albeit in pieces)... even tc mirroring... definitely new thread for help with your issue is best...

Hi All,
Can anyone explain why the following does not work as expected on a DSA device:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

In this scenario, traffic tagged with VLAN2 entering port5 are served DHCP and can access the internet (locally from this same device). However, they cannot talk to other lan devices (from the other ports), nor can lan devices talk to them. i.e. arp etc are not being forwarded over the bridge, the bridge is not behaving as I expect (for port lan5.2 only).

I understand this can be done alternately with bridge vlan filtering as described in this thread, but I don't understand why this does not also work, nor do I understand why bridge vlan filtering is even a thing compared to this method? Happy to provide more details if you believe this should work.

Thanks,
Dave

The following equivalent with bridge vlan filtering appears to work as expected:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option device 'br-lan.2'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:t'

Dave

This part is CRUCIAL and is easily missed when you are migrating from an older configuration, as your config interface section may already have this in it.

Hi Dave,

The previous configuration might not have worked because the tagged packets were bridged to your lan ports as-is, and the devices there presumably only expect untagged packets, whereas the second configuration explicitly untags the packets before sending them to lan ports 2-4.

On my router I only list the CPU eth#.VLAN port on the device (as that's what interacts with the OS), and let the switch configuration take care of bridging between ports. Translated to your configuration, that might look something like:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan5.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config switch_vlan
        option device 'YOUR_SWITCH_DEVICE'
        option vlan '2'
        option vid '2'
        option ports '2 3 4 5t'

(lan5.2 might have to be eth?.2)

Yet another configuration option? ;)

Richard.

You cannot create a new post concerning your problems with DSA and not add anything to the mini tutorial, we do not understand anything anymore?

Should the example from post 1 work on all DSA switches? I have a WRT1900AC and it seems that all (lan1..4) ports have to be part of the same bridge/switch br-lan device. Trying to put lan4 in a br-guest bridge (of course removing it first from br-lan) gets me

$ brctl addif br-guest lan4
brctl: bridge br-guest: Not supported

So are there any limitations on bridge/switch port assignments?

Changing the network configuration directly via low-level programs (e.g. brctl) is not recommended. Configure through UCI files and the netifd scripts.

As I understand it, associating different ports within the same hardware switch with multiple bridges only works if all bridge ports' Ethernet traffic is untagged, which also implies that each port is in at most one bridge. If you need tagging on an Ethernet port which is within a bridge, even if it is only going to be one VLAN on the cable (thus only in one bridge), it is still necessary to use bridge-vlan.

I was using command line just to try to find out what was going on. Otherwise of course /etc/config/network is the preferred way.
And you are probably right, as I do have lan1.1 in br-lan...

Hi, can someone please explain to me why in the VLAN tagged traffic example:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan4:u*'

there is an asterisk needed for lan4:u* (and not, for example, lan1..lan3)?

lan1-3 ports are not tagged and participate only on vlan1.
lan4 port is tagged on vlan1 and untagged on vlan2. The asterisk is used to set the pvid, that is which vlan will be assigned to incoming untagged traffic.

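A pre-deployment check for the bridge-vlan rules discussed in this thread, as an added example that is not from any poster: it flags a bridge-vlan section whose bridge has no `config device` section, a VLAN port that is not a port of that bridge, a port listed in two bridges, and a port given a PVID (`*`) in more than one VLAN. The function names and the sample config are constructed for illustration.

```shell
# Added example, not from the thread: lint the bridge-vlan sections of an
# OpenWrt network config read on stdin. Prints one finding per line.
lint_bridge_vlans() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }       # strip UCI quoting
    function flush(  i) {                              # close current section
        if (type == "device" && kind == "bridge") {
            bridges[name] = 1
            for (i = 1; i <= np; i++) {
                if (ports[i] in owner) print "port " ports[i] ": in both " owner[ports[i]] " and " name
                owner[ports[i]] = name; member[name, ports[i]] = 1
            }
        } else if (type == "bridge-vlan") {
            nv++; vdev[nv] = dev; vid[nv] = vlan; vnp[nv] = np
            for (i = 1; i <= np; i++) vport[nv, i] = ports[i]
        }
        type = kind = name = dev = vlan = ""; np = 0
    }
    $1 == "config" { flush(); type = $2 }
    $1 == "option" && $2 == "name"   { name = unq($3) }
    $1 == "option" && $2 == "type"   { kind = unq($3) }
    $1 == "option" && $2 == "device" { dev  = unq($3) }
    $1 == "option" && $2 == "vlan"   { vlan = unq($3) }
    $1 == "list"   && $2 == "ports"  { ports[++np] = unq($3) }
    END {
        flush()
        for (v = 1; v <= nv; v++) {
            if (!(vdev[v] in bridges)) { print "vlan " vid[v] ": bridge " vdev[v] " has no config device section"; continue }
            for (i = 1; i <= vnp[v]; i++) {
                split(vport[v, i], p, ":"); k = vdev[v] SUBSEP p[1]
                if (!(k in member)) print "vlan " vid[v] ": port " p[1] " is not a port of " vdev[v]
                if (index(p[2], "*") && (k in pvid)) print "port " p[1] ": PVID set in vlan " pvid[k] " and " vid[v]
                if (index(p[2], "*")) pvid[k] = vid[v]     # "*" marks the PVID
            }
        }
    }'
}

# Constructed sample: a two-VLAN br-lan where lan4 is given a PVID twice.
sample_config() {
    printf '%s\n' "config device" "option name 'br-lan'" "option type 'bridge'" \
        "list ports 'lan1'" "list ports 'lan4'" \
        "config bridge-vlan" "option device 'br-lan'" "option vlan '1'" \
        "list ports 'lan1'" "list ports 'lan4:t*'" \
        "config bridge-vlan" "option device 'br-lan'" "option vlan '2'" "list ports 'lan4:u*'"
}

sample_config | lint_bridge_vlans
```

On a router the same function can read the live file with `lint_bridge_vlans < /etc/config/network`; an empty result means none of the four conditions was found, not that the switch driver will accept the layout.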

Does anyone know of a good way to get the current VLAN status of a DSA setup (without having to install ip-bridge)? I was hoping to find a UBUS call, but I don't seem to see anything useful. ip -d link also doesn't help.