Mini tutorial for DSA network config

I am attempting the mirroring, as shown, on a DIR-882 running 21.02.01.
Both the system and kernel logs are showing ...

Packet exceeded mirred recursion limit on dev br-lan

Have I done something wrong?

network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.232.205'
network.tap=interface
network.tap.proto='none'
network.tap.force_link='1'
network.tap.device='br-tap'
network.@device[1]=device
network.@device[1].type='bridge'
network.@device[1].name='br-tap'
network.@device[1].ports='lan4'

It seems I'm facing problems trying to migrate my config from 19.07 to 21.02.

Basically, I'm using one of my LAN ports as additional WAN (another ISP). I created a configuration when I access a WLAN A, it will use main WAN, but when I switch to WLAN B, it will use the additional WAN.

I was able to accomplish this using Switch + VPN Policy Routing package. It worked perfectly for almost 3 years.

My previous setup was something like this:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

config interface 'lan2'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option ifname 'eth0.2'
	option delegate '0'
	option proto 'static'
	option ipaddr 'X.X.X.X'
	option gateway 'X.X.X.X'
	option netmask '255.255.255.0'
	option metric '0'

config interface 'wan3'
	option ifname 'eth0.3'
	option type 'bridge'
	option delegate '0'
	option proto 'static'
	option ipaddr 'X.X.X.X'
	option gateway 'X.X.X.X'
	option netmask '255.255.255.0'
	option metric '20'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '6t 0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '6t 2'
	option vid '3'

I spent almost the whole day trying to convert this configuration to new format DSA, but I was not able to make it work.

Can someone give me a hint?

This is where I learned how to set up my VLAN in 21.02.

3 Likes

I found this video yesterday. It is very complete and didactic. We can notice this guy knows what he is talking about. At the beginning it didn't make any sense to me. But after your suggestion, I gave it another chance, watched carefully and was able to understand DSA (at least a little).


After some trial-and-error, I was able to translate old format to this new format.

I'll leave it here to help any other user struggling with this migration.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'

config device
	option name 'br-lan.2'
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'

config device
	option name 'br-lan2'
	option type 'bridge'
	option bridge_empty '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth0:t'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'
	list ports 'wan:u*'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'
	option device 'br-lan.1'

config interface 'lan2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option device 'br-lan2'

config interface 'wan'
	option proto 'static'
	option ipaddr 'X.X.X.X'
	option gateway 'X.X.X.X'
	option netmask '255.255.255.0'
	option metric '10'
	option device 'br-lan.3'

config interface 'wan2'
	option proto 'static'
	option ipaddr 'X.X.X.X'
	option gateway 'X.X.X.X'
	option netmask '255.255.255.0'
	option device 'br-lan.2'
	option metric '20'

Highlights:

  • I added both eth0 and wan to br-lan bridge
  • I created 3 VLANs, toggling tag/untag flags (see image below for better understanding)
  • For lan interface, I changed device to use the first VLAN (br-lan.1)
  • For wan, I changed device to use third VLAN (br-lan.3)
  • For the secondary wan (wan2), I changed to use second VLAN (br-lan.2)
  • br-lan2 is just a dummy bridge to hold and assign a different IP range to some additional WLAN networks. Then, I created some special config using the VPN Policy Routing package to redirect all external traffic to the secondary wan (wan2)

I'm not sure if config is redundant. But at this point, if it is working, it is okay for me.

I struggled a lot the first time, but after understanding it all and after countless research, now it's easier.

1 Like

When we're using the swconfig framework, a switch port can either be tagged or untagged. A switch port cannot be tagged and untagged at the same time. This is consistent with many managed switches that are on the market, i.e. a switch port cannot be tagged and untagged at the same time.

With the DSA framework, this is now allowed. Does anyone know the rationale for this design?

In the OpenWrt master branch, the LuCI interface even allows the inclusion of the same switch port in multiple bridges, which, as far as I understand it, the DSA framework does not allow. Is this a bug in LuCI, or is this also allowed in DSA?

Can be tagged with native vlan. Any untagged frames will belong to that particular vlan.

Native VLAN means that the port has a port default VLAN ID (PVID) set, correct?

My understanding is that only untagged ports will have PVID set. Tagged ports should have their PVID set to zero(0).

In other words, a port should not be tagged and untagged at the same time.

In the tutorial that you linked to, one port was configured to both VLAN 1 and VLAN2, with VLAN 1 tagged and VLAN 2 untagged with PVID of 2. So this may seem logical. Now what happens if I add VLAN 3 into the mix and make VLAN 3 untagged for the same port.

So my question is, when a tagged frame is received in the port that's in 3 VLANs, unless it is VLAN 1, it will be rejected.

What happens when the port receives an untagged frame? So VLAN 3 will never get routed to, as the port is configured with PVID of 2. A port can only have 1 PVID set.

Luci allows configurations of an untagged port to multiple VLANs, which doesn't make sense.

Also, a port should only be tagged or untagged. It should not be both at the same time. This is how I understand a switch to be configured. Maybe we can argue that a port can be tagged to multiple VLANs, but can only be untagged to 1 and only 1 VLAN. This is how swconfig is designed, and it only allows a port to be either tagged or untagged, never both at the same time.

my understanding is the following ... maybe not correct though:

tag/untag is setting for egress traffic, i.e. traffic leaving the port
pvid is for ingress traffic, i.e. if traffic is not tagged then it is assumed to be part of vlan <pvid>

so a port receiving differently tagged ingress traffic will be distributed to corresponding vlans. if receiving untagged traffic then it will be marked as being part of vlan <pvid>.

hope it helps. hope am right.

2 Likes

Your understanding is correct.

But a switch port can also be configured to only accept tagged incoming traffic.

With the DSA, it appears that a port can be configured in many VLANs with untagged traffic. This doesn't make sense as it is impossible to route.

Also, typically a switch port is either configured as accepting tag or untagged traffic, but not both at the same time.

I'm trying to change the mt7530/mt7531 DSA driver and this behaviour basically makes it almost impossible to implement. The DSA framework and drivers do not keep track of the VLAN membership once it is set into the switch hardware. So multiple configurations of the DSA switch will quickly lead to unpredictable behaviours, where only a reboot and reset of the switch will bring back normal operations.

Right.

Could be.

You cannot have a second vlan untagged. There is room for one untagged vlan, so that the switch will know in which vlan the untagged frames belong.

Sure doesn't, but it looks to me more like a Luci issue that allows invalid configuration.

I agree to that.

as i see there is no single vlan implementation/terminology, it varies by vendors. so hard to say what is typical in enterprise vs home, or one vendor or other vendor implementations.

to judge whether DSA code is wrong allowing atypical or bad configs is way beyond my knowledge, maybe we just need more front-end (uci/luci) clarity?

It's bad practice and can lead to vlan mismatches and hopping.
On a trunk link there is no actual reason to have a native vlan, or untagged if you may.
On a user port you might have a tagged vlan for voice and untagged for data.

asymmetric VLAN

The example in the wiki is fine, because it describes a scenario and how to do it. But it is a very specific one. If for example you have a single port device where you want to use vlans on a port and there is no wifi to connect, you can have one untagged vlan to connect your PC and troubleshoot, in case the managed switch is not available, without having to set up tagging on the PC port.
From my experience the native vlan is usually a blackhole.
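
The rule discussed in the posts above (a port has a single PVID and can be untagged in only one VLAN) can be checked against a config before it is applied. This is an added example, not part of any post in this thread: check_bridge_vlans and sample_config are hypothetical names, the sample config is constructed, and ports listed without a :flags suffix are not evaluated.

```shell
#!/bin/sh
# Added example, not from the thread: lint UCI bridge-vlan sections.
# Reports ports flagged untagged (u) or PVID (*) in more than one VLAN.
# Ports listed without a :flags suffix are skipped.
check_bridge_vlans() {
    awk -v q="'" '
    function strip(s) { gsub(q, "", s); return s }
    # Apply the buffered port entries of one section once its VLAN ID is known.
    function flush(   i, n, parts) {
        for (i = 1; i <= np; i++) {
            n = split(ports[i], parts, ":")
            if (n < 2) continue
            if (index(parts[2], "u")) unt[parts[1]]  = unt[parts[1]]  " " vlan
            if (index(parts[2], "*")) pvid[parts[1]] = pvid[parts[1]] " " vlan
        }
        np = 0
    }
    $1 == "config" { flush(); in_bv = ($2 == "bridge-vlan"); vlan = ""; next }
    in_bv && $1 == "option" && $2 == "vlan"  { vlan = strip($3) }
    in_bv && $1 == "list"   && $2 == "ports" { ports[++np] = strip($3) }
    END {
        flush()
        for (p in unt)  if (split(unt[p],  a, " ") > 1) print "untagged-conflict " p ":" unt[p]
        for (p in pvid) if (split(pvid[p], a, " ") > 1) print "pvid-conflict " p ":" pvid[p]
    }' "$@" | sort
}

# Constructed sample: lan1 is tagged in VLAN 1 and untagged in VLANs 2 and 3.
sample_config() {
    cat <<'EOF'
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:u'
	list ports 'lan2:u*'
EOF
}

sample_config | check_bridge_vlans
```

On a router the function can be pointed at the live file instead: check_bridge_vlans /etc/config/network. An empty result means no port carries more than one explicit u or * flag.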

Thank you for this tutorial.

I managed to successfully setup two separate networks using VLANs.
I get two different IPs depending on the used LAN Port. (192.168.1.XXX for LAN1, LAN2 and 192.168.10.XXX for LAN3)

However, if I try the VLAN tagged traffic variant I do not get assigned any IP.
Here is my config:


config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3'
	list ports 'lan4:t'

config interface 'dmz'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

I'm using a Linksys WRT3200acm and a HP ProCurve managed switch connected to Lan Port 4.

If I use an untagged port on the switch I immediately get assigned an IP for the lan network (192.168.1.XXX).

However, it does not work for any of the tagged ports. I tagged port 15 with VLAN 10 and port 22 with VLAN 1.
Neither of these ports work and I do not get an IP for these ports.


Can you help me with this problem?
Thanks!

I want to thank the OG poster and the replies for sharing in this thread, it was really informational for me. I feel I have gone down the rabbit hole a bit and I have few things I want to ask here before opening a separate thread.

I read Creating driver-level VLANs in the docs, would it still work with DSA? I tried it out by creating a VLAN br-lan.6 on my Netgear WAC104 dumb AP, and br-lan has all the LAN ports. The problem is that I would be able to ping from the dumb AP through the VLAN to the gateway (x86_64 OpenWrt) and it would work, but when I try to ping the dumb AP from the gateway it doesn't work, and suddenly it triggers something on the dumb AP that also makes pinging from the dumb AP to the gateway not work anymore.

Also, I had a recent encounter with a problem and I'm wondering if DSA is related (hence the rabbit hole). I honestly don't know how to explain this, but all of my problems seem to be pointing to DSA or the switch in general for some reason and I'm trying to figure it out (generally speaking, something is causing for packets to get lost when certain events happen, like in my linked thread or above with the driver level VLAN).

One thing that I couldn't find easily is how to "look into" what's going on at the DSA level or the (AFAIK) switch fabric. For example, it took me a while to figure out that tcpdump can't capture certain packets which are switched on the same br-lan interface across different ports. Or another example is that there is bridge command (found in package ip-bridge) and it has bridge monitor which I couldn't understand a thing from but it seems to tell what's going on in the DSA drivers/ports.

Appreciate your replies and thanks!

4 posts were split to a new topic: DSA: How do I assign Guest wifi to a specific vlan?

The DSA mini tutorial is also available in the OpenWrt wiki since some time now.

Since piling up different DSA questions in the same topic has disadvantages for other users who are searching for solutions, I'm going to close this topic now.

If you have further questions regarding DSA configuration, please open a new topic in the #general:network-and-wireless-configuration category of this forum.

3 Likes