Mini tutorial for DSA network config

Thanks @anomeome and @anon69880279 for the provided examples. With their help I've migrated both R7800s to DSA config while preserving VLAN trunking.
Small remark: the R7800 DSA driver seems to number switch ports in the opposite direction to the actual port numbers on the device.
BTW, OpenWrt with DSA on the AX3600 does not have the 802.1q trunk MTU size limitation issue that the stock firmware has.
Still I am struggling with one thing: DHCP. If DHCP is enabled on the R7800 configured as a router, only wireless clients can obtain configuration. Wired clients wait indefinitely for their IP addresses. However, if I move exactly the same DHCP config to the R7800 configured as an access point, everything works fine for both wired and wireless clients, with the exception of those connected with Ethernet directly to the router R7800. It also worked fine before the move to DSA.
So far I have tried turning off firewall/bcp38 and banIP on the router. I've run out of ideas (except troubleshooting with a packet sniffer and finding a way to enable logging for DHCP in dnsmasq).
Below is the router (not working) config:

/cut/
config globals 'globals'
	option packet_steering '1'

config device
	option name 'wan'
/cut/
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan4'
	list ports 'lan3'
	list ports 'lan2'
	list ports 'lan1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t'
	list ports 'tap0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan4:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.0.1'
	option metric '0'
	option delegate '0'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option device 'br-lan.3'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'

config device
	option type '8021q'
	option name 'br-lan.3'
	option vid '3'
	option ifname 'br-lan'

and /etc/config/dhcp

config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option leasetime '12h'
	list dhcp_option_force '42,10.0.0.1'
	list dhcp_option '42,10.0.0.1'
	option force '1'
	option start '10'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'
	list ra_flags 'none'

Can someone share DHCP config (/etc/config/dhcp) that works with DSA? Especially with wireless and ethernet bridged together under one VLAN?

I don't suppose someone has an example guest network config for a WRT 3200acm? I have tried this configuration:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan4:u*'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

But it seemed to hang my router. Sorry I'm a bit of a newb to DSA. I had it setup previously using swconfig.

Yes, I wish the examples included multiple wireless networks. It is non-obvious how to transform them from the simple single network to multiple ssids.

Warning: I'm uncertain if the example below is the CORRECT WAY. All I know is that it Works For Me(tm). Hoping some expert will chime in here and correct me...

IIUC, you still need to create a separate bridge for each wireless network. This used to be indicated with an option type 'bridge' on the affected interfaces. It should now be explicitly created with a config device section.

This is an example from a Unifi 6 Lite, which has a single ethernet port named "lan" (very confusing!) on the embedded MT7621/MT7530 switch:

root@u6-1:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd62:fdd2:da95::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan.10'

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'lan.15'

config interface 'lan'
        option device 'br-lan'
        option proto 'none'

config interface 'iot'
        option device 'br-iot'
        option proto 'none'

config interface mgmt
        option device lan.203
        option proto 'static'
        option ipaddr '192.168.99.55'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.99.3'

I have two wireless networks here - "lan" and "iot" - connected to VLAN IDs 10 and 15 respectively. The access point has no IP address on any of these. They could have had, but I don't need it. You'd obviously just replace the option proto 'none' stuff with whatever you want.

In addition there is a wired only VLAN ID 203 which I use for access point management. This is wired only, so there is no need to create a bridge for it.

All three VLANs are tagged on the only ethernet port.

Note that the port and device references to lan.x refer to a physical ethernet port on the switch named "lan", while the interface reference to lan refers to the netifd virtual interface name of the br-lan device. Yes, it is extremely confusing... I didn't choose the name of that switch port.

Some output to help illustrate:

root@u6-1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-iot          7fff.f492bfac9194       no              wlan0-1
                                                        lan.15
br-lan          7fff.f492bfac9194       no              wlan0
                                                        lan.10
                                                        wlan1
root@u6-1:~# bridge vlan
port              vlan-id  
br-iot            1 PVID Egress Untagged
lan.15            1 PVID Egress Untagged
br-lan            1 PVID Egress Untagged
lan.10            1 PVID Egress Untagged
wlan0             1 PVID Egress Untagged
wlan0-1           1 PVID Egress Untagged
wlan1             1 PVID Egress Untagged
3 Likes

What is the purpose of having vlan 2 on lan4 untagged?

1 Like

Looks to be some questionable syntax in your config, FS3904 may be an issue on WIFI, might be able to hack something out from the following

example test configs
root@mamba:/etc/config# cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fde2:1857:9a33::/48'

config device
	option name 'wan'
	option macaddr '94:10:3e:85:b5:25'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'lan1'
	option macaddr 'f6:4f:80:49:55:c2'

config device
	option name 'lan2'
	option macaddr 'f6:4f:80:49:55:c2'

config device
	option name 'lan3'
	option macaddr '94:10:3e:85:b5:25'

config device
	option name 'lan4'
	option macaddr '94:10:3e:85:b5:25'

config device
	option name 'itch0'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'itch1'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	option igmp_snooping '1'
	option stp '1'

config bridge-vlan
	option device 'itch0'
	option vlan '10'
	list ports 'lan4:*'
	list ports 'lan3'
	option alias 'lan'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'itch0.lan'

config bridge-vlan
	option device 'itch1'
	option vlan '20'
	list ports 'lan2:t'
	list ports 'lan1:t'
	option alias 'ap'

config interface 'ap'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'itch1.ap'

config bridge-vlan
	option device 'itch1'
	option vlan '30'
	list ports 'lan2:t'
	list ports 'lan1:u*'
	option alias 'iot'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'itch1.iot'

config bridge-vlan
	option device 'itch1'
	option vlan '4094'
	list ports 'lan2:t*'
	option alias 'sink'
	option local '0'

config interface 'windscribevpn'
	option proto 'none'
	option device 'tun0'

root@mamba:/etc/config# cat wireless 
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option band '2g'
	option htmode 'HT20'
	option hwmode '11g'
	option channel '6'
	option country 'CA'
	option cell_density '0'
	option txpower '20'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'TuTu'
	option key 'aaaaaaaa'
	option encryption 'psk2+ccmp'
	option macaddr '94:10:3e:85:b5:26'

config wifi-iface 'iot_radio0'
	option device 'radio0'
	option network 'iot'
	option ifname 'wiot0'
	option mode 'ap'
	option ssid 'TuTuiot'
	option key 'aaaaaaaa'
	option encryption 'psk2+ccmp'
	option macaddr 'f6:4f:80:49:55:c3'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie@82000000/pci0000:00/0000:00:03.0/0000:03:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option hwmode '11a'
	option country 'CA'
	option cell_density '0'
	option txpower '20'
	option disabled '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'TuTwo'
	option key 'aaaaaaaa'
	option encryption 'psk2+ccmp'
	option macaddr '94:10:3e:85:b5:28'

config wifi-iface 'iot_radio1'
	option device 'radio1'
	option network 'iot'
	option ifname 'wiot1'
	option mode 'ap'
	option ssid 'TuTwoiot'
	option key 'aaaaaaaa'
	option encryption 'psk2+ccmp'
	option macaddr 'f6:4f:80:49:55:c4'

root@mamba:/etc/config# brctl show
bridge name     bridge id               STP enabled     interfaces
itch0           7fff.94103e85b525       no              lan4
                                                        wlan0
                                                        lan3
                                                        wlan1
itch1           7fff.f64f804955c2       yes             lan2
                                                        wiot0
                                                        wiot1
                                                        lan1
root@mamba:/etc/config# bridge vlan
port              vlan-id  
lan4              10 PVID Egress Untagged
lan3              10 PVID Egress Untagged
lan2              20
                  30
                  4094 PVID
lan1              20
                  30 PVID Egress Untagged
itch0             10
itch1             20
                  30
wlan0             10 PVID Egress Untagged
wlan1             10 PVID Egress Untagged
wiot0             30 PVID Egress Untagged
wiot1             30 PVID Egress Untagged
root@mamba:/etc/config# netifd-netinfo.sh -d
           DEVICE     UP    CARRIER    PRESENT   EXTERNAL  TYPE             
=============================================================================
             eth0      x          x          x             Network device   
            itch0      x          x          x             bridge           
         itch0_10      x          x          x             VLAN             
            itch1      x          x          x             bridge           
         itch1_20      x          x          x             VLAN             
         itch1_30      x          x          x             VLAN             
             lan1      x                     x             Network device   
             lan2      x                     x             Network device   
             lan3      x          x          x             Network device   
             lan4      x          x          x             Network device   
               lo      x          x          x             Network device   
              wan      x          x          x             Network device   
            wiot0      x          x          x          x  Network device   
            wiot1      x          x          x          x  Network device   
            wlan0      x          x          x          x  Network device   
            wlan1      x          x          x          x  Network device   

from a similar device.

Make one bridge including all the ports that are hardware switched-- I call it br-eth. Then make a bridge-vlan for each of your vlans. Avoid trying to run tagged and untagged on the same port/cable. There are two kinds of ports:

  • Access port: Untagged in one VLAN. Absent in all the others.
  • Trunk port: Tagged in one or more VLANs. Untagged in none.

In the interface definitions, pull the VLAN you want out of the switch with the notation br-eth.X. This is the only place to have a .X notation.

It starts to smell exactly like swconfig except it's not.

2 Likes
  • Trunk port without native VLAN

as a 3rd, an example of which I put in the above example network config.

anomeome Thanks for the help with trying to set up a guest network. I've tried the config above on a wrt-3200acm and unfortunately I can't seem to get it to work. For some reason I don't get a DHCP lease from my router and have to manually assign an IP. Then I can talk to the router, the router can get to the internet, but I can't get to the internet from my computer. I'm sure I must be doing something stupid, but any advice would be helpful. Just so that I'm not getting my wires crossed, all I'm trying to do is set up a guest network with wifi.

Thanks

Hi, I guess this means I can not yet use mwan3?

Have you made the firewall rules for port 68 source to port 67 dest for the guest network? If not, that's why you're not getting DHCP requests.

Hello! But how do I make something like this (How can I change my router's lan port to wan port? - #4 by lleachii) with the new DSA syntax? I'm a newbie in DSA and can't understand how it needs to be done with the new syntax.

With the old syntax I had

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 0 1 2'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '6t 4'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '6t 3'

config interface 'wanb'
	option ifname 'eth0.3'
	option _orig_ifname 'eth0.3'
	option _orig_bridge 'false'

but with new syntax I don't know how to make this thing.

The best way would be to start over with a default configuration, then it is easy to find and replace the reference to the device named 'wan' with 'lanN' where N is the number of the lan Ethernet port you want to use. Also of course remove lanN from the lan bridge when using it for wan.

2 Likes

I made as you propose — and it works. And mwan3 with this config works too!
Thanks!

But, for the future, I would like to have information on how to do the same with VLANs too.

I have almost the same configuration as shown in your example with the addition of lanX port to each bridge. I'm using Xiaomi Mi Router 4 with 2 LAN ports and a WAN port that is used as a VLAN trunk.

# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.40313cfd3c9c       no              lan2
                                                        wan.5
                                                        wlan1
br-mgmt         7fff.40313cfd3c9c       no              lan1
                                                        wan.10

I can access the box from the network (i.e. from the trunk port over vlan 10), my wifi client connected to wlan1 can access the rest of the network (through vlan 5), but there is no bridging between lan2 and wan.5 - local PC connected to lan2 cannot even get an address from the central DHCP server. Any idea why?

tcpdump shows no outgoing DHCP requests on wan.5

That config looks like it should work, but it doesn't actually set up the hardware switch properly.

For this situation you have to use bridge-vlans. Put all the ports lan1 lan2 and wan in the same bridge, then vlan it.

1 Like
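An added example, not code from any poster in this thread or from OpenWrt: a small checker for /etc/config/network that applies the two pieces of advice given above (a port is either an access port or a trunk port, and hardware-switched ports go into one bridge split with bridge-vlan rather than bridging sub-devices such as wan.5). The function names and the sample are constructed for illustration; the flag handling (':t' tagged, anything else egress untagged) is an assumption taken from the `bridge vlan` output quoted earlier in the thread.

```python
import re
from collections import defaultdict

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for raw in text.splitlines():
        tok = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", raw)]
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], defaultdict(list)))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1][tok[1]].append(tok[2])
    return sections

def lint_vlans(text):
    """Return findings for ports that break the access/trunk rule."""
    findings, tagged, untagged = [], defaultdict(set), defaultdict(set)
    for stype, opt in parse_uci(text):
        if stype == "device" and opt["type"] == ["bridge"]:
            for port in opt["ports"]:
                if re.search(r"\.\d+$", port):  # e.g. wan.5 as a bridge member
                    findings.append(f"{opt['name'][0]}: {port} is a VLAN sub-device")
        elif stype == "bridge-vlan":
            for entry in opt["ports"]:
                port, _, flags = entry.partition(":")
                # assumption: ':t' is tagged; no suffix, ':u' or ':*' is untagged
                side = tagged if "t" in flags else untagged
                side[(opt["device"][0], port)].add(int(opt["vlan"][0]))
    for br, port in sorted(set(tagged) | set(untagged)):
        t, u = sorted(tagged[(br, port)]), sorted(untagged[(br, port)])
        if len(u) > 1:
            findings.append(f"{br}/{port}: untagged in several VLANs {u}")
        if t and u:
            findings.append(f"{br}/{port}: hybrid, tagged {t} and untagged {u}")
    return findings

# Constructed sample modelled on two configs quoted in the thread.
SAMPLE = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1'
    list ports 'lan4:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan4:u*'
config device
    option name 'br-mgmt'
    option type 'bridge'
    list ports 'wan.10'
"""

if __name__ == "__main__":
    print("\n".join(lint_vlans(SAMPLE)))
```

A finding here means the config departs from the advice in the thread, not that netifd will reject it; the single-port Unifi example above bridges lan.10 directly and is reported as working by its poster.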

Is it a bug in the current DSA implementation that should be fixed?
Is there an option to manually configure a switch in a proper way?

Wondering if my DSA config is correct regarding the usage of tagged vlan on my WAN:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fded:487e:c9b0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6ifaceid '::1'
        option ipaddr '192.168.30.1'
        option ip6assign '64'

config interface 'wan'
        option proto 'pppoe'
        option username '<user>'
        option password '<pass>'
        option device 'eth0.32'
        option peerdns '0'
        list dns '192.168.30.3'
        option ipv6 '1'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '32'
        option name 'eth0.32'

config interface 'wan6'
        option proto 'dhcpv6'
        option ip6ifaceid '::1'
        option device '@wan'
        option reqprefix 'auto'
        option reqaddress 'try'
        option sourcefilter '0'

config device
        option name 'eth0'

config device
        option name 'pppoe-wan'

Wondering because IPv4 is working, but the IPv6 is not working.

I've never used an alias for wan - try

option device 'eth0.32'

What device do you have? Are you sure the DSA physical switch ports are named eth0, eth1, eth2, eth3, eth4 in your device? I thought they are named wan, lan1, lan2, lan3, lan4 usually (that's how they are named in R7800 DSA build the last time I tried).

Did IPv6 work for you before you migrated to DSA? Check if the "pppoe-wan" interface has an IPv6 link-local address (the IPv6 address starts with "fe.....") using the "ip addr show" command. If there's NO link-local address assigned to the "pppoe-wan" interface (which is created if the ISP supports IPv6 over PPPoE), then the "config interface wan6" section will NOT work.

Unfortunately my ISP doesn't yet support IPv6, so all that I said above is just theoretical knowledge. I am not sure if it will work or not.