Mini tutorial for DSA network config

I'm not seeing here how the new syntax is used to bridge devices together. I'm using Batman and I'm baffled as to how to bridge bat0 with lan, or bat0 with wan. I need to be able to do both, and I haven't been able to make that work under 21.02. I used to add "option type 'bridge'" to the "config interface 'lan'" stanza and say "option ifname 'bat0 eth0.1'". How do I get the same effect under 21.02 rc3?

config interface lan
  option device br-lan
  ...

config device
  option type bridge
  option name br-lan
  list ports eth0.1
  list ports bat0

This does not work on pre-built 21.02-rc3, TP-Link Archer A7 v5. You'd think that brctl would show br-lan as a bridge, right? It doesn't. And, perhaps more to the point, bat0 remains disconnected from the network. Are you sure that 'ports' is the correct parameter name? I thought 'ports' was for subdividing a switch's ports into distinct named devices, not for bridging multiple devices together.

Yes, I am absolutely sure and the config I posted works here (not with bat0 due to lack of batman, but with different eth's as ports).

Also make sure that your config interface lan section does not contain option type bridge as it would conflict with the device declaration.

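A small lint for the migration mistakes discussed in this thread (old `option type bridge` / `option ifname` inside the interface section, a `br-*` device with no matching `config device`, a bridge with no ports). This is an added example, not code from the thread or from OpenWrt; the sample config is constructed here and the tiny UCI parser only covers `config`/`option`/`list` lines.

```python
"""Lint an OpenWrt 21.02 /etc/config/network for the DSA bridge pitfalls above."""
import re

# Constructed sample (not a real router): mixes the 19.07 style
# ("option type bridge" + "option ifname") with the 21.02 device syntax.
SAMPLE_NETWORK = """
config interface 'lan'
	option type 'bridge'
	option ifname 'bat0 eth0.1'
	option device 'br-lan'
	option proto 'static'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'eth0.1'
	list ports 'bat0'

config device
	option type 'bridge'
	option name 'br-wan'
"""

_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?$")

def parse_uci(text):
    """Return [(section_type, section_name_or_None, {key: [values]})]."""
    sections = []
    for line in text.splitlines():
        m = _LINE.match(line)  # comments and blank lines simply do not match
        if not m:
            continue
        kind, key = m.group(1), m.group(2)
        value = (m.group(3) or "").strip().strip("'\"")
        if kind == "config":
            sections.append((key, value or None, {}))
        elif sections:  # 'option' and 'list' both become lists of values
            sections[-1][2].setdefault(key, []).append(value)
    return sections

def lint_bridges(text):
    """Return human-readable findings; an empty list means no known pitfall."""
    sections = parse_uci(text)
    bridges = {o.get("name", [""])[0]: o.get("ports", [])
               for t, _, o in sections if t == "device" and o.get("type") == ["bridge"]}
    findings = []
    for stype, name, opts in sections:
        if stype != "interface":
            continue
        if opts.get("type") == ["bridge"]:
            findings.append(f"interface '{name}': 'option type bridge' conflicts with the config device section")
        if "ifname" in opts:
            findings.append(f"interface '{name}': 'option ifname' is pre-21.02 syntax; use 'option device' plus a config device")
        dev = opts.get("device", [None])[0]
        if dev and dev.startswith("br-") and dev not in bridges:
            findings.append(f"interface '{name}': device '{dev}' has no matching config device section")
    findings += [f"bridge '{b}': no 'list ports' entries, so brctl will show an empty bridge"
                 for b, ports in bridges.items() if not ports]
    return findings
```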

Many thanks! YOU ARE CORRECT and I was wrong. brctl now shows appropriate stuff. FYI, here is the way my /etc/config/network and /etc/config/wireless look now, and what brctl shows. (Alas Batman still doesn't work, but from the log it appears that the problem is in wpa_supplicant. I'm reporting that problem in this discussion.)

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option proto 'static'

config globals 'globals'
	option ula_prefix 'fdf9:f652:f605::/48'

config device
	list ports 'eth0.1'
	option name 'br-lan'
	option type 'bridge'
	option macaddr '26:9b:9b:5e:27:95'

config interface 'lan'
	option delegate '0'
	option device 'br-lan'
	# option ip6assign '60'
	option mtu '1312'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option proto 'static'
	option stp '0'

config device
	list ports 'bat0.1'
	list ports 'eth0.2'
	option macaddr '66:9b:9b:5e:27:95'
	option name 'br-wan'
	option type 'bridge'

config interface 'wan'
	option delegate '0'
	option device 'br-wan'
	option dns '192.168.150.1'
	option gateway '192.168.150.1'
	option ipaddr '192.168.150.149'
	option mtu '1312'
	option netmask '255.255.255.0'
	option proto 'static'
	option stp '0'

#config interface 'wan6'
#	option device 'eth0.2'
#	option proto 'dhcpv6'

config switch
	option enable_vlan '1'
	option name 'switch0'
	option reset '1'

config switch_vlan
	option device 'switch0'
	option ports '2 3 4 5 0t'
	option vlan '1'

config switch_vlan
	option device 'switch0'
	option ports '1 0t'
	option vlan '2'

config interface 'bat0'
	option aggregated_ogms '1'
	option ap_isolation '0'
	option bonding '0'
	option bridge_loop_avoidance '1'
	option distributed_arp_table '1'
	option fragmentation '1'
	option gw_mode 'client'
	option hop_penalty '30'
	option isolation_mark '0x00000000/0x00000000'
	option log_level '0'
	option multicast_fanout '16'
	option multicast_mode '1'
	option network_coding '0'
	option orig_interval '1000'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'

config interface 'nwi_mesh0'
	option master 'bat0'
	option mtu '1500'
	option proto 'batadv_hardif'

/etc/config/wireless:

config wifi-device 'radio0'
	option channel '36'
	option disabled '0'
	option htmode 'VHT80'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option txpower '23'
	option type 'mac80211'

config wifi-device 'radio1'
	option channel '1'
	option country 'US'
	option disabled '0'
	option htmode 'HT20'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option txpower '24'
	option type 'mac80211'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option encryption 'psk2'
	option key 'XXXX'
	option macaddr '56:9b:9b:5e:27:95'
	option mode 'ap'
	option network 'lan'
	option ssid 'rpc149.rosepark.us'

config wifi-iface 'mesh0'
	option device 'radio0'
	option encryption 'psk2+ccmp'
	option key 'XXXX'
	option macaddr '36:9b:9b:5e:27:95'
	#option mesh_fwding '0'
	option mesh_id 'meshD'
	option mode 'mesh'
	option network 'nwi_mesh0'

brctl output:

root@rpc149:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-wan          7fff.669b9b5e2795       no              bat0.1
                                                        eth0.2
br-lan          7fff.269b9b5e2795       no              wlan1
                                                        eth0.1


Great topic!
Thanks so much...

Can you add advice about BRIDGE as TAP?
I have already made some successful tests some time ago with 19.07.x using brctl and vlan tagging...
But I am sure now there is a DSA compatible mode that can be used to get the same behaviour!
I am looking for a TAP mode, as a PASS-THROUGH between LAN0 and LAN1 (for example)...
Not a bridge but a TAP...

Like Option2 in https://spotlightcybersecurity.com/cheap-network-tap-with-openwrt.html

just stick one end of a veth pair into each of the 'device br-lan' and 'device br-alt' and be done with it...

I have already seen one solution with veth, like here https://www.opencloudblog.com/?p=66
but is it the most effective method?

In the swconfig world, and most applications of hardware switching, this is called a port mirror. Searching on that term would be more productive than "tap."

Packets entering and/or leaving an active port are also copied by hardware to output on another port, which is connected to an input-only monitoring device to examine their contents. This is different than a regular switch or bridge, which selectively copies based on examining the destination MAC address.

As noted in the article it is supported by swconfig if the hardware is compatible.

Yes, but I am using MARVELL boards (espressobin and espressobin-ultra) which are DSA and not swconfig compatible!

root@ultra:~# opkg install swconfig
Installing swconfig (12) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc3/packages/aarch64_cortex-a53/base/swconfig_12_aarch64_cortex-a53.ipk
Configuring swconfig.
root@ultra:~# swconfig 
swconfig list
swconfig dev <dev> [port <port>|vlan <vlan>] (help|set <key> <value>|get <key>|load <config>|show)
root@ultra:~# swconfig list

How can I do port mirroring in the DSA world?

https://biot.com/switches/testing/mirroring

thanks!

looks like it is not supported (in mvebu hardware, or in the actual kernel, so in OpenWrt?...)

root@ultra:~#   ip link set up dev br-tap
root@ultra:~#   tc qdisc add dev br-lan clsact
root@ultra:~#   tc filter add dev br-lan ingress matchall skip_sw action mirred egress mirror dev br-tap
RTNETLINK answers: Not supported
We have an error talking to the kernel
root@ultra:~#   tc filter add dev br-lan egress matchall skip_sw action mirred egress mirror dev br-tap
RTNETLINK answers: Not supported
We have an error talking to the kernel

after having modified my network as:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc5:0f7f:d0b5::/48'
	option packet_steering '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'
	list ports 'wlan0'

config interface 'tap'
	option proto 'none'
	option force_link '1'
	option device 'br-tap'

config device
	option type 'bridge'
	option name 'br-tap'
	list ports 'lan0'

Possible, yes, but I cannot verify since I don't have the hardware.
Did you load the required kernel modules (check with lsmod)?

I have added two ipk:

root@ultra:~# opkg install kmod-sched
root@ultra:~# opkg install kmod-sched-act-vlan

lsmod shows the necessary kernel modules:

root@ultra:~# lsmod |grep sch_ingress
sch_ingress            12288  2 
root@ultra:~# lsmod |grep cls_matchall
cls_matchall           12288  0 
root@ultra:~# lsmod |grep act_mirred
act_mirred             12288  6 

but still not working...

Have taken a look at the blog referred to in the link you gave...
but still no success (for now) :wink:

https://man7.org/linux/man-pages/man8/tc-matchall.8.html

   skip_sw
          Do not process filter by software. If hardware has no
          offload support for this filter, or TC offload is not
          enabled for the interface, operation will fail.

   skip_hw
          Do not process filter by hardware.

service network restart

ip link set up dev br-tap
tc qdisc add dev br-lan clsact
tc filter add dev br-lan ingress matchall skip_hw action mirred egress mirror dev br-tap
tc filter add dev br-lan egress matchall skip_hw action mirred egress mirror dev br-tap

but still nothing on the mirror!?

root@ultra:~# tcpdump -n -i br-tap
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-tap, link-type EN10MB (Ethernet), capture size 262144 bytes

service network restart
ip link set up dev br-tap
tc qdisc add dev br-lan clsact
tc filter add dev br-lan egress matchall skip_hw action mirred ingress mirror dev br-tap
tc filter add dev br-lan ingress matchall skip_hw action mirred egress mirror dev br-tap
root@ultra:~# tc -s -p qdisc ls dev br-lan
qdisc noqueue 0: root refcnt 2 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
qdisc clsact ffff: parent ffff:fff1 
 Sent 3151 bytes 41 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0
root@ultra:/# tcpdump -n -i br-tap
[ 2104.580420] device br-tap entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-tap, link-type EN10MB (Ethernet), capture size 262144 bytes
15:55:28.555826 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 259, length 64
15:55:29.558440 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 260, length 64
15:55:30.558757 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 261, length 64
15:55:31.560134 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 262, length 64
15:55:32.560918 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 263, length 64
15:55:33.562084 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 264, length 64
15:55:34.563810 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 265, length 64
15:55:35.564057 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 266, length 64
15:55:36.565928 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 267, length 64
15:55:37.567172 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 268, length 64
15:55:38.569459 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 269, length 64
15:55:39.568960 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 270, length 64
15:55:40.570508 IP 10.4.2.224 > 10.4.2.112: ICMP echo reply, id 3, seq 271, length 64

WHOOO... There was a little bug in the tutorial given!?
I have mirrored ingress to egress and egress to ingress...
now it talks... (a lot!)
I hope I have done it correctly???

sorry for the little off-topic...

thanks

edited: I have to cross egress/ingress, to not get DUP in the ping command...
Hope I have done the mirror correctly???

I have to use the console to not get a loop of my own traffic when logged in by ssh...?

Not sure if bridge devices are supported as source or destination. I guess it is called port mirror for a reason.
Try with lan1, lan2 or similar.

The tutorial looks correct to me, both should be mirrored to egress of the monitoring port.

https://biot.com/switches/testing/mirroring

It needs the packages ip-full and tc-full.

root@ultra:/# opkg install tc-full ip-full
Package tc-full (5.11.0-3) installed in root is up to date.
Package ip-full (5.11.0-3) installed in root is up to date.

still silent if not "crossed" to lan0...

okay, tried with wlan0 and wan, to (mirror) lan0... still silent!

But I have to change skip_sw to skip_hw! If not, I get an error from the kernel...

thanks for the script...
I only had to modify skip_sw to skip_hw, and set the mirror port to lan0.
But still silent on my tcpdump -i lan0

@eduardo010174
How do you "listen" to your mirror port?
With tcpdump -i lan2?