Mini tutorial for DSA network config

Thanks for your answer!
Maybe my intention was insufficiently described (sorry for that) - my ISP does not provide a VLAN ID, but I want to forward unfirewalled internet traffic via VID 100 within my network (for playing around with new devices etc.).
As far as I understand, option device 'wan.100' is for tagged VID 100, but to reach my goal I want untagged VID 100 for egress packets - or does option device 'wan.100' also set PVID 100 (which is reached by the * in the explicit notation list ports 'wan:u*') for incoming/outgoing traffic?
edit: I'll check if it works anyways (but again only in a few days) but also want to theoretically understand it :slight_smile:

I thought it would be best to post it here instead of opening a new thread (as the mini-tutorial did not answer my question concerning DSA). So I do not understand your concern.
My goal would be, in exact words: how to forward unfiltered/unfirewalled WAN traffic within my network on VID 100 with no external (ISP-given) VID being applied.

actually... it's all covered (albeit in pieces)... even tc mirroring... definitely a new thread for help with your issue is best...

Hi All,
Can anyone explain why the following does not work as expected on a DSA device:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

In this scenario, traffic tagged with VLAN 2 entering port 5 is served DHCP and can access the internet (locally from this same device). However, it cannot talk to other LAN devices (on the other ports), nor can LAN devices talk to it, i.e. ARP etc. are not being forwarded over the bridge; the bridge is not behaving as I expect (for port lan5.2 only).

I understand this can be done alternatively with bridge VLAN filtering as described in this thread, but I don't understand why this does not also work, nor do I understand why bridge VLAN filtering is even a thing compared to this method. Happy to provide more details if you believe this should work.

Thanks,
Dave

The following equivalent with bridge vlan filtering appears to work as expected:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option device 'br-lan.2'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:t'

Dave

This part is CRUCIAL and is easily missed when you are migrating from an older configuration, as your config interface section may already have this in it.

Hi Dave,

The previous configuration might not have worked because the tagged packets were bridged to your lan ports as-is, and the devices there presumably only expect untagged packets, whereas the second configuration explicitly untags the packets before sending them to lan ports 2-4.

On my router I only list the CPU eth#.VLAN port on the device (as that's what interacts with the OS), and let the switch configuration take care of bridging between ports. Translated to your configuration, that might look something like:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan5.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config switch_vlan
        option device 'YOUR_SWITCH_DEVICE'
        option vlan '2'
        option vid '2'
        option ports '2 3 4 5t'

(lan5.2 might have to be eth?.2)

Yet another configuration option? :wink:

Richard.

You cannot create a new post concerning your problems with DSA and not add anything to the mini tutorial; we do not understand anything anymore?

Should the example from post 1 work on all DSA switches? I have a WRT1900AC and it seems that all (lan1..4) ports have to be part of the same bridge/switch br-lan device. Trying to put lan4 in the br-guest bridge (of course removing it first from br-lan) gets me

$ brctl addif br-guest lan4
brctl: bridge br-guest: Not supported

So are there any limitations on bridge/switch port assignments?

Changing the network configuration directly via low-level programs (e.g. brctl) is not recommended. Configure through UCI files and the netifd scripts.

As I understand it, associating different ports within the same hardware switch with multiple bridges only works if all bridge ports' Ethernet traffic is untagged, which also implies that each port is in at most one bridge. If you need tagging on an Ethernet port which is within a bridge, even if it is only going to be one VLAN on the cable (thus only in one bridge), it is still necessary to use bridge-vlan.

I was using the command line just to try to find out what was going on. Otherwise, of course, /etc/config/network is the preferred way.
And you are probably right, as I do have lan1.1 in br-lan...

Hi, can someone please explain to me why in the VLAN tagged traffic example:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan4:u*'

there is an asterisk needed for lan4:u* (and not, for example, for lan1..lan3)?

lan1-3 ports are not tagged and participate only in VLAN 1.
The lan4 port is tagged on VLAN 1 and untagged on VLAN 2. The asterisk is used to set the PVID, that is, which VLAN will be assigned to incoming untagged traffic.

1 Like
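To make the tagged/untagged/PVID semantics of the bridge-vlan port syntax above concrete, here is a small checker, added as an example (not code from this thread or from OpenWrt): it parses the `list ports` entries, builds a per-port view of which VIDs leave tagged or untagged and which VID owns the PVID, and flags ports whose untagged ingress would be dropped or is claimed by more than one VID. It assumes netifd's documented default that a bare port name (as for lan1..lan3) means untagged plus PVID, i.e. the same as `:u*`.

```python
import re
# Constructed sample, copied from the question above (lan4: VLAN 1 tagged, VLAN 2 untagged + PVID).
SAMPLE_UCI = """config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t'
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan4:u*'
"""
_OPT = re.compile(r"^(option|list)\s+(\w+)\s+'([^']*)'$")  # single-quoted values only

def parse_bridge_vlans(text):
    """Yield (vid, port, untagged, pvid) for every port listed in a bridge-vlan section."""
    sections, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):  # any new section (of any type) ends the current one
            cur = {"ports": []} if line.startswith("config bridge-vlan") else None
            sections.append(cur)
        elif cur and (m := _OPT.match(line)):
            kind, key, val = m.groups()
            if (kind, key) == ("list", "ports"):
                cur["ports"].append(val)
            elif key == "vlan":
                cur["vlan"] = int(val)
    for sec in filter(None, sections):
        for spec in sec["ports"]:
            name, _, flags = spec.partition(":")
            # Assumed netifd default: a bare name equals ':u*'; 't' tagged, 'u' untagged, '*' PVID
            yield sec["vlan"], name, ("u" in flags) if flags else True, ("*" in flags) if flags else True

def port_table(text):
    table = {}  # port -> {"egress": {vid: "tagged"|"untagged"}, "pvid": [vids claiming PVID]}
    for vid, port, untagged, pvid in parse_bridge_vlans(text):
        e = table.setdefault(port, {"egress": {}, "pvid": []})
        e["egress"][vid] = "untagged" if untagged else "tagged"
        e["pvid"] += [vid] if pvid else []
    return table

def check_ports(text):
    problems = []  # empty list means the VLAN map is consistent
    for port, e in port_table(text).items():
        if len(e["pvid"]) > 1:
            problems.append(f"{port}: VIDs {e['pvid']} all claim PVID; only one may own untagged ingress")
        elif not e["pvid"]:
            problems.append(f"{port}: no PVID, so untagged frames arriving on it are dropped")
    return problems
```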

Does anyone know of a good way to get the current VLAN status of a DSA setup (without having to install ip-bridge)? I was hoping to find a UBUS call, but I don't seem to see anything useful. ip -d link also doesn't help.

I am attempting the mirroring, as shown, on a DIR-882 running 21.02.01.
Both the system and kernel logs are showing ...

Packet exceeded mirred recursion limit on dev br-lan

Have I done something wrong?

network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.232.205'
network.tap=interface
network.tap.proto='none'
network.tap.force_link='1'
network.tap.device='br-tap'
network.@device[1]=device
network.@device[1].type='bridge'
network.@device[1].name='br-tap'
network.@device[1].ports='lan4'

It seems I'm facing problems trying to migrate my config from 19.07 to 21.02.

Basically, I'm using one of my LAN ports as an additional WAN (another ISP). I created a configuration so that when I connect to WLAN A, it uses the main WAN, but when I switch to WLAN B, it uses the additional WAN.

I was able to accomplish this using Switch + VPN Policy Routing package. It worked perfectly for almost 3 years.

My previous setup was something like this:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

config interface 'lan2'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option ifname 'eth0.2'
	option delegate '0'
	option proto 'static'
	option ipaddr 'X.X.X.X'
	option gateway 'X.X.X.X'
	option netmask '255.255.255.0'
	option metric '0'

config interface 'wan3'
	option ifname 'eth0.3'
	option type 'bridge'
	option delegate '0'
	option proto 'static'
	option ipaddr 'X.X.X.X'
	option gateway 'X.X.X.X'
	option netmask '255.255.255.0'
	option metric '20'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '6t 0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '6t 2'
	option vid '3'

I spent almost the whole day trying to convert this configuration to the new DSA format, but I was not able to make it work.

Can someone give me a hint?

This is where I learned how to set up my VLANs in 21.02

3 Likes

I found this video yesterday, before. It is very complete and didactic. You can tell this guy knows what he is talking about. At the beginning it didn't make any sense to me, but after your suggestion I gave it another chance, watched carefully, and was able to understand DSA (at least a little).


After some trial and error, I was able to translate the old format to this new format.

I'll leave it here to help any other user struggling with this migration.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'

config device
	option name 'br-lan.2'
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'

config device
	option name 'br-lan2'
	option type 'bridge'
	option bridge_empty '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth0:t'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'
	list ports 'wan:u*'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'
	option device 'br-lan.1'

config interface 'lan2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option device 'br-lan2'

config interface 'wan'
	option proto 'static'
	option ipaddr 'X.X.X.X'
	option gateway 'X.X.X.X'
	option netmask '255.255.255.0'
	option metric '10'
	option device 'br-lan.3'

config interface 'wan2'
	option proto 'static'
	option ipaddr 'X.X.X.X'
	option gateway 'X.X.X.X'
	option netmask '255.255.255.0'
	option device 'br-lan.2'
	option metric '20'

Highlights:

  • I added both eth0 and wan to br-lan bridge
  • I created 3 VLANs, toggling tag/untag flags (see image below for better understanding)
  • For lan interface, I changed device to use the first VLAN (br-lan.1)
  • For wan, I changed device to use third VLAN (br-lan.3)
  • For the secondary wan (wan2), I changed to use second VLAN (br-lan.2)
  • br-lan2 is just a dummy bridge to hold and assign a different IP range to some additional WLAN networks. Then, I created some special config using the VPN Policy Routing package to redirect all external traffic to the secondary wan (wan2)

I'm not sure if the config is redundant. But at this point, if it is working, it is okay for me.

I struggled a lot the first time, but after understanding it all and after countless research, now it's easier.

1 Like

When we're using the swconfig framework, a switch port can either be tagged or untagged. A switch port cannot be tagged and untagged at the same time. This is consistent with many managed switches that are on the market, i.e. a switch port cannot be tagged and untagged at the same time.

With the DSA framework, this is now allowed. Does anyone know the rationale for this design?

In the OpenWRT master branch the Luci interface even allows the inclusion of the same switch port in multiple bridges, which, as far as I understand it, the DSA framework does not allow. Is this a bug in Luci, or is this also allowed in DSA?