Problems with Untagged Port VLAN Configuration using DSA

Edit: Apparently, I forgot to bring the wan interface up; it has nothing to do with the traffic being untagged. I can reach 3 networks properly now.

I reach two ISP networks on my Linux computer using a Linksys WRT32X.

On OpenWrt 19.07.3, this is the current way I reach two ISP networks and the router on my computer at LAN 4.

Router: eth0 on VLAN 1 - LAN 4 untagged

ISP1: WAN untagged - LAN 4 on VLAN 2

ISP2: LAN 1 on VLAN 561 - LAN 4 on VLAN 561

I'm trying to replicate this configuration on the latest OpenWrt snapshot at kernel 5.4.101.

For now, let's not bring the CPU port into this to keep it simple. Let's try to make ISP connections work first.

I made a set of commands to run, inspired by the Linux Networking Documentation.
https://www.kernel.org/doc/html/latest/networking/dsa/configuration.html#configuration-without-tagging-support

I installed ip-bridge and put wan, lan1 & lan4 on br-lan.

# bring up the slave interfaces
ip link set wan up
ip link set lan1 up
ip link set lan4 up

# activate VLAN filtering
ip link set dev br-lan type bridge vlan_filtering 1

# add ports to bridge
ip link set dev wan master br-lan
ip link set dev lan1 master br-lan
ip link set dev lan4 master br-lan

# tag traffic on ports
bridge vlan add dev lan1 vid 561
bridge vlan add dev lan4 vid 561

Edit: I can access ISP1 on VLAN 2, ISP2 on VLAN 561 and my router untagged from my computer now. Problem solved.

However I can't reach ISP1 on VLAN 2. Here's my configuration:

root@OpenWrt:~# bridge vlan add dev wan vid 2 untagged pvid
root@OpenWrt:~# bridge vlan add dev lan4 vid 2
root@OpenWrt:~# bridge vlan
port              vlan-id  
lan4              1 PVID Egress Untagged
                  2
                  561
lan3              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan1              561
wan               2 PVID Egress Untagged
br-lan            1 PVID Egress Untagged
wlan0             1 PVID Egress Untagged
wlan1             1 PVID Egress Untagged

I heard some fuss about untagged ports being problematic on DSA and I'm looking for any advice to make this work.

You will not get an answer from this user (or any other anon..... user) since he left the forum.

Ah, got it. Thanks for the heads up.

I am also using DSA configuration. I have 5 interfaces by default, each corresponding to one of the 5 physical ports on my router: lan1, lan2, lan3, lan4 and wan.

You should be able to configure it via the configuration file, LuCI or UCI. No need for any manual commands. I connect to my ISP via PPPoE on the wan port on a tagged VLAN 6, and to the IPTV network on VLAN 4. LuCI/UCI/configuration file will interpret dot notation as tagged VLANs: wan.6 means VLAN 6 tag on the wan port. wan.4 means VLAN 4 tag on the wan port.

The different interfaces are already in different untagged VLANs by default. In order to combine them into one layer 2 network you simply need to bridge them with each other. If you don't bridge them and use them as is, they will already be on different untagged VLANs by default. This means that in order to use two different VLANs in your network (like I am doing as well for an untrusted IoT network and my main network) you simply keep them separate in your config. If you were to use an untagged VLAN on a single port you simply use that port as is. If you want to use an untagged VLAN on multiple ports, you would bridge those ports together and use that bridge as is. To give an example configuration, my network:

Tagged VLAN 6 on Wan: Internet
Tagged VLAN 4 on Wan: IPTV
Untagged VLAN on lan1 & lan2: Normal network
Untagged VLAN on lan3 & lan4: IOT network.

This is how this configuration looks. Hopefully it helps you understand how it's configured to apply that knowledge to your own setup:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'redacted'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ifname 'lan1 lan2'
	option ip6assign '64'

config device 'lan_lan1_dev'
	option name 'lan1'
	option macaddr 'redacted'

config device 'lan_lan2_dev'
	option name 'lan2'
	option macaddr 'redacted'

config device 'lan_lan3_dev'
	option name 'lan3'
	option macaddr 'redacted'

config device 'lan_lan4_dev'
	option name 'lan4'
	option macaddr 'redacted'

config interface 'wan'
	option proto 'pppoe'
	option ifname 'wan.6'
	option username 'redacted'
	option password 'redacted'
	option ipv6 'auto'
	option mtu '1508'

config device 'wan_wan_dev'
	option name 'wan'
	option macaddr 'redacted'

config interface 'wan6'
	option ifname 'wan'
	option proto 'dhcpv6'

config interface 'untrusted'
	option proto 'static'
	option type 'bridge'
	option ifname 'lan3 lan4'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config interface 'iptv'
	option proto 'dhcp'
	option ifname 'wan.4'
	option defaultroute '0'
	option peerdns '0'
	option vendorid 'IPTV_RG'

config route
	option interface 'lan'
	option target '192.168.4.0/24'
	option netmask '255.255.255.0'
	option gateway '192.168.1.209'

I believe I understand your current config. You specify wan as wan.6 & wan.4 and the OS/driver automatically gives the correct VLAN IDs for them, yes?
And you split lan ports into two networks in which the traffic goes untagged.

If I got it right, unfortunately, I don't see how this fits the issue I'm having.

I don't know how much you know about switching and I don't want to be disrespectful so I'll break it down to the basics:

root@OpenWrt:~# bridge vlan add dev wan vid 2 untagged pvid

vid 2 pvid
This basically makes VLAN ID 2 to be considered a PVID at ingress.
That means any untagged frames AT INGRESS (traffic coming from wan port) will be assigned to this VLAN.

vid 2 untagged
Now I specify untagged for this port so VLAN 2 frames will go out untagged ON EGRESS (traffic going out to wan port).

Check bridge(8) man page to understand this better.

Image to visualize ingress/egress from Paul Gorman's VLAN Tutorial

With this configuration, egress and ingress traffic should work properly.

 


root@OpenWrt:~# bridge vlan add dev lan4 vid 2

This simply accepts VLAN 2 traffic to and from this port. (There might be a better explanation of what's happening here; I'll stand corrected if it's pointed out.)

You see, I'm trying to have untagged traffic coming to and from wan port to have VLAN ID 2 tag on the switch.
lan4 being properly configured, VLAN 2 tagged traffic from lan4 should be switched to wan as untagged. But for some reason wan side won't work.

I'm going to do a Wireshark test on each side (lan4 & wan) and see if/how the frames reach each other.

That is correct. I am not 100% sure if DSA supports a tagged VLAN and an untagged VLAN on the same port, but I am fairly sure that it does.

If that is correct, to remake your first screenshot in your initial post under DSA, you would have to do the following. You should have 5 interfaces as well: wan, lan1, lan2, lan3 and lan4.

You should create 3 interfaces.

For the current VLAN 1 you would create a bridge with: lan2, lan3 and lan4
For the current VLAN 2 you would create a bridge with: lan4.2 and wan
For the current VLAN 561 you would create a bridge with: lan1.561, lan4.561

Basically, to have an untagged VLAN use an interface as is. To have a tagged VLAN use an interface with the desired VLAN dot notation. Hope this helps.

Edit: To make your second simpler screenshot you would:

For the current VLAN 2 you would create a bridge with: lan4.2 and wan
For the current VLAN 561 you would create a bridge with: lan1.561 and lan4.561

Indeed, it does. However, I don't know yet how to specify a default VLAN (PVID) for a port, when all VLANs are tagged, for example.

Currently, I reach my router untagged and ISP2 over VLAN 561 so that's a yes.

I'm having a bit of trouble adding wan to a bridge other than br-lan for some reason. I'm working on it.

But let me say this: the way you're suggesting is without VLAN filtering which, I admit, is a valid way. But with VLAN filtering there's only one bridge for all interfaces and it acts more like a real switch. There's a Red Hat blog that explains the difference.

Honestly, the current way of how OpenWrt interfaces are configured is the "automatic" way which I believe has to change if there are any plans to make a swconfig-like configuration page but that's a conversation for another day.

Making multiple bridges somehow breaks interfaces.
For one, I just can't get any slave interface (wan, lanX) to register under different bridges.

For example:
lan2, lan3, lan4 are on br-lan

root@OpenWrt:~# brctl addif br-isp2 lan1
brctl: bridge br-isp2: Resource busy
root@OpenWrt:~# brctl addif br-lan lan1
root@OpenWrt:~# (success)
root@OpenWrt:~# brctl addif br-isp2 wan
brctl: bridge br-isp2: Resource busy
root@OpenWrt:~# brctl addif br-lan wan
root@OpenWrt:~# (success)

@Mushoz Can you give it a try too? Looks like the DSA driver doesn't allow putting slave interfaces under different bridges. Slave subinterfaces work fine.

Final Update: It turns out that while I successfully brought up lan1 and lan4, I forgot to do the same on the wan interface. Doing things after a while with a clean head really helps in seeing the devil in the details.

Thank you @Mushoz for your help.


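The fault in this thread was a member port left administratively down, which the `bridge vlan` table does not show. The following is an added example, not code from any poster: it parses `bridge vlan show` output, lists the member ports of one VLAN, and reports members whose IFF_UP bit is clear in sysfs. The function names, the constructed sample table and the `SYSFS_ROOT` parameter are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Sample table constructed in the shape shown above.
SAMPLE_BRIDGE_VLAN='port              vlan-id
lan4              1 PVID Egress Untagged
                  2
                  561
lan1              561
wan               2 PVID Egress Untagged
br-lan            1 PVID Egress Untagged'

# vlan_table: `bridge vlan show` text on stdin -> one "vid port flags" line per entry.
# Indented continuation lines belong to the port named on the last unindented line.
vlan_table() {
    awk '
        NR == 1 && $1 == "port" { next }   # header row
        NF == 0 { next }                   # blank separator lines
        /^[^ \t]/ { port = $1; vid = $2; first = 3 }
        /^[ \t]/  { vid = $1; first = 2 }
        {
            flags = ""
            for (i = first; i <= NF; i++) flags = flags (flags ? "," : "") $i
            print vid, port, (flags ? flags : "tagged")
        }'
}

# vlan_members VID: member ports of VID, space-separated, in table order.
vlan_members() {
    vlan_table | awk -v want="$1" \
        '$1 == want { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# ports_admin_down SYSFS_ROOT PORT...: print ports whose IFF_UP bit (0x1) is clear.
# SYSFS_ROOT is /sys/class/net on a router; it is a parameter so this runs offline.
ports_admin_down() {
    root=$1; shift
    for p in "$@"; do
        f=$(cat "$root/$p/flags" 2>/dev/null) || { echo "$p:missing"; continue; }
        [ $(( $f & 1 )) -eq 1 ] || echo "$p:down"
    done
}

# vlan_path_check VID SYSFS_ROOT: table on stdin -> members of VID that are not up.
vlan_path_check() {
    members=$(vlan_members "$1")
    ports_admin_down "$2" $members   # unquoted on purpose: split the port list
}

# Demo on the constructed sample; on a router: bridge vlan show | vlan_path_check 2 /sys/class/net
printf '%s\n' "$SAMPLE_BRIDGE_VLAN" | vlan_members 2
```

An empty result from `vlan_path_check` only rules out an administratively down member; a port that is up but has no carrier needs a separate look at its `operstate`.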
Glad to see you managed to get it working!
