darksky
September 11, 2021, 11:48am
1
I have a simple setup, RPi4 is primary router and R7800 as dumb AP.
I have 5 VLAN setup and wanted to make sure the switch settings on the dumb AP are correct.
Diagram:
The R7800 dumb AP currently has:
Port 2 connected to the on board NIC on the RPi4 router
Port 3 connected to an unmanaged switch (rest of the wired network)
Port 4 connected to the PoE switch for camera
VLAN ID1 = lan
VLAN ID2 = wan
VLAN ID3 = guest
VLAN ID4 = virtual
VLAN ID5 = iot (for cameras)
For context, the RPi4 router has the onboard NIC setup to use a bridge device using VLAN filtering thanks to DSA like this:
Enable VLAN filtered [X]
VLAN ID Local eth0
----------------------
1 [X] u
3 [X] t
4 [X] t
5 [X] t
And here's a shot of the firewall zones:
krazeh
September 13, 2021, 1:23pm
2
Why are you not tagging the LAN traffic on the trunk between the R7800 and the RPi4?
darksky
September 13, 2021, 2:47pm
3
@krazeh - Is that:
I might have misunderstood, but that was due to the advice in this video regarding unmanaged switches and VLANs: https://youtu.be/4t_S2oWsBpE?t=710
Is it not accurate?
krazeh
September 13, 2021, 2:57pm
4
Yes, the one you've circled should be changed to tagged. Mixing untagged and tagged traffic on a trunk can work in some situations, but can also lead to unusual results. The R7800 will remove the VLAN tag for any traffic sent out to the unmanaged switch (on LAN2) and add it to any traffic received from the unmanaged switch. You don't need to also have it untagged between the R7800 and RPi4 as both devices are VLAN-aware and will understand the tagging.
darksky
September 13, 2021, 3:26pm
5
I changed the red-circled setting from "untagged" to "tagged" and it cut off my ability to ssh into boxes in the IOT zone.
Isn't that "between the R7800 and RPI4" the same setting on LAN3?
krazeh
September 13, 2021, 3:29pm
6
Did you change the VLAN tagging settings on the RPi4 as well?
Not sure I know what you mean by this.
darksky
September 13, 2021, 4:10pm
7
I think I misunderstood your reply to me. Are you suggesting that I make two changes to achieve the result:
On the router (RPi4), change all ports to tagged?
On the AP (R7800) change the red circled setting from "untagged" to "tagged"?
Number 1 would look like this if I understand things:
Enable VLAN filtered [X]
VLAN ID Local eth0
----------------------
1 [X] t
3 [X] t
4 [X] t
5 [X] t
darksky
September 13, 2021, 4:15pm
9
I attempted it on the router first, and found that I could not connect any more (to anything). LuCI rolled the changes back automatically. I guess I need to do it first on the R7800, then router?
krazeh
September 13, 2021, 4:20pm
10
Yeah, do the R7800 first.
darksky
September 13, 2021, 4:21pm
11
Changing it first on the AP (R7800) gave a similar lack of connectivity. Not sure how to achieve this.
darksky
September 13, 2021, 4:23pm
12
Since LAN1 on the R7800 is setup to:
1 untagged
2 off
3 off
4 off
5 off
Perhaps I can connect the unmanaged switch to it and get the changes to work?
krazeh
September 13, 2021, 4:26pm
13
What's the output of cat /etc/config/network on the RPi4?
darksky
September 13, 2021, 4:28pm
14
Omitting the wireguard stuff:
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd1a:184b:b879::/48'
    option packet_steering '1'

config device
    option name 'br-main'
    option type 'bridge'
    list ports 'eth0'
    option ipv6 '0'

config interface 'lan'
    option proto 'static'
    option ipaddr '10.9.8.1'
    option netmask '255.255.255.0'
    option device 'br-main.1'

config interface 'wan'
    option proto 'dhcp'
    option peerdns '0'
    option delegate '0'
    list dns '1.1.1.1'
    list dns '1.0.0.1'
    option device 'br-wan'

config bridge-vlan
    option device 'br-main'
    option vlan '1'
    list ports 'eth0'

config bridge-vlan
    option device 'br-main'
    option vlan '3'
    list ports 'eth0:t'

config device
    option name 'br-main.1'
    option type '8021q'
    option ifname 'br-main'
    option vid '1'
    option ipv6 '0'

config device
    option name 'br-main.3'
    option type '8021q'
    option ifname 'br-main'
    option vid '3'
    option ipv6 '0'

config device
    option type 'bridge'
    option name 'br-wan'
    list ports 'eth1'
    option ipv6 '0'

config interface 'guest'
    option proto 'static'
    option device 'br-main.3'
    option netmask '255.255.255.0'
    option ipaddr '10.9.7.1'

config device
    option name 'eth0'
    option ipv6 '0'

config device
    option name 'eth1'
    option ipv6 '0'

config bridge-vlan
    option device 'br-main'
    option vlan '4'
    list ports 'eth0:t'

config device
    option type 'bridge'
    option name 'br-lxc'
    list ports 'br-main.4'
    option ipv6 '0'

config interface 'LXC'
    option proto 'static'
    option device 'br-lxc'
    option ipaddr '10.0.4.1'
    option netmask '255.255.255.0'

config device
    option name 'br-main.4'
    option type '8021q'
    option ifname 'br-main'
    option vid '4'
    option ipv6 '0'

config bridge-vlan
    option device 'br-main'
    option vlan '5'
    list ports 'eth0:t'

config device
    option name 'br-main.5'
    option type '8021q'
    option ifname 'br-main'
    option vid '5'
    option ipv6 '0'

config interface 'iot'
    option proto 'static'
    option device 'br-main.5'
    option ipaddr '10.9.5.1'
    option netmask '255.255.255.0'
darksky
September 13, 2021, 5:03pm
15
I have tty access to the RPi4 router. I could change the red circle to 'tagged' and then use the physical keyboard on the RPi4 to change this:
config bridge-vlan
    option device 'br-main'
    option vlan '1'
    list ports 'eth0'

To this:

config bridge-vlan
    option device 'br-main'
    option vlan '1'
    list ports 'eth0:t'
darksky
September 13, 2021, 5:07pm
16
That did not work either.
mk24
September 13, 2021, 5:11pm
17
The Pi doesn't have a switch. Use the notation eth0.1 to emit packets tagged 1 directly from the Ethernet port.
krazeh
September 13, 2021, 5:11pm
18
I'll be honest, I don't have any experience with DSA to run VLANs on my RPi4. I just use dot-notation (i.e. option device eth0.1 etc. in the respective interface config.)
However, you could try:
config bridge-vlan
    option device 'br-main'
    option vlan '1'
    list ports 'eth0:t*'
This is the approach I would take. I'd get rid of the DSA side of things and just replace it with something like:
config interface 'lan'
    option proto 'static'
    option ipaddr '10.9.8.1'
    option netmask '255.255.255.0'
    option device 'eth0.1'

config interface 'wan'
    option proto 'dhcp'
    option peerdns '0'
    option delegate '0'
    list dns '1.1.1.1'
    list dns '1.0.0.1'
    option device 'eth1'

config interface 'guest'
    option proto 'static'
    option device 'eth0.3'
    option netmask '255.255.255.0'
    option ipaddr '10.9.7.1'

config interface 'LXC'
    option proto 'static'
    option device 'eth0.4'
    option ipaddr '10.0.4.1'
    option netmask '255.255.255.0'

config interface 'iot'
    option proto 'static'
    option device 'eth0.5'
    option ipaddr '10.9.5.1'
    option netmask '255.255.255.0'
darksky
September 13, 2021, 5:28pm
20
OK!
Changed the AP (red circle) to 'tagged' and (on the physical keyboard) changed the setting to this:
config bridge-vlan
    option device 'br-main'
    option vlan '1'
    # list ports 'eth0'
    list ports 'eth0:t*'
Connectivity is restored. BUT, from my lan zone (a PC on the switch connected to LAN3), I am unable to ssh into a box in the IOT zone.
Correction, DNS resolution does not work between zones but I can connect manually specifying the IP address.
EDIT: my bad... I had to restart the network on the device in question (wasn't in the DHCP table). I think I am functional implementing your suggestion.
To recap, I made two changes.
First on the router (RPi4):
Enable VLAN filtered [X]
VLAN ID Local eth0
----------------------
1 [X] t*
3 [X] t
4 [X] t
5 [X] t
And second, on the dumb AP (R7800):
Does everything look right now?
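The thread's outage in post 5 was a tagging mismatch on the trunk: the lan VLAN was switched to tagged on the R7800 while the RPi4 still had it as a plain untagged member ('eth0'), and connectivity only came back once both ends agreed (post 20, 'eth0:t*'). The script below is an added example, not code from this thread or from OpenWrt. It parses the bridge-vlan sections of an /etc/config/network text, decodes the port-spec notation discussed in posts 15 to 20 (plain or :u untagged, :t tagged, trailing * for PVID) and compares the RPi4 trunk port's per-VLAN tagging with a hand-written table for the R7800 port facing it. The UCI text is the config from post 14 trimmed to VLANs 1, 3 and 5; the AP-side tables are transcribed from the posts and are assumptions, since the screenshots are not on the page.

```python
"""Trunk VLAN consistency check for the OpenWrt DSA bridge-vlan setup above.
Added example, not code from the thread or from OpenWrt: it reads bridge-vlan
sections out of /etc/config/network text and compares the RPi4 trunk port's
per-VLAN tagging with the R7800 port at the far end of the cable. The UCI text
is the RPi4 config from post 14 trimmed to VLANs 1, 3 and 5; the AP-side
tables are transcribed from the posts and are assumptions."""
import re

# OpenWrt bridge-vlan 'list ports' grammar: eth0 or eth0:u untagged member,
# eth0:t tagged member; a trailing '*' marks the PVID, the VLAN that untagged
# frames arriving on that port are assigned to (eth0:t*, lan1:u*).
PORT_RE = re.compile(r"^(?P<port>[^:*]+)(?::(?P<mode>[tu]))?(?P<pvid>\*)?$")


def parse_port_spec(spec):
    """Return (port, tagged, pvid) for one 'list ports' entry."""
    m = PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad bridge-vlan port spec: {spec!r}")
    return m["port"], m["mode"] == "t", m["pvid"] == "*"


def parse_uci(text):
    """Minimal UCI reader: config / option / list lines; comments ignored."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *rest = line.split(None, 2)
        if kw == "config":
            name = rest[1].strip("'\"") if len(rest) > 1 else None
            sections.append({"type": rest[0], "name": name, "option": {}, "list": {}})
        elif kw == "option":
            sections[-1]["option"][rest[0]] = rest[1].strip("'\"")
        elif kw == "list":
            sections[-1]["list"].setdefault(rest[0], []).append(rest[1].strip("'\""))
    return sections


def bridge_vlans(sections, bridge):
    """{vid: {port: (tagged, pvid)}} for the named bridge device."""
    table = {}
    for s in sections:
        if s["type"] == "bridge-vlan" and s["option"].get("device") == bridge:
            specs = map(parse_port_spec, s["list"].get("ports", []))
            table[int(s["option"]["vlan"])] = {p: (t, pv) for p, t, pv in specs}
    return table


def port_mode(table, vid, port):
    """'tagged', 'untagged' or 'off' for one port in one VLAN."""
    entry = table.get(vid, {}).get(port)
    return "off" if entry is None else ("tagged" if entry[0] else "untagged")


def pvid(table, port):
    """VLAN carrying the '*' marker for `port` in the config text, or None."""
    hits = [vid for vid, ports in table.items() if port in ports and ports[port][1]]
    return hits[0] if hits else None


def lint_trunk(sections, bridge, port, peer):
    """Compare `port` on `bridge` with `peer`, a {vid: mode} table for the far
    end of the link. Returns human-readable findings; empty means consistent."""
    table, findings = bridge_vlans(sections, bridge), []
    # A br-main.N 8021q sub-device with no bridge-vlan N underneath carries nothing.
    for s in sections:
        o = s["option"]
        if s["type"] == "device" and o.get("type") == "8021q" and o.get("ifname") == bridge:
            if int(o["vid"]) not in table:
                findings.append(f"{o['name']}: no bridge-vlan {o['vid']} defined on {bridge}")
    # Tagging must agree end to end. Untagged here but tagged there (the change
    # made in post 4) means that VLAN is dropped or lands in the peer's PVID VLAN.
    for vid in sorted(set(table) | set(peer)):
        here, there = port_mode(table, vid, port), peer.get(vid, "off")
        if here != there:
            findings.append(f"VLAN {vid}: {port} is {here} here but {there} on the peer")
    return findings


# Constructed input: the RPi4 /etc/config/network from post 14, trimmed.
RPI4_BEFORE = """config bridge-vlan
    option device 'br-main'
    option vlan '1'
    list ports 'eth0'
config bridge-vlan
    option device 'br-main'
    option vlan '3'
    list ports 'eth0:t'
config bridge-vlan
    option device 'br-main'
    option vlan '5'
    list ports 'eth0:t'
config device
    option name 'br-main.5'
    option type '8021q'
    option ifname 'br-main'
    option vid '5'"""
# Post 20: the lan VLAN entry changed from plain 'eth0' to 'eth0:t*'.
RPI4_AFTER = RPI4_BEFORE.replace("option vlan '1'\n    list ports 'eth0'",
                                 "option vlan '1'\n    list ports 'eth0:t*'")
# Assumed R7800 port facing the RPi4, before and after post 4's advice (VLAN 2 is off).
AP_BEFORE = {1: "untagged", 3: "tagged", 5: "tagged"}
AP_AFTER = {**AP_BEFORE, 1: "tagged"}


def check(uci_text, peer):
    return lint_trunk(parse_uci(uci_text), "br-main", "eth0", peer)
```

check(RPI4_BEFORE, AP_BEFORE) and check(RPI4_AFTER, AP_AFTER) return no findings; check(RPI4_BEFORE, AP_AFTER) reports exactly the VLAN 1 mismatch that took the IoT boxes offline in post 5. The point of the trailing '*' is visible through pvid(): with 'eth0:t*' the lan VLAN is the port's PVID, so any untagged frame arriving on that cable is placed in lan, which is worth knowing before plugging anything other than the AP trunk into that port.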