RPi 4B DSA VLAN - please sanity check my settings

Hi,

recently I decided that I wanted to separate my private and work devices on my home/work from home network and give guests their own WiFi with access to internet only.
As it's the first time I set up VLANs with separate firewall zones and traffic rules I would love for you to sanity check my settings and maybe give me feedback on how to simplify things and tips on best practices.
It's step 7 below that I'm especially eager to get your opinion on.

When I first set up the OpenWRT router using a RPi 4B (eth0) with a TP-Link UE300 (eth1) I only had a basic 8 port unmanaged switch and a Fritzbox I reconfigured as AP and connected to the RPi via the switch.
A couple of days ago I got a ZyXel GS1200-8HP and NWA50AX.

Here is how I went about changing from a single lan zone to separate VLANs:

  1. First I connected the managed switch to my old switch and logged into its web interface to confirm the default configuration was set to all ports in VLAN 1 untagged, PVID 1 and management VID 1.
  2. Then I followed the Mini tutorial for DSA network config and enabled VLAN filtering on the existing "br-lan" bridge device, making it a trunk with VLAN IDs 1-3 tagged and ID 4 untagged+primary. So as not to lock myself out of the router I did not click "Save & Apply" until after step 3 was complete.
    EDIT: To clarify: I chose to set VLAN filtering on the bridge device because I found it to be convenient to see the VIDs and their tagging settings all in one place and because LuCI generated and named the necessary VLAN devices automatically for me.
Screenshot of "br-lan" VLAN filter

EDIT: added a screenshot of the device tab

  3. Changed the existing "lan" interface's device setting from "br-lan" to "br-lan.1" and only now clicked "Save & Apply".
Screenshot of "lan" interface changes.

  4. Set the switch's port configuration of ports 1 (router) and 2 (AP) the same as the "br-lan" in step 2 and the rest of the ports as untagged members of the desired VLANs with their PVIDs in the untagged VLAN.
Screenshot of switch VLAN port configuration.

  5. Added interfaces for the guest (br-lan.2), work (br-lan.3) and management (br-lan.4) VLANs, each with their own firewall zone and DHCP server and, to keep it simple, with their IP address ranges corresponding to their VLAN IDs, e.g. guest 192.168.2.1/24 and so on.
Screenshot of interfaces list.

  6. Connected the AP to switch port 2 and set it up with SSIDs on separate VLANs as needed.
  7. At first I configured the new firewall zones "guest" and "work" identical to "lan", which was automatically configured as "accept/accept/accept" at first set up of the router.
    But this gave devices on guest not only access to the internet but also to the router.
    So as per How to block luci access to pubblic vlan? I changed them to "reject/accept/reject" and "lan" and "mgt" to forward reject, though I'm not sure if the latter is needed.
    Then I added traffic rules to allow DHCP and DNS access for "guest" and "work" and also blocked access to the modem's web interface while I was at it.
Screenshot of firewall zones. The forward from lan to mgt is meant to be only temporary, see step 8 below.

Screenshot of added traffic rules.

  8. After everything was up and running and I had tested that the forward from "lan" to "mgt" was working, I changed the switch's and AP's IP address to DHCP client and their management VLAN IDs from 1 to 4 and set static leases in the 192.168.4.0/24 range on the router.

Screengrabs are harder to use for reviewing the settings than looking at the base configuration files.
It is worth noting that the Pi does not use DSA -- it uses only standard dotted notation (i.e. eth0 and eth0.x, eth1 and eth1.x).

Bridge VLAN filtering isn't necessary or useful on the Pi. It really only serves a real purpose when the device in question is physically in the path of two devices that you wish to limit connections (think of a router with a 4-port switch on the LAN, for example). Here, your firewall rules will be the thing that will allow and/or limit connections between devices on different networks, but the Pi will not be able to do any such filtering between devices that exist on the same network since that traffic will be switched (via your hardware switch) and it will never reach the router.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you, it seems I misunderstood quite a few things.

I see, please find the content of the configuration files at the end of this post.
As I like to let LuCI handle the configuration files and almost exclusively rely on the GUI this made sense to me.

I thought that DSA referred to the underlying architecture and that all bcm27xx devices, the RPi being one of them, were migrated to DSA in 21.02.0.

I decided to set VLAN filtering on the bridge device since it shows all the VIDs and tagging options in one place and because LuCI created and named the necessary VLAN devices automatically upon saving the GUI form.
Will this hurt functionality, performance or manageability in any way? If so, what would be the better configuration?

My understanding was that the RPi would not handle any of the switching but needed to be made aware of the VLAN tags in order for it to route the packets from and to the various VLANs correctly and put them into their respective firewall zones.
So the switch port the router is connected to and the router need to send the packets tagged to each other, hence VIDs 1-3 set to tagged on the RPi and switch port 1.
And I found it to be convenient to set the VIDs on the RPi's bridge device for the reasons mentioned above...

At the beginning my concern was more with the firewall and traffic rules and less with the switching because of this but now I have doubts that I have set up the switching and tagging correctly.
(Everything appears to be working btw but I was not 100% sure and therefore wanted to ask the experts.)

Configuration files:

/etc/config/network
root@Router:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'
        option packet_steering '1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'br-lan.1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'
        option bridge_empty '1'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option delegate '0'

config interface 'tetheringwan'
        option proto 'dhcp'
        option device 'usb0'
        option delegate '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'eth0:u*'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'work'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config interface 'mgt'
        option proto 'static'
        option device 'br-lan.4'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option ipv6 '0'

config device
        option name 'br-lan.2'
        option type '8021q'
        option ifname 'br-lan'
        option vid '2'
        option ipv6 '0'

config device
        option name 'br-lan.3'
        option type '8021q'
        option ifname 'br-lan'
        option vid '3'
        option ipv6 '0'

config device
        option name 'br-lan.4'
        option type '8021q'
        option ifname 'br-lan'
        option vid '4'
        option ipv6 '0'

root@Router:~#
/etc/config/wireless
root@Router:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@Router:~#
/etc/config/dhcp
root@Router:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'NWA50AX'
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime '12h'
        option ip '192.168.4.2'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.4.3'
        option name 'GS1200-8HPv2'
        option dns '1'
        option leasetime '12h'

config host
        option name 'Device1.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.4'
        option leasetime '12h'

config host
        option name 'Device2.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.5'
        option leasetime '12h'

config host
        option name 'Device3-Wifi.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.6'
        option leasetime '12h'

config host
        option name 'Device4-Wifi.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.7'
        option leasetime '12h'

config host
        option name 'Device5.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime '12h'
        option ip '192.168.1.9'

config host
        option name 'Device6.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.10'
        option leasetime '12h'

config host
        option name 'Device7.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.11'
        option leasetime '12h'

config host
        option name 'Device8-Wifi.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.12'
        option leasetime '12h'

config host
        option name 'Device9-Wifi.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.13'
        option leasetime '12h'

config host
        option name 'Device10-Wifi.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.14'
        option leasetime '12h'

config host
        option name 'Device1-Wifi.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.15'
        option leasetime '12h'

config host
        option name 'Fritzbox.lan'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime 'infinite'
        option ip '192.168.1.20'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'work'
        option interface 'work'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'mgt'
        option interface 'mgt'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

root@Router:~#
/etc/config/firewall
root@Router:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'tetheringwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'
        option input 'REJECT'

config zone
        option name 'work'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'work'
        option input 'REJECT'

config zone
        option name 'mgt'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'mgt'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'work'
        option dest 'wan'

config rule
        list proto 'udp'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '67-68'
        option name 'Guest Allow DHCP'

config rule
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
        option name 'Guest Allow DNS'

config rule
        option src 'guest'
        option dest 'wan'
        option target 'REJECT'
        list dest_ip 'xxx.xxx.xxx.0/24'
        option name 'Guest Deny Modem Access'

config rule
        list proto 'udp'
        option src 'work'
        option dest_port '67-68'
        option target 'ACCEPT'
        option name 'Work Allow DHCP'

config rule
        option src 'work'
        option dest_port '53'
        option target 'ACCEPT'
        option name 'Work Allow DNS'

config rule
        option name 'Work Deny Modem Access'
        option src 'work'
        option dest 'wan'
        list dest_ip 'xxx.xxx.xxx.0/24'
        option target 'REJECT'

config forwarding
        option src 'lan'
        option dest 'mgt'

root@Router:~#

I'd recommend removing all of your bridge-lan stanzas and instead simply create the VLAN using the dotted notation. There is no need to use a bridge since you are only associating each network with a single physical interface (and you are not using the onboard wifi -- which is good because the Pi's built-in wifi is terrible as an AP, and IIRC it doesn't support multiple concurrent SSIDs).

For example... remove these (just illustrating one set):

and then modify the corresponding network like this:

config interface 'guest'
        option proto 'static'
        option device 'eth0.2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

In the dotted notation, eth0 alone is an untagged network, and eth0.2 will be tagged (in this case VLAN ID 2).

Apparently there's still something I'm missing:

new /etc/config/network config
root@Router:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'
        option packet_steering '1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'br-lan.1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'
        option bridge_empty '1'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option delegate '0'

config interface 'tetheringwan'
        option proto 'dhcp'
        option device 'usb0'
        option delegate '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth0:t'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'eth0.2'

config interface 'work'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config interface 'mgt'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'eth0'

config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option ipv6 '0'

config device
        option name 'br-lan.3'
        option type '8021q'
        option ifname 'br-lan'
        option vid '3'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option name 'eth0.2'
        option ipv6 '0'

root@Router:~#

I tried out eth0.2 on the guest interface as you recommended.
(Removed VID 2 from the br-lan bridge, added a VLAN device for eth0 with VID 2 => eth0.2.
Then I changed the guest interfaces device to eth0.2 and finally removed the br-lan.2 device.)
=> With a wifi device connected to the VID 2 associated SSID I couldn't tell a difference to the before settings.

Because you mentioned

I then set eth0 as the mgt interface's device instead of the eth0:u* br-lan.4.
This resulted in not being able to connect to the router, neither through the switch nor connected directly to RPi's eth0.
VID 1 SSID to the rescue...

Is this simply a matter of personal preference? Or what am I missing here?
Sorry if I sound ignorant or obstinate but functionally I failed to see a difference in case of the guest interface but couldn't get it to work in the case of the mgt interface.
So even if I wasn't doing something wrong with the untagged network it does take more clicks in the GUI to set it up with dotted notation than with the bridge VLAN filtering tab and you're missing out on the nice overview with the easily changeable tagged/untagged drop down menu...

You need to apply psherman's advice to your whole configuration file.

I would strongly recommend to reset to defaults and start with a fresh /etc/config/network, as you have just too much dsa leftovers in there (which don't really work without a dsa capable switch, which you don't have).

But just in short, all your bridge-vlan stanzas need to go, all 8021q stanzas need to go, lan should be eth0.1 (tagged, VID1), guest eth0.2 (tagged, VID2), work eth0.3 (tagged, VID3), mgt eth0 (untagged, mixing tagged and un-tagged traffic on one interface is not recommended) - and if you see br-lan or br-lan.x anywhere, you've missed something - but please, start over from scratch, start simple, extend piece by piece, after confirming that each of your newly added interfaces works. It's often a good idea to leave VIDs 1 and 2 alone, to skip them, as those might have special meanings for some devices.

2 Likes
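A checker for the two points raised in this thread (slh's "if you see br-lan or br-lan.x anywhere, you've missed something" and the guest/work zone rules from step 7 of the opening post), written here as an added example rather than code from the forum or from OpenWrt; the UCI samples it runs on are constructed and only loosely modelled on the dumps above.

```python
"""Lint OpenWrt UCI dumps for the two issues in this thread: bridge-vlan / br-lan.x
leftovers on a box without a DSA switch, and whether an internet-only zone (guest,
work) reaches the router for DHCP+DNS only and forwards to wan only.  Added example."""
import re

SECTION_RE = re.compile(r"config\s+(\S+)(?:\s+'([^']*)')?$")
ENTRY_RE = re.compile(r"(option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options', 'lists'}]; other lines (prompts) are skipped."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            cur = {'type': m.group(1), 'name': m.group(2), 'options': {}, 'lists': {}}
            sections.append(cur)
            continue
        m = ENTRY_RE.match(line)
        if m and cur is not None:
            kind, key, val = m.groups()
            if kind == 'option':
                cur['options'][key] = val
            else:
                cur['lists'].setdefault(key, []).append(val)
    return sections

def dsa_leftovers(net):
    """slh's rule for the Pi: no bridge-vlan stanzas, no 8021q device stacked on a
    bridge, and no interface bound to br-lan or br-lan.N (use eth0 / eth0.N instead)."""
    found = []
    for s in net:
        o = s['options']
        if s['type'] == 'bridge-vlan':
            found.append(f"bridge-vlan vid {o.get('vlan')} on {o.get('device')}")
        elif s['type'] == 'device' and o.get('type') == '8021q' and o.get('ifname', '').startswith('br-'):
            found.append(f"8021q device {o.get('name')} stacked on bridge {o['ifname']}")
        elif s['type'] == 'interface' and o.get('device', '').startswith('br-lan'):
            found.append(f"interface {s['name']} bound to {o['device']}")
    return found

def _port_in(spec, port):
    """True if a UCI dest_port spec ('53', '67-68', '67 68') covers port."""
    for part in spec.replace(',', ' ').split():
        lo, _, hi = part.partition('-')
        if lo.isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False

def zone_problems(fw, zone):
    """Problems for an internet-only zone: input not REJECT/DROP, a forwarding to
    anything but wan, or no ACCEPT input rule for DHCP (udp 67) and DNS (53)."""
    zones = {s['options'].get('name'): s for s in fw if s['type'] == 'zone'}
    if zone not in zones:
        return [f"zone {zone} not defined"]
    problems = []
    if zones[zone]['options'].get('input') not in ('REJECT', 'DROP'):
        problems.append(f"{zone}: input policy lets clients reach the router itself")
    for s in fw:
        o = s['options']
        if s['type'] == 'forwarding' and o.get('src') == zone and o.get('dest') != 'wan':
            problems.append(f"{zone}: forwards to zone {o.get('dest')}")
    for port, name in ((67, 'DHCP'), (53, 'DNS')):
        if not any(s['type'] == 'rule' and s['options'].get('src') == zone
                   and 'dest' not in s['options'] and s['options'].get('target') == 'ACCEPT'
                   and _port_in(s['options'].get('dest_port', ''), port) for s in fw):
            problems.append(f"{zone}: no input rule allowing {name}")
    return problems

# Constructed samples modelled on the thread's dumps (not the poster's full files).
NET_BEFORE = ("config bridge-vlan\n option device 'br-lan'\n option vlan '2'\n list ports 'eth0:t'\n"
              "config device\n option name 'br-lan.2'\n option type '8021q'\n option ifname 'br-lan'\n"
              "config interface 'guest'\n option device 'br-lan.2'\n")
NET_AFTER = ("config device\n option name 'eth0.20'\n option type '8021q'\n option ifname 'eth0'\n"
             "config interface 'guest'\n option device 'eth0.20'\nconfig interface 'mgt'\n option device 'eth0'\n")
FW = ("config zone\n option name 'guest'\n option input 'REJECT'\n option forward 'REJECT'\n"
      "config forwarding\n option src 'guest'\n option dest 'wan'\n"
      "config rule\n option src 'guest'\n option dest_port '67-68'\n option target 'ACCEPT'\n"
      "config rule\n option src 'guest'\n option dest_port '53'\n option target 'ACCEPT'\n"
      "config zone\n option name 'work'\n option input 'ACCEPT'\n"
      "config forwarding\n option src 'work'\n option dest 'lan'\n")

if __name__ == '__main__':
    print(dsa_leftovers(parse_uci(NET_BEFORE)))   # 3 findings: the mixed setup from the first dump
    print(dsa_leftovers(parse_uci(NET_AFTER)))    # [] : dotted notation only
    print(zone_problems(parse_uci(FW), 'guest'))  # [] : guest zone as in the thread
    print(zone_problems(parse_uci(FW), 'work'))   # 4 problems in the deliberately broken work zone
```

Run it against your own dumps with `parse_uci(open('/etc/config/network').read())`; the prompt lines from a pasted terminal session are ignored by the parser.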

@CakeConnoisseur - I do not have time to read through this thread right now but if you have not yet seen it, you might find some answers in my post here. I use a RPi4B with VLANs as my firewall/router with a dumb AP for serving up WiFi.

Since that post, I inserted a managed switch into the mix to simplify things a bit. Ping me back if you have questions. I will try to help when I have more time.

1 Like

@slh basically said everything I would have said. Sorry I wasn't able to respond yesterday... been slammed at work.

I was going to point out what @slh said, which is that DSA is intended for devices with switches built in -- DSA stands for "Distributed Switch Architecture." While there are a few exceptions, devices without switches (such as the Pi) do not use DSA constructs.

1 Like

Apologies for the late reply!
I had a long day at work and then needed to figure out why the SO's laptop refused to connect to the new AP yesterday.
I carefully read your messages though.

After giving this some thought I now believe this is where my confusion came from:
Here is the completely untouched default config of a stock 21.02.1-bcm27xx-bcm2711-rpi-4 image I flashed to a spare SD card:

default 21.02.01 /etc/config/network
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

root@OpenWrt:~#

As you can see the default is the RPi's lonely eth0 assigned to the bridge device that's assigned to the lan interface.
This is what I was greeted by when I first started with OpenWRT about a year ago.
At first I briefly wondered why a single port had to be assigned to a bridge especially since the "S" in DSA stands for "switch" but since I could not find any information saying that a bridge always must have more than one port assigned to it and it worked flawlessly out of the box I decided that I didn't know enough to deviate from the default configuration.

So when I enabled bridge VLAN filtering I merely expanded upon these defaults.
And I got confused when you told me it would not work with the RPi because I had no indication that it didn't.

But I meant it when I said I wanted to learn and improve, so I took your advice and changed it both to VLAN IDs that are not in the 0-3 range and dotted notation.
Here is my current configuration; as you told me, untagged packets reach the mgt zone now that the DSA leftovers are gone:

current /etc/config/network with dotted notation
root@Router:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'
        option packet_steering '1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'eth0.10'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option delegate '0'

config interface 'tetheringwan'
        option proto 'dhcp'
        option device 'usb0'
        option delegate '0'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'eth0.20'

config interface 'work'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'eth0.30'

config interface 'mgt'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'eth0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '10'
        option name 'eth0.10'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '20'
        option name 'eth0.20'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '30'
        option name 'eth0.30'
        option ipv6 '0'

root@Router:~#

Thank you, I read through the whole thread.
It seems to me to confirm that both DSA and dotted notation can work on the RPi (provided you don't improperly mix them like I did at first) and that bridges can even be empty like your lxcbr0.
I based this on this and the following posts:

The reason you decided to use dotted notation is because it is the simpler more streamlined setup, correct?
My firewall settings are very similar to yours, which is reassuring as I was worried I made mistakes there.

Thank you all for your time, I think I have a better understanding of how this works now!
(Unfortunately only one post can be selected as solution.)

1 Like

Yes, and I had some help from the community setting it up as I was learning.

The bridge is configured by default to allow attaching your wireless interface(s) to it, that's the second bridge member (although it's also totally fine to configure a bridge with only a single bridge member). Bridges are fine here as well, although you don't really need them, the bridge-vlan filtering doesn't really work here though - without a dsa capable onboard switch, the eth0.x notation is much simpler.

1 Like

Well, that makes a lot of sense.
To be honest, as I've never used the RPi's built in Wifi I've never thought about it like that.
