RPi 4B DSA VLAN - please sanity check my settings

Apologies for the late reply!
I had a long day at work and then needed to figure out why the SO's laptop refused to connect to the new AP yesterday.
I carefully read your messages though.

After giving this some thought I now believe this is where my confusion came from:
Here is the completely untouched default config of a stock 21.02.1-bcm27xx-bcm2711-rpi-4 image I flashed to a spare SD card:

default 21.02.01 /etc/config/network
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

root@OpenWrt:~#

As you can see, the default is the RPi's lonely eth0 assigned to the bridge device that's assigned to the lan interface.
This is what I was greeted by when I first started with OpenWrt about a year ago.
At first I briefly wondered why a single port had to be assigned to a bridge, especially since the "S" in DSA stands for "switch", but since I could not find any information saying that a bridge always must have more than one port assigned to it, and it worked flawlessly out of the box, I decided that I didn't know enough to deviate from the default configuration.

So when I enabled bridge VLAN filtering I merely expanded upon these defaults.
And I got confused when you told me it would not work with the RPi because I had no indication that it didn't.

But I meant it when I said I wanted to learn and improve, so I took your advice and changed it both to VLAN IDs that are not in the 0-3 range and dotted notation.
Here is my current configuration, as you had told me untagged packages reach the mgt zone now that the DSA leftovers are gone:

current /etc/config/network with dotted notation
root@Router:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'
        option packet_steering '1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'eth0.10'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option delegate '0'

config interface 'tetheringwan'
        option proto 'dhcp'
        option device 'usb0'
        option delegate '0'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'eth0.20'

config interface 'work'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'eth0.30'

config interface 'mgt'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'eth0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '10'
        option name 'eth0.10'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '20'
        option name 'eth0.20'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '30'
        option name 'eth0.30'
        option ipv6 '0'

root@Router:~#

Thank you, I read through the whole thread.
It seems to me to confirm that both DSA and dotted notation can work on the RPi (provided you don't improperly mix them like I did at first) and that bridges can even be empty like your lxcbr0.
I based this on this and the following posts:

The reason you decided to use dotted notation is because it is the simpler more streamlined setup, correct?
My firewall settings are very similar to yours, which is reassuring as I was worried I made mistakes there.

Thank you all for your time, I think I have a better understanding of how this works now!
(Unfortunately only one post can be selected as solution.)

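An added example, not part of the original post or of OpenWrt: a small Python audit that parses a copy of /etc/config/network and reports, per physical port, which interface receives each VLAN ID and which one receives untagged frames. The function names and the trimmed sample config are constructed for illustration, and it only resolves VLAN devices declared as `option type '8021q'` sections, as in the configuration above.

```python
import shlex
from collections import defaultdict

# Constructed sample: a trimmed copy of the dotted-notation layout in the post.
SAMPLE = """
config interface 'lan'
        option device 'eth0.10'
config interface 'guest'
        option device 'eth0.20'
config interface 'mgt'
        option device 'eth0'
config device
        option type '8021q'
        option ifname 'eth0'
        option vid '10'
        option name 'eth0.10'
config device
        option type '8021q'
        option ifname 'eth0'
        option vid '20'
        option name 'eth0.20'
"""

def parse_uci(text):
    """Return a list of (section_type, section_name, options) tuples."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"]:
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok[:1] == ["option"] and sections and len(tok) >= 3:
            sections[-1][2][tok[1]] = tok[2]
    return sections

def vlan_map(text):
    """Map each parent port to {vid or None (untagged): interface name}."""
    sections = parse_uci(text)
    vlans = {o["name"]: (o["ifname"], int(o["vid"]))
             for t, _, o in sections if t == "device" and o.get("type") == "8021q"}
    ports = defaultdict(dict)
    for t, name, o in sections:
        if t == "interface" and "device" in o:
            parent, vid = vlans.get(o["device"], (o["device"], None))
            ports[parent][vid] = name
    return dict(ports)

def untagged_on_trunk(text):
    """Interfaces that take untagged frames on a port that also carries VLANs."""
    return [(p, m[None]) for p, m in vlan_map(text).items()
            if None in m and len(m) > 1]
```

Run against the sample, `untagged_on_trunk` reports `mgt` on `eth0`, which makes explicit that any device plugged into an untagged switch port on that trunk lands in the management network.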