Ok, I'm hoping some of you can tell me if things are correct with my setup. My ISP in Canada (Bell) has some specific VLAN requirements for it's FibreOp internet/IPTV service:
Internet VLAN 35
IPTV VLAN 34
I have the following hardware setup:
RPI4B 8GB with two USB ethernet adapters.
eth0 = my bell WAN connection
eth1 = managed switch that has a few STB's connected to it with a proper VLAN tagging setup
eth2 = unmanaged switch
I created a single bridge (br0) with all ports included (eth0, eth1, eth2) and setup VLAN filtering on that bridge:
Everything works great. However, on most out of the box setups I've seen with openwrt, there's been two bridges - br-lan and br-wan ... Are there any implications I should be aware of in having just the single bridge that includes both wan and lan ports? Should I have done this setup another way? Is there a benefit to having two bridges that divide the wan and lan ports?
It doesn't matter in your case. Your Pi was never designed as a router with predefined WAN and LAN interfaces, and you have three physical separate interfaces you're bridging. The VLANs are tagged, so traffic is separated unless you explicitly set up forwarding between the firewall zones all those bridges are part of. I assume your IPTV bridge interface has a separate zone, just like LAN and WAN. The colour in the web UI at least indicates that is the case.
What's the reason for eth0 being a tagged member of VLAN 1?
Wouldn't it be simpler to set up VLAN 35 the same as 34 and only have eth1 and eth2 as members of VLAN 1?
Which is assuming you don't have an empty port on your managed switch left and can't simply connect your unmanaged switch to it instead of the RPi.
Edit:
I might be missing something but don't you bypass the firewall by bridging your WAN and LAN ports?
So, on second thought, please disregard what I wrote about setting up VLAN 35 the same as VLAN 34!
The question about eth0 being a tagged member of VLAN 1 remains though.
@Borromini pointed out my error tagging vlan 1 .. I've since removed that. I believe where WAN and LAN are in different zones, even though they are bridged, the firewall still dictates traffic between the two?
I see, I re-read Borromini's post and the tags belonging to a certain zone is what I might have been missing.
Personally, I'd still be more comfortable with my WAN port not being tagged in the same VLAN as my LAN ports so as to not open myself up to mistakes somewhere down the line.
As you already removed the tagging anyway all is well.
I've reworked things and I think it's laid out much better now. I'm not using any VLAN filtering.
I've created the required VLAN virtual devices needed for each port and then bridged them accordingly to make the connections. Everything is working perfectly and no more WAN+LAN ports all in the same bridge (I did put eth0 by itself in a br-wan bridge just to have a nicer label on the interface vs eth0)
(I did put eth0 by itself in a br-wan bridge just to have a nicer label on the interface vs eth0)
