[Solved] Bridge VLAN with non-VLAN devices

Hello!

Currently, I have a setup similar to that described in the DSA tutorial: multiple br-* (LAN, IoT, Guest) devices bridging different LAN ports. No VLANs.
I want to connect a "smart" (managed) switch to one of the ports and utilize VLANs to assign different ports on the switch to different VLANs and hence bridges.

My idea was to create VLAN devices and then add them to existing bridges and let OpenWRT figure out tagging/untagging, to limit the scope of VLANs to this one port and the new switch. VLAN documentation made me think it's possible:

When you bridge non-VLAN and VLAN interfaces together, the system takes care about adding VLAN ID when sending packet from non-VLAN to VLAN interface, and it automatically removes the VLAN ID when sending packet from VLAN interface to non-VLAN one.

For simplicity, I'm testing with one VLAN and Windows machine instead of the switch. Windows machine is set to use VLAN10 and connected to LAN5 on the router. With this setup, I can access the internet, but I can't access any other devices connected to the router anymore. They are discoverable with arp -a and I can ping them. This makes me think it might be a firewall issue, but I can't figure out where the problem is.

Could you advise if what I'm trying to achieve is possible and what steps I need to take to make it work?

Here are the relevant parts of the config:

Device Info

The snapshot is custom-built, but I only added some packages and uci-defaults.

> ubus call system board

{
        "kernel": "6.6.47",
        "hostname": "GL-MT6000",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r27205-5d107bbbbb",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r27205-5d107bbbbb"
        }
}
/etc/config/network
config device
        option type '8021q'
        option ifname 'lan5'
        option vid '10'
        option name 'lan5.10'

config device 'lan_dev'
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5.10'

config interface 'lan'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '0000'
/etc/config/firewall

I don't have any Traffic rules with lan as src

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'

config forwarding
        option src 'lan'
        option dest 'wan'

Some info from the Windows machine
~ $ ifconfig
...
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : fdb6:fa1d:ab5c::10
   IPv6 Address. . . . . . . . . . . : fdb6:fa1d:ab5c:0:e91:e04b:36ce:79c0
   Temporary IPv6 Address. . . . . . : fdb6:fa1d:ab5c:0:b9ce:b74a:8b27:64cf
   Link-local IPv6 Address . . . . . : fe80::ca39:a35b:8348:7b58%50
   IPv4 Address. . . . . . . . . . . : 192.168.10.70
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::9683:c4ff:fea7:138c%50
                                       192.168.10.1
~ $ Get-NetAdapterAdvancedProperty |
>>     Where-Object { $_.RegistryKeyword -eq "VLAN_ID" } |
>>     Select-Object Name, DisplayName, DisplayValue

Name     DisplayName DisplayValue
----     ----------- ------------
Ethernet VLAN ID     10

Did you omit large parts of the config?

What you've shown in the network configuration is not correct and won't achieve your goals.

You should use your smart switch, not Windows, to enable testing of VLANs... we can get to that shortly.

But what is your actual intent here? Do you want to have multiple networks (like a trusted lan, guest, and iot network)? If so, please elaborate on how these should be setup on a port-by-port basis. Which port will be used to connect to the managed switch?

Yes, I thought what I've left is relevant and enough. Sorry, I'll add my full configs.

Yes, as I said I have LAN, IoT, and Guest bridges. I have multiple SSIDs as well. Currently, LAN port 1 is used in IoT, ports 2-5 are LAN and Guest only has WiFi.

I want to move some of my gear off wireless. So I got this tiny 5-port TP-Link switch. My idea was to connect a LAN5 on the router to Port 5 on the switch. Then on the switch make the default PVID for Port 1 - 10 (LAN), and connect my PC. Then set PVID 15 (IoT) for Port 2 and connect Android TV. And so on.
Then make Port 5 carry both tagged and untagged packets so I'm still able to connect to the switch's web interface.

I've never used VLANs or even switches before, so this is my naive understanding.

Here's the full config after I tried to add VLAN:

/etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb6:fa1d:ab5c::/48'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option sourcefilter '0'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config device 'lan_dev'
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5.10'

config interface 'lan'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '0000'

config device
        option type '8021q'
        option ifname 'lan5'
        option vid '10'
        option name 'lan5.10'

config device 'iot_dev'
        option type 'bridge'
        option name 'br-iot'
        list ports 'lan1'

config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.15.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '0001'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '0002'
/etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel 'auto'
        option htmode 'HE40'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '56'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'main'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'XXXXXXX'
        option ssid 'XXXXXXX-5G'

config wifi-iface 'guest'
        option device 'radio1'
        option network 'guest'
        option mode 'ap'
        option encryption 'psk2'
        option key 'XXXXXXX'
        option ssid 'XXXXXXX-5G-Guest'
        option guest '1'
        option isolate '1'

config wifi-iface 'iot'
        option device 'radio0'
        option network 'iot'
        option mode 'ap'
        option encryption 'psk2'
        option key 'XXXXXXX'
        option ssid 'XXXXXXX-IoT'
/etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_default '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_default '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_default '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
/etc/config/firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule 'guest_dhcp6'
        option name 'Allow-DHCPv6-Guest'
        option src 'guest'
        option dest_port '547'
        option proto 'udp'
        option family 'ipv6'
        option target 'ACCEPT'

config rule 'guest_icmp6'
        option name 'Allow-ICMP-IPV6-Guest'
        option src 'guest'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'

config zone 'iot'
        option name 'iot'
        option network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'iot_wan'
        option src 'iot'
        option dest 'wan'

config forwarding 'lan_iot'
        option src 'lan'
        option dest 'iot'

config rule 'iot_dns'
        option name 'Allow-DNS-Iot'
        option src 'iot'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'iot_dhcp'
        option name 'Allow-DHCP-Iot'
        option src 'iot'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule 'iot_dhcp6'
        option name 'Allow-DHCPv6-Iot'
        option src 'iot'
        option dest_port '547'
        option proto 'udp'
        option family 'ipv6'
        option target 'ACCEPT'

config rule 'iot_icmp6'
        option name 'Allow-ICMP-IPV6-Iot'
        option src 'iot'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'


First thing we need to do is remove the .10 from lan5 and re-add port lan1 to the bridge... I also would suggest omitting the name in the device line:

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

Next, delete this:

config device
        option type '8021q'
        option ifname 'lan5'
        option vid '10'
        option name 'lan5.10'

Then we need to make bridge-VLANs (VLAN ID 10 for lan, 15 for IoT):

config bridge-vlan
        option vlan '10'
        option device 'br-lan'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'lan5:t'

config bridge-vlan
        option vlan '15'
        option device 'br-lan'
        list ports 'lan1:u*'
        list ports 'lan5:t'

now, we'll edit the lan and iot interfaces to use br-lan.x where x is the respective VLAN ID:

config interface 'lan'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '0000'

...
config interface 'iot'
        option proto 'static'
        option device 'br-lan.15'
        option ipaddr '192.168.15.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6hint '0001'

Now you can restart your router and you should have the following:

  • Port lan1: VLAN 15 (iot) untagged
  • Port lan2: VLAN 10 (lan) untagged
  • Port lan3: VLAN 10 (lan) untagged
  • Port lan4: VLAN 10 (lan) untagged
  • Port lan5: VLAN 10 (lan) and VLAN 15 (iot), both tagged.

On the switch, you need to make sure that you have VLANs 10 and 15 configured as tagged on the uplink port. Then, set the respective VLANs as untagged + PVID on the other ports as desired.


That worked! Thank you!

Could you please elaborate on how this is different from what I was trying to do? If I understand correctly, I now have all traffic in my subnets tagged, right? While I was trying to leave the VLANs at the device level and the interface would only see the "normal" bridge.
Then what's the purpose of the 8021q device type? Sorry for the silly questions.

Why so? I use a set of uci-defaults scripts to set up my router, so having static names helps achieve predictable results.

You did not set up bridge-vlans. On DSA devices, this is the method by which you can define VLANs and port-vlan membership.

Tagging relates to the status on the ethernet ports (on a per-port basis). So your subnets are assigned to VLAN IDs, and those VLAN IDs are tagged on some ports, untagged on others.

Not sure exactly what you mean here, but fundamentally, VLANs are not the device. There is the bridge as a device, and then the extensions of the bridge devices are the bridge-vlans. FWIW, DSA generally only works with a single bridge (currently anyway).

From what I can tell, the ability to explicitly define an 802.1q device is mostly a legacy thing, but it does have some practical application in certain niche situations where you might need to refer to a device by a more descriptive name. But generally, these are not needed because the underlying 802.1q device is created automatically under the hood when you define bridge-vlans. I am not sure if there is a risk of a conflict when a .1q config exists explicitly, but I always recommend keeping the config clean.

There is a line specifically for the name. The config device line can stand on its own. From a human readability standpoint, I guess your approach could work, but I always worry about the possibility that putting a name there could cause a conflict under certain circumstances (in older versions of OpenWrt, this was the method of naming the stanzas, but then the name field was added instead).

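The bridge-vlan procedure given earlier in the thread (plain bridge, bridge-vlan stanzas, interfaces on br-lan.X) and the explanation just above of why an explicit 8021q device does not belong in it can both be checked before a restart. The following Python script is an added example, not code from the thread or from OpenWrt: it parses UCI text, builds the per-port tagged/untagged view the answer lists (lan5 carrying 10 and 15 tagged, the others untagged with a PVID), and warns about the mistakes discussed (an 8021q device used as a bridge port, a port given more than one PVID, an interface on a br-lan.X device with no matching bridge-vlan). The helper names parse_uci, port_membership and lint are hypothetical, and both embedded configs are constructed (the fixed one trimmed to three ports).

```python
"""Check an OpenWrt UCI network config for consistent DSA bridge-VLAN membership.
Added example, not code from the thread or from OpenWrt; parse_uci, port_membership
and lint are hypothetical helper names, and both embedded configs are constructed."""
import shlex
from collections import defaultdict

# Constructed: the answer's layout, trimmed to ports lan1, lan2 and lan5.
FIXED_CONFIG = """
config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan5'
config bridge-vlan
        option vlan '10'
        option device 'br-lan'
        list ports 'lan2:u*'
        list ports 'lan5:t'
config bridge-vlan
        option vlan '15'
        option device 'br-lan'
        list ports 'lan1:u*'
        list ports 'lan5:t'
config interface 'lan'
        option device 'br-lan.10'
config interface 'iot'
        option device 'br-lan.15'
"""
# Constructed: the first attempt, an 8021q sub-interface used as a bridge port.
FIRST_ATTEMPT = """
config device
        option type '8021q'
        option ifname 'lan5'
        option vid '10'
        option name 'lan5.10'
config device 'lan_dev'
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan2'
        list ports 'lan5.10'
"""


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options', 'lists'}."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw)                       # handles the quoted values
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "config":
            sections.append({"type": words[1], "name": words[2] if len(words) > 2 else None,
                             "options": {}, "lists": defaultdict(list)})
        elif words[0] == "option":
            sections[-1]["options"][words[1]] = words[2]
        elif words[0] == "list":
            sections[-1]["lists"][words[1]].append(words[2])
    return sections


def port_membership(sections):
    """Per-port view of the bridge-vlan stanzas: port -> [(vid, mode, is_pvid)]."""
    members = defaultdict(list)
    for s in sections:
        if s["type"] == "bridge-vlan":
            vid = int(s["options"]["vlan"])
            for spec in s["lists"]["ports"]:           # e.g. 'lan2:u*' or 'lan5:t'
                port, _, flags = spec.partition(":")
                mode = "untagged" if "u" in flags else "tagged"
                members[port].append((vid, mode, "*" in flags))
    return dict(members)


def lint(sections):
    """Return warnings for the mistakes discussed in the thread."""
    warnings = []
    devices = [s for s in sections if s["type"] == "device"]
    bridges = {s["options"].get("name"): s for s in devices if s["options"].get("type") == "bridge"}
    dot1q = {s["options"].get("name") for s in devices if s["options"].get("type") == "8021q"}
    vlan_devs = set()
    for s in (s for s in sections if s["type"] == "bridge-vlan"):
        br, vid = s["options"]["device"], s["options"]["vlan"]
        vlan_devs.add(f"{br}.{vid}")                   # the br-lan.X device it creates
        for port in (spec.partition(":")[0] for spec in s["lists"]["ports"]):
            if br not in bridges or port not in bridges[br]["lists"]["ports"]:
                warnings.append(f"bridge-vlan {vid}: {port} is not a port of {br}")
    for name, br in bridges.items():                   # the thread's original mistake
        for port in br["lists"]["ports"]:
            if port in dot1q:
                warnings.append(f"{name}: {port} is an 8021q device; use a bridge-vlan instead")
    for port, entries in port_membership(sections).items():
        pvids = [vid for vid, _, is_pvid in entries if is_pvid]
        if len(pvids) > 1:                             # one untagged PVID per port
            warnings.append(f"{port}: more than one PVID {pvids}")
    for s in (s for s in sections if s["type"] == "interface"):
        dev = s["options"].get("device", "")
        if "." in dev and dev not in vlan_devs and dev not in dot1q:
            warnings.append(f"interface {s['name']}: {dev} has no matching bridge-vlan")
    return warnings
```

To check a real router, read /etc/config/network into a string and pass it to parse_uci; port_membership then gives the same per-port listing the answer writes out by hand, and lint on the constructed FIRST_ATTEMPT returns exactly one warning, the 8021q device sitting in the bridge's port list.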

Now, after I added two VLANs, I think I understand. If I were to go with the devices, I would need to add lan5.10, lan5.15 and lan1.15 devices and then bridge them with the existing bridges somehow... Yeah, that's more complicated than I first thought.

The outcome for me is that I need to read more about devices, bridges, and switches :sweat_smile:

Thank you for your answers!

No, this would not work. And bridging them with existing bridges would defeat the purpose of VLANs.

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial
