[SOLVED] Migrating to kernel 5.4 and DSA switch: config changes

Installing and Using OpenWrt
1

Greeting everyone. I am planning to upgrade from 19.07.02 to the master branch (specifically to dengqf6:dsa-fix).

MT7621 master branch had switched to kernel 5.4 with DSA switch, hence my config needs to be changed. I've come up with the below config after reading the latest discussion on #2942.

Would anyone mind reading it over and suggest if any corrections are needed? All help appreciated.

Current config based on swconfig (as seen in LUCI):

VLAN ID CPU (eth0) LAN 1 LAN 2 LAN 3 LAN 4 WAN
1 t u u
2 t u
19 t u
50 t u
  • VLAN 1 is LAN bridge eth0.1 192.168.1.1 - gives out DHCP in 192.168.1.0/24
  • VLAN 19 is also a bridge eth0.19 - gives out DHCP in 192.168.19.0/24

What I'd like to do with DSA:

VLAN ID CPU (br-lan) eth0 eth1 eth2 eth3 eth4
100 t u u
200 t u
19 t u
50 t u
  • VLAN 100 will be for LAN on ports eth2,eth3 - gives out DHCP in 192.168.100.0/24 range
  • VLAN 200 will be for WAN on eth0
  • VLAN 19 basically unchanged. Has IP of 192.168.19.1 and port eth4 gives out DHCP in 192.168.19.0/24 range

Here's what I presume needs to be done to achieve the above. Does this look reasonable; anything I missed, misunderstood?

P.S. Sorry if I am "beating a dead horse" here; but the whole DSA change is basically a paradigm shift for me.

/etc/hotplug.d/iface/21-lan

#!/bin/sh
[ "$INTERFACE" = lan ] && [ "$ACTION" = ifup ] || exit 0

# enable VLAN filtering
ip link set dev br-lan type bridge vlan_filtering 1

# clear out vlan 1
bridge v del dev eth0 vid 1
bridge v del dev eth1 vid 1
bridge v del dev eth2 vid 1
bridge v del dev eth3 vid 1
bridge v del dev eth4 vid 1
bridge v del dev br-lan self vid 1

# set vlans eth0
bridge v add dev eth0 vid 200 pvid untagged

# set vlans eth1
bridge v add dev eth1 vid 50 pvid untagged

# set vlans eth2
bridge v add dev eth2 vid 100 pvid untagged

# set vlans eth3
bridge v add dev eth3 vid 100 pvid untagged

# set vlans eth4
bridge v add dev eth4 vid 19 pvid untagged

# set vlans cpu port
bridge v add dev br-lan self vid 19 pvid untagged
bridge v add dev br-lan self vid 50 pvid untagged
bridge v add dev br-lan self vid 100
bridge v add dev br-lan self vid 200 pvid untagged

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0 eth1 eth2 eth3 eth4'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
    option macaddr 'XX:XX:XX:XX:XX:XA'

config interface 'dhcp_lan'
	option proto 'static'
    option ifname '@lan.100'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option dns '10.210.210.12'
    
config interface 'wan'
	option ifname '@lan.200'
	option proto 'dhcp'
    option macaddr 'XX:XX:XX:XX:XX:XB'

config interface 'iso'
	option ifname '@lan.19'
	option proto 'static'
	list ipaddr '192.168.19.1'
    option netmask '255.255.255.0'
    list dns '8.8.8.8'
	list dns '1.1.1.1'
	option macaddr 'XX:XX:XX:XX:XX:19'
	option delegate '0'

config interface 'ros'
	option proto 'static'
	option ifname '@lan.50'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
	option macaddr 'XX:XX:XX:XX:XX:XD'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	list server '10.210.210.12'
	list notinterface 'wan'
	option filterwin2k '1'
	option authoritative '1'
	list interface 'dhcp_lan' # lan vlan 100
	list interface 'iso' # lan vlan 19

config dhcp 'dhcp_lan'
	option interface 'dhcp_lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'iso'
    option interface 'iso'
	option start '100'
	option leasetime '12h'
	option limit '150'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac 'XX:XX:XX:XX:XX:XX'
	option name 'iso_desk'
	option dns '1'
	option ip '192.168.19.150'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option output 'ACCEPT'
	option drop_invalid '1'
	option input 'DROP'
	option forward 'DROP'
	option flow_offloading '1'

###############
# ZONES
###############

# For 192.168.1.0/24 [lan bridge] 
# and 192.168.100.0/24 [vlan 100 dhcp_lan] networks
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	option network 'lan dhcp_lan'
    option family 'ipv4'
    list subnet '192.168.1.0/24 192.168.100.0/24'

# Upstream WAN [vlan 200], nothing special
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan'

# For 192.168.19.0/24 [vlan 19]
config zone
    option name 'iso'
	option network 'iso'
	option log '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
    option family 'ipv4'
    list subnet '192.168.19.0/24'

# For 192.168.2.0/24 [vlan 50]
config zone
	option name 'ros'
    option network 'ros'
    option log '1'
	option input 'DROP'
	option forward 'DROP'
	option output 'ACCEPT'
	option family 'ipv4'
	list subnet '192.168.2.0/24'

###############
# FORWARDING
###############

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'iso'


###############
# RULES
###############

# Technically not needed, but why not
config rule
	option name 'block-egress-martians'
	option src '*'
	list src_ip '0.0.0.0/0'
	option dest 'wan'
	option proto 'all'
	list dest_ip '0.0.0.0/8'
	list dest_ip '10.0.0.0/8'
	list dest_ip '127.0.0.0/8'
	list dest_ip '169.254.0.0/16'
	list dest_ip '172.16.0.0/12'
	list dest_ip '192.0.0.0/24'
	list dest_ip '192.0.2.0/24'
	list dest_ip '224.0.0.0/3'
	list dest_ip '192.168.0.0/16'
	list dest_ip '198.18.0.0/15'
	list dest_ip '198.51.100.0/24'
	list dest_ip '203.0.113.0/24'
	option target 'DROP'

# Technically not needed, but why not
config rule
	option name 'block-ingress-martians'
	option src 'wan'
	option dest_ip '0.0.0.0/0'
	option dest '*'
	option proto 'all'
	list src_ip '0.0.0.0/8'
	list src_ip '10.0.0.0/8'
	list src_ip '127.0.0.0/8'
	list src_ip '169.254.0.0/16'
	list src_ip '172.16.0.0/12'
	list src_ip '192.0.0.0/24'
	list src_ip '192.0.2.0/24'
	list src_ip '224.0.0.0/3'
	list src_ip '192.168.0.0/16'
	list src_ip '198.18.0.0/15'
	list src_ip '198.51.100.0/24'
	list src_ip '203.0.113.0/24'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Block-Outbound-TFTP'
	option src 'lan'
	option dest 'wan'
	option dest_port '69'
	option proto 'udp'
	option family 'any'
	option target 'DROP'

config rule
	option name 'Block-Outbound-SNMP'
	option src 'lan'
	option dest 'wan'
	option dest_port '161 162'
	option proto 'udp'
	option family 'any'
	option target 'DROP'

config rule
	option name 'Block-Outbound-SMB'
	option src 'lan'
	option dest_port '135 137 138 139'
	option dest 'wan'
	option proto 'tcp udp'
	option target 'DROP'

config rule
    option name 'Block-445-SMB'
	option dest_port '445'
	option src '*'
	option dest '*'
	list proto 'tcp udp'
    option target 'DROP'

config rule
	option dest_port '7680'
	option src '*'
	option name 'Block-pando'
	option dest '*'
	option target 'DROP'

# Allow SSH and luci from 192.168.2.0/24
config rule
    option name 'ros-mgmt'
    option src 'ros'
    list src_ip '192.168.2.0/24'
    list dest_ip '192.168.1.1'
    option dest_port '22 80'
	list proto 'tcp'
    option target 'ACCEPT'

Thanks!

2

No that's not it at all.

There is no named CPU eth port any more. The hardware reality that all Ethernet traffic must enter the CPU through one port is abstracted away from the user.

As everything in your setup leaves the router untagged, you don't even need to think about VLAN numbers. Internal VLANs must be defined to isolate traffic within the switch, but DSA does that automatically.

So you set up 4 networks and simply use the ifname of the port(s) that you want to attach to them.

2 Likes
3

Huh thanks! Good point about isolating traffic, with swconfig I used untagged VLANs just to create separate broadcast domains; if DSA does that as is - then I don’t even need to bother.

Regarding no port named “CPU” in DSA (like eth0 in swconfig) - that much I think I understood. In the second table CPU (br-lan) refereed to the br-lan bridge. Example here: https://github.com/openwrt/openwrt/pull/2942#issuecomment-629374851

In the above example there’s a bridge br-lan created with tagging support, which I understood would be done by the CPU. Then vlans are configured both on hardware interfaces and on the bridge.

Regardless, for what I need to achieve - you’ve answered my question perfectly.

Thanks!

4

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.