[SOLVED] Swconfig & VLANs in OpenWRT 24.10?

Hello there!
I have heard that swconfig ("Switch" tab under "Network") is somewhat obsolete (I do believe since OpenWRT 21), but my Asus RT-AC51U with freshly installed OpenWRT 24.10 still has it. VLANs work both through the swconfig (with some WiFi issues) and virtual bridge filtering.

So, the main question is: should there not be only a single VLAN solution in such a case?
Perhaps swconfig is obsolete just for newer devices that support DSA?

If I go to the Interface/Device tab to create VLANs, I have only two devices: "eth0.1", which is all (4) LAN ports, and "eth0.2", which is the single WAN port.
So, I can configure VLANs here, but not per LAN port, but only per all LAN ports and per WAN port.

I first did a weird swconfig + virtual bridge VLANning, in an OpenWRT subreddit post, where I first had the idea to assign each port in swconfig to VLANs "111, 222, 333, 444" and then put each newly created VLAN in a bridge, where they would have additional VLANs, but thankfully @BIGFAT helped me to understand that this is not the best way in terms of resource usage.

When I tried to configure VLANs on this router, I could go either way: with VLANs per all ports, or per port, but in swconfig.
With swconfig, though, I had an issue with WiFi: I had to create a bridge with a single VLAN interface and assign this interface to the WiFi's network. But I guess this is a normal procedure.

Additional info about the router, if needed:

ubus call system board:

{
        "kernel": "6.6.93",
        "hostname": "RT-AC51U_OpenWRT",
        "system": "MediaTek MT7620A ver:2 eco:6",
        "model": "Asus RT-AC51U",
        "board_name": "asus,rt-ac51u",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.2",
                "revision": "r28739-d9340319c6",
                "target": "ramips/mt7620",
                "description": "OpenWrt 24.10.2 r28739-d9340319c6",
                "builddate": "1750711236"
        }
}

cat /etc/config/network:
(WAN interfaces are disabled, but included for future use)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4b:ee08:5853::/48'
        option packet_steering '1'

config device
        option name 'eth0.1'
        option macaddr 'de:ad:be:ef:13:37'

config interface 'lan'
        option device 'eth0.40'
        option proto 'none'
        option type 'bridge'
        option defaultroute '0'

config interface 'wan'
        option device 'eth0.10'
        option proto 'dhcp'
        option disabled '1'
        option auto '0'
        option hostname '*'

config interface 'wan6'
        option device 'eth0.10'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option disabled '1'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t'
        option vid '1'
        option description 'Hardcoded_LANs'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t'
        option vid '2'
        option description 'Hardcoded_WAN'

config interface 'IoT'
        option proto 'none'
        option device 'eth0.45'
        option defaultroute '0'

config route
        option interface 'lan'
        option target '0.0.0.0/0'
        option gateway '192.168.40.1'
        option source '192.168.40.2'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '41'
        option name 'eth0.41'

config interface 'LoL'
        option proto 'none'
        option device 'eth0.41'
        option auto '0'
        option defaultroute '0'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '40'
        option ports '0t 1 6t'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '41'
        option ports '0t 2 6t'
        option description 'LoL1'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '0t 6t'
        option vid '45'
        option description 'IoT'

config switch_vlan
        option device 'switch0'
        option vlan '6'
        option ports '0t'
        option vid '10'
        option description 'WAN_notUsed'

config switch_vlan
        option device 'switch0'
        option vlan '7'
        option vid '50'
        option ports '0t 6t'
        option description 'Guest'

config switch_vlan
        option device 'switch0'
        option vlan '8'
        option vid '5'
        option ports '0t 6t'
        option description 'Default2'

config switch_vlan
        option device 'switch0'
        option vlan '9'
        option ports '0t 6t'
        option vid '99'
        option description 'MNGT'

config interface 'MNGT'
        option proto 'static'
        option device 'eth0.99'
        option ipaddr '192.168.99.2'
        option netmask '255.255.255.0'
        option gateway '192.168.99.1'
        list dns '192.168.99.1'

config device
        option type 'bridge'
        option name 'br-lan_wifi'
        option bridge_empty '1'
        list ports 'eth0.40'

config interface 'int_lan_wifi'
        option proto 'none'
        option device 'br-lan_wifi'
        option defaultroute '0'

config device
        option type 'bridge'
        option name 'br-IoT_wifi'
        list ports 'eth0.45'

config interface 'int_IoT_wifi'
        option proto 'none'
        option device 'br-IoT_wifi'
        option defaultroute '0'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option vid '55'
        option ports '0t 3 6t'
        option description 'Test1'

config switch_vlan
        option device 'switch0'
        option vlan '13'
        option vid '56'
        option ports '0t 4 6t'
        option description 'Test2'

cat /etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option country 'SE'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'int_lan_wifi'
        option mode 'ap'
        option ssid 'Vi-Fi_50'
        option encryption 'sae'
        option key 'password'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/10180000.wmac'
        option band '2g'
        option channel '13'
        option htmode 'HT20'
        option country 'SE'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'int_lan_wifi'
        option mode 'ap'
        option ssid 'Vi-Fi_24'
        option encryption 'sae'
        option key 'password'
        option ocv '0'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Vi-Ti_24'
        option encryption 'sae-mixed'
        option key 'password'
        option network 'lan_wifi_int int_lan_wifi'
        option ocv '0'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Vi-Ti_50'
        option encryption 'sae-mixed'
        option network 'int_lan_wifi'
        option key 'password'
        option ocv '0'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Vi-Fi_IoT'
        option encryption 'sae'
        option key 'password'
        option ocv '0'
        option network 'int_IoT_wifi'

wifinet2 seems to have a double interface. I guess this is because of the renaming I did a while ago. This SSID (LAN & Internet access) works fine, though.

1 Like

DSA and swconfig are two different methods of addressing the built-in switch chip inside many all-in-one consumer routers. They are mutually exclusive in that any given device will be either swconfig XOR DSA based.

Starting with 21.02, the project has been migrating to DSA, but this is done on a target-by-target basis, so the migration still continues. This means that some architectures still use swconfig.

This sounds like swconfig. As with DSA, you can configure each switch port with whatever port-vlan membership you desire. It's just a matter of understanding how to do so.

Your config has a lot of stuff going on, and will take a bit of time to read through... are things working as expected? If so, no changes are likely necessary. But if you're having an issue, please be specific about what's not working.

1 Like
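The per-port VLAN membership encoded in swconfig `ports` strings such as `'0t 1 6t'` can be tabulated and sanity-checked offline. This is an added example, not code from the thread or from OpenWrt; the helper names are hypothetical, and it assumes port 6 is the CPU-facing port and that every stanza carries an explicit `vid`.

```python
import re
from collections import defaultdict

CPU_PORT = "6"  # assumption: port 6 is the CPU-facing switch port on this board
SAMPLE = """# trimmed excerpt of the switch_vlan stanzas from the config posted above
config switch_vlan
        option vlan '3'
        option vid '40'
        option ports '0t 1 6t'
config switch_vlan
        option vlan '4'
        option vid '41'
        option ports '0t 2 6t'
config switch_vlan
        option vlan '6'
        option ports '0t'
        option vid '10'
"""

def parse_switch_vlans(text):
    """Return {vid: [port tokens]} for each 'config switch_vlan' stanza."""
    vlans = {}
    for stanza in re.split(r"(?m)^config\s+", text)[1:]:
        head, _, body = stanza.partition("\n")
        if head.split()[:1] == ["switch_vlan"]:  # skip interface, device, ... stanzas
            opts = dict(re.findall(r"option\s+(\w+)\s+'([^']*)'", body))
            vlans[int(opts["vid"])] = opts.get("ports", "").split()
    return vlans

def port_membership(vlans):
    """Return {port: {"untagged": [vids], "tagged": [vids]}}; a 't' suffix means tagged."""
    ports = defaultdict(lambda: {"untagged": [], "tagged": []})
    for vid, tokens in sorted(vlans.items()):
        for tok in tokens:
            ports[tok.rstrip("t")]["tagged" if tok.endswith("t") else "untagged"].append(vid)
    return dict(ports)

def audit(vlans):  # flag ports untagged in several VLANs and VLANs that omit the CPU port
    findings = []
    for port, m in sorted(port_membership(vlans).items()):
        if len(m["untagged"]) > 1:
            findings.append(f"port {port} is untagged in several VLANs: {m['untagged']}")
    for vid, tokens in sorted(vlans.items()):
        if CPU_PORT not in {t.rstrip("t") for t in tokens}:
            findings.append(f"VID {vid} omits CPU port {CPU_PORT}: eth0.{vid} gets no frames")
    return findings

if __name__ == "__main__":
    print(audit(parse_switch_vlans(SAMPLE)))
```

On the excerpt, the only finding is VID 10, which matches its `WAN_notUsed` description in the posted config.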

Everything is working fine; I was just wondering if swconfig should be used today, or if my router is "special"/bugged in some way.

I wonder about one thing. My English is not perfect, so I did not fully understand the thing with DSA vs swconfig... Is it mostly a hardware or a software limitation? Like, is it possible to implement DSA through OpenWRT on an older router/switch, or is it physically limited by hardware/firmware for either older or specific devices?

Thanks for all the explanations!

No worries...

DSA vs swconfig has nothing to do with "limitations." It's a software implementation and simply refers to the configuration syntax (exposed to the user) and the method by which the system actually interacts with the hardware itself.

You can really think of it as 2 different languages - much the same way as we work with spoken/written languages as humans.

Keeping with the language analogy, think of it as a project translating maybe an ancient text from Latin to English (or any other modern language). It takes time to do this, so you release maybe one chapter per year. If you look at the release notes for each (major) OpenWrt version since 21.02, you'll see that the "chapters" relate to "targets" (processor architectures), with each successive OpenWrt version transitioning more of them from swconfig to DSA.

Ideally, at some point in the future, all OpenWrt devices will use DSA. So don't think of it as a hardware or firmware "limitation" but rather a matter of translating from an older method to a new one. This takes a lot of hard work on the part of the developers, and it is possible that some targets may prove more difficult than others to migrate to DSA (and it's always possible that some targets won't be migrated due to those difficulties and/or for other reasons), but fundamentally it's just a matter of "translating" the old swconfig methods to the new DSA ones.

1 Like

Aha, I see!
That was a really good explanation!
Thank you so much and have a great day, @psherman!

What I don't understand is: if the router is swconfig based, in LuCI you get the Network > Switch menu BUT apparently you can also define VLAN (802.1q) devices on the Network > Interfaces > Devices tab, although you can't assign individual bridge ports as tagged or untagged. You can even add a VLAN 802.1q on top of a Switch VLAN (LuCI lets you do that, don't know if it will work), so you could end up with some device like eth0.4.26 …

How do both options interact? I'm guessing that you are defining software VLANs on top of switch VLANs, but I don't understand enough to know if that makes any sense or if you should just avoid touching that section and just define VLANs in the Network > Switch menu…

1 Like

That would be invalid.

No, such configurations would not be correct. You can define 802.1q stanzas (ethx.y), but it is not necessary since it is done automatically when you create VLANs on the switch or via bridge VLANs for DSA.

2 Likes

Actually it worked, but weirdly...

I could create VLANs in swconfig, and then create a virtual bridge with VLAN filtering, where I attached newly created VLANs and it somewhat worked (I do not have a config, but I can re-create if needed. Have images attached from Reddit post).

I do not recall exactly, but there were some problems with tagging in swconfig, through the WAN port... After deleting all the bridges with VLAN filtering, those problems went away.

Just to repeat myself, for me everything is working now (using only swconfig), but it is weird that it is possible to mix VLANs that way.


What is shown in those screenshots will lead to an invalid and likely problematic configuration. I’m not sure exactly what it would do, but it would probably do some unexpected things.

1 Like

Well, it worked well at least for like 2-3 days, before I decided to ask if this is really a good solution.
I guess this way there was extra CPU processing though (have not measured).

Thanks for the info!

I don't know that it would have impacted the CPU, but the operation of the VLANs may not have worked entirely as expected, even if not immediately obvious.

1 Like
