Tagged and Untagged VLANs on the same physical port

Hello. I'm dealing with the “router board” which is embedded in the Lenovo SE350 server. The board is technically an NXP LS1046A chip running an unidentified OpenWRT version.

(The latest OEM firmware presents itself as HYL414C, r620-7bcd4a56 and unfortunately I have no clue what it means. Even the firmware change history file does not seem to have been updated since the previous version, HYL413C, r618-fedb9be0. And their readme is even less useful.)

Long story short, I started with the VLAN wiki and figured this device does not look like it has embedded switch hardware, even though it features plenty of physical ports.

oper@enb-7d1b-j10177lb:~$ ls -l /sys/class/net
lrwxrwxrwx    1 root     root             0 Jul 22 18:43 bond0 -> ../../devices/virtual/net/bond0
-rw-r--r--    1 root     root          4096 Jul 22 18:43 bonding_masters
lrwxrwxrwx    1 root     root             0 Jul 22 18:43 br-edge_lan -> ../../devices/virtual/net/br-edge_lan
lrwxrwxrwx    1 root     root             0 Jul 22 18:43 br-mgmt_xcc_lan -> ../../devices/virtual/net/br-mgmt_xcc_lan
lrwxrwxrwx    1 root     root             0 Jul 22 18:43 br-wifi_lan_ap -> ../../devices/virtual/net/br-wifi_lan_ap
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth0 -> ../../devices/platform/soc/soc:fsl,dpaa/soc:fsl,dpaa:ethernet@1/net/eth0
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth1 -> ../../devices/platform/soc/soc:fsl,dpaa/soc:fsl,dpaa:ethernet@2/net/eth1
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth2 -> ../../devices/platform/soc/soc:fsl,dpaa/soc:fsl,dpaa:ethernet@3/net/eth2
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth3 -> ../../devices/platform/soc/soc:fsl,dpaa/soc:fsl,dpaa:ethernet@4/net/eth3
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth4 -> ../../devices/platform/soc/soc:fsl,dpaa/soc:fsl,dpaa:ethernet@5/net/eth4
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth5 -> ../../devices/platform/soc/soc:fsl,dpaa/soc:fsl,dpaa:ethernet@8/net/eth5
lrwxrwxrwx    1 root     root             0 Jan  1  1970 eth6 -> ../../devices/platform/soc/soc:fsl,dpaa/soc:fsl,dpaa:ethernet@9/net/eth6
lrwxrwxrwx    1 root     root             0 Jan  1  1970 ip6tnl0 -> ../../devices/virtual/net/ip6tnl0
lrwxrwxrwx    1 root     root             0 Jan  1  1970 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx    1 root     root             0 Jan  1  1970 sit0 -> ../../devices/virtual/net/sit0
lrwxrwxrwx    1 root     root             0 Jul 22 18:43 wlan0 -> ../../devices/platform/soc/3400000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0
oper@enb-7d1b-j10177lb:~$

So, I should probably follow the “Creating driver-level VLANs” section of the said wiki.

I want this device to be configured in the following way. (VLAN IDs can be anything as I'm not exposing them externally.)

  • physical port eth1: VLAN A, access mode
  • physical port eth2: VLAN B, access mode
  • physical port eth5: VLANs A & B, where VLAN A is the “native” VLAN (untagged) and VLAN B is only accessible if tagged by the client.

I do not need any routing whatsoever between those VLANs, nor do I need the OpenWRT device to have any interfaces of its own there.

Unfortunately, it looks like the wiki lacks a configuration sample for my scenario, where there are multiple VLANs on the same physical port, and one of them needs to be native. Can someone please share any pointers? Thanks in advance!

You may need to reach out to the manufacturer of the board and/or the maintainers of the OpenWrt version that is installed on it... it is likely very different than traditional OpenWrt and may therefore mean you need help from those who know the specifics of that specific hardware and OpenWrt version.

Since the board doesn't have a switch and the ports are individually routed, individual networks on eth1 and eth2 are easy. But eth5 will present a bit more of a challenge.

You may be able to create 2 bridges:

  • br-a with eth1 and eth5
  • br-b with eth2 and eth5.x (where x is the VLAN ID you choose for VLAN B).

Then use those bridges (br-a, and br-b) as the devices in the network definitions.

Depending on the specifics of the hardware, this may be fine, or it may incur a performance penalty... a bridge is essentially a software switch, and requires the CPU to execute the switching routines. On some devices, this means it is much slower than line rate. Dedicated switch hardware is always preferred when possible. And, in your case, that might mean considering an external switch to achieve this goal... it might have better performance and may be easier to configure for these purposes. But try what I described above and see what happens.

1 Like
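
The two-bridge layout suggested in the reply above, written out as `uci` commands in the old-style syntax (`type='bridge'` plus an `ifname` list) that this firmware turns out to use. This is an added example, not from any poster or from the vendor; the section names `lab` and `corp`, VLAN ID 100 and the `vlan_split` helper are assumptions, and it only stages changes.

```shell
#!/bin/sh
# Added example (not from the thread or the vendor): stage two isolated bridges
# using the old-style UCI syntax (type='bridge' + ifname list) this firmware shows.
# Assumed names: sections "lab" and "corp" and VLAN ID 100 are illustrative.
UCI="${UCI:-sudo uci}"    # set UCI=echo for a dry run that only prints the commands

# usage: vlan_split ACCESS_A ACCESS_B TRUNK VID "PORTS_LEFT_IN_EDGE_LAN"
vlan_split() {
    a=$1; b=$2; trunk=$3; vid=$4; keep=$5
    # 802.1Q reserves VID 0 and 4095; reject those and non-numeric input
    [ "$vid" -ge 1 ] 2>/dev/null && [ "$vid" -le 4094 ] || {
        echo "invalid VLAN ID: $vid" >&2; return 1; }
    # Pull the ports out of the stock bridge first, otherwise every segment
    # stays merged through edge_lan
    $UCI set network.edge_lan.ifname="$keep" || return 1
    # VLAN A: access port plus the untagged (native) side of the trunk
    $UCI set network.lab=interface
    $UCI set network.lab.type='bridge'
    $UCI set network.lab.ifname="$a $trunk"
    $UCI set network.lab.proto='none'     # router gets no address in this segment
    # VLAN B: access port plus the tagged sub-interface; a dotted name such as
    # eth5.100 makes netifd create the 802.1Q device on demand
    $UCI set network.corp=interface
    $UCI set network.corp.type='bridge'
    $UCI set network.corp.ifname="$b $trunk.$vid"
    $UCI set network.corp.proto='none'
}

# Example: vlan_split eth1 eth2 eth5 100 'eth3 eth6'
# Review with "sudo uci changes network" before committing and restarting.
```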

Thank you! Unfortunately, the vendor is not very responsive, so I'm willing to experiment myself. I'm pretty sure it's a basic OpenWRT, more or less, even though they implemented a bunch of hardening (e.g. no root login, no opkg, cannot edit configs directly, etc.)

Is this how it's supposed to look? Or have I completely missed the point?

sudo uci set network.edge_lan.ifname='eth3 eth6'  # remove the ports we need from the default configuration

sudo uci set network.port5=device        # port 5 is how it's labeled on the box externally
sudo uci set network.port5.ifname='eth1' # eth1 is how OpenWRT sees it
sudo uci set network.port5.type='8021q'  # probably don't need this since it's the default, but I'd like to be explicit
sudo uci set network.port5.vid='0'       # do I need this for a port in Access mode?

sudo uci set network.port6=device        # port 6 is how it's labeled on the box externally
sudo uci set network.port6.ifname='eth2' # eth2 is how OpenWRT sees it
sudo uci set network.port6.type='8021q'  # probably don't need this since it's the default, but I'd like to be explicit
sudo uci set network.port6.vid='0'       # do I need this for a port in Access mode?

sudo uci set network.lom1_n=device           # lom 1 is how the host server (x86) sees it, `n` for Native
sudo uci set network.lom1_n.ifname='eth5'    # eth5 is how OpenWRT sees it
sudo uci set network.lom1_n.type='8021q'     # probably don't need this since it's the default, but I'd like to be explicit
sudo uci set network.lom1_n.vid='0'          # do I need this for a port in Access mode?

sudo uci set network.lom1_100=device         # lom 1 is how the host server (x86) sees it, `100` for VLAN ID
sudo uci set network.lom1_100.ifname='eth5'  # eth5 is how OpenWRT sees it
sudo uci set network.lom1_100.type='8021q'   # probably don't need this since it's the default, but I'd like to be explicit
sudo uci set network.lom1_100.vid='100'      # actual VLAN ID

sudo uci set network.internal_lab=interface
sudo uci set network.internal_lab.type='bridge'
sudo uci set network.internal_lab.ifname='port5 lom1_n'

sudo uci set network.external_corp=interface
sudo uci set network.external_corp.type='bridge'
sudo uci set network.external_corp.ifname='port6 lom1_100'

Unfortunately, the dedicated switch is not an option here. The physical device architecture is quite weird. It's basically a traditional x86 server but with a dedicated OpenWRT router embedded into it for external access. The router has a bunch of physical external ports (eth1..eth4, and several others, including Wi-Fi and LTE modules which I'm not gonna use) but only one internal port (eth5) which is connected to the x86 server itself on the motherboard.

My end goal is to connect several external networks to this very x86 server, using the only available internal port (eth5). The idea is that I will plug different external networks into ports eth1 and eth2, and the server would be able to see them via VLANs. I know it's far from ideal, but hopefully it will do for my tiny lab scenario.

That already sounds very significantly different! I would not assume that it is the same... think about the Adam West version of Batman on TV vs the recent Batman movies... yes, they're based on the same main ideas/characters, but they are not even remotely similar beyond that.

Could you repost your network configuration by running:

cat /etc/config/network
2 Likes

Good question. Apparently, I cannot!

oper@enb-7d1b-j10177lb:~$ sudo cat /etc/config/network
Password:
Sorry, user oper is not allowed to execute '/bin/cat /etc/config/network' as root on enb-7d1b-j10177lb.
oper@enb-7d1b-j10177lb:~$

But I can do this instead:

oper@enb-7d1b-j10177lb:~$ sudo uci show network
Password:
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd6c:7b22:02f2::/48'
network.mgmt_xcc_lan=interface
network.mgmt_xcc_lan.type='bridge'
network.mgmt_xcc_lan.ifname='eth4 eth0'
network.mgmt_xcc_lan.metric='50'
network.mgmt_xcc_lan.proto='dhcp'
network.mgmt_xcc_lan.ipaddr='0.0.0.0'
network.mgmt_xcc_lan.netmask='0.0.0.0'
network.mgmt_xcc_lan.gateway='0.0.0.0'
network.mgmt_xcc_lan_6=interface
network.mgmt_xcc_lan_6.metric='50'
network.mgmt_xcc_lan_6.proto='dhcpv6'
network.mgmt_xcc_lan_6.ip6addr='0000:0000:0000:0000:0000:0000:0000:0000/0'
network.mgmt_xcc_lan_6.ifname='br-mgmt_xcc_lan'
network.mgmt_xcc_lan_6.ip6assign='64'
network.mgmt_xcc_lan_6.ip6hint='70'
network.mgmt_xcc_lan_6.ip6class='local'
network.bonding=interface
network.bonding.ifname='bond0'
network.bonding.proto='static'
network.bonding.enabled='0'
network.edge_lan=interface
network.edge_lan.type='bridge'
network.edge_lan.ifname='eth1 eth2 eth3 eth5 eth6'
network.edge_lan.proto='static'
network.edge_lan.ipaddr='192.168.71.254'
network.edge_lan.netmask='255.255.255.0'
network.lte_wan=interface
network.lte_wan.ifname='wwan0'
network.lte_wan.proto='qmi'
network.lte_wan.device='/dev/cdc-wdm0'
network.lte_wan.apn='internet'
network.lte_wan.pincode='0000'
network.lte_wan.auth='pap'
network.lte_wan.username='Name1'
network.lte_wan.metric='30'
network.lte_wan.disabled='1'
network.wifi_lan_ap=interface
network.wifi_lan_ap.ifname='wlan0'
network.wifi_lan_ap.type='bridge'
network.wifi_lan_ap.proto='static'
network.wifi_lan_ap.ipaddr='192.168.74.254'
network.wifi_lan_ap.netmask='255.255.255.0'
network.wifi_wan_sta=interface
network.wifi_wan_sta.ifname='wlan0'
network.wifi_wan_sta.proto='dhcp'
network.wifi_wan_sta.metric='20'
network.wifi_wan_sta.ipv6='1'
network.wifi_bridge=interface
network.wifi_bridge.proto='relay'
network.wifi_bridge.network='wifi_wan_sta edge_lan'
network.vpn=interface
network.vpn.ifname='tun0'
network.vpn.proto='none'
network.edge_lan_6=interface
network.edge_lan_6.ifname='br-edge_lan'
network.edge_lan_6.proto='static'
network.edge_lan_6.ip6assign='64'
network.edge_lan_6.ip6hint='71'
network.edge_lan_6.ip6class='local'
network.lte_wan_6=interface
network.lte_wan_6.ifname='@lte_wan'
network.wifi_lan_ap_6=interface
network.wifi_lan_ap_6.ifname='br-wifi_lan_ap'
network.wifi_lan_ap_6.proto='static'
network.wifi_lan_ap_6.ip6assign='64'
network.wifi_lan_ap_6.ip6hint='74'
network.wifi_lan_ap_6.ip6class='local'
network.wifi_wan_6=interface
network.wifi_wan_6.ifname='@wifi_wan_sta'
network.wifi_wan_6.proto='dhcpv6'
network.wifi_wan_6.metric='20'
oper@enb-7d1b-j10177lb:~$

(And worry not, I can actually change the configuration over uci; I already messed with basic stuff like the hostname and NTP config.)
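
A check for the isolation this thread is after: the stock `edge_lan` bridge in the dump above already holds eth1, eth2 and eth5, so any of them placed in a second bridge would join the two segments at layer 2. This is an added example, not from any poster or from the vendor; the function name `shared_bridge_ports` is an assumption, and it reads `uci show network` text on standard input.

```shell
#!/bin/sh
# Added example: list every device that is a member of more than one bridge in
# `uci show network` output. A shared member merges the two L2 segments.
# eth5 and eth5.100 are distinct devices (untagged vs. tagged side of the port),
# so the native/tagged split on one physical port is not reported.
shared_bridge_ports() {
    awk -F= -v q="'" '
        { gsub(q, "", $2) }                                   # drop UCI quoting
        $1 ~ /\.type$/ && $2 == "bridge" { sub(/\.type$/, "", $1); br[$1] = 1 }
        $1 ~ /\.ifname$/                 { sub(/\.ifname$/, "", $1); ports[$1] = $2 }
        END {
            # Only sections with type=bridge count; plain interfaces are ignored
            for (s in br) {
                n = split(ports[s], p, " ")
                for (i = 1; i <= n; i++) { cnt[p[i]]++; memb[p[i], s] = 1 }
            }
            # One "device section" line per membership of a shared device
            for (k in memb) {
                split(k, ds, SUBSEP)
                if (cnt[ds[1]] > 1) print ds[1], ds[2]
            }
        }' | LC_ALL=C sort
}

# On the device: sudo uci show network | shared_bridge_ports
# Empty output means no port sits in two bridges.
```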

Yeah, this is nothing like standard OpenWrt. I am not in a position to help (not unwilling, it's just that I don't know how your system operates and beyond the generic advice I provided earlier, I'm at a loss).

Other (volunteer) users here will probably also not know how to configure your device -- it's just so different. You might get lucky and someone may be able and willing to help with your specific situation... but please understand that this forum cannot guarantee any kind of support, especially for unusual devices with customized builds that really don't resemble the official OpenWrt versions we know.

2 Likes

Thank you for trying to help! I understand there's a fair bunch of uncertainty here, and it's not very promising or productive. I will try to dig into available config options myself, using your advice as pointers.

If anyone's interested, here are the only two pieces of documentation (mostly overlapping) I found regarding this specific piece of hardware.

It looks like a lot of details, but unfortunately what they offer as preset configurations is not very useful. None of those allow you to access dissimilar, non-routable networks over the only available internal connection (aka eth5). In fact, every configuration assumes a single network on eth5 which is routable to other networks—and this is precisely what I want to avoid.

So, I have to investigate the “custom” configuration, which they thankfully allow, even though without much documentation. Except for a clumsy snippet on page 93, which lacks proper line breaks, so here it is with fixed formatting.

# Disable DHCP server on Down Link ports
sudo uci set dhcp.lan.dhcpv4=disabled
sudo uci commit dhcp
sudo /etc/init.d/dnsmasq restart

# Includes physical ports into Down link
# Refer to Wired/wireless table in the manual for the detailed interface name
sudo uci set network.edge_lan.ifname='eth1 eth3 eth6'
sudo uci commit network.edge_lan
sudo /etc/init.d/network restart

# Configure static IP of Down link ports
sudo uci set network.edge_lan.proto=static
sudo uci set network.edge_lan.ipaddr=192.168.70.254
sudo uci set network.edge_lan.netmask=255.255.255.0
sudo uci commit network.edge_lan
sudo /etc/init.d/network restart