Two bridges on the same eth0: is it supposed to work?

I have a Linksys WRT1900ACS and I want to connect it to two different networks: one for the device itself and another one (less privileged) for the devices plugged in to its ethernet ports.

The way I think it is supposed to work is:

  • I have two bridges, one for "wan" (br-lan) and one for "lan1, lan2, lan3, lan4" (br-media)
  • "wan" is plugged into one network and the router would get its IP address from it (acting as a DHCP client).
  • "lan1" is plugged into another network and DHCP requests from devices on lan2, lan3 and lan4 would be forwarded to the device on the other side by the bridge.

However, I cannot make this work: the br-media bridge shows all physical interfaces as "down". I know the cables are plugged in properly. If I plug the cable attached to lan1 into a computer instead, it will get an IP address and everything will work. But the same cable plugged into the Linksys does not change the state of the interface from "down".

(An interesting thing I found is that if I reboot the router, the bridge will briefly work and everything connected to lan2, lan3 and lan4 will get IP addresses from the other side of lan1. Sounds like a security concern, since no VLAN tagging is done.)

Anyway, I'm wondering whether I need to do something else I haven't done yet to make it work, or whether, given that there's only one actual physical networking device (eth0), it is just not supposed to work at all.

Relevant configuration bits (shortened):
/etc/config/network

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'wan'
config interface 'LAN'
	option proto 'dhcp'
	option device 'br-lan.1'
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'wan:u*'
config interface 'media'
	option proto 'none'
	option device 'br-media.30'
config device
	option type 'bridge'
	option name 'br-media'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option bridge_empty '1'
config bridge-vlan
	option device 'br-media'
	option vlan '30'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

Oh, the firmware version is OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.304.65171-ec905e6

Can you take time to explain the setup and use of VLANs 1 and 30?

I don't see any discussion on them.

Do you want LAN1 to get an IP as DHCP client too?

There are other relevant missing parts. Please show all of it (redact MAC addresses, public IPs, etc.)

I'm not sure it is relevant, but my network is split into about 10 different VLANs, each designated to a set of devices (computers get one, kids' devices another one, media devices get yet another one). This is all handled by OpenWrt running on an x86 gateway; let's call it the router.

That router is handling DNS and DHCP.

The Linksys' job is to provide WiFi and be a device with Ethernet ports I can plug things into. It gets its IP through VLAN 1, the rest of the VLAN interfaces are unmanaged, and the Linksys relies on the router to handle DHCP and the firewall.

There are also two managed switches: one of them is to plug all the wireless access points into, and its job is to forward requests to the router and avoid switching anything locally (I'm using cheap TP-Link switches and MTU VLAN does exactly what I need). The purpose is to isolate devices on the same VLAN from each other.

The other managed switch is to deal with media devices: they are the only devices I want talking to each other on my network directly without bouncing through a router.

Ideally, Linksys (and other APs) would have two uplinks: one for the media devices, going through that second switch, and one for the rest of the VLANs, going through the first switch.

The Linksys would have to have two bridges: one for media, joining together lan1, lan2, lan3 and lan4, and one for wan, handling the rest of the traffic.

Apart from that second uplink, everything works as expected :)

But the second uplink proves to be challenging: as I've mentioned before, the Linksys insists that all of the ports connected to the media bridge are "down", even though I am 100% sure the device on the other side is listening (and I confirmed that by connecting the same cable to a laptop; even the Linksys itself briefly uses that connection during startup).

So that's why I am stuck.

I do not think VLANs have anything to do with it. The networks wan and lan1 are both connected to the router in the end, but I've excluded the media VLAN from wan, so there shouldn't be any cycles; there's always just one way up or down. STP is not enabled (as seen from the config), not sure if it would make a difference :)

I'm happy to share the full network config, but honestly most of it is really of no relevance; it's just the configuration of all the other VLANs, which look exactly like the media one (but with br-lan as the base interface).

Is there any other configuration file that might be relevant?

Hi,
I have a Banana Pi BPI-R3 device with the latest OpenWrt. See here for details:

If I have two bridges connected to the same LAN interface, I get this:
If one bridge is on VLAN 1 and the other bridge is on VLAN 5:
Fails if: VLAN 1 untagged, VLAN 5 tagged.
Works if: VLAN 1 tagged, VLAN 5 tagged.
So, maybe if you configure it so that both VLANs are tagged, it might help you also.


Yes, tagged and untagged on the same cable should be avoided. This also helps with the issue of rogue untagged packets accidentally or intentionally entering the network.

During boot, the bootloader configures all four LAN ports to switch together, and that situation exists until the OS (OpenWrt) takes over and reconfigures them. This can't be avoided by OpenWrt since it is not running yet.


Any idea on how I can debug this? It is all behaving very strangely, but no diagnostics are ever printed out anywhere.

  • brctl shows the bridge but is somehow confused about which interfaces are attached to it. I attached one of the "interfaces" (in LuCI terminology) to use the bridge, then switched it back to br-lan and attached another "interface", and brctl still shows me the original interface names.
  • br-media doesn't have a MAC address and does not show up in ifconfig or brctl output unless I use it as the device for some interface.
  • once I attached lan1 to br-media, it disappeared from the ifconfig output completely. ifup lan1 says that a device with that name doesn't exist.
  • trying to set up the bridge manually with brctl fails too:
root@Linksys:~# brctl addbr br-media
root@Linksys:~# brctl addif br-media lan1
brctl: bridge br-media: Not supported

I guess lan1 is not an interface but just a port of the switch? Is there a way to add it to the bridge with Linux tools somehow?

Having two bridges on the same interface does not make sense: bridges do not get attached to interfaces, but the other way around. Then, "one interface attached to two bridges" also does not make sense, as once the interface becomes part of one bridge, it is no longer available to be attached to the second bridge; and, if you could do it, then it would all be one single bridge.

Anyway, after reading your message, I still do not understand what you want to accomplish here; can we forget about the bridges for a moment, and draw a picture of your intended configuration, please?

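As an added example (not code from the thread or from OpenWrt), a small Python audit of the device and bridge-vlan sections of /etc/config/network for the two conditions raised above: a port carrying both tagged and untagged VLANs on the same cable, and a port listed under more than one bridge device. The config it parses is constructed for the example; the port flag reading assumes ':t' marks a tagged member, anything else is untagged and '*' only sets the PVID.

```python
import re
from collections import defaultdict

# Constructed /etc/config/network fragment (not the thread's own config): one
# bridge, but wan carries VLAN 1 untagged and VLAN 30 tagged on the same cable.
SAMPLE_CONFIG = """config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'wan'
	list ports 'lan1'
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'wan:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'
	list ports 'lan1:t'
"""

def parse_uci(text):
    """Minimal UCI reader: returns [(section type, {key: [values]})]."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"config\s+(\S+)", line):
            sections.append((m.group(1), defaultdict(list)))
        elif (m := re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'", line)) and sections:
            sections[-1][1][m.group(1)].append(m.group(2))
    return sections

def audit_bridge_vlans(text):
    """Return (port, finding) pairs for risky bridge/VLAN port membership."""
    modes = defaultdict(set)    # port -> {"tagged", "untagged"}
    bridges = defaultdict(set)  # port -> bridge devices listing it
    for typ, opts in parse_uci(text):
        if typ == "device" and opts.get("type") == ["bridge"]:
            for port in opts.get("ports", []):
                bridges[port].add(opts.get("name", ["?"])[0])
        elif typ == "bridge-vlan":
            for spec in opts.get("ports", []):
                port, _, flags = spec.partition(":")
                # assumption: ':t' = tagged member; 'u' or no flag = untagged;
                # '*' only sets the PVID and does not change tagging
                modes[port].add("tagged" if "t" in flags else "untagged")
    findings = [(p, "mixed tagged and untagged VLANs") for p, m in sorted(modes.items()) if len(m) == 2]
    findings += [(p, "member of several bridges: " + ",".join(sorted(b))) for p, b in sorted(bridges.items()) if len(b) > 1]
    return findings
```

Run against the real file with `audit_bridge_vlans(open("/etc/config/network").read())`; an empty list means neither condition is present.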

I'm not trying to put the same port on two different bridges, but as far as I understand there's only one network interface (in the kernel sense, eth0) and I wasn't sure how that interacts with bridges.

Anyway, here is a picture, hopefully it makes it clearer.

br-lan works fine already. I'm trying to make br-media bridge but it just fails in the way I don't know how to debug.

Update: sorry, I forgot to edit the drawing, but VLAN 1 on wan is also untagged. Not sure if that makes a difference; I can make it tagged if needed.

Does the main router (on the right side of the image) have all the VLANs, too?

There should be no need for the second switch at all, but certainly not the link between the two switches. All of the VLANs can be handled on a single port (linksys wan) and then steered to the correct ports as needed.

Yeah, everything has the same VLANs.

The reason for two switches is that they are in a different configuration:

  • the switch (TL-SG108E) connected to wan is in MTU VLAN mode, where it has port-based bridges between every port and the uplink (i.e. ports can't talk to each other, just to the router behind the uplink).
  • the switch I want to be connected to lan1 is in normal mode, where it allows ports to talk to each other.

As I said previously, I find that this configuration allows me to isolate clients on the same VLAN, i.e. even if all computers are on VLAN 40, they won't be able to talk to each other.

I want pretty much all devices to be isolated and only have specific rules for interactions (i.e. computers can access media devices).

But, for media devices I want the rules to be relaxed: I want TVs, PLEX and Chromecast devices to talk to each other freely without bouncing through the router.

So:

  • is this configuration (two bridges, on separate physical ports but the same switch) supposed to work?
  • is there a way to somehow figure out why it doesn't?

Your drawing only shows us what you have done so far, not what you want to accomplish. I cannot understand why you have two switches connected like that, or why you have your LANs on the same interface as the WAN.

To be pedantic, as you only seem to have switches, modems, and routers, and no other user device or server in your network, you could just switch everything off.

I like humour, but I think it was uncalled for.

I want the Linksys to be a dumb-ish AP; that's why WAN is on the same interface.
I want devices connected to it, and other APs like it, to be isolated from each other as much as possible; that's why the switch is in the mix too.

This all works.

But the br-media shown in the picture does not work, and I have no idea how to debug it. The UI shows lan1-lan4 as if they are down or have no cable connected to them, even though I know there is a cable connected with an active device trying to communicate. It is as if I have to "up" them, but I see no option to do so. 'ifconfig' stops showing lan1-lan4 the moment I add them to the bridge, but still shows wan, even though it is part of br-lan.

I can't see anything relevant in the logs.

All I'm interested in is how to debug the situation, how to figure out why br-media refuses to work.

It has been a little while since I've used one of these switches, but IIRC, the MTU VLAN feature and the use of standard VLANs are mutually exclusive modes.

If you remove the switch that is connected to the br-media lan1 port, does it work? If not...

  • Have you verified that VLAN30 is working properly from the router and first switch?

For those not familiar with the TL-SG1xxE line of switches, MTU is "multi-tenant unit" -- it is a port isolation implementation. It works with a single subnet -- designed for small apartments and low-end SMB contexts (think co-working spaces and the like) such that the network 'administrator' does not need to use VLANs to isolate the users from each other. Traffic can only flow between any given port and the uplink; it cannot flow between that port and any other port on the switch.

It has been a little while since I've used one of these switches, but IIRC, the MTU VLAN feature and the use of standard VLANs are mutually exclusive modes.

I think this is a red herring, as it doesn't really matter in this example. The switch with MTU enabled is connected to br-lan, which works perfectly. It is exclusive with standard VLANs on the switch itself, but it forwards the VLAN tags untouched to the router, so everything works (I do get VLAN-specific IP ranges from DHCP, so I'm confident in that).

If you remove the switch that is connected to the br-media lan1 port, does it work? If not...

  • Have you verified that VLAN30 is working properly from the router and first switch?

I've just tried this with no luck. The symptoms are exactly the same: the Linksys says there's no link on lan1 (or any other port assigned to br-media), even though I know the cable is in and works, and the switch on the other side is happy to communicate. I've confirmed that multiple times through multiple means (plugged in a laptop, assigned the ports back to br-lan; everything starts working immediately as expected).

VLAN30 is also not a problem, it works through br-lan currently.

I can also migrate the physical link connected to wan from one switch to the other and everything keeps working. It is just that something on the Linksys side prevents br-media from starting to function.

So if there is a problem with the second bridge, why not just put wan + lan1-lan4 on the same bridge? Then configure all VLANs on the wan port (VLANs 1, 10, 20, 30, 40, 50 -- all tagged), and then ports lan2-lan4 (and maybe even lan1) as untagged VLAN 30.

Haven't seen your response, but this is exactly what I just did :)

I've assigned all ports to br-lan, but in the VLAN configuration I excluded wan from VLAN30 and put lan1-4 on VLAN30 only (lan1 tagged, lan2-4 untagged).

This works as expected :)

Thanks!

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :)
