Unable to apply VLAN configuration (DSA, 23.05)

I am trying to set a VLAN for port lan1, but the configuration is never applied.

I also tried checking Local and going without PVID, just Untagged. The same thing happens: no configuration is applied.

After 90 seconds, I see a window: "Configuration changes have been rolled back!"

My router is a Xiaomi Mi Router 4. I installed OpenWrt using these instructions.

All I've done is install the packages for L2TP; I haven't changed anything else in the settings, I'm just trying to configure the VLAN.

I don't see any errors in dmesg or with logread. I have also changed the log level to debug when running netifd, and likewise I don't see any errors.
It is not clear why this configuration is not applied. I am doing a simple thing. Why doesn't it apply? Where can I look, or what do I need to do to see more detailed logs of what is preventing this configuration from being applied?

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='23.05.0'
DISTRIB_REVISION='r23497-6637af95aa'
DISTRIB_TARGET='ramips/mt7621'
DISTRIB_ARCH='mipsel_24kc'
DISTRIB_DESCRIPTION='OpenWrt 23.05.0 r23497-6637af95aa'
DISTRIB_TAINTS=''

What are you trying to do exactly?

The configuration you have in the screenshot just sets LAN1 as a member of VLAN 21 and leaves all the other ports without any VLAN. This disables all communication.

If you add VLAN tags on a DSA-enabled switch, you need to add the checkbox "Local" to at least one VLAN and you need to change the interface of your "lan" network from br-lan to br-lan.21, i.e. you need to add the correct VLAN for the lan interface. This needs to be applied at the same time, otherwise you end up with no connectivity.

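The two replies above describe the lock-out condition exactly: a port that belongs to no VLAN carries nothing, and the "lan" interface has to move from plain br-lan to br-lan.<vid> of a VLAN that is marked Local, in the same apply. The script below is an added example (not code from this thread or from OpenWrt) that lints a bridge-VLAN layout for those mistakes before Save & Apply and prints the matching /etc/config/network fragment. It models netifd's bridge-vlan port syntax (lan1:u* untagged plus PVID, wan:t tagged, a bare name tagged) and the UCI option names; the port names lan1 and lan2 are the ones the thread mentions, and both layouts are constructed from the screenshots as described.

```python
"""Lint an OpenWrt DSA bridge-VLAN layout for the lock-out mistakes named above.

Added example, not code from the thread or from OpenWrt. It models netifd's
bridge-vlan port syntax (lan1:u* = untagged + PVID, wan:t = tagged, a bare
name = tagged) and the option names used in /etc/config/network.
"""
from dataclasses import dataclass


@dataclass
class BridgeVlan:
    vid: int
    ports: list          # netifd-style entries such as "lan1:u*" or "wan:t"
    local: bool = True   # LuCI's "Local" checkbox (UCI 'option local', default 1)


def parse_port(entry):
    """Split 'lan1:u*' into (name, tagged, pvid)."""
    name, _, flags = entry.partition(":")
    tagged, pvid = True, False          # no suffix: netifd treats the port as tagged
    for flag in flags:
        if flag == "t":
            tagged = True
        elif flag == "u":
            tagged = False
        elif flag == "*":
            pvid = True
        else:
            raise ValueError(f"unknown flag {flag!r} in {entry!r}")
    return name, tagged, pvid


def lint(bridge_ports, vlans, lan_device):
    """Return the problems found; an empty list means the layout keeps you connected."""
    problems = []
    by_vid = {v.vid: v for v in vlans}

    # Rule from andyboeh's reply: 'lan' must sit on br-lan.<vid> of a local VLAN.
    if not lan_device.startswith("br-lan."):
        problems.append(f"lan device is {lan_device!r}; with VLAN filtering it must be br-lan.<vid>")
    else:
        vid = int(lan_device.rsplit(".", 1)[1])
        if vid not in by_vid:
            problems.append(f"lan device {lan_device!r} refers to VLAN {vid}, which is not defined")
        elif not by_vid[vid].local:
            problems.append(f"VLAN {vid} carries the lan interface but is not 'local'")

    # Rule from the first reply: a port in no VLAN passes nothing at all.
    # Untagged ingress additionally needs a PVID (the bridge drops untagged
    # frames on a port without one), and at most one.
    member, untagged, pvids = ({p: [] for p in bridge_ports} for _ in range(3))
    for v in vlans:
        for entry in v.ports:
            name, tagged, pvid = parse_port(entry)
            if name not in member:
                problems.append(f"VLAN {v.vid} lists {name!r}, which is not a port of br-lan")
                continue
            member[name].append(v.vid)
            if not tagged:
                untagged[name].append(v.vid)
            if pvid:
                pvids[name].append(v.vid)
    for p in bridge_ports:
        if not member[p]:
            problems.append(f"port {p} is in no VLAN and will carry no traffic")
        elif len(pvids[p]) > 1:
            problems.append(f"port {p} has a PVID on more than one VLAN: {pvids[p]}")
        elif untagged[p] and not pvids[p]:
            problems.append(f"port {p} is untagged on VLAN {untagged[p]} but has no PVID; "
                            "untagged frames arriving on it are dropped")
    return problems


def render(bridge_ports, vlans, lan_device):
    """Emit the matching /etc/config/network fragment."""
    out = ["config device", "\toption name 'br-lan'", "\toption type 'bridge'"]
    out += [f"\tlist ports '{p}'" for p in bridge_ports]
    for v in vlans:
        out += ["", "config bridge-vlan", "\toption device 'br-lan'",
                f"\toption vlan '{v.vid}'"]
        out += [f"\tlist ports '{e}'" for e in v.ports]
        out.append(f"\toption local '{int(v.local)}'")
    out += ["", "config interface 'lan'", f"\toption device '{lan_device}'"]
    return "\n".join(out) + "\n"


PORTS = ["lan1", "lan2"]   # the two LAN ports the thread mentions

# What the opening post's screenshot amounts to (constructed from its description):
# lan1 alone on VLAN 21, lan2 in no VLAN, the lan interface still on plain br-lan.
LOCKOUT = dict(bridge_ports=PORTS, vlans=[BridgeVlan(21, ["lan1:u*"])],
               lan_device="br-lan")

# The layout that was eventually applied: lan2 untagged on VLAN 1, which
# carries the lan interface as br-lan.1; lan1 untagged on VLAN 21.
WORKING = dict(bridge_ports=PORTS,
               vlans=[BridgeVlan(1, ["lan2:u*"]), BridgeVlan(21, ["lan1:u*"])],
               lan_device="br-lan.1")

if __name__ == "__main__":
    for label, layout in (("lockout", LOCKOUT), ("working", WORKING)):
        print(f"== {label}: {lint(**layout) or 'no problems'}")
    print(render(**WORKING))
```

Running it reports, for the first layout, that the lan device is still br-lan and that lan2 is in no VLAN, which is the 90-second rollback in the opening post; the second layout passes and the printed fragment is what LuCI writes once the lan interface is switched to br-lan.1.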
I have a MacBook and a regular laptop. The MacBook connects to Wi-Fi (phy1-ap0) and the laptop connects to lan1. A PXE server is running on a VM on the MacBook; I have created VLAN 21 for this server on the MacBook and connected the VM to this interface using QEMU. Next, I need to set an untagged VLAN on lan1 so that the OS boots correctly over PXE on the laptop.

I almost managed to get this working properly last week, but I had misconfigured the interfaces on the PXE VM. I discovered this late because in dmesg inside the virtual machine I saw "martian source" error messages, meaning that packets from the laptop were reaching the MacBook. I have now configured the interfaces correctly on the VM, but I can't figure out what configuration I had in OpenWrt when the martian source errors appeared.

At the same time, I need to keep the Internet working via L2TP over Wi-Fi, because this is a home router and everyone at home uses it.

How is the L2TP tunnel connected?

You probably need something like the following setup:

[screenshot of the suggested setup]

I was able to apply this configuration by connecting to lan2 via cable. I then set the lan interface to the br-lan.1 device (as @andyboeh wrote) and the configuration was applied, but I had to reboot the router to get Wi-Fi Internet working.

L2TP is assigned to the WAN firewall zone and is the default GW.

Now this configuration is applied, but I needed to connect specifically via lan2 to apply it (this cannot be done over Wi-Fi). I still need to check the connectivity between the PXE VM and the laptop on VLAN 21.

What doesn't work over wifi?

I don't think you can (through LuCI or UCI configuration) do VLANs over Wi-Fi, but it is possible to configure it manually: install the ip-bridge package and then:

bridge vlan add vid 21 dev phy0-ap0

But you shouldn't be able to bridge QEMU VMs via Wi-Fi. Wi-Fi station (client) interfaces don't support being added to a bridge, as that would require WDS or 11s mesh (4-address mode).

If it works, then macOS is doing something non-standard (such as L2 NAT, which is what OpenWrt's relayd does), and I'm not sure DHCP / PXE boot works with such a hack.

What doesn't work over wifi?

I meant that I couldn't apply bridge VLAN filtering in LuCI while connected via Wi-Fi, only via lan2, but I realized what the issue was. When I applied this configuration and changed the lan interface device to br-lan.1, nft was preventing the configuration from being applied because it did not have rules for br-lan.1. I cleared its rules and was able to apply this configuration while connected over Wi-Fi.

You're probably right. I added a VID to phy1-ap0 using the bridge command, and after that I see in the dump on the VM ARP requests from the laptop, and the laptop's MAC address in the ARP table of the VM's PXE server. I also saw in the dump DHCP requests and a DHCP response telling the laptop to boot over PXE, but it works strangely: on the laptop's display I don't see it getting an IP address, yet in the dump from the VM I see DHCP giving the laptop an address. This is very strange to me. Perhaps I don't have enough knowledge about this.

Standard Wi-Fi data frames have three MAC addresses:

  • in the AP -> station direction the addresses are: the Ethernet MAC of the sending device, the AP's MAC address and the station's MAC
  • in the station -> AP direction the addresses are the same: the station's MAC, the AP's MAC and the receiving device's MAC

To add a fourth MAC address, you need 11s mesh or some kind of WDS setup. And the fourth address is needed if a station creates a bridge with other devices behind it (including VMs).

I would recommend connecting your Mac via a wired connection.
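To make the three-address limit concrete, the script below is an added example (not code from this thread) that packs and decodes the MAC header of constructed 802.11 data frames for each To-DS/From-DS combination, using the standard address-role table, and applies the two checks an AP makes: the transmitter of an uplink frame and the receiver of a unicast downlink frame must be an associated station. It shows that in a 3-address frame the station's own MAC is necessarily the source (uplink) or the destination (downlink), so a VM bridged behind the station has no address slot, while a 4-address (WDS) frame carries it. The VM address 52:54:00:12:34:80 and the MacBook's vlan21 address are quoted later in the thread (the latter is used as the station's address on the assumption that vlan21 shares en0's MAC); the BSSID and the laptop's address are made up.

```python
"""Why a 3-address Wi-Fi frame cannot carry the MAC of a VM behind a station.

Added example, not code from the thread. It packs and decodes the header of
constructed 802.11 data frames for each To-DS/From-DS combination (address
roles per the IEEE 802.11 table) and applies the two checks an AP makes:
the transmitter of an uplink frame and the receiver of a unicast downlink
frame must be an associated station.
"""
import struct

TYPE_DATA = 0x0008     # frame control byte 0: protocol 0, type 2 (data), subtype 0
FLAG_TO_DS = 0x0100    # frame control byte 1, bit 0
FLAG_FROM_DS = 0x0200  # frame control byte 1, bit 1


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_data_frame(to_ds, from_ds, a1, a2, a3, a4=None):
    """Return the MAC header: frame control, duration, A1..A3, seq ctrl, [A4]."""
    fc = TYPE_DATA | (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    hdr = struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", 0)
    if to_ds and from_ds:
        if a4 is None:
            raise ValueError("a 4-address (WDS) frame needs A4")
        hdr += a4
    return hdr


def parse_data_frame(frame):
    """Map A1..A4 to RA/TA/DA/SA according to the To-DS/From-DS bits."""
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & FLAG_TO_DS), bool(fc & FLAG_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:        # WDS / 11s: four distinct roles, A4 follows seq ctrl
        roles = dict(mode="4-address", RA=a1, TA=a2, DA=a3, SA=frame[24:30])
    elif to_ds:                  # station -> AP: the transmitter IS the source
        roles = dict(mode="station->AP", RA=a1, TA=a2, DA=a3, SA=a2, BSSID=a1)
    elif from_ds:                # AP -> station: the receiver IS the destination
        roles = dict(mode="AP->station", RA=a1, TA=a2, DA=a1, SA=a3, BSSID=a2)
    else:                        # IBSS
        roles = dict(mode="IBSS", RA=a1, TA=a2, DA=a1, SA=a2, BSSID=a3)
    return {k: mac(v) if isinstance(v, bytes) else v for k, v in roles.items()}


def ap_accepts_uplink(frame, bssid, associated):
    """AP receiving a frame: A1 must be its BSSID and the transmitter associated."""
    r = parse_data_frame(frame)
    if r["RA"] != mac(bssid):
        return False, f"receiver {r['RA']} is not this BSSID"
    if r["TA"] not in {mac(a) for a in associated}:
        return False, f"transmitter {r['TA']} is not an associated station"
    return True, f"accepted, source {r['SA']} -> destination {r['DA']}"


def ap_can_deliver_downlink(frame, associated):
    """AP sending a frame: a unicast receiver must be an associated station."""
    r = parse_data_frame(frame)
    if int(r["RA"][:2], 16) & 1:          # group bit set: broadcast/multicast
        return True, "group address, every station hears it"
    if r["RA"] in {mac(a) for a in associated}:
        return True, f"delivered to {r['RA']}, destination {r['DA']}"
    return False, f"receiver {r['RA']} is not an associated station, undeliverable"


VM = bytes.fromhex("525400123480")       # the VM, as seen in the thread's capture
MACBOOK = bytes.fromhex("f02f4b0c252e")  # vlan21/en0 address from the ifconfig output (assumed = en0)
LAPTOP = bytes.fromhex("0a1122334455")   # constructed
BSSID = bytes.fromhex("0a0b0c0d0e0f")    # constructed
ASSOCIATED = [MACBOOK]                   # the laptop is wired; only the MacBook is on Wi-Fi

if __name__ == "__main__":
    cases = [
        ("VM -> laptop, 3-addr, VM as A2",
         ap_accepts_uplink(build_data_frame(True, False, BSSID, VM, LAPTOP), BSSID, ASSOCIATED)),
        ("VM -> laptop, 3-addr, MacBook as A2 (VM's MAC is lost)",
         ap_accepts_uplink(build_data_frame(True, False, BSSID, MACBOOK, LAPTOP), BSSID, ASSOCIATED)),
        ("VM -> laptop, 4-addr, MacBook as TA, VM as SA",
         ap_accepts_uplink(build_data_frame(True, True, BSSID, MACBOOK, LAPTOP, VM), BSSID, ASSOCIATED)),
        ("laptop -> VM, 3-addr, VM as A1",
         ap_can_deliver_downlink(build_data_frame(False, True, VM, BSSID, LAPTOP), ASSOCIATED)),
        ("laptop -> VM, 4-addr, MacBook as RA, VM as DA",
         ap_can_deliver_downlink(build_data_frame(True, True, MACBOOK, BSSID, VM, LAPTOP), ASSOCIATED)),
        ("laptop DHCP broadcast, 3-addr",
         ap_can_deliver_downlink(build_data_frame(False, True, b"\xff" * 6, BSSID, LAPTOP), ASSOCIATED)),
    ]
    for label, (ok, why) in cases:
        print(f"{'OK  ' if ok else 'DROP'} {label}: {why}")
```

The last two downlink cases are the asymmetry reported further down in the thread: a broadcast from the laptop (the DHCP discover) reaches every station including the MacBook and therefore the VM, but a unicast reply addressed to the VM's MAC has no associated station to be delivered to unless the link runs in 4-address mode.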

Here is how it is done on the MacBook: I created a VLAN interface with parent interface en0 (Wi-Fi), and for the PXE VM I specified that VLAN interface as the one to bridge to.

# Create an 802.1Q sub-interface of the Wi-Fi adapter (en0) for VLAN 21
sudo ifconfig vlan21 create
sudo ifconfig vlan21 vlan 21 vlandev en0

# Start the PXE VM under the Hypervisor framework (hvf); libvirt's own
# networking is disabled (--network none) and the NICs are passed straight
# to QEMU: net0 is bridged onto vlan21 via vmnet, net1 is user-mode
# networking with host port 2022 forwarded to the guest's SSH port 22
sudo virt-install \
   --name undercloud \
   --memory 10240 \
   --vcpus 4 \
   --disk=size=100,backing_store="/var/lib/libvirt/images/CentOS-Stream-GenericCloud-9-latest.aarch64.qcow2" \
   --disk path=./cidata.iso,device=cdrom \
   --import \
   --os-variant centos-stream9 \
   --graphic vnc \
   --noautoconsole \
   --virt-type hvf \
   --qemu-commandline='-netdev vmnet-bridged,id=net0,ifname=vlan21 -device virtio-net-device,netdev=net0 -netdev user,id=net1,hostfwd=tcp::2022-:22 -device virtio-net-device,netdev=net1' \
  --network none

-------

vlan21: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496
	options=6063<RXCSUM,TXCSUM,TSO4,TSO6,PARTIAL_CSUM,ZEROINVERT_CSUM>
	ether f0:2f:4b:0c:25:2e
	vlan: 21 parent interface: en0
	media: autoselect
	status: active
vmenet0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1496
	ether fa:53:a0:61:0c:4c
	media: autoselect
	status: active
bridge100: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1496
	options=3<RXCSUM,TXCSUM>
	ether f2:2f:4b:c0:7c:64
	Configuration:
		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
		ipfilter disabled flags 0x0
	member: vlan21 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 22 priority 0 path cost 0
	member: vmenet0 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 23 priority 0 path cost 0
	media: autoselect
	status: active

So, I cleared the firewall rules on the router again, and it seems to work, but with delays, which prevent PXE from working properly.

I would recommend connecting your Mac via a wired connection.

Perhaps I will do this later with a Type-C to RJ-45 adapter.

There's no such thing as VLANs on Wi-Fi. Tunnels can be used to multiplex isolated networks over a Wi-Fi connection.

I think you're saying you want VLAN 21 (the tunnel to the MacBook) tagged and some other general network untagged on the Ethernet port connected to the other laptop. Tagged and untagged on the same port doesn't work with all hardware, but try to get the Ethernet part working first.

I kind of managed to get this to work (see my previous message), but there are weird delays that prevent PXE from working on the laptop.

Actually, you can put 802.1Q-tagged packets in a Wi-Fi frame. It is not standard, but it works.

I think you were right here. As you can see in this screenshot:

The Wi-Fi frame contains the MAC address of the VM (52:54:00:12:34:80), and when such a packet reaches the laptop, the laptop sends packets with the VM's MAC address as the destination; the router then cannot forward them to the MacBook's Wi-Fi interface. I also understand why some packets from the MacBook's VM reach the laptop: they are replies to broadcast requests, so the laptop received an IP address from the DHCP server in the VM, but booting further over PXE doesn't happen. It's not latency; it's just packets not being delivered to the VM.
