Upgrade from 22.02 to 23.05 and making my config DSA compatible

Hi all, I am running openwrt 22.02 and wanted to do a firmware upgrade to 23.05. But when I do, I get the following error.

Mon Jan 15 13:32:11 PST 2024 upgrade: The device is supported, but the config is incompatible to the new image (1.0->1.1). Please upgrade without keeping config (sysupgrade -n).
Mon Jan 15 13:32:11 PST 2024 upgrade: Config cannot be migrated from swconfig to DSA
Image check failed.

Doing some googling, I see that there is a change from old swconfig for VLANs switch configuration to the newer DSA. I don't want to do an upgrade while losing and redoing all my config.

I did skim through https://openwrt.org/docs/guide-user/network/dsa/converting-to-dsa but that page does explain how to do VLAN setups with DSA compared to the old swconfig and the feature differences. But I don't really use VLANs. I just have a single switch vlan, with all ports (eth0 and Lan1-4) being untagged. I haven't enabled VLAN filtering on br-lan. Basically I just have my wireless and lan switch ports all connected to a single lan network. And I have a single separate guest wifi, that isn't part of that lan but only has internet access. So I am looking for a simple howto to prepare my config so it is compatible with the DSA stuff, just in order to upgrade to the newer firmware.

Thinking about it, if it isn't possible to do the config change ahead of time in luci, I would be ok with downloading a backup of my config first, manually editing that with the required changes for the DSA upgrade, and then restoring that backup for instance after I did the sysupgrade -n. If someone has clear instructions about what I would have to change in the backup, that would be hugely helpful.

You must start from scratch - there is no preparation you can do in the swconfig context that will make it possible to upgrade without a reset to defaults.

The preparation you can do is:

  • make a backup — this is useful as a human readable reference for reconfiguring your network
  • document any special network configs or requirements.
  • post your current config here if you want us to help you either re-establish an equivalent config in dsa or to advise you about how easy/complex the process will be, and/or what bits of the config could actually be copied and pasted back into place (limited, but there are some items that are safe to manually restore). (This is obviously optional)

Ok, thanks for the answer. If I have to do everything from scratch, then I'll just stay with the old version. I don't mind doing some manual config, or edit the backup so I can restore a compatible config after the upgrade. But having to do everything I did over the past few years from scratch is just not something I have time for.

I appreciate the offer to help me get an equivalent config, but I don't feel comfortable posting my full network setup including all mac addresses and IPs on the internet for everyone to read. I would feel more comfortable with some docs on what I'd need to change.
As summary though, what I have is

  • A network LAN with br-lan bridging interfaces eth0, wlan0 and wlan1
  • a switch (on eth0) with a single VLAN1, that is untagged on eth0 and LAN ports 1-4
  • a network GUEST with interface wlan0-1 that is not part of any bridge, but is allowed to output over WAN and gets masqueraded there. (so completely separate from the rest of the network).
  • a single WAN network containing interfaces wan (eth1), wan6 (eth1), and eth2 (a usb ethernet device with simcard that I use as manually activated fail over but is normally turned off/stopped)

You can redact MAC address and other sensitive info.

Most of what you describe is either relatively near to the standard default config or fairly quick to reconfigure (for example, the guest network can be added in 10 mins or less).

The mwan/cellular failover would require a bit more work because a few packages need to be installed and configured, but that is true of any upgrade (although those config files may be transferable without issue).

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
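
A filter for the redaction step requested above, as an added example that is not part of any post in this thread: it masks the values of secret-bearing options, MAC addresses and non-private IPv4 addresses in UCI text read from stdin. The function name `redact_uci` and the option list are assumptions; IPv6 addresses and unquoted values are not handled.

```shell
#!/bin/sh
# Added example, not from the thread. redact_uci reads UCI config text on
# stdin and writes a copy with secrets masked. The option list is an assumed
# starting point. Every IPv4 address outside the private/loopback/link-local
# ranges is masked, including public resolvers such as 1.1.1.1.
redact_uci() {
    awk -v q="'" '
    BEGIN {
        h = "[0-9A-Fa-f][0-9A-Fa-f]"
        mac = h ":" h ":" h ":" h ":" h ":" h
        # Options whose whole value is a secret or an identifier.
        secret = "^[ \t]*(option|list)[ \t]+(key|password|macaddr|private_key|preshared_key)[ \t]"
        value = q "[^" q "]*" q "[ \t]*$"
    }
    # RFC 1918, loopback, link-local and netmask-like values stay readable.
    function is_local(ip,    o) {
        split(ip, o, ".")
        return (o[1] == 10 || o[1] == 127 || o[1] == 255 || o[1] == 0 ||
                (o[1] == 192 && o[2] == 168) ||
                (o[1] == 169 && o[2] == 254) ||
                (o[1] == 172 && o[2] >= 16 && o[2] <= 31))
    }
    # Walk every dotted quad on the line and mask the non-local ones.
    function scrub_ipv4(line,    out, ip) {
        out = ""
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(line, RSTART, RLENGTH)
            if (!is_local(ip)) ip = "<public-ip>"
            out = out substr(line, 1, RSTART - 1) ip
            line = substr(line, RSTART + RLENGTH)
        }
        return out line
    }
    {
        if ($0 ~ secret) sub(value, q "<redacted>" q)
        gsub(mac, "<mac>")
        print scrub_ipv4($0)
    }'
}
```

Pipe each file through it, for example `redact_uci < /etc/config/wireless`, and read the result before posting.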

Aside from that network stuff, I indeed have a whole host of installed packages I'd have to restore, and I have a whole bunch of static ips linked to local dns config, the eth2 failover, adblock, etc. My wife and me both work from home, and I really don't want both her and me to take (half) a day off work so I can tinker getting the config setup again after a full reset. So for me personally I can only

  • edit the backup so I can just reinstall the required packages and restore the backup after a reset
  • or I am going to stop updating until I have spare time on my hands to spend on this (which will be a long while for various personal reasons).

This is the hardware i am running

{
        "kernel": "5.10.201",
        "hostname": "router",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "ASUS RT-AC58U",
        "board_name": "asus,rt-ac58u",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.6",
                "revision": "r20265-f85a79bcb4",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 22.03.6 r20265-f85a79bcb4"
        }
}

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<redacted>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr '<redacted>'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '<redacted>'

config device
        option name 'eth1'
        option macaddr '<redacted>'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option metric '1'
        option type 'bridge'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
        option metric '1'
        option reqaddress 'try'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 3 4'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'wlan0'
        option ipv6 '0'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option device 'wlan0-1'
        option ipaddr '<redacted>'

config device
        option name 'wlan0-1'

config device
        option name 'usb0'
        option ipv6 '0'

config device
        option name 'eth2'

config interface 'eth2'
        option proto 'dhcp'
        option device 'eth2'
        option auto '0'

config interface 'wwan'
        option proto 'dhcp'

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/soc/a000000.wifi'
        option cell_density '0'
        option country 'PH'
        option channel '1'
        option htmode 'HT40'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '<redacted>'
        option key '<redacted>'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option encryption 'psk-mixed'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option path 'platform/soc/a800000.wifi'
        option cell_density '0'
        option channel 'auto'
        option htmode 'VHT80'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key '<redacted>'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option ssid '<redacted>'
        option encryption 'sae'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid '<redacted>-guest'
        option encryption 'psk2'
        option key '<redacted>'
        option network 'guest'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid '<redacted>'
        option encryption 'psk2'
        option key '<redacted>'
        option disabled '1'

config defaults
        option output 'ACCEPT'
        option synflood_protect '1'
        option drop_invalid '1'
        option input 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option target 'DROP'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'DROP'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'
        list network 'eth2'
        list network 'wwan'

config forwarding
        option src 'guest'
        option dest 'wan'

My dhcp config is this, plus a long list of static hosts and dns aliases

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option ednspacket_max '1232'
        option local '/<redacted>/'
        option domain '<redacted>'
        option confdir '/tmp/dnsmasq.d'
        option localservice '0'
        option nonwildcard '0'
        option noresolv '1'
        option doh_backup_noresolv '-1'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '124.107.173.151'
        list doh_backup_server '142.251.220.142'
        list server '1.1.1.1'
        list server '8.8.4.4'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,10.0.8.1'
        option force '1'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option netmask '255.255.255.0'
        list dhcp_option '6,1.1.1.1,8.8.8.8,8.8.4.4'
        list ra_flags 'none'

I can't shake the feeling that it seems really impractical that a feature that I don't really use in openwrt (VLANs) has a backwards incompatibility that causes me to have to redo the config of everything else on a system upgrade. It would be much nicer if the switch VLAN config (if I understand correctly, the only part affected) would be reset to stock, but everything else can still be restored from the old config. It feels like a feature incompatibility for a smaller group of power users/network experts is blocking potentially a much larger group of simpler users from keeping their firmware up to date.

Except that you do use VLANs, even if you didn't notice it, but the wan/lan separation is done via VLANs.

Hi
it is not about VLANs (only)

it is fundamental way how OWRT expose rj45 ports to user
in old 'swconfig', individual ports are 'hidden' from user
in DSA every rj45 have own representation
it is very basic and rude explanation ... :slight_smile: but easy to understand

There are some issues with your config as it stands, but not worth dealing with until you upgrade.

It is not necessary to redact rfc1918 ip addresses - they don't reveal anything sensitive about your network.

I do understand your hesitation to upgrade - and yes, it does make sense to wait until you have enough time to ensure everything is working properly.

It is actually much more than VLANs - it’s a fundamental change to the underlying method of hardware abstraction. The change is a one time thing that you will get through pretty easily.

The dhcp reservations can easily be copied into place, so that will save you time when you do go through the upgrade process.

In actuality, for most basic users, the upgrade process is fast and super easy to reconfigure. And for advanced users with VLANs, it is a bit more work as they learn the new method. Your setup is in a middle ground that won’t take very long except for reinstalling your packages and such.

Why don't you back up your settings, set up your network from scratch, name the interfaces "lan", "wan" and "guest", and then just put back your /etc/config/firewall and /etc/config/dhcp from the backup? You can also use attended-sysupgrade to update with all the current packages preinstalled.

Since I am made to believe I have to redo my config from scratch. I don't know what my options are. I just get an error I can't keep my config. And according to @psherman I have to redo it from scratch. If there is an alternative, please enlighten me.

So what is that upgrade process? I think I just miss options. Normally, I just do a firmware upgrade, it keeps my config, and I reinstall the packages that I had. Now I can't keep my config since it isn't compatible. So the only option as I understand from you is reset the whole setup, then go through the LUCI ui and redo everything I did over the past 2 years, and use the backed up config as a visual reminder. If there is a quicker way to do it, please explain. All the DSA page talks about is how to configure VLANs but not how to upgrade OpenWRT from a version that doesn't use DSA to a version that does, for everything except the VLANs.
If there would be a clear list of all config files that can be restored from the backup because they aren't affected by DSA, and which files are affected by the DSA change, and which bits are, that would be hugely helpful.

The thing is, I haven't actively changed anything there, so whatever works stock, works for me. I wish there would be an option: set DSA related stuff to stock, and restore all other config. That way, only the people that actively changed VLAN stuff have to restore some of it manually, and everyone else isn't affected. Now the docs only focus on what did change, and how to restore those bits. But that stuff isn't relevant for me. What is relevant for me is that it says "you can't keep your config". But it doesn't say which bits of my config I can reuse.

sorry, @NPeca75 I replied to the wrong post. Your explanation was useful.

Often the dhcp and firewall files can be restored - it is worth inspecting to make sure you aren’t doing anything that is not compatible (i.e. fw3 vs fw4), but for uci based rules it should be okay.

Network and wireless files are not directly compatible.
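
One way to act on the advice above (restore dhcp and firewall, rebuild network and wireless), as an added example that is not from any poster or from OpenWrt: it stages only the two restorable files from a backup archive and flags what still needs a manual look. It assumes the backup is a gzip tar with member paths relative to / (such as etc/config/dhcp); the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not OpenWrt code. Assumes the backup is a gzip tar whose
# member paths are relative to / (etc/config/dhcp, ...); the function names
# are made up for this example.

# Files the thread describes as usually restorable after the reset.
PORTABLE="etc/config/dhcp etc/config/firewall"

# stage_portable BACKUP STAGE_DIR
# Unpack only the portable files into STAGE_DIR for review. Nothing is
# written to /etc, and network/wireless are deliberately left in the archive.
stage_portable() {
    mkdir -p "$2" || return 1
    # $PORTABLE is intentionally unquoted so it splits into two member names.
    tar -xzf "$1" -C "$2" $PORTABLE
}

# has_swconfig FILE: succeeds if FILE still contains swconfig switch sections.
has_swconfig() {
    grep -Eq '^[[:space:]]*config[[:space:]]+switch(_vlan)?([[:space:]]|$)' "$1"
}

# has_include FILE: succeeds if the firewall file pulls in an external file
# ("config include"), i.e. something that is not a plain uci rule.
has_include() {
    grep -Eq '^[[:space:]]*config[[:space:]]+include([[:space:]]|$)' "$1"
}

# review_backup BACKUP STAGE_DIR: stage the files and print what needs a
# manual look before anything is copied onto the freshly reset router.
review_backup() {
    stage_portable "$1" "$2" || return 1
    echo "staged for review: $2/etc/config/dhcp $2/etc/config/firewall"
    if has_include "$2/etc/config/firewall"; then
        echo "firewall: has a 'config include' section, check it against fw4 by hand"
    fi
    # Inspect the old network file without extracting it to disk.
    if tar -xzOf "$1" etc/config/network | has_swconfig -; then
        echo "network: swconfig sections present, recreate this file on the new release"
    fi
}
```

Run `review_backup backup.tar.gz ./staged` on a workstation, read the staged files, and only then copy them into /etc/config on the reset router.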

So are there any docs on what changed in those config files? With all the information I have available now, the only option I have is go through the luci UI, and manually restore everything by hand. I don't fancy clicking through the UI to add all static ips, dns names, adblock config, etc etc etc. That is only quick if you've done it 50 times and have it in muscle memory. But not if you did some of it 2 years ago and can't recollect it all, and have to read through the config files to remember.

For the firewall stuff, yes. Look at the 23.05.0 release notes for more info.

Sorry, maybe I am not looking properly, but the only relevant bit I see is

Sysupgrade can be used to upgrade a device from 22.03 to 23.05, and configuration will be preserved in most cases.
!Sysupgrade from 21.02 to 23.05 is not officially supported.

  • ipq40xx EA6350v3, EA8300 and MR8300 require tweak to the U-Boot environment on update from 22.03 to 23.05. Refer to the Device wiki or the instruction on sysupgrade on how to do this change. Config needs to be reset on sysupgrade.

which doesn't really tell me much to solve the

Please upgrade without keeping config

message I see when doing a firmware upgrade.