Using VLANs on ipq40xx device and DSA

Fremont · April 23, 2023, 3:06pm

/etc/config/network before change :
...
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fde9:47e1:f650::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'

config device
option name 'eth0'
option macaddr '0c:0e:76:35:be:00'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
...

Changes made :
...

/etc/config/dhcp

uci del dhcp.lan.ra_slaac

/etc/config/network

uci add network bridge-vlan # =cfg06a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='114'
uci add_list network.@bridge-vlan[-1].ports='eth0:t*'
uci set network.lan.ipaddr='192.168.114.60'
uci set network.lan.gateway='192.168.114.1'
...

That didn't change anything : I can't access the device via vlan 114 when the changes are applied.

janh · April 23, 2023, 3:35pm

To be clear, I meant the actual Linux interface called "lan", not the config section with the same name in "/etc/config/network".

You need to replace all occurences of "eth0" in "/etc/config/network" by "lan". If you start from a fresh config on a snapshot image, that should actually already be the case. (I assume you ended up with the current state by keeping your config from a stable release, which is not supported for devices which migrated to DSA.)

Fremont · April 27, 2023, 10:13am

I did :

firstboot && reboot now

and here's the content of /etc/config/network :

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'xxxxxxxxxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

If I replace the 2 occurences of "eth0" by "lan" in that network file, and restart the network, I can't access the access point anymore (its IP address being 192.168.1.1).

janh · April 27, 2023, 12:15pm

So, which device and which OpenWrt version are you actually using? From the previous information, I assumed it is a DAP-2610 running an OpenWrt snapshot build (as there isn't any stable release using DSA for this device yet). And in that case, the device "lan" should be used for the LAN interface by default.

Fremont · April 27, 2023, 12:25pm

Here is what is displayed on the status page :

Model : D-Link DAP 2610
Architecture : ARMv7 Processor rev 5 (v7l)
Target Platform : ipq40xx/generic
Firmware Version : OpenWrt 22.03.4 r20123-38ccc47687 / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a
Kernel Version : 5.10.176

You're right : that device doesn't seem to use DSA, contrary to what I thought.

grep "DEVTYPE=dsa" /sys/class/net/*/uevent

doesn't return anything.

While on another of my devices, which uses DSA for sure I get :

/sys/class/net/lan1/uevent:DEVTYPE=dsa
/sys/class/net/lan10/uevent:DEVTYPE=dsa
/sys/class/net/lan11/uevent:DEVTYPE=dsa
/sys/class/net/lan12/uevent:DEVTYPE=dsa
/sys/class/net/lan13/uevent:DEVTYPE=dsa
/sys/class/net/lan14/uevent:DEVTYPE=dsa
/sys/class/net/lan15/uevent:DEVTYPE=dsa
/sys/class/net/lan16/uevent:DEVTYPE=dsa
/sys/class/net/lan17/uevent:DEVTYPE=dsa
/sys/class/net/lan18/uevent:DEVTYPE=dsa
(and so on)

I'll use that DAP-2610 in an environnement which doesn't need VLAN, I can't get it working.

psherman · April 27, 2023, 2:22pm

Your device only has a single Ethernet port. So dsa is not a thing here.

But as a result, VLANs are really easy. Just use dotted notation - eth0.x where x is the vlan id.

Want to link another vlan to an ssid? Simple. Make a bridge containing eth0.x and a network interface with that bridge and proto none (unmanaged). Then link the ssid to that network in your wireless file.

The network file would look like this:

config device
        option name 'br-vlan10'
        option type 'bridge'
        list ports 'eth0.10'

config interface 'vlan10'
        option device 'br-vlan10'
        option proto 'none'

theMan · April 27, 2023, 4:15pm

You kinda had us all fooled the whole time.

Dunno about this particular device but some, at least the Asus Lyra didn’t come with a working switch config out of the box on 22.03 (not that it wasnt working, the switch config just didnt show up on Luci).

But as @psherman mentioned you don’t really need that. You can either use software vlan or just use the bridge vlan filtering as you would on a DSA device.

janh · April 27, 2023, 4:31pm

While this device has just one port, that port is still connected to the switch that is built into the SoC. The device tree confirms this. So DSA (or swconfig in the stable release) is very much relevant here.

psherman · April 27, 2023, 4:33pm

It that's the case (and I totally admit that I may have missed the device tree and the internal switch), bridge-vlan filtering would be the way to go here (instead of the dotted notation).

Fremont · April 27, 2023, 4:37pm

Trying bridge VLAN filtering :

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'xxxxxxxxxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# /etc/config/network
uci add network bridge-vlan # =cfg06a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='114'
uci add_list network.@bridge-vlan[-1].ports='eth0:t*'
uci set network.lan.device='br-lan.114'
uci set network.lan.ipaddr='192.168.114.102'
uci set network.lan.gateway='192.168.114.1'

-> no access via VLAN 114

Trying bridge VLAN filtering :

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'xxxxxxxxxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# /etc/config/network
uci add network device # =cfg060f15
uci set network.@device[-1].type='8021q'
uci set network.@device[-1].ifname='eth0'
uci set network.@device[-1].vid='114'
uci set network.@device[-1].name='eth0.114'
uci set network.@device[-1].ipv6='0'
uci set network.lan.device='eth0.114'
uci set network.lan.ipaddr='192.168.114.102'
uci set network.lan.gateway='192.168.114.1'

-> no access via VLAN 114

Fremont · April 27, 2023, 4:39pm

I thank you very much for your help, it's really appreciated.
There's probably something wrong with either my device, or the way I configure it.

The router to which it's connected allows, of course, connections to that device (192.168.114.102 in that case).

psherman · April 27, 2023, 4:43pm

Typically, the only VLAN that will have an address will be the one used for management. I'd recommend trying this:

config bridge-vlan
	option device 'br-lan'
	option vlan '114'
	list ports 'eth0:t'

config interface 'vlan114'
        option device 'br-lan.114'
        option proto 'none'

Then create a new SSID for VLAN 114 and associate it with network vlan114.

Also, have you verified that VLAN 114 is working properly on the upstream router and through any switches you have between them?

janh · April 27, 2023, 4:56pm

Ideally, you should really upgrade to a snapshot build that actually uses DSA, if you want to use VLANs on this device.

Alternatively, you may also try to get it working by adding the missing switch section to the config. But I am not sure if it is worth it, as the old non-DSA driver for IPQ40xx devices that is still used in 22.03 was always a bit quirky regarding VLANs.

Fremont · April 28, 2023, 6:42am

The upstream router is properly configured. It serves as a gateway and DHCP server for VLAN 114 on another tagged port, and everything works fine for the computers and managed switches connected downstream which rely on that VLAN.

Here's the network. I simplify, both the router and switches hosting several subnets.

===============  Upstream router =================
| Port 1                      | Port 2
| VLAN 114 tagged             | VLAN 114 tagged
|                             |
|                       DAP-2610 (VLAN tests)
|
Managed switch running OpenWRT
|                      |
|                      |
|              Devices on 114 subnet
|
| VLAN 114 tagged
|
Managed switch running OpenWRT
|
|
Devices on 114 subnet

For the test, I connect the AP to another port of the upstream router, on which tagged VLAN 114 is set (all other VLAN being set as off on that port).

psherman · April 28, 2023, 6:50am

Great. We should be able to eliminate that as part of the issue (you'd be amazed how many times it is an upstream misconfiguration that is the actual culprit).

Did you try the recipe I provided in #33 above?

Fremont · April 28, 2023, 9:26am

To exclude any problem related to the ethernet cables and keystones jacks of my rack, I plugged the AP on the port of my upstream router where I do the tests related to that VLAN configuration. I set the IP adress of the AP : 192.168.114.102. I set the port of the upstream router as untagged. I can access the AP at its adress (192.168.114.102). So, the ethernet cable and the keystone jack are OK. For the rest of the tests, I'll set the port of the upstream router as tagged for VLAN 114, and everything else as off for that port.

I was ready to test, but I the recipe, as I understand it, is to use VLAN 114 for WLAN (guest or IOT network). For my tests, I try to define the management IP adress of the router on VLAN 114. I'll look at the other VLANs later. I want everything to be tagged on the unique ethernet port of the AP.

psherman · April 28, 2023, 3:37pm

I had made the assumption, possibly incorrectly, that VLAN114 would be for the guest/IoT network, and would not be used for managing your infrastructure devices.

Usually, a dumb AP only has an address on the management netowrk, and the other network(s) are transparently bridged with no address.

I did notice one possible mistake in my recipe, but before I bother to try to fix it, maybe it is best for you to answer the following:

What VLANs will be on the eth0 port?
What is the arrangment of each of the VLANs (for example: VLAN 1 untagged + VLAN 114 tagged, or VLAN 1 tagged + VLAN 114 tagged, etc.)
What is the function of each network (i.e. VLAN 1 for management, no wifi; VLAN 114 for wifi only; or maybe both with wifi but VLAN 1 for managemnet, etc.)