VLAN question and IP-address assign

Hi,

The router has 2 physical devices: 1-port eth1 and 4-ports eth0.

 ls -l /sys/class/net
lrwxrwxrwx    1 root     root             0 Jan 19 12:04 br-lan -> ../../devices/virtual/net/br-lan
lrwxrwxrwx    1 root     root             0 Jan 21 14:50 br-vlan1 -> ../../devices/virtual/net/br-vlan1
lrwxrwxrwx    1 root     root             0 Jan 21 14:50 br-vlan2 -> ../../devices/virtual/net/br-vlan2
lrwxrwxrwx    1 root     root             0 Dec 31  1969 eth0 -> ../../devices/platform/ixp4xx_eth.32/net/eth0
lrwxrwxrwx    1 root     root             0 Jan 21 14:50 eth0.1 -> ../../devices/virtual/net/eth0.1
lrwxrwxrwx    1 root     root             0 Jan 21 14:50 eth0.2 -> ../../devices/virtual/net/eth0.2
lrwxrwxrwx    1 root     root             0 Dec 31  1969 eth1 -> ../../devices/platform/ixp4xx_eth.16/net/eth1
lrwxrwxrwx    1 root     root             0 Jan 21 15:00 gre0 -> ../../devices/virtual/net/gre0
lrwxrwxrwx    1 root     root             0 Jan 21 15:00 gretap0 -> ../../devices/virtual/net/gretap0
lrwxrwxrwx    1 root     root             0 Jan 21 15:00 ip_vti0 -> ../../devices/virtual/net/ip_vti0
lrwxrwxrwx    1 root     root             0 Dec 31  1969 lo -> ../../devices/virtual/net/lo
lrwxrwxrwx    1 root     root             0 Jan 19 11:10 vti0 -> ../../devices/virtual/net/vti0

Configs are:

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option ip6assign '60'
	option delegate '0'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'vlan1'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option type 'bridge'
	option ifname 'eth0 eth0.1'
	option ipaddr '192.168.222.1'

config interface 'vlan2'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option type 'bridge'
	option ifname 'eth0 eth0.2'
	option ipaddr '192.168.223.1'

I can ping both 222.1 and 223.1 from 1.0 subnet.

I can't assign any PC an IP address from 222.1 or 223.1 (in other words, how do I connect to those VLANs?)

The point is that physically connecting devices to any of the 4 eth0 ports results in nothing - IP is not assigned.
Installing the switch is not working (the message is: switch0 has unknown topology....)

What am I missing?

Let's start with the version of OpenWrt you are using... there are some issues here, but how we fix them depends on the version you are using...

what is the output of ubus call system board


TNX for response
18.06.2

 ubus call system board
{
        "kernel": "4.9.152",
        "hostname": "host",
        "system": "XScale-IXP42x Family rev 0 (v5b)",
        "model": "USRobotics USR8200",
        "board_name": "generic",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.2",
                "revision": "r7676-cddd7b4c77",
                "target": "ixp4xx\/generic",
                "description": "OpenWrt 18.06.2 r7676-cddd7b4c77"
        }
}

And yes, I know all is quite old... )

This is very old... it has been EOL for many years and is unsupported now.

Is there a reason you have not (or cannot) upgrade to a newer release (preferably 22.03.3 if your device is still supported)?


You created three bridges.
All three bridges contain the eth0 device.

I guess since eth0 is (entirely) part of the first bridge as well as (entirely) of the second as well as (entirely) part of the third, you may effectively have created a somewhat clumsy huge bridge.

Could you please explain the topology you are trying to achieve?

I don't know what happens when you mess up your interfaces. Does your router have serial console and do you have hardware to connect to it? There's a chance we break networking entirely, so having a backup plan in terms of serial console access would be a good idea.

If you do have serial access: We're good, we can always change things this way.
If you don't have serial access: I suggest creating an additional (fourth) network that is not connected to any physical interface, but to Wi-Fi. If this works, we can always use that wifi-only management network, just in case we break your physical ports' config.

As to your topology:

If you want to have eth0.1 as well as eth0.2 assigned to your devices, the pure eth0 should never be part of another interface.
So just drop it from vlan1 and vlan2 and make them option ifname 'eth0.1' and option ifname 'eth0.2'.
You currently have eth0 as part of your "lan" interface. This one has to go as well.

Your setup tells me there's some knowledge missing about how vlan (IEEE 802.1Q) works.

Please have a look at the diagram on wikipedia: https://en.wikipedia.org/wiki/IEEE_802.1Q

Vlans are not "just some sort of additional network interface". They are actually implemented as additional data within IP packages. We call it a "tagged" package, since it contains the "vlan tag" information.
So a given IP package cannot be both tagged and untagged. But having it both ways at the same time is what you did on your vlan1 and vlan2 interfaces by adding eth0 as well as eth0.1, and especially reusing eth0 on your lan interface.

I guess you're going to have a problem when your switch is not working properly. The network interface "vlan1" should always "output" the IP packages "tagged". It is now the switch's responsibility to strip the tags out and egress the cleaned IP package out of all the switch ports that are marked as "tagged", and in case of incoming packages, it's the switch's responsibility to add those vlan tag data to IP packages in order for your interface to only pick up on those with proper tags.

So without having a working switch config, I guess there's no way to go from here.

Regards,
Stephan.

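Added example (not part of the thread and not OpenWrt's own tooling): a small audit of an 18.06-style network file for the two patterns pointed out in the reply above, a device placed in more than one bridge and a VLAN sub-interface bridged together with its untagged parent. The function names `audit_network` and `sample_config` are made up for this illustration, and the sample config is constructed from the `ifname`/`type` lines posted in this thread.

```shell
# Added example: audit an OpenWrt 18.06-style network file ("option ifname")
# read on stdin. SHARED = one device listed in several bridges (a Linux device
# can be a port of only one bridge); MIXED = VLAN sub-interface plus its parent.
audit_network() {
    awk '
    function flush(   i, j, n, d, base) {
        if (iface == "") return
        n = split(devs, d, " ")
        for (i = 1; i <= n; i++) {
            if (bridge) { nbr[d[i]]++; users[d[i]] = users[d[i]] " " iface }
            base = d[i]
            if (sub(/\.[0-9]+$/, "", base))      # eth0.1 -> eth0
                for (j = 1; j <= n; j++)
                    if (d[j] == base) print "MIXED " iface ": " base " + " d[i]
        }
    }
    $1 == "config" {                             # a new section starts
        flush(); iface = ""; devs = ""; bridge = 0
        if ($2 == "interface") { iface = $3; gsub(/\047|"/, "", iface) }
        next
    }
    iface != "" && $1 == "option" && $2 == "type" && $3 ~ /bridge/ { bridge = 1 }
    iface != "" && $1 == "option" && $2 == "ifname" {
        devs = $0; sub(/^[ \t]*option[ \t]+ifname[ \t]+/, "", devs)
        gsub(/\047|"/, "", devs)                 # strip UCI quotes
    }
    END {
        flush()
        for (x in nbr) if (nbr[x] > 1) print "SHARED " x ":" users[x]
    }' | sort
}

# Constructed sample: only the ifname/type lines of the config in this thread.
sample_config() { cat <<'EOF'
config interface 'lan'
    option ifname 'eth0'
    option type 'bridge'
config interface 'wan'
    option ifname 'eth1'
config interface 'wan6'
    option ifname 'eth1'
config interface 'vlan1'
    option type 'bridge'
    option ifname 'eth0 eth0.1'
config interface 'vlan2'
    option type 'bridge'
    option ifname 'eth0 eth0.2'
EOF
}
sample_config | audit_network
```

On the router itself the same check would be run as `audit_network < /etc/config/network`; the non-bridged `wan`/`wan6` pair sharing `eth1` is deliberately not reported.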

What @golialive has said is generally correct in terms of how the interfaces are not properly configured for tagged vs untagged and ensuring that each network interface is assigned to the desired ports.

Ho

This is key... maybe a diagram of how you want to connect things and/or description of what you want to happen with each physical port on your device.

Because things are fairly messed up at the moment, the best option is to reset to defaults. I would highly recommend that you upgrade to a modern version of OpenWrt... and do this before going any further (just reset, then upgrade)... once upgraded, configuration should be fairly straight forward -- just post your default config file and we can help you from there.

OK, thanks and let me try to explain what I have step-by-step...

  1. Can't upgrade as the device is discontinued. However, it is doing all its job perfectly, incl. asterisk telephony, ipsec etc etc... and is an important part of one of the ends of my setup.

  2. I have a serial port and used it well.

  3. I added a new server to my network and what I want to do is a) to isolate it (together with its virtual machines) from the rest of the network, including wi-fi, and then b) to allow one wi-fi participant to access the server freely. For that I'd wish to use LAN physical ports to separate access. If it's not possible, it would be even better if VLANs were separated logically, when no matter in which LAN ports units are plugged in, but are bound to VLANs, say by MAC-addresses...

  4. What I tried to do first - I removed the IP address from the LAN interface and switched it to "unmanaged" bridged state; added VLAN1 (eth0.1) and VLAN2 (eth0.2) without bridges and assigned them static IPs and DHCP roles. What I got - only VLAN1 pings, no pings for VLAN2.
    And I checked all 4 LAN ports physically.

I also tried to configure switch0, but it doesn't show any plugged in ports, so I don't understand whether it works at all... So I removed it at all, as what I have read, PROBABLY switch is NOT necessary, and all can be done by eth0.x

In event I lost connectivity, I still can connect from external hotspot network to WAN and to reverse changes... (serial is also possible).

Hope this explained my situation a little...

I was unable to find this device in the OpenWrt supported devices for anything beyond 18.06, so yeah, that may be an issue. I only spent a few mins, though, so maybe there is an upgrade available on official OpenWrt... it would be worth doing a bit more research.

Given that you apparently have lots of services running on this device, I'd suggest that you create a backup that you can use to restore all the existing settings if things go wrong.

I also really don't want to end up messing up your configuration, so I'll say these things:

  1. Consider upgrading to a new device.
  • The version of OpenWrt you are using has known security vulnerabilities, and it is of course EOL and unsupported.
  • the syntax for the network config has changed, and any help will be best effort and best recollection about how that older version works (unless there is someone who actively remembers the old syntax)... there is a risk things could get really messed up (thus the backup suggestion).
  • A new device will be much more performant, too.

So, I'm guessing you only gave us a partial network config file earlier...
If you post the entire file, that might help us understand your current setup and hopefully help you with a working solution. However, often the best way to do this is to reset to defaults because then we have a known good starting point.... so, you might consider that (again, that backup comes in handy... reset > post default network file > restore backup)... you might even be able to simply move your network file so that it is regenerated at the next reboot (mv /etc/config/network /etc/config/network.bak; reboot now)... you can use serial to grab the newly created network file and then copy the backup file back to the original filename.

Yes, I have posted the part of network conf, only related to LAN and VLANs. And of course I have MANY backups )))

Will post "virgin" conf and current one a bit later... At the moment can't stop network functioning.
BUT there will be nothing special - 1 lo, 1 WAN and WAN6 (both eth1), 1 LAN (eth0). That's it.

However, before I do it, could you give me an idea of what has to be done AFTER the VLANs are configured? Say they're set up, how do I "plug" a device into a VLAN then, if I don't use physical ports? By manually assigning to a server an IP from the VLAN's pool (which is NOT preferable)? Bind by MAC? Set VLAN settings on the server's network adapter?

Hopefully it will be straight forward to adapt the configs... doesn't sound like it should be that hard.

You have a few options of how this can work:

  • it is possible to create additional networks that are only associated with wifi and don't have any connections to ethernet... I don't think this is what you're after, though.
  • You can assign one or more port(s) to each subnet... for example, ports 1 and 2 could connect to network #1, ports 3 and 4 could connect to network #2.
  • You can use a trunk port (i.e. multiple networks on the same physical port) by means of tagging one or both of the networks (802.1q tags).
    • Note that if you do this, you need to have a VLAN aware device downstream such as a managed switch or a VLAN aware AP, or a computer that allows you to configure 802.1q tags.

Then there are the more complicated options:

  • I've never tried, but there is something called MAC VLAN which is supposed to auto-assign a device based on the MAC address to the VLAN desired. I'm not sure how well this works and what the prerequisites are.
  • a RADIUS server and 802.1x authentication can do the same thing, but this is a more robust and secure method. However, this is probably the most complex option and is more suited to an enterprise environment than a home network.

And is there a way to do it without using switch0 config?

Probably not if you want wired connections... but we need to see what the default file looks like before I can make a conclusive statement.

Why, though? Is there a reason you don't want to configure switch0?

Meanwhile, it would be really good if you could define what you want to happen with each physical port -- in other words, what will be connected to each port... a diagram could be useful. If there are any switches in the topology, it's also important to note that (along with the brand/model of the switch).

Both asterisk and IPsec are extremely sensitive high-risk packages, not upgrading is not an option for either of them. Especially security issues in asterisk will cost you real money quickly (more than any router you can run OpenWrt on).


I'd wish, but on the Luci's switch web-page, after menu item Switch is created, it says something like "switch0 has unknown topology.... Vlans are unreliable..." and graphical interface doesn't show any ports at all - the row is completely empty.

My guess is that something is seriously messed up with your configuration. That's why reverting to a default state is probably necessary.

Will do. But I'm afraid, it's not about the conf, but the USR8200 hardware...

That's the scheme

And that's the message

If that's the case, it would be yet another reason to get new hardware. But the config you shared previously is certainly wrong... not sure what other changes you had made to the config (stuff we haven't seen yet). Again, seeing the default state of the network config file will be very revealing here, and if the issue isn't related to the hardware itself, the default config may also fix the error you're seeing on the switch page.

Based on your diagram, it looks like 1 port will be dedicated to VLAN1 and an SSID as well. Then 2 ports and an SSID will be connected to VLAN2. That leaves one physical port available to be allocated to one or the other.

What you are hoping to achieve here is absolutely possible with most normal hardware. If the USR8200's switch isn't properly supported, you'll either have to abandon this plan and/or buy new hardware.

OK, does this below say anything about whether the device is supported?

ls -l /sys/class/net
Jan 19 12:04 br-lan -> ../../devices/virtual/net/br-lan
Jan 21 14:50 br-vlan1 -> ../../devices/virtual/net/br-vlan1
Jan 21 14:50 br-vlan2 -> ../../devices/virtual/net/br-vlan2
Dec 31  1969 eth0 -> ../../devices/platform/ixp4xx_eth.32/net/eth0
Jan 21 14:50 eth0.1 -> ../../devices/virtual/net/eth0.1
Jan 21 14:50 eth0.2 -> ../../devices/virtual/net/eth0.2
Dec 31  1969 eth1 -> ../../devices/platform/ixp4xx_eth.16/net/eth1
Jan 21 15:00 gre0 -> ../../devices/virtual/net/gre0
Jan 21 15:00 gretap0 -> ../../devices/virtual/net/gretap0
Jan 21 15:00 ip_vti0 -> ../../devices/virtual/net/ip_vti0
Dec 31  1969 lo -> ../../devices/virtual/net/lo
Jan 19 11:10 vti0 -> ../../devices/virtual/net/vti0

I don't think it shows us anything specific about the switch... but eth0 (and eth0.1 and eth0.2) are likely on the switch... so the question is what the current complete config looks like as well as the default state.

why don't you start by posting the current complete network file?

wanted to post together with clean one.


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fff:eeee:5555::/48'

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option delegate '0'
	option type 'bridge'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option macaddr 'dd:bb:cc:ee:aa:11'
	option peerdns '0'
	option dns '127.0.0.1'
	option delegate '0'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'
	option auto '0'
	option peerdns '0'
	option delegate '0'
	option reqaddress 'try'
	option reqprefix 'auto'
	option dns '0::1'

config interface '2cloud3'
	option proto 'pptp'
	option delegate '0'
	option buffering '1'
	option username 'pptp'
	option defaultroute '0'
	option server 'somehost.clouds1.com'
	option password 'abc'
	option auto '0'

config interface 'IPSEC'
	option ifname 'vti0'
	option proto 'none'
	option delegate '0'

config device
	option name 'ppp0'
	option ipv6 '0'

config interface 'p1_in'
	option proto 'none'
	option delegate '0'
	option ifname 'ppp0'

config interface 'vlan1'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option type 'bridge'
	option ifname 'eth0 eth0.1'
	option ipaddr '192.168.222.1'

config interface 'vlan2'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option type 'bridge'
	option ifname 'eth0 eth0.2'
	option ipaddr '192.168.223.1'