VLAN trunk with WAN and LAN traffic?


I have the following problem: In one of the rooms at home, I have a TV with a set-top box, along with some other network devices. The set-top box requires a direct connection to the cable modem (WAN), while the other devices should be behind my router in the local network (LAN). Unfortunately I have only one Ethernet cable available. Thus the only solution is to use VLANs to transport both WAN and LAN traffic over the same cable to a small managed switch.

But how do I configure my Turris Omnia? Unlike most other routers, the WAN port is directly connected to a CPU port, and not to the internal switch:


Thus the standard OpenWrt method to configure VLANs on the internal switch doesn't work here, because WAN traffic never reaches the switch.

Note that the latest Turris Omnia 4.0 release (based on OpenWrt 18.06) is using the DSA switch driver. Hence the internal switch does not use swconfig anymore. But I don't think that really matters here.

Now, what I want to achieve is to configure 3 tagged VLANs on port 4 of the internal switch:

  • VLAN 1 (LAN)
  • VLAN 2 (WAN)
  • VLAN 3 (GUEST)

The 4 other ports should remain normal LAN ports.

Is the following configuration the correct way to do this?

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask ''
	option ip6assign '60'
	option bridge_empty '1'
	option _turris_mode 'managed'
	option ipaddr ''
	option ifname 'lan0 lan1 lan2 lan3 lan4.1'

config interface 'wan'
	option proto 'dhcp'
	option ipv6 '1'
	option type 'bridge'
	option ifname 'eth2 lan4.2'

config interface 'guest'
	option enabled '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option bridge_empty '1'
	option ifname 'lan4.3'


What is keeping you from assigning a dedicated port on the managed switch as access port in the wan vlan that will connect to the wan port of Turris?

The cable modem and the router are in a different room than the switch with the set-top box (needing wan) and a few other devices (needing lan).

If you don't want to buy another managed switch to use on the other side of the cable, or you cannot run a second cable, that config along with the proper vlan assignment in switch configuration should do the trick.

I already have a second (managed) switch sitting next to the router, because I need more than the 5 ports my router has. I left that out of the description for simplicity. Basically the network looks like this:

Are there any disadvantages of this configuration? Does bridging the wan interface have a negative impact on performance? I want to enable SQM on the wan interface.

I assume you mean something like this setup?

The downside is that it uses two extra ports of the main switch. Right now I still have those ports available, but that might change in the near future.

Also in my setup, the cable modem and the router are connected to a UPS. That allows me to maintain the wireless network during small power outages and send email notifications in case I'm not home. With the above setup, I would also have to connect the switch to the UPS, which consumes more power.

I also noticed that with the above setup, the management interface of the main switch becomes inaccessible. I suspect the dhcp request goes to the cable modem/isp, and not to my router. This is not only very annoying, but also a security risk. The switch should not be accessible from the internet, only from within the internal network.

It depends on how much traffic you are planning to pass through. With the first design all the WAN traffic goes through the router, even though it might not be its final destination.

You can use the rest of the LAN ports on the router, or upgrade the switch to a larger one.

This is something you need to check and avoid: using the WAN VLAN as native or untagged, except on the access ports. Also use a VLAN id other than 1 for the WAN.

The first diagram is fine but for fully optimum performance you could have both the trunk cable and the cable modem plugged into ports of the hardware switch. Then the CPU is not involved at all with STB traffic. Using the existing wan and a br-wan software bridge means that the kernel must switch the STB packets through by software.

The downside of that is that all LAN to Internet activity goes in and out the same eth port ("one-armed" routing), which can be a bottleneck if your ISP rate approaches the Ethernet line speed.

That's only relevant for the traffic going to the STB, right? Because the "regular" traffic between LAN-WAN has to pass through the router anyway. Or does the bridging affect that traffic as well?

As far as I know, the STB only needs internet access for the program guide, interactivity, etc. The actual audio/video signal goes over the coax cable. So I assume the amount of traffic is relatively small. (Before switching to a VLAN based setup, I used a powerline adapter for the STB to work around the single cable problem. The powerline is probably a lot slower and it worked just fine. But since I needed a switch anyway for the extra ports, I took the opportunity to buy a managed switch in order to get rid of the powerline adapters.)

I care mainly about high network performance for devices inside the LAN (e.g. LAN-LAN and LAN-WAN communication). If the performance for the STBs is a bit less optimal, that's fine because they don't really need it.

The VLANs on the main switch are configured as follows:

  • VLAN 1 = LAN (1t, 5-16)
  • VLAN 2 = WAN (1t, 2-4)

Thus each access port is untagged, and its PVID is set to the corresponding VLAN id. For the trunk ports, the VLANs are all tagged (i.e. no mixed untagged and tagged traffic) and the PVID is set to the LAN id.

This looks correct to me. But nevertheless I have the feeling there is something going wrong in the setup. First there is the DHCP issue. I temporarily work around that problem by configuring the main switch with a static IP address. But even then, accessing the management interface of the main switch is painfully slow. When I ping the IP address of the main switch, I see extremely high ping times (~8000ms) and also packet loss. When I ping the secondary switch or other devices in the network, there is no packet loss and normal ping times (~2.5ms for the secondary switch and ~0.5ms for other wired devices).

The two switches are both TP-Link switches: a TL-SG1016DE as the main switch and a TL-SG108E as the secondary switch.

Yes, correct.

Judging by your description it should not be an issue then.

Looks right to me too. My guess is that it has to do with the way the switch deals with management traffic. I would run a tcpdump on the router to verify that DHCP is on the correct VLAN. Also check the manual of the switch if it mentions anything regarding management traffic. Other than that, allow on the firewall the DHCP requests from the STBs only towards the ISP, to be on the safe side.
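The tcpdump suggested above answers one question: on which VLAN do the DHCP requests actually arrive at the router? The following is an added Python example, not code from the thread, from OpenWrt or from tcpdump. It does the decoding step offline: it parses raw Ethernet frames as `tcpdump -e` would show them, pulls out the 802.1Q tag, and flags DHCP that arrives untagged or on a VLAN its source should not be using. The frames and MAC addresses are constructed placeholders, and the set of "WAN clients" (the STB MACs that are supposed to get their lease from the ISP) is an assumption you would fill in from your own network.

```python
"""Decode 802.1Q-tagged frames (as seen in a `tcpdump -e` trace on the router's
trunk port) and report where DHCP traffic is actually flowing: per-VLAN counts,
plus findings for DHCP that is untagged or on the wrong VLAN for its source.
Added example; frames below are constructed test data and the MAC addresses
are placeholders, not the thread's devices."""

import struct
from collections import Counter

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, vlan, sport, dport, dst_mac=BROADCAST, payload=b""):
    """Constructed Ethernet/IPv4/UDP frame, 802.1Q-tagged unless vlan is None."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes(4), b"\xff\xff\xff\xff")
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is None:
        eth += struct.pack("!H", ETH_P_IP)
    else:
        eth += struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ETH_P_IP)
    return eth + ip + udp


def parse_frame(raw):
    """Return src/dst MAC, VLAN id (None if untagged) and whether the frame is DHCP."""
    rec = {"dst": mac_str(raw[0:6]), "src": mac_str(raw[6:12]), "vlan": None, "dhcp": False}
    off = 12
    ethertype = struct.unpack_from("!H", raw, off)[0]
    off += 2
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", raw, off)  # TCI then inner ethertype
        rec["vlan"] = tci & 0x0FFF
        off += 4
    if ethertype != ETH_P_IP:
        return rec
    ihl = (raw[off] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[off + 9] != IPPROTO_UDP:      # protocol field
        return rec
    sport, dport = struct.unpack_from("!HH", raw, off + ihl)
    rec["dhcp"] = sport in DHCP_PORTS and dport in DHCP_PORTS
    return rec


def audit_dhcp(frames, wan_vlan, wan_clients):
    """Count DHCP frames per VLAN and flag ones on a VLAN their source should not use.
    wan_clients: MACs (e.g. the STBs) that legitimately get their lease from the ISP."""
    per_vlan = Counter()
    findings = []
    for raw in frames:
        rec = parse_frame(raw)
        if not rec["dhcp"]:
            continue
        per_vlan[rec["vlan"]] += 1
        src = rec["src"]
        if rec["vlan"] is None:
            findings.append(f"untagged DHCP from {src}: the trunk PVID is letting untagged frames through")
        elif src in wan_clients and rec["vlan"] != wan_vlan:
            findings.append(f"WAN client {src} is requesting DHCP on VLAN {rec['vlan']}")
        elif src not in wan_clients and rec["vlan"] == wan_vlan:
            findings.append(f"LAN device {src} is requesting DHCP on the WAN VLAN {wan_vlan}")
    return per_vlan, findings


# Constructed sample: STB on WAN VLAN (fine), laptop on LAN VLAN (fine), the switch's
# management CPU on the WAN VLAN (the thread's symptom), and one untagged request.
STB, LAPTOP, SWITCH_MGMT = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SAMPLE_FRAMES = [
    build_frame(STB, 2, 68, 67),
    build_frame(LAPTOP, 1, 68, 67),
    build_frame(SWITCH_MGMT, 2, 68, 67),
    build_frame(LAPTOP, None, 68, 67),
    build_frame(LAPTOP, 1, 40000, 53),  # DNS, not DHCP: ignored
]

if __name__ == "__main__":
    counts, notes = audit_dhcp(SAMPLE_FRAMES, wan_vlan=2, wan_clients={STB})
    print(dict(counts))
    for n in notes:
        print("-", n)
```

On the Omnia the trace would be taken on the DSA port carrying the trunk (`tcpdump -e -n -i lan4`; `-e` prints the link-level header, so the 802.1Q tag is visible). A request from the switch's management MAC on VLAN 2 is exactly the case where the lease comes from the ISP instead of the router.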

But then I'm still better off with the second diagram, right? At the cost of using one extra port on the main switch of course. The only good reason I can think of for choosing such a "one-armed" router setup is if I wanted to place the router in another location, away from the cable modem and main switch. For example to place the router in a more central location in the house to achieve better wireless coverage. (In my setup the router is indeed in the worst possible location. I'm planning to add an extra access point instead.)

The ISP rate is currently 300 Mbps down and 20 Mbps up. That's also the actual speed I measure. They do already offer 1Gbps, so it's not unlikely we'll see higher speeds in the future.

Hmm, I just discovered that if I disconnect the cable modem from the main switch, those high ping times immediately disappear and the management interface becomes responsive again. Does that indicate a problem with the switch or its configuration? How do I check this?

Look for duplicate IP addresses. Long times to eventually get a lucky random response suggest devices are fighting on the same address.

When you're switching the modem through one of the managed switches you have to be sure the VLANs are completely separate. On a trunk port the pvid should be 4095, i.e. blackhole any untagged packets. On an access port (untagged) the pvid must be the same as the VLAN number.

VLAN 1 could be your LAN; this is where the switch management CPU listens (on a good non-duplicated IP address). I don't remember if you can delete or reassign VLAN 1 in those switches.

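The rules given in this thread for the switch side (trunk PVID 4095 or the LAN VLAN, access ports untagged in exactly one VLAN with a matching PVID, the WAN VLAN neither VLAN 1 nor native on a trunk) can be checked mechanically before plugging the modem in. The following is an added Python example, not anything from the thread and not TP-Link's configuration format; the `Port` model and the use of 4095 as the blackhole PVID are assumptions modelled on the advice above, and the port layout it encodes is the one jefdriesen listed (VLAN 1 = LAN on 1t, 5-16; VLAN 2 = WAN on 1t, 2-4).

```python
"""Check a managed switch's 802.1Q port table against the rules given in this
thread: trunks carry every VLAN tagged and use PVID 4095 (drop untagged) or the
LAN VLAN, access ports are untagged in exactly one VLAN with PVID equal to it,
and the WAN VLAN is neither VLAN 1 nor native on a trunk.
Added example; the Port model is an assumption, not the switch's own format."""

from dataclasses import dataclass, field

BLACKHOLE_PVID = 4095  # PVID that drops untagged frames on a trunk (mk24's advice)


@dataclass
class Port:
    number: int
    tagged: set = field(default_factory=set)    # VLANs carried with an 802.1Q tag
    untagged: set = field(default_factory=set)  # VLANs carried without a tag
    pvid: int = 1                               # VLAN assigned to untagged ingress


def check_vlan_table(ports, wan_vlan, lan_vlan=1):
    """Return a list of human-readable problems; an empty list means the table is sane."""
    problems = []
    if wan_vlan == 1:
        problems.append("WAN VLAN must not be VLAN 1 (default/management VLAN)")
    for p in ports:
        both = p.tagged & p.untagged
        if both:
            problems.append(f"port {p.number}: VLAN(s) {sorted(both)} both tagged and untagged")
        if len(p.untagged) > 1:
            problems.append(f"port {p.number}: untagged in more than one VLAN {sorted(p.untagged)}")
        if p.tagged:  # any tagged membership makes this a trunk
            if p.untagged:
                problems.append(f"port {p.number}: trunk mixes untagged VLAN(s) {sorted(p.untagged)} with tagged traffic")
            if p.pvid == wan_vlan:
                problems.append(f"port {p.number}: WAN VLAN {wan_vlan} is native on a trunk")
            elif p.pvid not in (BLACKHOLE_PVID, lan_vlan):
                problems.append(f"port {p.number}: trunk PVID {p.pvid} should be {BLACKHOLE_PVID} or the LAN VLAN {lan_vlan}")
        elif not p.untagged:
            problems.append(f"port {p.number}: not a member of any VLAN")
        elif p.pvid not in p.untagged:
            problems.append(f"port {p.number}: access PVID {p.pvid} differs from its untagged VLAN {sorted(p.untagged)}")
    return problems


def thread_table(trunk_pvid=BLACKHOLE_PVID):
    """The 16-port layout from the thread: VLAN 1 = LAN (1t, 5-16), VLAN 2 = WAN (1t, 2-4)."""
    ports = [Port(1, tagged={1, 2}, pvid=trunk_pvid)]
    ports += [Port(n, untagged={2}, pvid=2) for n in range(2, 5)]
    ports += [Port(n, untagged={1}, pvid=1) for n in range(5, 17)]
    return ports


if __name__ == "__main__":
    for name, pvid in (("blackhole trunk", BLACKHOLE_PVID), ("WAN-native trunk", 2)):
        print(name, check_vlan_table(thread_table(pvid), wan_vlan=2) or "OK")
```

The check deliberately accepts both trunk PVIDs mentioned in the thread (4095 and the LAN id); what it never accepts is the WAN VLAN as the trunk's native VLAN, which is the misconfiguration that would let untagged frames from the modem side land in the LAN.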

Wireshark or tcpdump are good tools to try to find the kind of things that mk24 suspects. Wireshark and port/VLAN mirroring on the switch would be my first choice of approach.

(Not all switches support VLAN mirroring)

Checking the various ARP tables and logs for “is using my address” kinds of messages may also provide clues.

On my local network, there are no duplicate IP addresses. All devices receive their IP address through DHCP from the router (either a dynamic lease in the range 100-150, or a static lease in the range 2-100). Only the switch has a fixed IP address, but it doesn't conflict with any other device.

Suppose there was indeed a duplicate IP address, shouldn't I see the same kind of problems with the cable modem disconnected?

The main switch VLAN settings are as follows:
Note: compared to my diagrams above, ports 1 and 2 are swapped.

The problem appears to be the main TL-SG1016DE switch. For testing, I replaced it with the secondary TL-SG108E switch, with exactly the same configuration, and that works just fine. Normal ping times and the management interface is very responsive. So I can only conclude the TL-SG1016DE switch is buggy.


Hi jefdriesen, how did you finally configure your router? I have almost the same problem.
Only my modem and my (unmanaged) switch are in the same room. My router, my digicorder and my other network devices are in the living room.