Hey Luiz,
On 8.09.2022 06:28, Luiz Angelo Daros de Luca wrote:
>> - Bridge device "br-vlan10" containing "lan1.10 lan2.10 lan3.10"
>> - VLAN filtering disabled
>
> Bridging virtual 802.1q interfaces might fail in some scenarios, like
> when you use vlan1 or mix tagged with untagged traffic
> (https://github.com/openwrt/openwrt/issues/9066)
> I do recommend bridge-vlan as the first option, although ip-bridge is
> not installed by default.
>
> I know that it is a little bit off topic but I would love some
> transitioning code that could mimic swconfig devices as if they were
> DSA. Instead of using swconfig settings for tagged vlans/isolated
> ports, just create fake lan1, lan2, wan interfaces (802.1q) and derive
> the swconfig settings from that. I've been doing that for some time,
> creating switch_vlan configs from bridge+bridge-vlan and replacing the
> user ports with the CPU port in every related bridge-vlan. This way I
> can share the config with swconfig, DSA and even devices without
> switches (VM like gns3) if I rename eth0, eth1, eth2 to lan1, wan,
> lan2. The only downsides are that untagged bridging is done using
> software bridge and the config is generated as a single-shot step
> (uci-default). However, if that mapping is done inside netifd, I
> believe it might be able to better handle those cases.

I tried this two months ago, here are the steps I took to be precise:
## Set up the Interfaces
- Put each port on a different VLAN as untagged, set the CPU port tagged.
- Rename ethX.y to the switch port name you want (optional).
  - There’s currently no way. So just ignore ethX.y interfaces and
    manually create VLAN interfaces of ethX with the interface name
    mimicking DSA.
- Put the manually created interfaces on a VLAN filtering enabled bridge.
## Untagged
- Set a VLAN ID as untagged on the manually created interfaces.
- Configure LAN with that VLAN interface of the bridge to be able to
reach the router from the switch ports.
This works great until tagged frames are involved:
## Tagged
- Set a VLAN ID as tagged for a manually created interface.
- Create a new network with that VLAN interface of the bridge. Set
IP to 192.168.1.1/24 and use a firewall zone with everything allowed.
- Set that VLAN ID on the computer and set IP to 192.168.1.2/24.
- Ping 192.168.1.2 from the router.
- See if tagged frames pass the switch port with the bridge VLAN
  filtering feature.
  - Tagged frames leave the switch port. However, tagged frames
    coming in will be dropped since the port was configured to only allow
    untagged frames.
If someone is confused like I was before, swconfig’s VLAN filtering
won’t interfere with bridge VLAN filtering because they are separate
systems.
With these findings, there are two changes I can see being made to swconfig:
- Allow custom names for the VLAN interface of the CPU port.
- Allow forwarding tagged frames to the CPU port coming from a switch
port set as untagged.
Nonetheless, this is extremely hacky so I just put this out here for
some fun talk.
Arınç
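
The mapping described in the quoted message above (switch_vlan sections generated from bridge-vlan entries, with the user ports replaced by the CPU port in each bridge-vlan), as an added example that is not code from this thread. The port map, CPU port 0, `eth0`, `switch0` and the sample bridge-vlan entries are constructed values for a hypothetical board.

```python
# Added example, not code from the thread. The board layout below is assumed.
PORT_MAP = {"lan1": 1, "lan2": 2, "lan3": 3, "wan": 4}  # DSA-style name -> switch port
CPU_PORT = 0         # switch port wired to the SoC
CPU_NETDEV = "eth0"  # netdev behind the CPU port
SWITCH = "switch0"   # swconfig device name

# Constructed sample: bridge-vlan sections written with DSA-style port names.
BRIDGE_VLANS = [
    {"device": "br-lan", "vlan": 1, "ports": ["lan1:u*", "lan2:u*"]},
    {"device": "br-lan", "vlan": 10, "ports": ["lan3:u*", "wan:t"]},
]

def to_swconfig(bridge_vlans):
    """Return (switch_vlan sections, bridge-vlan sections rewritten onto the CPU port)."""
    switch_vlans, rewritten, untagged_in = [], [], {}
    for bv in bridge_vlans:
        members = [(CPU_PORT, True)]  # CPU port carries every VLAN tagged
        for entry in bv["ports"]:
            name, _, flags = entry.partition(":")
            if name not in PORT_MAP:
                raise ValueError(f"no switch port mapped for {name!r}")
            tagged = "t" in flags
            # This example allows one untagged VLAN per user port.
            if not tagged and untagged_in.setdefault(name, bv["vlan"]) != bv["vlan"]:
                raise ValueError(f"{name} untagged in VLANs {untagged_in[name]} and {bv['vlan']}")
            members.append((PORT_MAP[name], tagged))
        ports = " ".join(f"{n}{'t' if t else ''}" for n, t in sorted(members))
        switch_vlans.append({"device": SWITCH, "vlan": bv["vlan"], "ports": ports})
        # The software bridge now sees only the tagged CPU netdev for this VLAN.
        rewritten.append({**bv, "ports": [f"{CPU_NETDEV}:t"]})
    return switch_vlans, rewritten

def render(kind, sections):
    """Render sections as UCI text."""
    lines = []
    for sec in sections:
        lines.append(f"config {kind}")
        for key, val in sec.items():
            if isinstance(val, list):
                lines += [f"\tlist {key} '{v}'" for v in val]
            else:
                lines.append(f"\toption {key} '{val}'")
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    sw, br = to_swconfig(BRIDGE_VLANS)
    print(render("switch_vlan", sw))
    print(render("bridge-vlan", br))
```
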