VLAN not working in 22.03 through netifd

David Woodhouse dwmw2 at infradead.org
Sun Nov 6 09:16:32 PST 2022


On my border router I've set up an IPv6-only wireless network with NAT64
and want to share it over the wired network, which means it's time for
me to set up VLANs.

I'm using a BT HomeHub 5a (lantiq xrx200). It has five physical ports,
appearing as 'wan', and 'lan[1234]'. In OpenWrt 22.03 it's using DSA.

I have 'lan4' connected to an external VLAN-capable switch (TL-SG116E)
in tagged mode. The nat64 network 'br-lan6' is VLAN 3.

I can make things work manually:

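# Create an 802.1Q sub-interface for VLAN 3 on top of the tagged port lan4.
ip link add link lan4 name lan4.3 type vlan id 3
# Attach it to the NAT64 bridge. The original line wrote 'br-nat6'; the rest
# of the post and the posted config call this bridge 'br-lan6'.
brctl addif br-lan6 lan4.3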

However, if I configure that in OpenWrt like this:

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '3'
	option name 'lan4.3'

... and then include lan4.3 in the set of 'br-lan6' devices, it doesn't
work. netifd just doesn't create the VLAN device lan4.3.

After rebooting to try to make that work, I realised that even when I'm
doing it manually the underlying 'lan4' device has to be attached to a
bridge in order for the lan4.3 creation to work. It was like that by
accident the first time. So actually, the manual sequence is:

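 # Temporary bridge: per the text above, lan4 had to be attached to a bridge
 # before the VLAN sub-interface could be created.
 brctl addbr fakebr
 brctl addif fakebr lan4
 # The original line named the device 'lan4.34', which does not match the
 # 'lan4.3' added to br-lan6 below; the name is aligned here.
 ip link add link lan4 name lan4.3 type vlan id 3
 # The temporary bridge is no longer needed once lan4.3 exists.
 brctl delbr fakebr
 brctl addif br-lan6 lan4.3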

That made me wonder if I was Doing It Wrong. So I tried a different
approach — make a bridge 'br-tag' with only the 'lan4' device in it,
then create a 'br-tag.3' vlan and put *that* into br-lan6. Eventually
I'll be using tagged mode on more than just one test port, so that
approach might even make more sense anyway.

So now it looks like this:

config device
	option name 'br-lan'
	option type 'bridge'
	option stp '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'tag.2'
	list ports 'wan'

config device
	option name 'br-lan6'
	option type 'bridge'
	list ports 'tag.3'

config device
	option type 'bridge'
	option name 'tag'
	option bridge_empty '1'
	option stp '0'
	option ipv6 '0'
	list ports 'lan4'

config device
	option type '8021q'
	option ifname 'tag'
	option vid '1'
	option name 'tag.1'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'tag'
	option vid '2'
	option name 'tag.2'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'tag'
	option vid '3'
	option name 'tag.3'
	option ipv6 '0'


That worked, but *only* for VLAN2, which is in the original 'br-lan', and
*not* for VLAN3; tag.3 is missing from br-lan6 in the brctl output:

bridge name	bridge id		STP enabled	interfaces
tag		7fff.06bde9e2bd93	yes		lan4
br-lan6		7fff.06bde9e2bd93	yes		wlan1-1
br-lan		7fff.06bde9e2bd93	yes		wlan0-1
							lan2
							wlan0
							tag.2
							wan
							lan3
							wlan1
							lan1

If I manually create the tag.3 device and add it to br-lan6, it works
fine. Why didn't netifd do it for me?

Is this even the right way to set things up, with bridges-in-bridges?
Should I assume that DSA makes this work without being too suboptimal?


Here's the full content of the network config. It also shows a third
internal network, br-nat, which will use VLAN1; that one doesn't work
either unless I create the VLAN device manually.

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd64:708a:2365::/48'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option xfer_mode 'ptm'
	option ds_snr_offset '0'
	option line_mode 'vdsl'
	option firmware '/lib/firmware/lantiq-vrx200-a.bin'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '90.155.92.193'
	option netmask '255.255.255.192'
	option broadcast '90.155.92.255'
	option accept_ra '1'
	option ip6prefix '2001:8b0:10b:1::/64'
	list dns '90.155.92.209'
	list dns '217.169.20.20'
	list ip6addr '2001:8b0:10b:1::1/64'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '18:62:2c:5d:94:6a'

# PPPoE uplink running over the VLAN 101 sub-interface of the DSL device.
config interface 'vdsl'
	option proto 'pppoe'
	# 'xxxxx' / 'yyyyy' look like placeholders substituted before posting.
	# The live file holds the real ISP credentials in clear text, so the
	# network config should be treated as a secret when sharing it.
	option username 'xxxxx'
	option password 'yyyyy'
	# pppd 'debug' logs the contents of control packets to syslog. pppd hides
	# the PAP password there unless 'show-password' is also set, but logs
	# should still be reviewed before they are posted publicly.
	option pppd_options 'debug'
	option mtu '1500'
	option ipv6 'auto'
	option device 'dsl0.101'

config route6
	option interface 'vdsl'
	option target '::/0'
	option metric '1'

# NOTE(review): 'switch_vlan' is the swconfig-era section type, where
# 'device' names a switch. Here it names network devices ('dsl0', 'lan4'),
# and the post says this target uses DSA in 22.03, so these three sections
# probably have no effect. Confirm this, and check whether 'bridge-vlan'
# sections are what is wanted instead.
# If VLANs 2 and 3 are meant to separate networks, the tagging should be
# verified on the wire rather than assumed from these entries.
config switch_vlan 'dsl0_101'
	option device 'dsl0'
	option vlan '101'
	option vid '101'

config switch_vlan 'lan4_3'
	option device 'lan4'
	option vlan '3'
	option vid '3'

config switch_vlan 'lan4_2'
	option device 'lan4'
	option vlan '2'
	option vid '2'

config interface 'aa101'
	option proto 'none'
	option mtu '1508'
	option delegate '0'
	option device 'dsl0.101'

config interface 'dsl0'
	option proto 'none'
	option mtu '1508'
	option delegate '0'
	option device 'dsl0'

config interface 'lan6'
	option type 'bridge'
	option proto 'static'
	option ip6prefix '2001:8b0:10b:3::/64'
	option stp '1'
	list ip6addr '2001:8b0:10b:3::1/64'
	option device 'br-lan6'

config route
	option interface 'lan'
	option target '90.155.50.32/28'
	option gateway '90.155.92.209'

config route6
	option interface 'lan'
	option target '2001:8b0:10b:4::/64'
	option gateway '2001:8b0:10b:1:21d:7dff:fe04:dbe2'

config route6
	option interface 'lan'
	option target '2001:8b0:10b:2::/64'
	option gateway '2001:8b0:10b:1:21e:67ff:fecb:7a92'

config route
	option interface 'lan'
	option gateway '90.155.92.213'
	option target '81.2.98.172/30'

config route6
	option interface 'lan'
	option target '2001:8b0:10b:7::/64'
	option gateway '2001:8b0:10b:1:21e:67ff:fecb:7a92'

config route6
	option interface 'lan'
	option target '2001:8b0:10b:1234::/64'
	option gateway '2001:8b0:10b:1:d65d:64ff:fe57:4e05'

config route
	option interface 'lan'
	option target '178.238.156.104/29'
	option gateway '90.155.92.199'

config route
	option interface 'lan'
	option target '224.0.0.0'
	option netmask '255.255.0.0'

config interface 'dummy0'
	option proto 'static'
	list ip6addr '2001:8b0:10b:1::1234'
	option device 'dummy0'

config route6
	option target '2001:8b0:10b:1230::/64'
	option gateway '2001:8b0:10b:1:d65d:64ff:fe57:4e05'
	option interface 'lan'

config interface 'nat'
	option proto 'static'
	option type 'bridge'
	option delegate '0'
	option stp '1'
	option ipaddr '172.31.31.1'
	option netmask '255.255.255.0'
	option broadcast '172.31.31.255'
	list ip6addr '2001:8b0:10b:5::1/64'
	option ip6prefix '2001:8b0:10b:5::1/64'
	option device 'br-nat'

config device
	option name 'br-lan'
	option type 'bridge'
	option stp '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'tag.2'
	list ports 'wan'

config device
	option name 'br-lan6'
	option type 'bridge'
	list ports 'tag.3'

config device
	option name 'br-nat'
	option type 'bridge'

config route6
	option target '2001:8b0:10b::/64'
	option type 'unreachable'
	option interface 'vdsl'

config route6
	option interface 'vdsl'
	option type 'unreachable'
	option target '2001:8b0:10b:1220::/60'

config device
	option name 'wan'

config device
	option name 'eth0'

config device
	option name 'dsl0.101'
	option type '8021q'
	option ifname 'dsl0'
	option vid '101'

config device
	option name 'lan4'

config device
	option name 'dsl0'

config device
	option type 'bridge'
	option name 'tag'
	option bridge_empty '1'
	option stp '0'
	option ipv6 '0'
	list ports 'lan4'

config device
	option type '8021q'
	option ifname 'tag'
	option vid '1'
	option name 'tag.1'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'tag'
	option vid '2'
	option name 'tag.2'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'tag'
	option vid '3'
	option name 'tag.3'
	option ipv6 '0'
