DSA Mini-tutorial still marked as Work In Progress

Arınç ÜNAL arinc.unal at arinc9.com
Thu Sep 8 13:12:51 PDT 2022

Hey Luiz,

On 8.09.2022 06:28, Luiz Angelo Daros de Luca wrote:
>> - Bridge device "br-vlan10" containing "lan1.10 lan2.10 lan3.10"
>>    - VLAN filtering disabled
> Bridging virtual 802.1q interfaces might fail in some scenarios, like
> when you use vlan1 or mix tagged with untagged traffic
> (https://github.com/openwrt/openwrt/issues/9066)
> I do recommend bridge-vlan as the first option, although ip-bridge is
> not installed by default.
> I know that it is a little bit off topic but I would love some
> transitioning code that could mimic swconfig devices as if they were
> DSA. Instead of using swconfig settings for tagged vlans/isolated
> ports, just create fake lan1, lan2, wan interfaces (802.1q) and derive
> the swconfig settings from that. I've been doing that for some time,
> creating switch_vlan configs from bridge+bridge-vlan and replacing the
> user ports with the CPU port in every related bridge-vlan. This way I
> can share the config with swconfig, DSA and even devices without
> switches (VM like gns3) if I rename eth0, eth1, eth2 to lan1, wan,
> lan2. The only downsides are that untagged bridging is done using
> software bridge and the config is generated as a single-shot step
> (uci-default). However, if that mapping is done inside netifd, I
> believe it might be able to better handle those cases.

I tried this two months ago; here are the steps I took, to be precise:

## Set up the Interfaces

- Put each port on a different VLAN as untagged, set the CPU port tagged.
- Rename ethX.y to the switch port name you want (optional).
     - There’s currently no way. So just ignore ethX.y interfaces and 
manually create VLAN interfaces of ethX with the interface name 
mimicking DSA.
- Put the manually created interfaces on a VLAN filtering enabled bridge.

## Untagged

- Set a VLAN ID as untagged on the manually created interfaces.
- Configure LAN with that VLAN interface of the bridge to be able to 
reach the router from the switch ports.

This works great until tagged frames are involved:

## Tagged

- Set a VLAN ID as tagged for a manually created interface.
     - Create a new network with that VLAN interface of the bridge. Set 
IP to and use a firewall zone with everything allowed.
     - Set that VLAN ID on the computer and set IP to
- Ping from the router.
- See if tagged frames pass the switch port with the bridge VLAN 
filtering feature.
     - Tagged frames leave the switch port. However, tagged frames 
coming in will be dropped since the port was configured to only allow 
untagged frames.

If someone is confused like I was before, swconfig’s VLAN filtering 
won’t interfere with bridge VLAN filtering because they are separate 

With these findings, there are two changes I can see being made to swconfig:

- Allow custom names for the VLAN interface of the CPU port.
- Allow forwarding tagged frames to the CPU port coming from a switch 
port set as untagged.

Nonetheless, this is extremely hacky so I just put this out here for 
some fun talk.
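The steps above, written out as a script. This is an added example and not code from the e-mail or from OpenWrt; it assumes a constructed board layout (switch "switch0", CPU port 6 wired to eth0, user ports 0..2 becoming lan1..lan3, VIDs 10 and 20, address 192.0.2.1/24) and only prints the commands unless APPLY=1 is set. The last function encodes the finding from the "Tagged" section: the bridge will send VID 20 tagged out of lan1, but swconfig still admits only untagged frames on switch port 0, so inbound tagged frames are dropped.

```shell
#!/bin/sh
# Added example (not from the e-mail or OpenWrt): drive a swconfig switch
# so that its ports look like DSA ports (lan1..lan3) on a VLAN-filtering
# bridge.  Assumed board layout: switch "switch0", CPU port 6 wired to
# eth0, user ports 0..2.  VIDs 10/20 and the address are constructed.
SWITCH="${SWITCH:-switch0}"
CPU_NIC="${CPU_NIC:-eth0}"
CPU_PORT="${CPU_PORT:-6}"
BRIDGE="${BRIDGE:-br-lan}"
PORTS="lan1:0 lan2:1 lan3:2"   # DSA-style name : switch port number
UNTAGGED_VID=10                # PVID given to every user port on the bridge
TAGGED_VID=20                  # extra VLAN we want tagged on lan1
LAN_ADDR="${LAN_ADDR:-192.0.2.1/24}"   # constructed router address

# Step 1: one swconfig VLAN per user port, the port untagged and the CPU
# port tagged.  Switch port n lands in VLAN n+1, so ethX.(n+1) maps to it.
swconfig_cmds() {
    echo "swconfig dev $SWITCH set reset 1"
    echo "swconfig dev $SWITCH set enable_vlan 1"
    for p in $PORTS; do
        port=${p#*:}
        echo "swconfig dev $SWITCH vlan $((port + 1)) set ports '$port ${CPU_PORT}t'"
    done
    echo "swconfig dev $SWITCH set apply 1"
}

# Step 2: instead of renaming ethX.y, create the 802.1q interfaces by hand
# with DSA-style names.
vlan_if_cmds() {
    for p in $PORTS; do
        name=${p%%:*}; port=${p#*:}
        echo "ip link add link $CPU_NIC name $name type vlan id $((port + 1))"
        echo "ip link set $name up"
    done
}

# Step 3: put them on a VLAN-filtering bridge, give each port the untagged
# PVID, add one tagged VLAN on lan1, and expose both VLANs to the router.
bridge_cmds() {
    echo "ip link add name $BRIDGE type bridge vlan_filtering 1"
    for p in $PORTS; do
        name=${p%%:*}
        echo "ip link set $name master $BRIDGE"
        echo "bridge vlan del dev $name vid 1"
        echo "bridge vlan add dev $name vid $UNTAGGED_VID pvid untagged"
    done
    echo "bridge vlan add dev lan1 vid $TAGGED_VID"
    echo "bridge vlan add dev $BRIDGE vid $UNTAGGED_VID self"
    echo "bridge vlan add dev $BRIDGE vid $TAGGED_VID self"
    echo "ip link set $BRIDGE up"
    # the router's own LAN address lives on br-lan.<untagged VID>
    echo "ip link add link $BRIDGE name $BRIDGE.$UNTAGGED_VID type vlan id $UNTAGGED_VID"
    echo "ip addr add $LAN_ADDR dev $BRIDGE.$UNTAGGED_VID"
    echo "ip link set $BRIDGE.$UNTAGGED_VID up"
}

# The caveat from the thread: the bridge will emit VID $2 tagged on port $1,
# but inbound tagged frames only reach it if swconfig also lists the
# underlying switch port as a tagged member of that VLAN.  Return 0 if so,
# 1 if tagged ingress will be dropped, 2 for an unknown port.
check_tagged_ingress() {
    dev=$1; vid=$2
    for p in $PORTS; do
        [ "${p%%:*}" = "$dev" ] || continue
        port=${p#*:}
        if swconfig_cmds | grep -E -q "vlan $vid set ports '(.* )?${port}t"; then
            return 0
        fi
        echo "WARN: $dev tagged for VID $vid on the bridge, but switch port $port" \
             "admits only untagged frames; inbound tagged frames will be dropped" >&2
        return 1
    done
    echo "unknown bridge port $dev" >&2
    return 2
}

# Dry run by default: print the commands.  APPLY=1 feeds them to sh -e.
run() { if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi; }
{ swconfig_cmds; vlan_if_cmds; bridge_cmds; } | run
check_tagged_ingress lan1 "$TAGGED_VID" || true
```

Running it without APPLY shows the three command groups in order and then the warning for lan1, which is exactly the point where the e-mail says the approach stops working; swconfig's per-port VLAN table and the bridge's VLAN table are configured independently, so a tagged VLAN added only on the bridge side never makes it past the switch on ingress.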
