Multiple VLAN Tagging, and Connecting Between Two Switches, DSA OpenWRT
- Tagged VLAN ID packets between two OpenWRT devices
Introduction
Based on the OpenWRT docs, DSA Mini-Tutorial [1]: Distributed Switch Architecture (DSA) is the Linux kernel subsystem for network switches. Because of this upstream feature, OpenWrt implemented DSA to replace swconfig, and many new routers use DSA drivers instead of swconfig drivers.
DSA does not affect the wireless configuration in /etc/config/wireless. In particular, the wireless config option ifname continues to be valid for specifying a custom name for a WiFi interface.
Prerequisites
I'm not going to compare the DSA driver with the previous swconfig drivers; the goal is simply to get the job done: connecting a tagged trunk that carries two or more VLANs between two routers/switches running OpenWRT with DSA drivers. Note that you have to make sure your device is capable of VLAN tagging (some devices limit the number of VLAN IDs), and of course both devices need OpenWRT version 21.02 at minimum. My devices are running the latest OpenWRT 24.10 version at the moment.
My main device is a Xiaomi AX3600 with 4 ports (1 wan port and 3 lan ports), and my second OpenWRT device is a Chinese-brand, WiFi 6 capable JCQ with 3 ports (1 wan port and 2 lan ports). I like this device for its price, its WiFi 6 support, and the fact that you can install OpenWRT on it. My use cases for VLAN tagging are:
- Create separate networks for guest, IoT and my home network.
- Connect the two devices over one trunk port, meaning the port that carries all the VLAN IDs. In my use case I use only one port for this: lan3 on my main device.
- Privacy and security concerns.
Configure Main Device
Here I'm going to configure using the CLI. If you have installed OpenWRT on your device and you are connected over SSH, we can proceed.
Network Configuration
We edit the network configuration in /etc/config/network. I use vim here; you can use nano as well, but you have to install it first with opkg install nano.
vim /etc/config/network
The default configuration typically looks like this, depending on your device; my main device has 1 wan port and 3 lan ports, so it looks like this:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
Device Configuration
We need to change the config device and the config interface 'lan' sections and leave the other sections as they are, still in the /etc/config/network file. My setup with the ports and VLANs:
- VLANs 2, 3 and 4 are used as separate VLANs without any Layer 3 routing between them
- Port lan3 is the trunk port carrying all VLANs
- Port lan1 carries only untagged VLAN 2
- Port lan2 is unused
- VLAN 5 is not used anywhere else and is only there for added security: it is the untagged (PVID) VLAN on the trunk, so any untagged frame arriving there lands in a dead VLAN instead of a data network
# Change the option name to the name you want, and list the ports according to your device
config device 'switch'
	option name 'switch'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# lan3 is the port that carries the VLAN IDs, so we tag it ('lan3:t'). lan1 and lan2 are connected to my personal
# devices, so I leave them untagged. If you only want to connect a device to one port, e.g. lan2, untag just that
# port: 'lan2:u*'
config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan3:t'

# option vlan '3' and '4' are for the iot and guest interfaces
config bridge-vlan
	option device 'switch'
	option vlan '3'
	list ports 'lan3:t'

config bridge-vlan
	option device 'switch'
	option vlan '4'
	list ports 'lan3:t'

config bridge-vlan
	option device 'switch'
	option vlan '5'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	option local '0'
Note that I start the VLAN IDs at 2, because when using separate VLANs it is often recommended not to use VLAN 1 for any data network: VLAN 1 is often hardcoded as the default on a lot of networking equipment and is therefore more often abused in attacks and prone to accidental misconfiguration, as the DSA Mini-Tutorial documentation explains. You can start the VLAN IDs at 10 and so on if your devices support it; in my case my second device has limited ports and can't start at VLAN ID 10.
The :u suffix marks the port as untagged in that VLAN, the * after it marks that VLAN as the port's primary VLAN (PVID) for untagged traffic, and :t marks the port as tagged.
Interface Configuration
Next we configure the interfaces for the guest, iot and home networks:
- Home network is under VLAN ID 2
- iot network is under VLAN ID 3
- guest network is under VLAN ID 4
# change option device of the default 'lan' interface to 'switch.2': switch is our device name, 2 is the VLAN ID.
# remember to put a . after the device name, followed by the VLAN ID
config interface 'lan'
	option device 'switch.2'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# our iot network with a different ip address, under VLAN ID 3
config interface 'iot'
	option proto 'static'
	option device 'switch.3'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# our guest network with a different ip address, under VLAN ID 4
config interface 'guest'
	option proto 'static'
	option device 'switch.4'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
DHCP Configuration
Set up or enable the DHCP server for the guest and iot networks in /etc/config/dhcp; we leave the lan network as is.
# default configuration for enabling the DHCP server; set option interface according to your interface name
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# default configuration for enabling the DHCP server; set option interface according to your interface name
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
Finally we can restart our network:
service network restart
Configure Wireless Network
You can set the wireless configuration for each network using LuCI or the CLI.
Configure Second Device
My JCQ router has 1 wan port and 2 lan ports; I use the wan port as the trunk port that carries the VLAN IDs from the main device. My setup:
- wan port as the trunk port
- lan1 and lan2 for untagged VLAN 2
- all ports are used
- VLAN 5 is not used anywhere else and is only there for added security
Configure Network
The configuration is largely the same as on the main device; we set it up according to which port is the trunk port and which device ports we are using. Remember that the VLAN ID numbers and the networks have to be the same as on the main device.
We go to /etc/config/network to configure the device for the VLAN IDs and the interfaces.
# Change the option name to the name you want, and list the ports according to your device
config device 'switch'
	option name 'switch'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'
	option bridge_empty '1'

# the wan port is where the VLAN IDs are carried, so we tag the wan port; lan1 and lan2 are untagged VLAN 2
config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'wan:t'

# remember option vlan '3' and '4' are for the iot and guest interfaces
config bridge-vlan
	option device 'switch'
	option vlan '3'
	list ports 'wan:t'

config bridge-vlan
	option device 'switch'
	option vlan '4'
	list ports 'wan:t'

config bridge-vlan
	option device 'switch'
	option vlan '5'
	list ports 'wan:u*'
	option local '0'

# I set 192.168.1.10 as the static ip of the second router, because it acts as an access point behind the main device.
# remember we put VLAN 2 for our home network
config interface 'lan'
	option device 'switch.2'
	option proto 'static'
	option ipaddr '192.168.1.10'
	option netmask '255.255.255.0'
	option ip6assign '60'

# I set .10 as the static ip of this device on my iot network, 192.168.2.0/24
config interface 'iot'
	option proto 'static'
	option device 'switch.3'
	option ipaddr '192.168.2.10'
	option netmask '255.255.255.0'

# I set .10 as the static ip of this device on my guest network, 192.168.3.0/24 (192.168.3.1 is already the main device)
config interface 'guest'
	option proto 'static'
	option device 'switch.4'
	option ipaddr '192.168.3.10'
	option netmask '255.255.255.0'
Remember to disable the DHCP server for the lan interface on the second device. We don't have to put any configuration for the iot and guest interfaces in /etc/config/dhcp, so we leave it as is.
We can now restart the network:
service network restart
Since we changed the IP address of the second device to 192.168.1.10, we will lose our SSH connection and have to reconnect to 192.168.1.10.
Configure Wireless Network
You can set the wireless configuration for each network using LuCI or the CLI.
Conclusion
Now we have set up separate networks with VLANs using the DSA driver; if you prefer LuCI, you can set it up accordingly. Note that if you configure via LuCI you have to save and apply your device config first before you continue to configure your network interfaces, or you can configure the device without saving and applying, but then you have to adjust the interfaces to match the device configuration before hitting the save and apply button, or make sure to delete unnecessary interfaces before you start; otherwise the device will fail to lease addresses.
The bottom line is that we have to make sure our network, especially the lan or br-lan or whatever interface, correctly points to the right device config.
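As an added example (not part of the original post), a small POSIX shell checker for exactly this mismatch: it flattens the UCI text of /etc/config/network and reports interfaces whose 'switch.N' device names a VLAN that no config bridge-vlan declares, and lists which VLANs a port carries tagged or as its untagged PVID. SAMPLE is a constructed copy of the main device's sections with a planted mistake, the function names are mine, and it assumes the single bridge named in each interface's option device.

```shell
# Added example: sanity-check a DSA bridge-vlan config before 'service network restart'.
# Assumes one bridge (the article's 'switch'); option device on bridge-vlan sections is ignored.

# Constructed sample mirroring the article's main device, with one planted
# mistake: interface 'guest' points at switch.6, which no bridge-vlan declares.
SAMPLE="config bridge-vlan 'lan_vlan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan3:t'
config bridge-vlan
	option vlan '3'
	list ports 'lan3:t'
config bridge-vlan
	option vlan '4'
	list ports 'lan3:t'
config bridge-vlan
	option vlan '5'
	list ports 'lan3:u*'
config interface 'lan'
	option device 'switch.2'
config interface 'iot'
	option device 'switch.3'
config interface 'guest'
	option device 'switch.6'"

# Flatten UCI text to one record per section:
# "vlan <id> <port:flags>..." for bridge-vlan, "iface <name> <device>" for interface.
uci_records() {
    printf '%s\n' "$1" | awk -v q="'" '
        BEGIN { FS = "[" q " \t]+" }
        function flush() { if (sec == "bridge-vlan") print "vlan", vid, ports; else if (sec == "interface") print "iface", name, dev }
        { sub(/^[ \t]+/, "") }
        $1 == "config" { flush(); sec = $2; name = $3; vid = dev = ports = ""; next }
        $1 == "option" { if ($2 == "vlan") vid = $3; else if ($2 == "device") dev = $3 }
        $1 == "list" && $2 == "ports" { ports = (ports == "" ? $3 : ports " " $3) }
        END { flush() }'
}

# Interfaces whose '<bridge>.<id>' device names a VLAN that no bridge-vlan declares.
undeclared_vlans() {
    uci_records "$1" | awk '
        $1 == "vlan" { have[$2] = 1 }
        $1 == "iface" && split($3, d, "[.]") == 2 { want[d[2]] = $2 }
        END { for (v in want) if (!(v in have)) print want[v] " -> vlan " v }'
}

# VLAN ids on which a port appears with the given flags, e.g. "lan3:t" (tagged
# members of the trunk) or "lan3:u*" (the PVID, which should be the dead VLAN 5).
port_vlans() {
    uci_records "$1" | awk -v p="$2" '
        $1 == "vlan" { for (i = 3; i <= NF; i++) if ($i == p) print $2 }' | sort -n | xargs
}
```

Run it against the real file with `undeclared_vlans "$(cat /etc/config/network)"` before restarting the network; empty output means every interface points at a declared VLAN.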
[1] OpenWRT Official Docs, DSA Mini-Tutorial.
Posted by: Ion Orion Sugiarmawan. Tags: Notes, DSA, Networking, OpenWRT