Differences
This shows you the differences between two versions of the page.
| docs:guide-user:network:dsa:dsa-mini-tutorial [2021/08/12 00:30] – [config-network-device] remove preface from base someothertime | docs:guide-user:network:dsa:dsa-mini-tutorial [2023/10/19 02:58] – [Introduction] saudiqbal | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== DSA Mini-Tutorial ===== | + | ====== DSA Mini-Tutorial |
| - | /* NOTE TO EDITORS... | + | ===== Introduction |
| - | I have already incorporated some of the information from the Preface into the article. | + | |
| - | I moved the remainder to the end the page, and we can continue to incorporate what's not redundant. | + | |
| - | -richb-hanover | + | |
| - | */ | + | |
| - | ==== Introduction ==== | + | |
| DSA stands for [[https:// | DSA stands for [[https:// | ||
| Line 16: | Line 11: | ||
| **This DSA Mini-Tutorial explains how DSA works with OpenWrt, | **This DSA Mini-Tutorial explains how DSA works with OpenWrt, | ||
| and how it is configured with the LuCI web interface and the '' | and how it is configured with the LuCI web interface and the '' | ||
| + | |||
| + | (**Note**: DSA support does not affect wireless configuration in ''/ | ||
| **If you are upgrading your OpenWrt device to 21.02 or later, | **If you are upgrading your OpenWrt device to 21.02 or later, | ||
| you should read the [[: | you should read the [[: | ||
| [[: | [[: | ||
| + | There is also a [[https:// | ||
| - | //This page is a Work In Process. If you can contribute your knowledge, we would be pleased for the help.// | + | //This page is a Work In Process. |
| + | * //An example for a config file for wireless in Item 1 below// | ||
| + | * //A discussion of configuring wireless devices and interfaces// | ||
| + | * //Careful vetting of the information for Items 3 & 4 below// | ||
| + | //If you can contribute your knowledge, we would be pleased for the help.// | ||
| + | ===== Terminology ===== | ||
| - | ==== Terminology | + | //NOTE: This section is under heavy revision (mid-September 2022). Please refer to the **DSA Terminology** conversation on the OpenWrt-devel mailing list for the latest information. http:// |
| - | In DSA, each // | + | <del>DSA distinguishes between **interfaces** |
| - | and is assigned its own name like '' | + | |
| - | DSA switch ports can be operate as "standalone" //devices// (this is the norm for the WAN and CPU port) | + | * **Interfaces** (sometimes called |
| - | or can be collected into a DSA // | + | * // |
| - | Each physical port can be a member of only a single | + | * A // |
| - | Bridged interfaces forward packets | + | |
| - | the hardware level to maintain performance. | + | |
| - | A bridge device functions like a simple unmanaged (hardware) switch - all ports can talk together, | + | |
| - | but are separate form other ports in a different device. | + | |
| - | In DSA, each //interface// configures | + | * **Networks** route IP packets and operate at layer 3 in the protocol stack. |
| + | * A //network// is associated with a single // | ||
| + | * // | ||
| + | |||
| + | **Naming Conventions: | ||
| + | |||
| + | ===== OpenWrt and DSA ===== | ||
| OpenWrt configuration facilities allow you to configure the ports of your device | OpenWrt configuration facilities allow you to configure the ports of your device | ||
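
Review bot: the rewritten Terminology section keeps the superseded definition wrapped in `<del>` tags and opens with a note dated "mid-September 2022" that defers readers to a mailing-list thread, while this revision itself is dated 2023/10/19 in the header; either remove the struck-through text and the dated note, or fold the outcome of that thread into the bullet definitions so the section states one current set of terms. As committed, the `<del>` block renders as strikethrough on the published page and reads as unfinished editing rather than documentation.
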
| Line 47: | Line 51: | ||
| - Multiple networks using VLAN tagging | - Multiple networks using VLAN tagging | ||
| - | === 1. Bridging all LAN ports === | + | //**NOTE:** THE TERMINOLOGY FOR LuCI IS NOT ENTIRELY CONSISTENT WITH THE DEFINITIONS ABOVE. STAY TUNED AS THIS PAGE IS UPDATED.// |
| + | |||
| + | ==== 1. Bridging all LAN ports ==== | ||
| In the initial (and very common) scenario, all LAN switch ports are bridged together into a single ' | In the initial (and very common) scenario, all LAN switch ports are bridged together into a single ' | ||
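
Review bot: the scenario list ending at "- Multiple networks using VLAN tagging" is left unchanged, but this revision adds "==== 5. Firewall zones for VLANs ====" and "==== 6. Security Considerations" further down; add matching items for 5 and 6 so the list agrees with the numbered sections. The inserted all-caps "NOTE: THE TERMINOLOGY FOR LuCI IS NOT ENTIRELY CONSISTENT..." would read better in sentence case, matching the other italic editor notes on the page.
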
| Line 56: | Line 62: | ||
| The first image shows all the LAN ports ('' | The first image shows all the LAN ports ('' | ||
| The second image shows an interface (" | The second image shows an interface (" | ||
| + | |||
| + | To add a wireless device (such as '' | ||
| {{: | {{: | ||
| {{: | {{: | ||
| + | |||
| + | {{: | ||
| **Configuration file for a Bridged LAN:** | **Configuration file for a Bridged LAN:** | ||
| The first half of the file below shows how the '' | The first half of the file below shows how the '' | ||
| - | The '' | + | The '' |
| < | < | ||
| Line 83: | Line 93: | ||
| </ | </ | ||
| - | === 2. Multiple bridged networks === | + | ==== 2. Multiple bridged networks |
| OpenWrt can set up its switch to group multiple ports together into different bridge // | OpenWrt can set up its switch to group multiple ports together into different bridge // | ||
| Line 141: | Line 151: | ||
| </ | </ | ||
| - | //No editing beyond this point... // | + | ==== 3. Multiple networks using VLANs ==== |
| - | + | ||
| - | === 3. Multiple networks using VLANs === | + | |
| Ports can also be separated (grouped) using single bridge with multiple VLANs. | Ports can also be separated (grouped) using single bridge with multiple VLANs. | ||
| That requires assigning interfaces to correct software VLANs. | That requires assigning interfaces to correct software VLANs. | ||
| + | //This item needs careful vetting... // | ||
| Example: | Example: | ||
| Line 190: | Line 199: | ||
| </ | </ | ||
| - | === 4. Multiple networks using VLAN tagging === | + | ==== 4. Multiple networks using VLAN tagging |
| With proper bridge VLAN configuration it's also possible for selected port to use VLAN tagged traffic. | With proper bridge VLAN configuration it's also possible for selected port to use VLAN tagged traffic. | ||
| It also requires assigning OpenWrt interface to the correct software VLAN. | It also requires assigning OpenWrt interface to the correct software VLAN. | ||
| + | //This item needs careful vetting... // | ||
| Example: | Example: | ||
| Line 234: | Line 244: | ||
| </ | </ | ||
| - | == Previous Preface | + | ==== 5. Firewall zones for VLANs ==== |
| - | /* | + | |
| - | I moved all the remaining information from the preface down here so we know | + | |
| - | what else needs to be incorporated. | + | |
| - | -richb-hanover | + | |
| - | */ | + | |
| - | **Preface: | + | Every interface should have a correctly configured firewall zone. |
| - | used for networking in OpenWrt 21.02 and newer. | + | However, if you want to only use layer 2 and not layer 3 routing on a VLAN (only switching, no traffic between VLANs), you can set the interface as unmanaged (option proto ' |
| - | The article needs to address the following questions: | + | Keep in mind, that at least one interface should have an address |
| - | * Is it correct to say that ' | + | Example, where VLAN 1, 2 and 3 are only used for switching |
| - | If you set " | + | |
| - | config | + | |
| - | option type ' | + | |
| - | option name ' | + | |
| - | list ports ' | + | |
| - | list ports ' | + | |
| - | list ports ' | + | |
| - | list ports ' | + | |
| - | list ports ' | + | |
| - | This is more of a tiny detail than a question someone would have for DSA. Bridging is not so different under DSA. | + | config/ |
| + | < | ||
| + | config device ' | ||
| + | option name ' | ||
| + | option type ' | ||
| + | option macaddr ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| - | * Is it correct to say "device | + | config bridge-vlan ' |
| - | This is nonsensical and should be removed. | + | option |
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| - | A network interface is a software or hardware interface between two pieces of equipment or protocol layers in a computer network. It is not a protocol itself, therefore cannot abide on any of the OSI layers. | + | config bridge-vlan |
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| - | * Where can people get advice about why they would prefer approach 2, 3, or 4? | + | config bridge-vlan |
| - | There will be only one approach, this should be removed in the future | + | option device ' |
| + | option vlan '3' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| - | * How do people route between various interfaces? | + | config interface ' |
| - | This is routing, unrelated to switching, should be removed | + | option proto ' |
| + | option device ' | ||
| + | |||
| + | config interface ' | ||
| + | option proto ' | ||
| + | option device ' | ||
| - | This tutorial should explain configuring | + | config interface ' |
| + | option proto ' | ||
| + | option device 'switch.3' | ||
| + | </ | ||
| - | * How do firewalls come into play? | + | config/ |
| - | This is unrelated to switching and there's not much, if not at all of a difference, should be removed | + | < |
| - | * How do the wireless interfaces come into play? | + | config defaults |
| + | option syn_flood '1' | ||
| + | option input ' | ||
| + | option output ' | ||
| + | option forward ' | ||
| - | **I think this article should address these questions: | + | config zone |
| + | option name ' | ||
| + | option input ' | ||
| + | option output ' | ||
| + | option forward ' | ||
| + | list network ' | ||
| + | </ | ||
| - | * How can I configure VLANs and switch ports using DSA on OpenWrt? | + | ==== 6. Security Considerations |
| - | * How can I configure wireless interfaces | + | |
| - | * How can I convert my swconfig configuration to DSA? | + | |
| - | **Notes from Arınç ÜNAL (arinc9)** | + | See [[https:// |
| - | The current naming OpenWrt has is incorrect and confusing. The " | + | * If using separated VLANs, it is often recommended not to use VLAN 1 for any data networks. |
| - | When you run ip link, each entry represents | + | * It is also often recommended to change the native VLAN on all trunk ports to an unused VLAN ID to explicitly only allow tagged traffic |
| - | UCI treats " | + | * Similarly, for added security any unused LAN ports can be also added (as u|*) to an unused VLAN ID. |
| - | If you head to Network -> Wireless and assign | + | As an example let's assume |
| + | * VLANS 10, 20 and 30 are used for seperated VLANs without any layer 3 routing | ||
| + | * the ports lan1 and lan2 are trunked ports with all VLANs | ||
| + | * port lan3 is only for untagged VLAN 1 | ||
| + | * port lan4 is unused | ||
| + | * VLAN 90 is not used anywhere else and is only there for added security | ||
| - | So, in my opinion: | + | < |
| + | +---------+-------+------+------+------+------+ | ||
| + | | VLAN ID | Local | lan1 | lan2 | lan3 | lan4 | | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | | 10 | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | | 20 | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | | 30 | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | | 90 | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | </ | ||
| - | * "config | + | < |
| + | config | ||
| + | option name ' | ||
| + | option type ' | ||
| + | option macaddr ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| - | * "config device" should be renamed to " | + | config |
| + | option | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| - | **End of Preface** | + | config bridge-vlan |
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | |||
| + | config bridge-vlan | ||
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | |||
| + | config bridge-vlan | ||
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | option local ' | ||
| + | |||
| + | config interface ' | ||
| + | option proto ' | ||
| + | option device ' | ||
| + | |||
| + | config interface ' | ||
| + | option proto ' | ||
| + | option device ' | ||
| + | |||
| + | config interface ' | ||
| + | option proto ' | ||
| + | option device ' | ||
| + | </ | ||
| + | Note: Because local is not checked for VLAN 90, OpenWrt won't even create a device for it and there should be no interface for it, unlike the other VLANs. | ||
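
Review bot: the worked example in section 6 lists "port lan3 is only for untagged VLAN 1" among its assumptions, but the membership table has rows only for VLAN IDs 10, 20, 30 and 90, so the VLAN 1 membership of lan3 (and the placement of lan4, described as unused) is never shown; add a VLAN 1 row, or drop lan3's VLAN 1 role, so the table and the bridge-vlan stanzas below it cover every VLAN the assumptions name. Since the first bullet of the section recommends not using VLAN 1 for any data network, also say what lan3's untagged VLAN 1 is for (management only, or similar) so the example does not appear to contradict its own advice. Minor: "seperated" in the assumptions list should be "separated".
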