| docs:guide-user:network:dsa:dsa-mini-tutorial [2021/08/17 11:00] – Add wireless config image & description richb-hanover | docs:guide-user:network:dsa:dsa-mini-tutorial [2023/10/19 02:58] – [Introduction] saudiqbal | ||
|---|---|---|---|
| Line 11: | Line 11: | ||
| **This DSA Mini-Tutorial explains how DSA works with OpenWrt, | **This DSA Mini-Tutorial explains how DSA works with OpenWrt, | ||
| and how it is configured with the LuCI web interface and the '' | and how it is configured with the LuCI web interface and the '' | ||
| + | |||
| + | (**Note**: DSA support does not affect wireless configuration in ''/ | ||
| **If you are upgrading your OpenWrt device to 21.02 or later, | **If you are upgrading your OpenWrt device to 21.02 or later, | ||
| you should read the [[: | you should read the [[: | ||
| [[: | [[: | ||
| + | There is also a [[https:// | ||
| - | //This page is a Work In Process. It contains requests for information from future editors. If you can contribute your knowledge, we would be pleased for the help.// | + | //This page is a Work In Process. It contains requests for information from future editors. |
| + | * //An example for a config file for wireless in Item 1 below// | ||
| + | * //A discussion of configuring wireless devices and interfaces// | ||
| + | * //Careful vetting of the information for Items 3 & 4 below// | ||
| + | //If you can contribute your knowledge, we would be pleased for the help.// | ||
| ===== Terminology ===== | ===== Terminology ===== | ||
| - | DSA distinguishes between | + | //NOTE: This section is under heavy revision (mid-September 2022). Please refer to the **DSA Terminology** conversation on the OpenWrt-devel mailing list for the latest information. http:// |
| - | | + | < |
| - | | + | |
| - | | + | |
| - | * **Interfaces** route IP packets and operate at layer 3 in the protocol stack. | + | * **Interfaces** (sometimes called " |
| + | * // | ||
| + | * A //bridge// is an interface that groups several individual interfaces together so they can be treated as a single entity. A bridge functions like a separate unmanaged (hardware) switch, forwarding traffic between member ports as needed at the hardware level to maintain performance. Each interface can be a member of only a single bridge. // | ||
| + | |||
| + | * **Networks** route IP packets and operate at layer 3 in the protocol stack. | ||
| + | * A // | ||
| + | * // | ||
| - | **Naming:** //Devices// are assigned a name like '' | + | **Naming |
| ===== OpenWrt and DSA ===== | ===== OpenWrt and DSA ===== | ||
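Review bot: the Terminology section now opens with a note that it is "under heavy revision (mid-September 2022)" and points at a mailing-list thread, while this revision is dated 2023/10/19; either update the date to reflect the current state of the section or drop the note, otherwise readers cannot tell whether the definitions that follow are the revised ones. Two wording points in those definitions: the bridge entry states that member ports are forwarded "at the hardware level to maintain performance" as an unconditional fact, which should be qualified, since whether bridging is offloaded to the switch depends on the DSA driver for the device; and "Each interface can be a member of only a single bridge" is correct but would be clearer as "a port or interface". In the introduction, the new note that DSA does not affect wireless configuration sits directly above a Work In Process list that asks for exactly that (a wireless config example for Item 1), so the note should say where wireless interfaces are attached to the bridge device, or the request should be reworded so the two do not read as contradictory.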
| Line 39: | Line 50: | ||
| - Multiple networks using VLANs | - Multiple networks using VLANs | ||
| - Multiple networks using VLAN tagging | - Multiple networks using VLAN tagging | ||
| + | |||
| + | //**NOTE:** THE TERMINOLOGY FOR LuCI IS NOT ENTIRELY CONSISTENT WITH THE DEFINITIONS ABOVE. STAY TUNED AS THIS PAGE IS UPDATED.// | ||
| ==== 1. Bridging all LAN ports ==== | ==== 1. Bridging all LAN ports ==== | ||
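Review bot: the added all-caps note ("THE TERMINOLOGY FOR LuCI IS NOT ENTIRELY CONSISTENT WITH THE DEFINITIONS ABOVE") should be written in normal case and, more usefully, say which LuCI labels differ from the Terminology section (for example which LuCI page calls a device an interface), so the reader can map one to the other rather than just being warned.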
| Line 137: | Line 150: | ||
| option netmask ' | option netmask ' | ||
| </ | </ | ||
| - | |||
| - | //No editing beyond this point... // | ||
| ==== 3. Multiple networks using VLANs ==== | ==== 3. Multiple networks using VLANs ==== | ||
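Review bot: dropping "No editing beyond this point..." is fine, but it was the only marker that the sections after the bridge example were unreviewed; make sure every section past this point that is still unvetted carries its own note rather than relying on the reader having seen the old marker.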
| Line 144: | Line 155: | ||
| Ports can also be separated (grouped) using single bridge with multiple VLANs. | Ports can also be separated (grouped) using single bridge with multiple VLANs. | ||
| That requires assigning interfaces to correct software VLANs. | That requires assigning interfaces to correct software VLANs. | ||
| + | //This item needs careful vetting... // | ||
| Example: | Example: | ||
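Review bot: the new "This item needs careful vetting..." line is placed between the explanation and "Example:", so it reads as a caveat on the prose rather than on the configuration that follows; state what is unverified (whether the example config below produces the described port grouping on a DSA device) and move the note directly above the example, otherwise it duplicates the Work In Process list in the introduction without adding information.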
| Line 191: | Line 203: | ||
| With proper bridge VLAN configuration it's also possible for selected port to use VLAN tagged traffic. | With proper bridge VLAN configuration it's also possible for selected port to use VLAN tagged traffic. | ||
| It also requires assigning OpenWrt interface to the correct software VLAN. | It also requires assigning OpenWrt interface to the correct software VLAN. | ||
| + | //This item needs careful vetting... // | ||
| Example: | Example: | ||
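Review bot: same as in item 3, the vetting note should say what has not been verified about the tagged-port example (that the selected port actually emits and accepts tagged frames as described) and sit directly above the example it applies to.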
| Line 231: | Line 244: | ||
| </ | </ | ||
| - | ==== Unfinished bits to be incorporated if still relevant... ==== | + | ==== 5. Firewall zones for VLANs ==== |
| - | **Notes from Arınç ÜNAL (arinc9)** | + | Every interface should have a correctly configured firewall zone. |
| + | However, if you want to only use layer 2 and not layer 3 routing on a VLAN (only switching, no traffic between VLANs), you can set the interface as unmanaged (option proto ' | ||
| - | The current naming OpenWrt has is incorrect and confusing. The " | + | Keep in mind, that at least one interface should |
| - | When you run ip link, each entry represents an interface on the system. Some are physical, some are logical interfaces. | + | Example, where VLAN 1, 2 and 3 are only used for switching and VLAN 1 can be used to connect to the device: |
| - | UCI treats "config | + | config/network |
| + | < | ||
| + | config device | ||
| + | option name ' | ||
| + | option type ' | ||
| + | option macaddr ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| - | If you head to Network | + | config bridge-vlan ' |
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| - | So, in my opinion: | + | config bridge-vlan |
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports 'lan1:u*' | ||
| + | list ports ' | ||
| - | | + | config bridge-vlan |
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| - | * "config device" should be renamed to "config interface" | + | config |
| + | option proto ' | ||
| + | option | ||
| + | |||
| + | config interface | ||
| + | option proto ' | ||
| + | option device ' | ||
| - | **End of Preface** | + | config interface ' |
| + | option proto ' | ||
| + | option device ' | ||
| + | </ | ||
| + | |||
| + | config/ | ||
| + | < | ||
| + | config defaults | ||
| + | option syn_flood ' | ||
| + | option input ' | ||
| + | option output ' | ||
| + | option forward ' | ||
| + | |||
| + | config zone | ||
| + | option name ' | ||
| + | option input ' | ||
| + | option output ' | ||
| + | option forward ' | ||
| + | list network ' | ||
| + | </ | ||
| + | |||
| + | ==== 6. Security Considerations with VLANs ==== | ||
| + | |||
| + | See [[https:// | ||
| + | |||
| + | | ||
| + | |||
| + | * It is also often recommended to change the native VLAN on all trunk ports to an unused VLAN ID to explicitly only allow tagged traffic on trunk ports. Note that some hardware doesn' | ||
| + | |||
| + | * Similarly, for added security any unused LAN ports can be also added (as u|*) to an unused VLAN ID. | ||
| + | |||
| + | As an example let's assume a setup where: | ||
| + | * VLANS 10, 20 and 30 are used for seperated VLANs without any layer 3 routing | ||
| + | * the ports lan1 and lan2 are trunked ports with all VLANs | ||
| + | * port lan3 is only for untagged VLAN 1 | ||
| + | * port lan4 is unused | ||
| + | * VLAN 90 is not used anywhere else and is only there for added security | ||
| + | |||
| + | < | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | | VLAN ID | Local | lan1 | lan2 | lan3 | lan4 | | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | | 10 | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | | 20 | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | | 30 | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | | 90 | ||
| + | +---------+-------+------+------+------+------+ | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | config device ' | ||
| + | option name ' | ||
| + | option type ' | ||
| + | option macaddr ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | |||
| + | config bridge-vlan ' | ||
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | |||
| + | config bridge-vlan | ||
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | |||
| + | config bridge-vlan | ||
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | |||
| + | config bridge-vlan | ||
| + | option device ' | ||
| + | option vlan ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | list ports ' | ||
| + | option local ' | ||
| + | |||
| + | config interface ' | ||
| + | option proto ' | ||
| + | option device ' | ||
| + | |||
| + | config interface ' | ||
| + | option proto ' | ||
| + | option device ' | ||
| + | |||
| + | config interface ' | ||
| + | option proto ' | ||
| + | option device ' | ||
| + | </ | ||
| + | Note: Because local is not checked for VLAN 90, OpenWrt won't even create a device for it and there should be no interface for it, unlike the other VLANs. | ||
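Review bot: the scenario list in section 6 states that "port lan3 is only for untagged VLAN 1", but neither the table nor the configuration that follows has a VLAN 1 row or a bridge-vlan stanza, so lan3's membership is never shown; add the VLAN 1 stanza (lan3 untagged, plus the trunk ports if VLAN 1 is to be carried on them) or drop lan3 from the scenario so the example is self-consistent. The closing note is consistent with the last bridge-vlan stanza: with local unset, no VLAN device is created for VLAN 90 and no interface should reference it, which is the point of using it only as a parking VLAN for the trunk native VLAN and the unused port. Typo in the scenario list: "seperated" should read "separated". In section 5, the firewall example shows one zone with a single network next to interfaces set to unmanaged; it would help to say explicitly that an unmanaged VLAN interface has no IP address on the router, so the defaults and zone policies shown only govern the VLAN that does have an address (VLAN 1 here), and that the switching-only VLANs 2 and 3 are isolated from each other by the bridge VLAN configuration rather than by the firewall.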