Differences

docs:guide-user:network:dsa:dsa-mini-tutorial [2022/03/15 11:18] – Include link to Youtube video; make WIP items more clear; remove unused bits richb-hanover
docs:guide-user:network:dsa:dsa-mini-tutorial [2023/10/19 02:58] – [Introduction] saudiqbal
Line 27: Line 27:
 ===== Terminology ===== ===== Terminology =====
  
-DSA distinguishes between **devices** and **interfaces**.+//NOTE: This section is under heavy revision (mid-September 2022). Please refer to the **DSA Terminology** conversation on the OpenWrt-devel mailing list for the latest information. http://lists.openwrt.org/pipermail/openwrt-devel/2022-September/thread.html //
  
-  * **Devices** are physical connections that convey bits/frames to other computers. They operate at layer 2 in the protocol stack, have a MAC address along with several other configurable parameters.  +<del>DSA distinguishes between **interfaces** and **networks**.
-    //Network devices// identify and configure hardware components of the device: individual Ethernet switch ports, wireless radios, USB networking devices, VLANs, or virtual ethernets.   +
-    Alternatively, //bridge devices// group several //network devices// together so they can be treated as a single entity. A bridge device functions like a separate unmanaged (hardware) switch, forwarding traffic between member ports as needed at the hardware level to maintain performance. Each physical port can be a member of only a single bridge device.+
  
-  * **Interfaces** route IP packets and operate at layer 3 in the protocol stack. An interface is associated with a single //device// that sends/receives its packets. Interfaces get their IP address parameters by the choice of protocol: Static, DHCP, PPP, 6in4, Wireguard, OpenVPN, etc.+  * **Interfaces** (sometimes called "network interfaces" or "devices") are the software names given to physical connections that convey bits/frames to other computers. They operate at layer 2 in the protocol stack and generally have a MAC address along with several other configurable parameters. //(TRUE?)// 
 +    * //Interfaces// identify and configure hardware components of the device: individual Ethernet switch ports, wireless radios, USB networking devices, VLANs, or virtual ethernets.  //(TRUE?)// 
 +    * A //bridge// is an interface that groups several individual interfaces together so they can be treated as a single entity. A bridge functions like a separate unmanaged (hardware) switch, forwarding traffic between member ports as needed at the hardware level to maintain performance. Each interface can be a member of only a single bridge. //(TRUE?)// 
 + 
 +  * **Networks** route IP packets and operate at layer 3 in the protocol stack. //(TRUE?)// 
 +    * A //network// is associated with a single //interface// that sends/receives its packets. //(TRUE?)// 
 +    * //Networks// get their IP address parameters by the choice of protocol: Static, DHCP, PPP, 6in4, Wireguard, OpenVPN, etc. //(TRUE?)//
    
-**Naming:** //Devices// are assigned a name like ''lan1'', ''lan2'', ''wan'', ''wlan1'', ''vlan1'', etc. By convention, a bridge device gets a prefix of ''br-'', like ''br-lan''. //Interfaces// by convention, have upper-case names, such as ''LAN'', ''WAN'', ''WG1'', etc.+**Naming Conventions:** //Interfaces// are assigned a name like ''lan1'', ''lan2'', ''wan'', ''wlan1'', ''vlan1'', etc. By convention, a bridge gets a prefix of ''br-'', like ''br-lan''. //Networks// by convention, have upper-case names, such as ''LAN'', ''WAN'', ''WG1'', etc.</del>
  
 ===== OpenWrt and DSA ===== ===== OpenWrt and DSA =====
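Review bot: the replacement Terminology text in this hunk renames the layer-2 object to "Interfaces" and the layer-3 object to "Networks", which is the opposite of the UCI sections readers will meet in /etc/config/network and in this page's own later examples, where `config device` describes the layer-2 object and `config interface` the layer-3 one (`config interface 'lan'` / `option proto 'dhcp'` / `option device 'switch.1'`). On top of that, every new definition still carries a //(TRUE?)// marker and the whole block is wrapped in <del>, so the published page ends up with no usable definitions at all. Suggest keeping the previous devices/interfaces wording, which matches UCI, until the mailing-list discussion linked in the NOTE concludes, and then shipping either the revised definitions or the <del> strike-through, not both with unresolved //(TRUE?)// markers.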
Line 46: Line 50:
   - Multiple networks using VLANs   - Multiple networks using VLANs
   - Multiple networks using VLAN tagging   - Multiple networks using VLAN tagging
 +
 +//**NOTE:** THE TERMINOLOGY FOR LuCI IS NOT ENTIRELY CONSISTENT WITH THE DEFINITIONS ABOVE. STAY TUNED AS THIS PAGE IS UPDATED.//
  
 ==== 1. Bridging all LAN ports ==== ==== 1. Bridging all LAN ports ====
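Review bot: the note added before "1. Bridging all LAN ports" tells readers that LuCI's terminology disagrees with the definitions above but not how, which leaves them to work out the mapping themselves just as they reach the worked examples. State the correspondence in one sentence, ideally by tying each of the page's terms to the `config interface` and `config device` sections used in the examples that follow, and write it in the normal-case //NOTE:// style the rest of the page uses rather than block capitals.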
Line 237: Line 243:
  option netmask '255.255.255.0'  option netmask '255.255.255.0'
 </code> </code>
 +
 +==== 5. Firewall zones for VLANs ====
 +
 +Every interface should have a correctly configured firewall zone.
 +However, if you want to only use layer 2 and not layer 3 routing on a VLAN (only switching, no traffic between VLANs), you can set the interface as unmanaged (option proto 'none'), in which case do not set a firewall zone for the interface.
 +
 +Keep in mind, that at least one interface should have an address (static or DHCP) in order to connect to the device for administrative purposes. That interface must be associated with a firewall zone (or rules) to accept input.
 +
 +Example, where VLAN 1, 2 and 3 are only used for switching and VLAN 1 can be used to connect to the device:
 +
 +config/network
 +<code>
 +config device 'switch'
 + option name 'switch'
 + option type 'bridge'
 + option macaddr 'REDACTED'
 + list ports 'lan1'
 + list ports 'lan2'
 + list ports 'lan3'
 + list ports 'lan4'
 +
 +config bridge-vlan 'lan_vlan'
 + option device 'switch'
 + option vlan '1'
 + list ports 'lan1:u*'
 + list ports 'lan4:t'
 +
 +config bridge-vlan
 + option device 'switch'
 + option vlan '2'
 + list ports 'lan1:u*'
 + list ports 'lan4:t'
 +
 +config bridge-vlan
 + option device 'switch'
 + option vlan '3'
 + list ports 'lan3:u*'
 + list ports 'lan4:t'
 +
 +config interface 'lan'
 + option proto 'dhcp'
 + option device 'switch.1'
 +
 +config interface 'iot'
 + option proto 'none'
 + option device 'switch.2'
 +
 +config interface 'guest'
 + option proto 'none'
 + option device 'switch.3'
 +</code>
 +
 +config/firewall
 +<code>
 +config defaults
 + option syn_flood '1'
 + option input 'ACCEPT'
 + option output 'ACCEPT'
 + option forward 'REJECT'
 +
 +config zone
 + option name 'lan'
 + option input 'ACCEPT'
 + option output 'ACCEPT'
 + option forward 'ACCEPT'
 + list network 'lan'
 +</code>
 +
 +==== 6. Security Considerations with VLANs ====
 +
 +See [[https://en.wikipedia.org/wiki/VLAN_hopping#Double_tagging|Wikipedia - VLAN Hopping]]
 +
 +  * If using separated VLANs, it is often recommended not to use VLAN 1 for any data networks. This is because VLAN 1 is often hardcoded as a default on a lot of networking equipment and is therefore more often used in attacks and prone to accidental misconfiguration.
 +
 +  * It is also often recommended to change the native VLAN on all trunk ports to an unused VLAN ID to explicitly only allow tagged traffic on trunk ports. Note that some hardware doesn't allow to mix tagged with untagged VLAN on one port, so this method cannot be used on it.
 +
 +  * Similarly, for added security any unused LAN ports can be also added (as u|*) to an unused VLAN ID.
 +
 +As an example let's assume a setup where: 
 +  * VLANS 10, 20 and 30 are used for seperated VLANs without any layer 3 routing
 +  * the ports lan1 and lan2 are trunked ports with all VLANs 
 +  * port lan3 is only for untagged VLAN 1
 +  * port lan4 is unused
 +  * VLAN 90 is not used anywhere else and is only there for added security
 +
 +<code>
 ++---------+-------+------+------+------+------+
 +| VLAN ID | Local | lan1 | lan2 | lan3 | lan4 |
 ++---------+-------+------+------+------+------+
 +|    10          |    |  u|* |    |
 ++---------+-------+------+------+------+------+
 +|    20          |    |    |    |
 ++---------+-------+------+------+------+------+
 +|    30          |    |    |    |
 ++---------+-------+------+------+------+------+
 +|    90          u|* |  u|* |    |  u|* |
 ++---------+-------+------+------+------+------+
 +</code>
 +
 +<code>
 +config device 'switch'
 + option name 'switch'
 + option type 'bridge'
 + option macaddr 'REDACTED'
 + list ports 'lan1'
 + list ports 'lan2'
 + list ports 'lan3'
 + list ports 'lan4'
 +
 +config bridge-vlan 'lan_vlan'
 + option device 'switch'
 + option vlan '10'
 + list ports 'lan1:t'
 + list ports 'lan2:t'
 + list ports 'lan3:u*'
 +
 +config bridge-vlan
 + option device 'switch'
 + option vlan '20'
 + list ports 'lan1:t'
 + list ports 'lan2:t'
 +
 +config bridge-vlan
 + option device 'switch'
 + option vlan '30'
 + list ports 'lan1:t'
 + list ports 'lan2:t'
 +
 +config bridge-vlan
 + option device 'switch'
 + option vlan '90'
 + list ports 'lan1:u*'
 + list ports 'lan2:u*'
 + list ports 'lan4:u*'
 + option local '0'
 +
 +config interface 'lan'
 + option proto 'dhcp'
 + option device 'switch.10'
 +
 +config interface 'iot'
 + option proto 'none'
 + option device 'switch.20'
 +
 +config interface 'guest'
 + option proto 'none'
 + option device 'switch.30'
 +</code>
 +
 +Note: Because local is not checked for VLAN 90, OpenWrt won't even create a device for it and there should be no interface for it, unlike the other VLANs.
 +
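Review bot: in the section 5 network example the bridge-vlan for VLAN 2 lists `lan1:u*`, the same untagged-with-PVID port that VLAN 1 already claims, while lan2 appears in no VLAN at all; a port can carry only one PVID, so this line is almost certainly meant to be `list ports 'lan2:u*'`. In section 6 the prose, table and config disagree with each other: the bullet says "port lan3 is only for untagged VLAN 1" although the config puts lan3 untagged in VLAN 10 (and the section's own first bullet advises against using VLAN 1 for data networks), and the table rows for VLANs 10, 20 and 30 are missing cell separators, show no `t` entries for lan1/lan2 even though the config tags them, and cannot be read reliably against the `lan3:u*` (VLAN 10) and `lan1/lan2/lan4:u*` (VLAN 90) lines below it. Align the table with the config, change the VLAN 1 reference to VLAN 10, write the port flag as `u*` in the prose since that is the UCI syntax the config uses (`u|*` is only the table's rendering), and fix the spelling of "seperated". Lastly, the firewall example sets `option input 'ACCEPT'` in `config defaults`; since the design relies on the `iot` and `guest` interfaces being reachable only at layer 2, a default input policy of REJECT is the safer baseline, so that an interface that later receives an address by mistake does not automatically become administrable from that VLAN.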
  
  • Last modified: 2024/10/15 17:13
  • by palebloodsky