Omnia 4.0.5/6: VLAN configuration for guest network

pichlhuber · April 13, 2020, 9:30am

I have trouble with using VLAN tagging whíthin my guest network.

I have several AP with OpenWRT. VLAN1 is normal LAN. VLAN3 is guest network/wifi.
So I added lan0.3 to br-guest_turris:

config interface 'guest_turris'
    option enabled '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option bridge_empty '1'
    option ipaddr '192.168.60.1'
    option _turris_mode 'managed'
    option ifname 'lan0.3'

Now I can ping my APs from turris 192.168.60.1 at 192.168.60.3.

root@turris:~# ping -I192.168.60.1 192.168.60.3 
PING 192.168.60.3 (192.168.60.3) from 192.168.60.1 : 56(84) bytes of data.
64 bytes from 192.168.60.3: icmp_req=1 ttl=64 time=0.329 ms

BUT if I ping from AP (192.168.60.3) to turris, the AP gets no ICMP response.
Running tcpdump on turris, I got this error:

IP 192.168.60.3 > 192.168.60.1: ICMP echo request, id 2310, seq 7683, length 64
IP 192.168.60.1 > 192.168.60.3: ICMP 192.168.60.1 protocol 1 port 18250 unreachable, length 92

What’s going wrong?

anon50890781 · April 13, 2020, 9:57am

Which is not best practise. According to the available online Linux documentation VLAN tag management on DSA ports should be handled with the bridge v command.
There are also several threads in this forum and the OpenWrt forum on the subject (DSA VLAN).

Is the TO firewall permitting ingress from the Guest zone to the TO?

pichlhuber · April 13, 2020, 10:55am

No, there is no filewall along the vlan3 interfaces.
In the OpenWRT-forum there is a similar problem: https://forum.openwrt.org/t/dsa-switch-port-vlan-tagging-untagging/16055/14

Using bridge vlan will not solve my problem, with lan0 as br-guest_turris interface

bridge vlan add dev lan0 vid 1 pvid tagged
bridge vlan add dev lan0 vid 3 tagged

root@turris:~# bridge vlan show
port    vlan ids
lan0     1 PVID
            3
lan1     1 PVID Egress Untagged
lan2     1 PVID Egress Untagged
lan3     1 PVID Egress Untagged
lan4     1 PVID Egress Untagged
br-guest_turris  1 PVID Egress Untagged
br-lan   1 PVID Egress Untagged

anon50890781 · April 13, 2020, 11:09am

As per Linux documentation

by default, the bridge does not filter on VLAN and only bridges untagged
traffic. To enable VLAN support, turn on VLAN filtering:

echo 1 >/sys/class/net/<bridge>/bridge/vlan_filtering

or alternatively

ip link set dev <bridge> type bridge vlan_filtering 1

Replace <bridge> with the respective bridge device name.

pichlhuber · April 13, 2020, 11:31am

Of course, I enable this kernel setting and this will not work. the br-guest_turris is still in vlan1

anon50890781 · April 13, 2020, 11:54am

Suppose you meantime changed that (and applied) to

option ifname 'lan0' ?

From the package dump it seems strange that ethertype 802.1Q (0x8100) is not displayed (from both ends). Could you try the tcpdump with -e -vvv options?

perhaps try bridge v a dev br-guest_turris vid 3 tagged self

192.168.60.1 (which you tried to ping from the AP 192.168.60.3) is assigned to the bridge netdev but not the lan0 netdev

pichlhuber · April 28, 2020, 7:25pm

after fiddling around with this bridge command, I give it up.
Using eth0.3 will work for for guest devices.
Ping isn’t working, but actually I accept this.

bernstein · May 13, 2020, 12:18am

with TOS 5.0 it’s rather simple.

assuming your AP is connected to lan0 :

ip link add link lan0 name lan0.3 type vlan id 3
uci set network.guest_turris.ifname 'lan0.3'
uci commit

obviously your AP will have to tag guest traffic for vlan3.
.
i’m using Unifi AP’s so it might be that your AP’s are just not tagging correctly.

EDIT: alternatively it can be done with the bridge vlan command. but that seems rather convoluted.