Trunk between Omnia and MOX

Hello,
I have recently bought Turris Omnia and Turris MOX devices and I am not able to configure them for my purposes.

I want to have two bridge interfaces on both devices - a LAN bridge and a TV bridge. I was trying to create a trunk port (the lan1 port on Omnia and eth0 on MOX). I tried multiple configurations from the OpenWrt forums, but every time the port on MOX did not come up. My wish is to avoid bridging VLANs. Do you have any tips?

Could you share your firewall and network configs?
I have been using 5 different firewall zones/VLANs on different trunk ports for years without issues.


Yes, sure. Here are the configurations which I tried to implement.

Turris Omnia

Network

# Loopback and global settings (stock OpenWrt defaults, nothing trunk-specific here).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# ULA prefix used for ip6assign on the lan interface below.
	option ula_prefix 'fd45:6486:874d::/48'

# LAN

# VLAN 99 on the lan1 trunk port, bridged with the untagged lan2/lan3 ports.
# NOTE(review): this stanza uses `list ports` for a type '8021q' device, while
# the MOX config further down uses `option ifname` for the same kind of device;
# the two forms are not interchangeable, so this may be why the VLAN device is
# never created here. The reply below drops this stanza entirely and relies on
# the 'lan1.99' port name inside the bridge instead - confirm which form the
# running firmware accepts.
config device 
	option name 'lan1.99'
	option type '8021q'
	list ports 'lan1'
	option vid '99'

# Management/LAN interface: 192.168.99.1/24 on br-lan, IPv6 via a /60 from the ULA prefix.
config interface 'lan'
	option proto 'static'
	option ip6assign '60'
	option ip6ifaceid 'eui64'
	option _turris_mode 'managed'
	list ipaddr '192.168.99.1/24'
	option device 'br-lan'

# br-lan carries VLAN 99 of the trunk plus two untagged access ports.
config device 'br_lan'
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1.99'
	list ports 'lan2'
	list ports 'lan3'


# WAN

# Uplink on eth2 via DHCP. IPv6 is disabled on wan and wan6 is a proto 'none'
# alias of it, so no IPv6 uplink is configured here - the ip6assign '60' on lan
# will then presumably only ever hand out the ULA prefix; verify that is intended.
config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'
	option ipv6 '0'

config interface 'wan6'
	option device '@wan'
	option proto 'none'

config device 'dev_wan'
	option name 'eth2'


# IOT

# IoT segment: 192.168.88.1/24 on br-iot, which contains only the lan0 port.
# bridge_empty '1' keeps the bridge up even with no active member, and IPv6 is
# switched off on it. The segment is placed in its own firewall zone ('iot')
# below; see the forwarding notes there for how isolated it actually is.
config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.88.1'
	option netmask '255.255.255.0'
	option device 'br-iot'

config device
	option name 'lan0'
	option mtu '1500'

config device
	option type 'bridge'
	option name 'br-iot'
	option mtu '1500'
	option bridge_empty '1'
	option ipv6 '0'
	list ports 'lan0'

# TV
# VLAN 15 on the lan1 trunk. Same `list ports` vs `option ifname` question as
# for lan1.99 above.
config device 
	option name 'lan1.15'
	option type '8021q'
	option vid '15'
	list ports 'lan1' 

# Layer-2 only: proto 'none' means the Omnia holds no address on br-tv, so the
# bridge merely switches frames between the lan4 access port and VLAN 15 on the
# trunk. 'TV' is not listed in any firewall zone; that is harmless while the
# router has no address here, but anything that later gives it one would fall
# under the firewall 'defaults' policy (input ACCEPT) rather than a zone.
config interface 'TV'
	option proto 'none'
	option device 'br-tv'

config device 
	option type 'bridge'
	option name 'br-tv'
	list ports 'lan4'
	list ports 'lan1.15'

and firewall

# Policy for traffic not matched by any zone: accept input/output, reject forward.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: every service listening on the router is reachable from br-lan, and
# hosts in the zone may forward among its networks.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone: unsolicited inbound is rejected, outbound is NATed (masq) with MSS
# clamping; sentinel_fwlogs feeds rejected traffic to the Turris Sentinel logs.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option sentinel_fwlogs '1'
	list network 'wan'
	list network 'wan6'

# Only lan -> wan is permitted here; iot -> wan is added further below.
config forwarding
	option src 'lan'
	option dest 'wan'
# Stock OpenWrt exceptions to the wan input REJECT: DHCP renewals, IPv4 ping,
# IGMP, DHCPv6 replies, MLD from link-local sources, and a rate-limited set of
# ICMPv6 types needed for IPv6 to function. All are unchanged from the defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forwarded ICMPv6 (dest '*' = any zone), also rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec pass-through from wan into lan (ESP and IKE/500). These forward to the
# whole lan zone; if no IPsec endpoint lives on the LAN they can be removed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Turris-managed rules for exposing SSH/HTTP/HTTPS on the wan side. All four are
# disabled (enabled '0'), so management stays unreachable from the internet -
# keep them that way unless remote access is deliberately required.
config rule 'wan_ssh_turris_rule'
	option name 'wan_ssh_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '22'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_http_turris_rule'
	option name 'wan_http_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '80'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_https_turris_rule'
	option name 'wan_https_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '443'
	option proto 'tcp'
	option src 'wan'

config rule 'turris_wan_6in4_rule'
	option enabled '0'

config rule 'turris_wan_6to4_rule'
	option enabled '0'

# iot zone: the 'iot' network (br-iot) plus the lan0 device listed explicitly.
# input ACCEPT exposes all router services (including DHCP) to IoT devices.
config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option name 'iot'
	option output 'ACCEPT'
	list device 'lan0'
	list network 'iot'

# NOTE(review): iot -> lan forwarding lets IoT devices initiate connections to
# anything on the LAN, which removes most of the benefit of the separate VLAN.
# If the goal is isolation, drop this stanza and keep only lan -> iot below;
# replies to LAN-initiated connections still return through connection tracking.
config forwarding
	option dest 'lan'
	option src 'iot'

# IoT devices may reach the internet.
config forwarding
	option dest 'wan'
	option src 'iot'

# LAN may reach IoT devices.
config forwarding
	option dest 'iot'
	option src 'lan'

# Turris Sentinel hook, run as a script on every firewall reload.
config include 'sentinel_firewall'
	option type 'script'
	option path '/usr/libexec/sentinel/firewall.sh'

And here is Turris MOX
Network

# Loopback and globals on the MOX (stock defaults).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd92:3810:cb8d::/48'

# LAN

# VLAN 99 on eth0, the trunk towards the Omnia. Note this uses `option ifname`
# for the 8021q device, unlike the Omnia config above which uses `list ports`.
config device
	option name 'eth0.99'
	option type '8021q'
	option ifname 'eth0'
	option vid '99'

# br-lan: VLAN 99 of the trunk plus the three untagged MOX ports.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.99'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# Static address in the Omnia's 192.168.99.0/24 with the Omnia as gateway.
# No DNS server is given here, so the MOX itself presumably cannot resolve
# names (updates, time sync) unless one is supplied - verify. ip6assign '60'
# only matters if this device receives a delegated prefix, which a static
# downstream interface normally does not; likely a leftover from the defaults.
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option _turris_mode 'managed'
	option ip6assign '60'
	option device 'br-lan'
	option ipaddr '192.168.99.2'
	option gateway '192.168.99.1'

# TV 

# VLAN 15 on the eth0 trunk, meant to carry the TV segment.
config device 
	option name 'eth0.15'
	option type '8021q'
	option ifname 'eth0'
	option vid '15'

# NOTE(review): no `config device` named 'br-tv' exists anywhere in this MOX
# config, so this interface points at a bridge that is never created, and
# eth0.15 is not a member of any bridge. A bridge stanza listing 'eth0.15'
# together with whichever MOX port should carry TV traffic is missing here
# (compare the br-tv stanza in the Omnia config).
config interface 'TV'
	option proto 'none'
	option device 'br-tv'

and firewall

# No zones are defined, so the 'defaults' policy applies to every interface:
# input ACCEPT means every service listening on the MOX is reachable from any
# attached network, and forward REJECT blocks routing between interfaces (the
# bridge still switches frames at layer 2). This is acceptable only while the
# MOX sits entirely behind the Omnia's firewall, which is what the reply below
# assumes when it suggests disabling the firewall on a dumb access point.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Legacy user script hook: whatever is in /etc/firewall.user runs on every
# firewall reload, so its contents are worth checking.
config include
	option path '/etc/firewall.user'

config rule 'turris_wan_6in4_rule'
	option enabled '0'

config rule 'turris_wan_6to4_rule'
	option enabled '0'

Without going into details and just from having a quick look: delete all those config parts:

config device 
	option name 'lan1.99'
	option type '8021q'
	list ports 'lan1'
	option vid '99'

It is enough to define the VID implicitly in the bridge via

list ports 'lan1.99'

Due to some unsolved DSA bug the traffic will go via the CPU anyway, so there will be no hardware offloading (for which additional config details might be needed).

Apply this to all of your config and you should be fine.

Regarding non-lan interfaces: you will need some traffic rules that allow access to DHCP (ports 67-68) on the lan interface.

Regarding MOX: do you use it as a dumb access point? If yes, you may disable the firewall (+ dnsmasq + odhcpd) as the Omnia is already doing all of that.


It works! Thanks for your advice :wink:
