Hello,
I would like to extend Turris router with a managed switch. On Turris side I have 5 interfaces: LAN, WAN, WIFI1, WIFI2 and SWITCH.
Previously, I changed the protocol LAN interface from bridge to static address. Then, I created the switch interface and named it this way: lan1.33.
In network → devices in devices tab I have VLAN (802.1q) as type. Now, I’m stuck because I don’t know how can I tag the switch interface from Turris router.
How can I make it ?
Hello
A VLAN (lan1.x) can be created in LuCi on the path network => network interfaces => device tab. I read on the forum that only VLANs 1 to 15 work from LuCi! All VLAN IDs can be configured from the console (CLI). The VLAN interface should be placed in the network bridge if there are to be several VLAN interfaces or LAN interfaces directly under one bridge)
On the network interfaces tab, a “logical” interface is then defined, which is addressed using IPv4/IPv6, DHCP, etc.
I also try VLAN interfaces, but when creating them, some are functional (packets are marked with a VLAN tag and data is transmitted, but other interfaces are not, I still don’t know what I’m doing wrong). Also, when removing such interfaces from the LuCi GUI, the Turris router (for me) shuts down all its network interfaces and the router can no longer be communicated with.
I would like someone with experience to describe the correct creation of VLANs on a Turris router. Can be using CLI over SSH.
I believe it can be functional, just knowing the right procedure.
Before doing anything, make sure you have some way of getting back into the device if you lock yourself out. Serial console, break off one of the LAN ports and use it as a management port, or whatever else you please, but it will save you a lot of headaches.
There are two ways to configure VLANs when using DSA switch configuration (as is used in Turris).
The first way:
The second way:
Instead of adding all ports to a bridge and using VLAN filtering, you can also just use two separate bridge devices and add vlan-tagged ports and use those as your interfaces.
For example, if you want lan0-2 to be LAN, lan3 to be DMZ, and lan4 to be trunk, you would want the existing br-lan to consist of lan0, lan1, lan2, and lan4.30. Then, make a new interface, br-dmz, and give it lan3 and lan4.31.
Personally, I use the first approach, but many people will find the second approach easier to work with. It’s just two different ways of looking at the problem (‘view the router as having a single port that connects to a managed switch internally’ vs ‘configure and use each port directly and let DSA figure it out’).
Thank you. I will try the procedure you described.
Thanks @mattventura and @cernikradek
However, I have a question. For the step 2, all lanX port are added to the bridge. But, should eth0 which is the CPU should be part of it ?
Yes, sorry, forgot to mention that. Although, on mine, it’s eth2 instead of eth0.
The only time you wouldn’t add eth0/eth2 to the bridge is if you wanted that VLAN to be switched between switch ports, but never hit the CPU.
Can you source the information?
That is not correct, in LuCI in Bridge VLAN filtering you can mark the VLAN as being Local and that means the CPU will see the traffic in that corresponding VLAN.
After that, you still need to create a L3 interface with corresponding parent interface.
Just a note of a bug in vlan filtering driver:
Patch that broke things got removed in master. Probabbly Turris team should backport it sooner.
Edit:
Edit 2:
So I would stick to second approach until its fixed in TOS
So I opt-in for the bridge interface with all ports (lanX).
I tried to make it simple. So, I created some VLAN in the managed switch. All devices connected to the managed switch get the correct IP address (from the managed switch).
I connected the managed switch to the lan1 on TO and in Bridge VLAN filtering I tagged VLAN 1 (managed switch connected to TO use PVID 1 and the port is also tagged).
None of the devices connected to the managed switch can access Internet.
FYI, I have 3 interfaces on TO:
Few pictures to explain what I’ve done:
To summarize, the devices in DESK are from the managed switch and they cannot ping the TO interface connected to the managed switch and so, they cannot access internet.
Maybe firewall? Do you have DHCP service enabled on the DESK interface?
On TO DESK interface do not have DHCP because it is supposed to be the devices on the managed switch side.
For the firewall I accepted everything just to be sure it won’t be an issue.
Maybe it will be more easier with a diagram:
So in the diagram above DESK interface is not there. I don’t think what I did on TO side is correct for DESK as physically it goes through the managed switch interface connected to the TO.
You should not enable masquerading on the DESK or SWITCH zone. It is useful only on WAN zone.
Anyway, I still do not understand your network setup, what is responsible for DHCP for „devices on the managed switch side“ etc.
So, the managed switch is responsible for DHCP. Also, the managed switch use a static IP address (on the interface connected to TO) and can ping TO.
I decided to start again, trying to make it more simple.
DHCP is managed only by TO.
On the managed switch I have the following:
On TO I have the following:
So, VLAN 33 get the IP address from TO, everything seems fine. However, VLAN34 and VLAN35 doesn’t get any IP address and RX from those interfaces stay at 0.
Only DESK is shown here but same issue with SERVER
below the VLANS:
I have the feeling to miss something, I’m wondering if the issue is related to some routing.
FYI: a laptop is connected on port 0 on TO and the switch is connected on port 1
Problem solved.
TO config was fine !
Issue was on managed switch. The trunk port must be part of all VLANs and tagged.
Thank you all guys.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.
