Upgrade and vlans

My T. Omnia installed package tos3to4-notify asking me to upgrade to TOS 5.

However, in the documentation I see
" Network switch configuration now uses DSA. See the up to date documentation on how to configure VLANs."

I use vlans. This doc does not say ANYTHING about bridging with vlans, etc.

So will my vlan configuration disappear once it upgrades ?

While waiting to have time for this, how can I prevent the upgrade? (For now I have completely disabled automatic updates; I prefer a working router to a safe router which prevents me from accessing what I want to access.)

https://forum.turris.cz/t/switching-and-vlan-on-tos5/15861/5

This does not answer : will my configuration work or not ?
And the documentation does not teach me anything, it lacks many things : how can I choose which vlan is sent untagged (pvid/native vlan) on a port ? How can I select which vlans are sent on which ports ?
How are bridges managed with the vlans ?

With only this doc, I would believe that my current configuration is no longer possible (I have several vlans on LAN side, but also a vlan bridged between WAN and LAN. But native vlan is different on WAN and LAN side)

And I cannot afford a broken router, for which I would have to find many pages in order to understand what broke.

So how can I be SURE that nothing will break when upgrading, or is there a rollback procedure somewhere, which can be executed without internet access ?

1 Like

I think there is a migration script for doing the switch from swconfig (TurrisOS v.3.x) to DSA - this was mentioned by a team member quite some time ago. But you’d better ask this question in the respective thread: We sent migration notification for Turris Omnia in 3.11.23 RC - #2 by Pepe

This is how it looks on my Omnias with current 5x firmware.

The only configuration needed (apart from firewall rules later on of course) is the interfaces in /etc/config/network:

  1. Define your VLAN as “Interface”.
  2. List all member ports as “ifname”.
    2.1. For an untagged port just the plain physical interface name.
    2.2. For a tagged port you add the VLAN-ID to the interface name after a dot.

Say I want to define a VoIP-LAN with the VLAN-ID 66.
I want the physical Port LAN3 of my router as member for untagged traffic.
I want the physical Port LAN4 of my router as member for tagged traffic.

config interface 'voip_vlan'
	option type 'bridge'
	option proto 'static'
	list ifname 'lan3'
	list ifname 'lan4.66'
	option ip6hint '66'
	option ip6ifaceid '::1'
	option ip6assign '64'
	list ipaddr '192.168.66.1/24'

Does that help?

I did not find any working doc about config files…
Where is the list of all possible options and their meaning ?
Where is the list of config files ?

Your example might help with a knowledge of options

With this I could just define my “TV bridge” between, humm .100 and .100 but what are those interfaces, I cannot say. Where do the names come from ?

And it does not answer that on port 2 I want vlan 10 as native vlan, while on port 3 I want vlan 20 as native vlan (keeping the whole list of other vlans on them and bridging together)
Should I define as many bridges as vlans I use ?

Too many questions for an automatic upgrade, too many undocumented features (for me if a feature is undocumented then it is absent).

Clearly with today’s documentation, TOS 5 is for me unusable.

The DSA link is a joke : it is not a doc but a collection of examples made with tools for scripting, no hint on how to put this in a configuration, not even proper examples since they do not present how to select which vlans are present or absent tagged or not at each port of the bridge.

1 Like

I’m not a dev of Turris or OpenWrt. All I know I got from the docs on Turris and OpenWrt or by looking at the files in /etc/config/.

The only options relevant to VLAN are

  • option type 'bridge' anything else would not make any sense.
  • list ifname is the list of hardware network interfaces you want as members of your VLAN/Bridge.

All others are IPv4/IPv6 address configurations, not relevant to VLAN.

I really don’t know what else do you want/need?

I’m slowly starting to believe, people have problems with VLAN on the later OpenWrt and Turris releases, because it used to be difficult before and now it’s easy.

"interfaces, I cannot say. Where does the names come from ?"
config interface with the name of your own choice. They will show up with these names in the Luci web interface under Network → Interfaces and under Network → Firewall to assign them as members to your firewall zones.
lan0 to lan4 are the Ethernet-sockets on the back of your router and are labelled there as such.

For the sake of completeness:

config globals 'globals'

config interface 'loopback'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'
    option ifname 'lo'

config interface 'wan'
    option proto 'dhcp'
    option ifname 'eth2'

config interface 'wan6'
    option proto 'dhcpv6'
    option noserverunicast '1'
    option reqaddress 'try'
    option reqprefix '48'
    option ifname '@wan'

config interface 'voip_vlan'
    option type 'bridge'
    option proto 'static'
    list ifname 'lan0'
    list ifname 'lan4.66'
    option ip6hint '66'
    option ip6ifaceid '::1'
    option ip6assign '64'
    list ipaddr '192.168.66.1/24'

config interface 'tv_vlan'
	option type 'bridge'
	option proto 'static'
	list ifname 'lan1'
	list ifname 'lan4.100'
	option ip6hint '100'
	option ip6ifaceid '::1'
	option ip6assign '64'
	list ipaddr '192.168.100.1/24'

config interface 'vlan_10'
	option type 'bridge'
	option proto 'static'
	list ifname 'lan2'
	list ifname 'lan4.10'
	option ip6hint '10'
	option ip6ifaceid '::1'
	option ip6assign '64'
	list ipaddr '192.168.10.1/24'

config interface 'vlan_20'
	option type 'bridge'
	option proto 'static'
	list ifname 'lan3'
	list ifname 'lan4.20'
	option ip6hint '20'
	option ip6ifaceid '::1'
	option ip6assign '64'
	list ipaddr '192.168.20.1/24'

So we now have the following:
View by Ports:

  • LAN0 has PVID 66 (voip_vlan), connect your phone here.
    • Untagged traffic is expected (end-node devices unaware of VLANs)
    • untagged ingress traffic is tagged with VLAN 66 and forwarded to other VLAN members.
    • tagged ingress traffic other than VLAN66 is discarded.
    • tagged egress traffic from VLAN 66 is untagged and forwarded.
  • LAN1 has PVID 100 (tv_vlan), connect your TV here.
  • LAN2 has PVID 10
  • LAN3 has PVID 20
  • LAN4 is member of VLANs 66, 100, 10 and 20 (connect your VLAN capable switch here)
    • Tagged ingress and egress traffic of any VLANs this port is a member of will be forwarded.
    • Untagged or tagged by any other VLAN, will not be forwarded.

View by VLANs:

  • VLAN 66 has LAN0 and LAN4 as members. LAN0 as PVID port and LAN4 for tagged traffic.
  • VLAN 100 has LAN1 and LAN4 as members, LAN1 as PVID, LAN4 tagged.
  • VLAN 10 has LAN2 and LAN4 as members, LAN2 as PVID, LAN4 tagged.
  • VLAN 20 has LAN3 and LAN4 as members, LAN2 as PVID, LAN4 tagged.

All you need is list ifname with (tagged) or without (untagged) a VLAN-ID after a dot. It really can’t get easier than that.

1 Like

I do not see the WAN, nor where the lanx interfaces are defined. As for now I have eth* interfaces.
I cannot look in the files since I have TOS 3 and not 5.
I cannot test, and I cannot afford to break.
So I’ll stay with TOS 3, and never upgrade, but replace it by something else.

I do not look at openwrt docs, I already did for some FW problem in TOS3 and discovered options were not the same. How can I know what part is Ok, what part is not ? Guess ?

That’s not serious. Docs speak almost only of non network features, so I deduce that Turris Omnia 5 is no longer an OS for a router but for other things.

Not for me, I just regret having paid ~ 300 € for something to become useless 1 and a half year later.

Your choice of course. But please don’t be so afraid. You claim to be a network engineer for a hoster and network operator. So you know this stuff.

But it looks to me as you prefer to spend even more money to get less. I’m just wondering which home-networking device will get your complicated VLAN configuration? And how much time you will need to set it all up from scratch on a completely new device, compared to a small chance of maybe needing to correct a small error in a migrated configuration.

Upgrade and it will most likely work. If it’s not, a glance at /etc/config/network will tell you what’s wrong.
Don’t be afraid. It’s not Cisco, Zyxel, HPE or Aruba, where you need a couple of trainings and certificates to be able to just display the list of interfaces. It’s Turris, which means it’s OpenWrt, which means it’s Linux.

I choose to switch to Turris from HPE, Aruba and Zyxel at all of my customers’ networks.
Because it’s so easy, compared to the big names. Because performance and throughput is way better, because there is a community for support and not a call center of a multi-billion-conglomerate.
To my surprise even reliability is better, compared to e.g. Zyxel.

My Omnias are doing fine in Hotels, Bars, Coffee-Shops, Restaurants, Co-working spaces.
I use VLANs to separate public client networks with hundreds of devices from private point-of-sale systems, VoIP systems and admin-access and VPNs in each of them. That’s all about networking and nothing else. And I never needed any more documentation than what was available.

The only problem I had with the migration to 5x in March, was that I was not able to charge more than a half hour to my customers.

So yeah go on, spend more money and time, if it helps with your fear. :wink:

P.S.
Forgot to mention the IPTV HD streaming for public viewings of bigger live sports events at the restaurant with up to five TV-screens, also through a dedicated VLAN with IGMP multicast. All in sync.

2 Likes

For the sake of completeness I added the WAN interface to my previous post listing of /etc/config/network.

The LANx interfaces are predefined by the labels on the sockets on the back of your router’s hardware.

For the wan interface eth2 is used as interface name, because it’s provided by the SoC, not directly by a physical port. The physical port which eth2 connects to could either be the Ethernet port labelled WAN or the SFP-Port labelled SFP.

2 Likes

You don’t see lanx, because they are not present on TOS 3. In TOS 3, you have the CPU with its interfaces and then you configure the switch via switchconfig while looking at which ports are connected where and manually passing it to ports connected to the CPU. In TOS 5, you don’t configure the switch explicitly. The kernel does that for you. You will have lanx interfaces representing physical ports on the box and you can set up vlans and bridges as normal with those interfaces. And the kernel will figure out the switch and CPU ports configuration for you. It is no longer needed to specify it by hand and you get an interface for every port directly, making it much easier to manage.

Docs are usually updated to be up to date with the latest version. There is currently TOS 5 based on OpenWrt 19.07, but the latest OpenWrt docs might already be for recently released OpenWrt 20.02 - TOS 6 that will take us some time to prepare. But mostly I found that where options were version dependent, it was explicitly mentioned.

Nothing is certain till you try. But there is always a schnapps. You can even export your whole filesystem to external storage to be extra sure it will survive.

Ok, so does [OpenWrt Wiki] Converting to DSA apply ?
And if it is the case, How can I "Gather all of the switchport interfaces (wan, lan1, lan2, etc.) in one bridge interface. Remove them from other bridges if they exist. " ?

(and if this applies, it would be a good idea to link it from Turris doc)

Based on the previous examples, I would do something like this:

config interface 'my_bridge'
	option type 'bridge'
	list ifname 'lan0'
	list ifname 'lan1'
	list ifname 'lan2'
	list ifname 'lan3'
	list ifname 'lan4'
	list ifname 'eth2' # a.k.a wan
	option proto 'static'
	list ipaddr '192.168.0.1/24'
	option ip6hint '0'
	option ip6ifaceid '::1'
	option ip6assign '64'

Remove? Bridges are defined in /etc/config/network as interface with option type bridge. If an ifname is not part of any such definition then it’s not part of any bridge.

But I’m slowly getting the feeling that we’re talking past each other. If you want to cobble everything together as one network, you won’t need VLANs in the first place.

Could you describe your network, in a non-technical way, without using the terms “bridge” or “VLAN”. What devices are plugged in where and how they should talk to each other, or why they should NOT talk to each other? More or less as you would describe it to your grandmother.

2 Likes

I have a working config on TOS 3. I do not want to change it. Yes I use technical terms because they are the most appropriate, and yes I know exactly what I am speaking of.

If you want a “layman” explanation :slight_smile: ISP arrives at one place in the flat. From there there are RJ45 cables to 3 different rooms.
ISP also provides a set top box for the TV to which I must send Vlan 100 from the WAN side untouched (VLAN is part of the requirements).

I have a network for trusted devices, and one for untrusted ones which must reach internet, but not the trusted network. There is also a “common network” for devices to be used by both trusted and untrusted ones (eg. printer).

Those logical networks are physically in different rooms, each room has its manageable switch to distribute the logical networks (if you prefer this to the term vlan) to the devices.

It works in TOS 3. However TOS5 doc does not speak AT ALL about this kind of settings only speaking of non network ones.

Thus my question about the openwrt doc page (does it apply) and more specific questions about what it says to do.

Hi edav

Sorry for the long delay, I was on holidays.

Let’s assume, you have three rooms each with a smart switch. The rooms connect to lan1, lan2 and lan3, while one TV is connected directly to router on lan4. Another TV is located in room 1.

/etc/config/network:

config globals 'globals'

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config interface 'trusted_lan'
    option type 'bridge'
    option proto 'static'
    list ifname 'lan1.10'
    list ifname 'lan2.10'
    list ifname 'lan3.10'
    option ip6hint '10'
    option ip6ifaceid '::1'
    option ip6assign '64'
    list ipaddr '192.168.10.1/24'

config interface 'untrusted_lan'
    option type 'bridge'
    option proto 'static'
    list ifname 'lan1.20'
    list ifname 'lan2.20'
    list ifname 'lan3.20'
    option ip6hint '20'
    option ip6ifaceid '::1'
    option ip6assign '64'
    list ipaddr '192.168.20.1/24'

config interface 'common_lan'
    option type 'bridge'
    option proto 'static'
    list ifname 'lan1.30'
    list ifname 'lan2.30'
    list ifname 'lan3.30'
    option ip6hint '30'
    option ip6ifaceid '::1'
    option ip6assign '64'
    list ipaddr '192.168.30.1/24'

config interface 'TV_lan'
    option type 'bridge'
    option proto 'dhcp'
    list ifname 'lan1.100'
    list ifname 'lan4'
    list ifname 'eth2.100'

Does that make sense now?
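
Added example, not part of any post in this thread: a small Python check that reads an /etc/config/network-style file, derives the "view by ports" described earlier in the thread (untagged versus tagged bridge membership per port) and reports any member listed in more than one bridge, which is the kind of slip that would merge networks such as the trusted and untrusted ones in the config above. The sample config and the function names are constructed for illustration, and the parser goes slightly beyond the posted configs by also accepting a space-separated `option ifname` list.

```python
import shlex

# Constructed sample (not from the thread); common_lan repeats 'lan1.20' on purpose.
SAMPLE = """
config interface 'wan'
    option ifname 'eth2'
config interface 'trusted_lan'
    option type 'bridge'
    list ifname 'lan0'
    list ifname 'lan1.10'
config interface 'untrusted_lan'
    option type 'bridge'
    option ifname 'lan1.20 lan2.20'
config interface 'common_lan'
    option type 'bridge'
    list ifname 'lan1.20'   # should have been lan1.30
"""

def parse_interfaces(text):
    """Return {name: {'type': ..., 'ifname': [...]}} for each 'config interface'."""
    sections, cur = {}, None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)   # handles quotes and '#' comments
        if tok[:1] == ["config"]:
            cur = None                           # any other section type is skipped
            if len(tok) == 3 and tok[1] == "interface":
                cur = sections.setdefault(tok[2], {"type": None, "ifname": []})
        elif cur is not None and len(tok) == 3 and tok[1] == "type":
            cur["type"] = tok[2]
        elif cur is not None and len(tok) == 3 and tok[1] == "ifname":
            cur["ifname"] += tok[2].split()      # 'list' entry or space-separated option
    return sections

def port_view(sections):
    """Map port -> {VLAN ID, or None for untagged: [bridge names]}."""
    ports = {}
    for name, sec in sections.items():
        for ifname in sec["ifname"] if sec["type"] == "bridge" else []:
            port, _, vid = ifname.partition(".")
            key = int(vid) if vid.isdigit() else None
            ports.setdefault(port, {}).setdefault(key, []).append(name)
    return ports

def conflicts(sections):
    """A Linux netdev can join only one bridge: report members listed twice."""
    return [(port, vid, names) for port, vlans in sorted(port_view(sections).items())
            for vid, names in vlans.items() if len(names) > 1]

if __name__ == "__main__":
    print(port_view(parse_interfaces(SAMPLE)), conflicts(parse_interfaces(SAMPLE)))
```

Run it against a copy of the migrated /etc/config/network before putting the router back in service; an empty conflict list and a port view that matches the intended layout is what you want to see.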