VLAN configuration on Turris Omnia

marek-stopka · February 3, 2018, 10:07pm

Hello, I am trying to configure Turris VLAN’s, I have several IPv4 addresses assigned by my ISP (/29), I would like my server behind Turris to have open public IP and also access to the local LAN… My server is connected to PORT5 on Turris; I have following configuration on Turris:

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 6'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '4t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '4t'

config interface 'dmz'
	option proto 'static'
	option _orig_ifname 'eth0.3'
	option _orig_bridge 'false'
	option ifname 'eth0.4'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option proto 'static'
	option ipaddr '82.209.54.74'
	option netmask '255.255.255.248'
	option gateway '82.209.54.73'
	list dns '8.8.4.4'
	list dns '8.8.8.8'
	option type 'bridge'
	option _orig_ifname 'eth1'
	option _orig_bridge 'true'
	option ifname 'eth0.3 eth1'

But even though I have VLANs configured properly on my CentOS server it does not seem to work. I cannot connect to either DMZ or WAN… (I used the GUI to create the configuration).

adminX · February 4, 2018, 6:40am

Current Config:

LAN 0-3 are in VLAN1
eth0 and eth2 are in VLAN2
LAN4 is in VLAN3 with tags
LAN4 is in VLAN4 with tags

wan is on a bridge with eth0.3 and eth1
dmz is on eth0.4

Result

eth0 and eth2 are connected
LAN0-3 are a 4port switch
LAN4 is disconnected from all other ports

Possible fix

Remove VLAN 2
add port 5 tagged to VLAN3
this will allow switch port 5 (eth0) to use VLAN3 so eth0.3 can talk to LAN4.3
add port 5 tagged to VLAN4
this will allow switch port 5 (eth0) to use VLAN4 so eth0.4 can talk to LAN4.4
add port 6 not tagged to VLAN1
this will allow switch port 6 (eth2) to reach the LAN

Even after changing this it still looks wrong to me.
The server has access to the dmz network and the unfiltered wan at the same time. This defeats the usefulness of a dmz.

A small overview how the switch is connected:

NOTE: eth0 is connected to the switch port 5 and eth2 is connected to the switch port 6. This is wrong in the image.

marek-stopka · February 4, 2018, 10:07am

Perhaps I wrongly explained what I am trying to achieve;
I would like a trunk port with allowed vlans 3,4 connected to my server;
on server I configure enp4s0.3 as a WAN interface and enp4s0.4 as a DMZ interface (the server should have access to DMZ and WAN because it is a virtualization farm I intend to access from the internet and then VMs there will be connected to different networks, except for the LAN, only L3 connections will be used for traffic going to home LAN).

I was under the impression that if I create a trunk like this and then put these ports into relevant bridges it should simply work. Instead of using the VLAN switches I would be able to set-up some additional rules using ebtables in this case.

LAN4 should not be disconnected from other ports considering that both virtual (tagged) interfaces are put into bridges that should “bridge them”; there is no other port in the DMZ yet because I have no second server (yet). I have firewall configured to enable all forward traffic from LAN to DMZ and then I will add few rules from DMZ to LAN (access to a network printer, perhaps few other things; I could route it as L3 over the WAN interface, but I rather do route it as L3 over the internal Turris ports (prevents ISP from listening).)

adminX · February 5, 2018, 7:00am

This is a bit the way it works with upstream (non-OpenWRT) kernels.

The Omnia has 3 ethernet interfaces. One is connected to WAN and the other two are connected to its internal VLAN-capable switch.
You created one trunk port in your switch but the VLANs have no other ports in them.
To let your Omnia take part in the VLANs you have to add it to them using port 5(eth0) or port 6(eth1).

marek-stopka · February 7, 2018, 1:24pm

I do not want those ports in any VLAN, I want those VLAN tagget ports in a bridge so I can use ebtables to filter traffic; so let me refine my question…

How do I make a tagged VLAN port on a switch appear as an interface in the OpenWRT environment so I can bridge it with whatever interfaces I like and configure respective ebtables rules?

mattventura · February 7, 2018, 7:21pm

You do this by also configuring port 5 and/or 6 as a trunked port, so that the tagged traffic is able to flow back to the Omnia’s CPU. The switch is a black box to the rest of the device - if you don’t enable a VLAN on one of the two ports that connect to eth0 or eth2, the Omnia won’t have any idea that VLAN even exists. Think about how you would configure it if you were using a completely external switch.

marek-stopka · February 7, 2018, 8:17pm

You’ve just became my personal hero; someone should update the documentation, because it is not obvious from it… But it works now, I can get to the WAN using VLAN 3 on the trunk port, I have not tested the DMZ yet!

NOTE: Update it so that it is made obvious that the port marked CPU in the GUI is a trunk port between the OpenWRT kernel and the switch.

Thank you so much, if you are from Prague (or better Ostrava) I owe you a beer!