VLAN Transition from TOS 3 to TOS 6

Hello all,

I have been happily plugging away on an Omnia running TOS 3. Yesterday and today I attempted to upgrade by doing a fresh install of TOS 6 using @dhopfm’s awesome post here: The clean path to Turris OS 6 (and any other major version) - SW help - Turris forum. Unfortunately, for both days, after banging my head against a wall for a few hours each day, I rolled back to the previously working TOS 3.

Background:

My network topology is:

LAN0 -> UniFi Managed Switch (with clients in default vlan 1, 3, and 4)
LAN1 -> UniFi Managed Switch (with clients in default vlan 1, 3, and 4)
LAN2 -> Off
LAN3 -> UnifiAP (with clients in default vlan 1, 3, and 4)
LAN4 -> Off

VLAN Nomenclature/purpose:

VLAN 1 = Default VLAN
VLAN 3 = Workshop
VLAN 4 = IOT

My /etc/config/network and VLAN config on TOS 3:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '{$my_ipv6_prefix}'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.12.0.1'
        option _orig_ifname 'eth0 eth2 radio0.network1 radio0.network2 radio0.network3'
        option _orig_bridge 'true'
        option ifname 'eth0 eth2'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        option dns '10.12.0.21'


config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option noserverunicast '1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 3 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 1t 3t 5t'

config interface 'Workshop'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '10.20.30.1'
        option netmask '255.255.255.0'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '0t 1t 3t 5t'

config interface 'IOT'
        option proto 'static'
        option ifname 'eth0.4'
        option ipaddr '10.30.40.1'
        option netmask '255.255.255.0'

For the visual folks that means my switch config looks like:

I won’t share existing firewall config because it’s sprawling mess but it works.

In preparing for and troubleshooting during the sessions yesterday and today I have read:

…but I am still lost.

In TOS 6 I have so far tried:

  • Enabling VLAN tagging on the default br-lan as was suggested by @hagrid in one of the above posts and translating the untagged/tagged/off to untagged egress / tagged egress / primary VLAN / off for the appropriate ports. (Interface → devices → br-lan → Configure → VLAN Tagging)
  • Creating a Software VLAN hanging off br-lan (Interface → devices → New Device → Software VLAN → base-device br-lan)
  • Creating a new bridge with all LAN ports and recreating the tagging pictured above (minus the VLAN 2)
  • Corresponding firewall zones were created for everything to ensure traffic would pass properly.

I’ve been unsuccessful in getting any of the approaches to pass traffic or even see packets. I was careful to only Save and not Save & Apply (though I learned that the hard way, crashing my router often).

Asks for community
How can I mimic the above working TOS 3 /etc/config/network in TOS 6 w/ DSA? How can I build out the same VLAN functionality in either the UI or UCI commands?

Any and all help would be hugely appreciated & thanks in advance.

Stay with a single bridge (e.g., br-lan) and create the VLANs through the VLAN Filtering page: Network → Interfaces → Devices → br-lan: Configure… → Bridge VLAN filtering. Make sure to have the “Local” flag set unless you know that you don’t need it. It controls whether the CPU is part of the VLAN.

And thanks for the kind feedback regarding the guide. :slight_smile:

1 Like

@dhopfm Thank you for the pointer :slight_smile: Couple follow ups:

I would only need to define VLANs 1, 3, 4, correct? I’ve been leaving the idea of VLAN 2 out of my TOS 6 configs as my reading indicates it’s no longer needed like it was in TOS 3.

Validating steps:

  1. Setup VLAN Tagging on br-lan (save not save & apply!)
  2. Create IOT and Workshop networks:
    2.1 Select appropriate br-lan.N device
    2.2 Set up with the static IP protocol
    2.3 Configure DHCP for each
    2.4 Assign them to the appropriate F/W zones.
    2.5 Save for each interface
    2.6 Save and apply for all changes above

Firewall Zone:

  • IOT Zone (covers IOT network and allows forwarding to WAN)
  • Workshop zone (covers Workshop network and allows forwarding to WAN)
  • Both firewall zones will start in overly permissive mode to confirm traffic passing then get locked down

Are there any other changes that I need to make to allow traffic to flow?

You need to also update the interface definition for your LAN network (the one you use to configure the router), so update the LAN network interface from br-lan to br-lan.1 and then hit the Save & Apply

1 Like

TOS by itself doesn’t require any VLANs, neither TOS 3 nor TOS 6. If you don’t have any need for a VLAN 2 you can just leave it out, i.e., not configure it.

TIL. Thank you. I suspect I followed a guide or example and internalized it as a TOS need vs. just an example.

I wanted to share what a working config looks like in Turris OS 6 to achieve what I have outlined above in hopes that it helps someone else struggling with DSA VLANs a bit. I’ll share snippets of my config and then break it down below.

My /etc/config/network and VLAN config on TOS 6:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '{$my_ipv6_prefix}'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option ip6assign '60'
        option _turris_mode 'managed'
        list ipaddr '10.12.0.1/24'
        option device 'br-lan.1'
        option delegate '0'

config interface 'wan'
        option device 'eth2'
        option proto 'dhcp'
        option ipv6 '1'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'

config device 'dev_wan'
        option name 'eth2'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan0:u*'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan0:t'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan0:t'
        list ports 'lan1:t'
        list ports 'lan3:t'

config interface 'Workshop'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '10.20.30.1'
        option netmask '255.255.255.0'

config interface 'IOT'
        option device 'br-lan.4'
        option proto 'static'
        option ipaddr '10.30.40.1'
        option netmask '255.255.255.0'

For the visual folks:


Watch one, do one, teach one (walking it through):

Start with our goals: I want to segment my default traffic, traffic for a workshop, and traffic for IOT garbage.

VLAN 1 = Default VLAN
VLAN 3 = Workshop
VLAN 4 = IOT

And my specific wired network topology (which matters when choosing which LAN ports participate and which don’t):

LAN0 -> UniFi Managed Switch (with clients in default vlan 1, 3, and 4)
LAN1 -> UniFi Managed Switch (with clients in default vlan 1, 3, and 4)
LAN2 -> Off
LAN3 -> UnifiAP (with clients in default vlan 1, 3, and 4)
LAN4 -> Off

VLAN Tagging Setup:
The default VLAN will carry all traffic not explicitly tagged. Thus, when configuring the VLAN Tagging on br-lan we want to select: Egress untagged + Primary VLAN ID. In the config syntax that looks like:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan0:u*'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

In the config syntax Egress Untagged is represented by the u and the Primary VLAN ID is represented by the asterisks.

In the UI this looks like:


Building out the Workshop VLAN (VLAN 3) starts with the VLAN Tagging. Remember my topology above:

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan0:t'
        list ports 'lan1:t'
        list ports 'lan3:t'

That tags VLAN3 traffic on lan ports 0, 1, and 3. In the UI, we’d select “Egress Tagged” from the dropdown selector. We do the same thing for the IOT VLAN (VLAN 4). Once done with VLAN tagging click Save in the UI.

Note: As of 6.0.4 saving will not dismiss the modal dialog box. Click Save once and only once. Then click Dismiss. You can confirm the save occurred successfully in the next step of the process.

Interface Creation
Once the VLAN Tagging has been setup, we need to build out the Workshop and IOT Interfaces and change our lan device to ensure traffic passes appropriately.

In the config syntax:

config interface 'Workshop'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '10.20.30.1'
        option netmask '255.255.255.0'

This creates a static interface with the br-lan.3 device. Do the same for IOT network using br-lan.4.

In the UI this looks like:


Note: If this device is not available to select, something went sideways with the VLAN Tagging save.

Once the new interfaces are configured we need to change up the LAN device from br-lan to br-lan.1.

In the config syntax we simply need to update the option device:

config interface 'lan'
        option proto 'static'
        option ip6assign '60'
        option _turris_mode 'managed'
        list ipaddr '10.12.0.1/24'
        option device 'br-lan.1'
        option delegate '0'

In the UI:

Once all of these changes are ready to go, you can hit Save & Apply in the UI.

Notes:

  • I went with VLAN 1 because of laziness but you could make this default VLAN ID anything you want (that is supportable by your Turris and Switches).
  • I didn’t cover my firewall config in great detail but in broad strokes:
    • I wanted to restrict cross-network chatter/routing of traffic. The Workshop and IOT zones are configured with Input: Reject / Output: Accept / Forward: Reject.
    • I poked holes from both the Workshop and IOT network to reach my pihole device.
    • Each zone forwards to the WAN only.
  • I setup a DHCP server on each interface.
3 Likes
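To make the mapping between the two configs in this thread mechanical, here is an added example (not from the thread or from Turris) that translates TOS 3 swconfig `switch_vlan` sections into TOS 6 DSA `bridge-vlan` sections. It assumes what the two configs above imply: swconfig port N is DSA port `lanN`, and ports 5 and 6 are the CPU-facing ports (eth0/eth2), which get no DSA entry because the CPU joins every bridge VLAN implicitly (the “Local” flag).

```python
# Added example: translate TOS 3 swconfig 'switch_vlan' sections into TOS 6
# DSA 'bridge-vlan' sections.  Assumptions (taken from the thread's configs):
# swconfig port N is DSA port 'lanN'; ports 5 and 6 face the CPU (eth0/eth2)
# and are dropped, since the CPU is in every bridge VLAN implicitly ("Local").
import re

CPU_PORTS = {"5", "6"}                              # assumption, see above
PORT_NAMES = {str(n): f"lan{n}" for n in range(5)}  # assumption: N -> lanN

# Constructed sample: the VLAN 1 and VLAN 3 sections from the TOS 3 config.
SAMPLE_TOS3 = """
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 3 5'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 1t 3t 5t'
"""

def parse_switch_vlans(uci_text):
    """Return [(vid, [ports...])] for every 'config switch_vlan' section."""
    vlans = []
    for block in re.split(r"\n(?=config )", uci_text.strip()):
        if not block.startswith("config switch_vlan"):
            continue
        opts = dict(re.findall(r"option\s+(\w+)\s+'([^']*)'", block))
        vlans.append((opts.get("vid", opts["vlan"]), opts["ports"].split()))
    return vlans

def to_bridge_vlan(vid, ports, bridge="br-lan"):
    """Render one bridge-vlan section: 'Nt' -> 'lanN:t', 'N' -> 'lanN:u*'."""
    lines = ["config bridge-vlan", f"\toption device '{bridge}'",
             f"\toption vlan '{vid}'"]
    for p in ports:
        num, tagged = p.rstrip("t"), p.endswith("t")
        if num in CPU_PORTS:          # CPU port: implicit in DSA, drop it
            continue
        lines.append(f"\tlist ports '{PORT_NAMES[num]}:{'t' if tagged else 'u*'}'")
    return "\n".join(lines)

def translate(uci_text, skip_vids=("2",)):
    """Emit bridge-vlan sections; VLAN 2 is skipped (not needed on TOS 6)."""
    return "\n\n".join(to_bridge_vlan(v, p)
                       for v, p in parse_switch_vlans(uci_text)
                       if v not in skip_vids)
```

Feed it your own TOS 3 `/etc/config/network` and compare the output with the `bridge-vlan` sections above; the interface `device` options (`eth0.3` → `br-lan.3`) still need to be changed by hand.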
