Ok, the R2 is almost ready to replace the R1. Did a first test today and almost everything works, except my TV receiver for streaming TV service of my provider. In the old R1 there was a switch module which was nice enough to forward all trafic on 1 incoming port to a tagged vlan on the wan port, including DHCP request.
In the R2 I seem to have a config issue. The iptables logging shows all DHCP requests as incoming data on the bridged port, instead of it being bridged. (forwarded to the other port) In the R2 I need to somehow get traffic from lan0 to wan.4 and back without the kernel interfering, including DHCP requests and the returning answers.
if i understand you right, you can create a vlan-interface on wan and bridge/route traffic to another port
#create vlan on a interface
iface lan3.60 inet manual
#now bridge this vlan to another port
iface br0 inet static
bridge_ports lan1 lan3.60
have not tested, but should work because vlans also L2-interfaces…but as i said in another thread i do not suggest bridging between lan and wan…this is for what routing (L3) is for which gives more control about the packets
The bridging between lan and a vlan on wan is just what I need, as the TV receiver needs to be on the assigned vlan of the provider without interference of the router.
The config you show is indeed what I use, but then linking lan0 (untagged without ip) with wan.4 (tagged without ip). The TV receiver needs to get it’s ip address from the provider via vlan 4 to be able to function correctly. The real internet connectivity is via vlan 6 and firewalled like crazy. The main reason I want to bridge lan and wan, is to separate external and internal, however, the TV box needs to be passed trough. (has it’s own, dedicated, cable for that)
The logging in iptables shows incoming DHCP requests to the router via that interface. WIll have to place a tcpdump on both sides of the bridge to check if the dhcp traffic is working as it should ot nor. (and if the iptables log is just a by-product of having the bridge)
When using bridge you cannot use a L3-protocol between these 2 interfaces…this is how a bridge works
The I’ll probably need to move the uplink to one of the lan ports… will have to play a bit with that.
Compared to the R1 without updates it’ll be safer anyway.
That don’t change anything except you use same gmac for lan and wan…
I noticed, whatever I do, at the moment I haven’t found a way to bridge without loosing the tag. Not even bridging 2 tagged ports worked on the R2. Somehow the tag gets lost on the DHCP request. This seems strange to me, as the R1 has no issue with exact the same configuration. Only difference there is the switch setup it has. (managed via swconfig)
the tagged frame should get out where you define the vlan (in my config lan3 tag 60). R2 has also switch,but swconfig is an outdated tool…its function is now done by dsa-driver in kernel.
Then it looks like I need to find a way to configure that… nice, something new to learn.
The issue I seem to have is that frames that should be tagged aren’t forwarded tagged. Somehow dhcp requests are excluded in the dsa-driver. (swconfig included them)
Forwarding is layer 3…tagging is layer 2
You have to define vlan where you need tagging…here on wan
Tagging is needed for the TV receiver, the receiver expects an untagged cable, the internet provider expects the TV traffic tagged on vlan 4. The R1 had 1 switch and there I could ‘bridge’ 2 ports without the CPU port (*) seeing the traffic.
It’s solved by placing a vlan aware switch in front of the router and splitting vlan 4 off to the TV receiver before the firewall sees the traffic.
why not define wan.4 ?
example for defining vlan in /etc/network/interfaces:
iface lan1.6 inet static