It seems te be a bit different then I mentioned above. Here is a more complete description:
In all cases the kernel is compiled with CONFIG_BRIDGE_VLAN_FILTERING=y.
root@bpi-r64:~# cat /etc/rc.local
#!/bin/sh -e
ip link set eth0 up
ip link add name br0 type bridge vlan_filtering 1 vlan_default_pvid 3
#ip link add name br0 type bridge
ip link set br0 up
ip link set lan0 master br0
ip link set lan0 up
ip addr add 192.168.1.33/24 broadcast 192.168.1.255 dev br0
ip route add 192.168.1.0/24 dev br0
ip route add default via 192.168.1.1
The BPI-R64 is connected with lan0 to a lan port of my router. Then I connect my phone with mac aa:bb:cc:dd:ee:ff to my router. Then I disable the wifi of my phone so no more packets with this mac are sent on the network.
Bridge created with vlan_filtering 1 vlan_default_pvid 3
tried to create a bridge and then enable vlan-filtering, but this breask bridge, also if i disable vlan_filtering
brctl addbr lanbr0
brctl addif lanbr0 wan
ip link add link lanbr0 name lanbr0.500 type vlan id 500
ip addr add 192.168.50.3/24 dev lanbr0.500
ip link set wan up
ip link set lanbr0 up
ip link set lanbr0.500 up
ping 192.168.50.1 #works
echo 1 > /sys/class/net/lanbr0/bridge/vlan_filtering
#ping no more working
echo 0 > /sys/class/net/lanbr0/bridge/vlan_filtering
#ping still not working
i guess i need to tell vlans for bridge again for vlan-filtering
so now i used your settings except vlan 500 instead of 3 and wan instead of lan0
ip link add name br0 type bridge vlan_filtering 1 vlan_default_pvid 500
ip link set br0 up
ip link set wan master br0
ip link set wan up
ip addr add 192.168.50.3/24 dev br0
ping 192.168.50.1 #works
cat /sys/class/net/br0/bridge/vlan_filtering
1
after a while the ping does not work anymoreā¦setting interfaces down/up does not workā¦so iām stuck here
bridge fdb | grep 12:23:34:45:56:67
sometimes shows one (self was missing) entry sometimes 2
on the other side i created vlan with mac 12:23:34:45:56:67
i show the fbd, put vlan down on the other side and try to delete
root@bpi-r64:~# bridge fdb | grep 12:23:34:45:56:67
12:23:34:45:56:67 dev wan vlan 500 master br0
12:23:34:45:56:67 dev wan vlan 500 self
root@bpi-r64:~# bridge fdb del 12:23:34:45:56:67 dev wan vlan 500 self
[ 1739.687177] DEBUG: Passed dsa_switch_event 480
[ 1739.692067] DEBUG: Passed dsa_switch_fdb_del 169
[ 1739.699142] DEBUG: Passed dsa_switch_fdb_del 172
[ 1739.704323] DEBUG: Passed mt7530_port_fdb_del 1354
[ 1739.709654] DEBUG: Passed mt7530_fdb_write 366
[ 1739.714537] DEBUG: Passed mt7530_fdb_write 381
[ 1739.720015] DEBUG: Passed mt7530_port_fdb_del 1359 ret:0
[ 1739.725701] DEBUG: Passed dsa_switch_event 482 err:0
root@bpi-r64:~# bridge fdb | grep 12:23:34:45:56:67
12:23:34:45:56:67 dev wan vlan 500 master br0
12:23:34:45:56:67 dev wan vlan 500 self
root@bpi-r64:~#
so all releated is called, but entry is still thereā¦vlan_filtering seems to be buggy
root@bpi-r64:~# ip link add name lanbr0 type bridge vlan_filtering 1 vlan_default_pvid 500
Garbage instead of arguments "vlan_filtering ...". Try "ip link help".
root@bpi-r64:~# cat /proc/con
config.gz consoles
root@bpi-r64:~# zcat /proc/config.gz | grep -i vlan
CONFIG_BRIDGE_VLAN_FILTERING=y
CONFIG_VLAN_8021Q=y
seems it is caused by my own compiled iproute2ā¦i guess bridge command is used (had only installed āipā to /usr/local/sbin). runing /sbin/ip works
canāt get it working with ip only (tagged vlan 500 on wan)
ip link add name lanbr0 type bridge
ip addr add 192.168.50.3/24 dev lanbr0
ip link set wan master lanbr0
ip link set wan up
ip link set lanbr0 up
ip link set dev lanbr0 type bridge vlan_filtering 1 vlan_default_pvid 500
bridge vlan add dev lanbr0 vid 500 pvid tagged self
without bridge ping works
ip link set wan nomaster
ip link del lanbr0
ip link add link wan name v500 type vlan id 500
ip addr add 192.168.50.3/24 dev v500
ip link set v500 up
ping 192.168.50.1
You are attaching a vlan device to the wan interfaceā¦ That is something completly differentā¦
Have your removed wan (and lanbr0) from /etc/network/interfaces?
First set bridge as vlan_enabled with vlan_default_pvid, before adding anything. Then you can just add wan to the bridge as normal, because you have set vlan_default_pvid.
ip link set eth0 up # This first helped a lot on the dsa switch of marvell chips
ip link add name lanbr0 type bridge vlan_filtering 1 vlan_default_pvid 500
ip link set lanbr0 up
ip link set wan master lanbr0
ip link set wan up
ip addr add 192.168.50.3/24 broadcast 192.168.50.255 dev lanbr0
ip route add 192.168.50.0/24 dev lanbr0
ip route add default via 192.168.1.1
wan will automatically have pvid & egress 500
Or:
Just enable systemd-networkd.service and use the files in the first post.
i dropped IP-Address (ip addr delā¦) from wan (no lanbr0, wan not in any bridge)
but still does not work (with ip from debian, not my self compiled), have not defined routes and eth0 is already up
cannot ping the other end of the vlanā¦the other end sees the packets on lan0-port, seems without vlan because i see it on dsa-port, but not on vlan-port (vlan on bridge directly) tcpdump with ā-e vlanā does not see any packets
+ /sbin/ip addr del 192.168.0.18/24 dev wan
+ /sbin/ip link add name lanbr0 type bridge vlan_filtering 1 vlan_default_pvid 500
+ /sbin/ip link set lanbr0 up
+ /sbin/ip link set wan master lanbr0
[ 41.157958] lanbr0: port 1(wan) entered blocking state
[ 41.163852] lanbr0: port 1(wan) entered disabled state
[ 41.179671] DEBUG: Passed mt7530_fdb_write 366
[ 41.184753] DEBUG: Passed mt7530_fdb_write 381
[ 41.192226] DEBUG: Passed mt7530_fdb_write 366
[ 41.198753] DEBUG: Passed mt7530_fdb_write 381
[ 41.205138] DEBUG: Passed mt7530_fdb_write 366
[ 41.210260] DEBUG: Passed mt7530_fdb_write 381
[ 41.217158] DEBUG: Passed mt7530_fdb_write 366
[ 41.222111] DEBUG: Passed mt7530_fdb_write 381
[ 41.228162] device wan entered promiscuous mode
[ 41.236411] lanbr0: port 1(wan) entered blocking state
[ 41.241863] lanbr0: port 1(wan) entered forwarding state
+ /sbin/ip link set wan up
+ /sbin/ip addr add 192.168.50.3/24 broadcast 192.168.50.255 dev lanbr0
root@bpi-r64:~# /sbin/bridge vlan show
port vlan ids
wan 500 PVID Egress Untagged
lan1 1 PVID Egress Untagged
lan2 1 PVID Egress Untagged
br0 1 PVID Egress Untagged
lanbr0 500 PVID Egress Untagged
I see you still have br0 also in your system. You will most like have a gateway defined on br0 or wan, so ifupdown (/etc/network/interfaces) will also have some routes defined. These can be conflicting.
Ping is not working, most likely because routing is not setup correcttly anymore.
The above examples of mine, you do have to empty your etc/network/interfaces, get rid of interfering routes.
To be able to use ping, routing needs to be setup correctly.
Easiest way is through ifupdown or systemd-networkd as you only have the setup a gateway address, and all routing setup is done for you.
Mixing a vlan disabled bridge, together with a vlan enabled bridge, on the dsa ports may also be an extra source of bugs to encounter. For first tests I would use only one bridgeā¦
I see packets on the right end,so no routing problem. In case i ping same subnet as bridge vlan-ip it is added by default (directly connected).
Problem is that outgoing packets have no vlan-tagā¦but maybe your example use vlan only internal (mapping traffic on wan to vlan,but not adding vlan tag to egress traffic)
port should not matterā¦wan of my test-r64 is connected to my local lan, on the other āsideā my main-router (r2) has on lanbr0 (bridge over 2 lan-ports) interface tagged vlan 500 defined (lanbr0.500 with ip 192.168.50.1) (same for lan-port of my laptop for confirming vlan working on main-r2)
but i still see no vlan-tag on packets reaching my main-router
# tcpdump -i lan0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:55:45.377481 IP 192.168.50.3 > 192.168.50.1: ICMP echo request, id 459, seq 44, length 64
12:55:46.401448 IP 192.168.50.3 > 192.168.50.1: ICMP echo request, id 459, seq 45, length 64
listening on lanbr0.500 or with -e vlan i see no packets
