(really) Disable the VLAN Tagging on DGA #853
Comments
I fixed it :) :) :) Looks like the GUI did not disable the VLAN tagging correctly
in the lan part I replaced with
and removed this line
lan part of the network config
On my router I enabled the VLAN 7 tagging. Now MagentaTV IPTV is working :) |
Hi Luke, thx for your answer :)
If you find some time, maybe you can be so kind and have a look at my config, in case there are any big problems related to a stable connection or to establishing a new connection. The USG shall do the tagging.
many thanks in advance :) |
Use this one, eth0 is added to wan bridge instead of adding modem to lan bridge
Hi Luke, thx for your answer :)
Sorry for the bothersome questions, but I want to make sure, and of course I want to understand how it works :) |
@LuKePicci Here is the main part of my current working config.
It would be great if you could provide a secure network config where I'm still able to access my modem via the private LAN of my OpenWrt router. Thanks in advance. |
Your current configs are a bit confusing.

DGA (first part):

OpenWrt: your OpenWrt wan interface is using vid 2, make sure you set it as tagged in the switch vlan config, then make sure there is a vlan 42 marked as tagged as well on the same port.

DGA (second part):

In all the above, you could also consider changing vid 2 to vid 7, such that on your OpenWrt router you would configure the ISP connection with the same settings they provide, i.e. with vid 7. This is just for aesthetics. |
@LuKePicci Anyway I will try it again with your mentioned settings and report if it worked! |
Where do I have access to the switch config on the DGA? It doesn't use swconfig so I can't configure it this way. I'm also using a DGA4132, not a 4130, if that makes any difference.
You have no swconfig, since the switch driver is a DSA one. OpenWrt is slowly moving to DSA too. Tch ported switch configuration into UCI so you can configure the external switch the same way as you normally do from UCI for swconfig switches. Take this example from my dga4131 (still inside /etc/config/network):
Yours should be something like this:
What is eth1 on your other openwrt box? a single standalone WAN port or a port of a switch? In the latter case you need to configure its switch the same way (you can do it from LuCI) |
@LuKePicci The WAN port of my OpenWrt Router (WRT3200ACM) is a single standalone port.
Here is my first try with the vlan config on the DGA4132, but I haven't committed any changes yet as I know that I could lose all access if the config is wrong, and my feeling is telling me that it's not right yet.
Please let me know if this looks right to you. |
wan_switch 0t 8t implies you need to use eth0.2 in wan, not the untagged eth0, and set the linksys to use eth1.2 as wan ifname. You should also have eth5 in the lan bridge, it's the 5G wireless radio. If you remove it from there, you will lose wireless radio configurability, i.e. you will also become unable to shut it down. You don't need to change anything in the linksys switch config, as its eth1 is not part of the integrated managed switch.
Maybe a backup will come in handy :-) |
I've disabled wifi completely via interface config, but I'll add it back in the vlan part. |
It is best to keep the 2.4GHz wireless radio enabled during tests, as that is not affected by the switch/vlan configs. |
@LuKePicci Anyway, I haven't had much luck with the config. I couldn't access the modem over my private lan anymore, and there was also no pppoe connection possible anymore with the following config. Linksys switch config:
DGA network config:
I've also tried to change
into
together with
and set up my Linksys switch config as usual, eth1.2 untagged @WAN-port, and with this config I could establish a pppoe connection but still couldn't access my modem (GUI, ssh, ping). Do you have any idea what's wrong with my config? I must have made a mistake somewhere... |
This is wrong, there is no vid option defined for switch configs, and you are not using a linksys switch port to connect the DGA, so you don't need to touch any switch config on it. Just use eth1.7 for the internet connection and eth1.42 for dga lan access.
This is wrong too. You can't use eth0 because switch port 8 (cpu) is untagged already for another vlan. On vlan 2 you correctly set 8t, so here use eth0.2.
You can't do both things, 0* 8t means it's untagged as seen from the linksys (0*) but tagged (8t) inside the DGA SoC, so you need no vlan id 2 in the linksys, but you need to use eth0.2 in the DGA. If you set 0t 8t then you need to apply two untagging stages in the linksys for vid 2 (linksys<->dga) and vid 7 (linksys<->ISP). |
@LuKePicci
So if I understand this correctly, I do need two vlans for my WAN port, eth1.7 (pppoe-wan) and eth1.42 (modem-interface), on my Linksys with the option ports '0t 8t' config @config switch_vlan 'wan_switch' on the DGA? It would be fine to set the vlan 7 tag for pppoe with my Linksys as long as I don't lose access to my DGA. Whatever is more simple (+secure) and works is fine for me.
Afaik I can't set two untagging stages with my Linksys (Cannot save due to invalid values): This config would mean that I don't do the vlan tagging part for wan (vlan7) on my DGA, right? So this means my current wan config on the DGA is wrong? I know that you try to point me to the config-related things that I do wrong, but as you can see I don't know how to help myself with this. I wonder how the official bridge mode of Technicolor would look like, or would it be as insecure as the one with the tch-gui? For reference, here is my full Linksys network config:
And my current DGA network config where the pppoe connect is working but modem access doesn't:
I would much appreciate it if you could point to the parts that needed to be changed in order to make this config work. Please let me know if you need more information. |
Given eth1.7 is always set on the linksys, then you need either to use 0t 8t for wan_switch on vlan 7 (hence putting eth0.7 in the bridge to wanptm0), or 0* 8t on vlan 2 (putting eth0.2 in the bridge to ptm0).
Sure you can, you can virtually have eth1.2.7, it's just tagging over tagging. Of course you need not to confuse tagging of an interface and switch vlan management. You cannot configure a switch to map an untagged port to another with two or more tags. As I can see from your linksys configs, the eth1 port is part of the switch as well, it is not an independent port, so you will need to configure the linksys switch vlans accordingly. Linksys:
DGA (note I explicitly defined waneth0 on vid 7, that's the same as using eth0.7):
Thank you so much for not giving up on me! :) Regarding vids on the Linksys: I've noticed that with the provided config there are no vids anymore, and as I'm using a second OpenWrt device (D-Link DIR860L) as a smart switch + wifi AP, I might need vids for LAN (vlan1) and Guest (vlan3) to keep things in order. I really don't want to bother you with my guest and ebtables setup, but here are my custom firewall ebtables rules. Maybe you can have a look at them and tell me if the removal of vids from the Linksys router could be problematic/break my setup. Linksys, custom firewall rules:
D-Link DIR, custom firewall rules:
D-Link DIR, lan + switch config:
@LuKePicci Linksys Firewall part:
Regarding config interface 'dga': this interface is a direct replacement for my old modem interface, and it should be added to my WAN firewall zone like my old modem interface before, right? What could be the problem? Any idea? Should I reset my DGA and start with a fresh config? |
I've fixed the problem with my D-Link AP (LAN + Guest setup) by changing the following at the Linksys switch config:
into
I've also added back my ebtables rules, and everything seems to work fine without the vids at the Linksys! But the main problem with the modem access is still there, and I have no clue how to fix or debug it. |
You actually do so with that config. You tag with vid 7 on the linksys, you untag the vid 7 before bridging (waneth0), and tag it again after bridging (wanptm0). You may wonder why we don't simply bridge eth0 and ptm0 in their untagged stages, and that's because eth0 comes from switch port 8 just like the other ports eth1 to eth3, but we used 8* already for them. The other solution is to present an untagged LAN1 port towards the DGA and internally tag once more on vid 2 towards the DGA SoC, then untag the vid 2 before bridging (eth0.2), then finally bridge it to the untagged ptm0. This way the tag with vid 7 applied on the linksys goes up to the ISP. I think the first solution is cleaner and easier to understand if you are not a vlan master.
Sure there are, the vid is that one you have as option vlan.
I confirm my proposed linksys config was not intended to support such a situation, I simply reverted every switch config to what I thought to be the default config and applied vlan bridging for the DGA thing. I need a full linksys config from your original setup supporting this scenario to integrate them together.
Yeah, actually it should be on a separate zone, but it's fine to put it in the WAN zone for testing. I probably gave you wrong switch port numbers for the linksys, so it would be helpful if you show me a linksys default switch vlan config. |
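The DGA-side config that the replies above describe (the first, "cleaner" solution: VLAN 7 tagged on both sides of LAN1 with `0t 8t`, untagged into `waneth0` before the bridge and re-tagged into `wanptm0` after it, plus management VLAN 42 on the same port) is never actually shown on this page. What follows is an added reconstruction in OpenWrt UCI syntax, written for this thread and not a config posted by either participant. The switch name `switch0`, the port numbers for eth1..eth3 and the /24 netmask are assumptions; `0t 8t`, `8*`, the device names and 192.168.100.1 are taken from the thread.

```uci
# /etc/config/network on the DGA, WAN side only (added reconstruction, not from the thread).
# Assumptions: the DSA switch is exposed to UCI as 'switch0'; LAN1 is port 0, eth1..eth3 are
# ports 1..3 and the SoC-facing CPU port is 8 (the thread only states '0t 8t' and '8*').

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# LAN ports leave the CPU port untagged (8*), which is why eth0 cannot also
# be bridged untagged: vid 7 and vid 42 must reach the SoC tagged.
config switch_vlan 'lan_switch'
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 8*'

# LAN1 carries the ISP VLAN 7 already applied by the Linksys, tagged on both sides
config switch_vlan 'wan_switch'
	option device 'switch0'
	option vlan '7'
	option ports '0t 8t'

# modem management VLAN 42, tagged on the same port
config switch_vlan 'mgmt_switch'
	option device 'switch0'
	option vlan '42'
	option ports '0t 8t'

# stage 1: strip vid 7 coming from the router before the bridge (same as eth0.7)
config device 'waneth0'
	option type '8021q'
	option ifname 'eth0'
	option vid '7'
	option name 'waneth0'

# stage 2: put vid 7 back on the DSL side after the bridge, towards the ISP
config device 'wanptm0'
	option type '8021q'
	option ifname 'ptm0'
	option vid '7'
	option name 'wanptm0'

# pure L2 bridge: no IP on the DGA in the ISP VLAN, the router runs PPPoE on eth1.7
config interface 'wan'
	option type 'bridge'
	option ifname 'waneth0 wanptm0'
	option proto 'none'

# management device on vid 42: this is the one to watch with 'tcpdump -i mgmteth0'
config device 'mgmteth0'
	option type '8021q'
	option ifname 'eth0'
	option vid '42'
	option name 'mgmteth0'

# DGA LAN: management VLAN plus the remaining physical ports and the 5GHz radio (eth5)
config interface 'lan'
	option type 'bridge'
	option ifname 'mgmteth0 eth1 eth2 eth3 eth5'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
```

The security point of this layout is that the ISP-facing bridge contains only the two tagged VLAN 7 devices, so the untagged DGA LAN (and the modem's own IP) is never a member of the bridge the ISP can reach at layer 2; the management path runs on its own VLAN 42 and is the only way in from the router. Apply with `/etc/init.d/network restart` and, as the thread suggests, ping 192.168.100.1 from the router while watching `tcpdump -i mgmteth0` on the DGA.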
That is correct
Just ping 192.168.100.1 from inside the linksys and keep tcpdump -i mgmteth0 going from inside the DGA |
Default switch vlan config: My current state:
So my port number guessing was correct. I can't spot any issue in your current config. Try to inspect with tcpdump. |
AHAH! it must be mgmteth0 here |
config device 'mgmteth0' Edit: OMG! It works!!!!! I'm so sorry, for some reason I had this wrong at config device 'mgmteth0'..... |
Sure! |
Again, thank you so much for not giving up on me! Hopefully this will help someone in the future. |
@LuKePicci
With the default bridge mode config I could always see ~30% cpu usage while maxing out my vdsl connection (concurrent down+upload). This fact leads me to the conclusion that the default bridge mode with tch-gui wasn't very effective or wasn't performing as it should. Now I'm asking myself if this could be related to the fact that my Linksys router is doing the vlan 7 tagging for my pppoe connection now, or if this generally is related to the new DGA config? Anyway, I feel like the default bridge mode config, which is set via tch-gui, should be adjusted to be more secure with better performance. Since the recommended changes at the network config I came to the conclusion that my old config wasn't very good/effective, but as far as I know ptm0.x would also end up in the lan interface section with the default bridge mode config. Or were there already changes made in terms of this in the latest GUI version(s)?
Since everything is working fine now, I would also like to put the dga interface into a separate firewall zone. First I was thinking about the LAN zone, but I guess that you were talking about a new separate firewall zone for the dga interface (eth1.42)? |
Nope, as I was saying in a previous message, the Linksys applies the tag, but the DGA is removing it before entering the bridge and applying it back after exiting the bridge. I can't really say why you see such a performance improvement, but I would probably consider that some extra unwanted load was occurring on the main router connected to the lan ip interface for a traffic flow it wasn't really involved in.
Yes, and that is pretty insecure. The ISP has direct L2 access to the DGA lan.
Absolutely wrong, you need to put that eth1.42 into a new zone (let's say 'mgmt') with enabled masq and basic forwarding rules for lan->mgmt, similarly to what you have for lan->wan. No forwarding is needed between mgmt->wan or vice versa. |
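The zone layout described in the reply above (eth1.42 in its own 'mgmt' zone with masquerading and a single lan->mgmt forwarding, nothing between mgmt and wan) as an added example in OpenWrt UCI syntax for the Linksys side. It is not the config the poster later shared, which is missing from this page; the interface name 'dga', the router address 192.168.100.2 and the zone name 'lan' are assumptions, eth1.42, 'mgmt' and the forwarding direction come from the thread.

```uci
# --- /etc/config/network on the Linksys (added example, not the poster's config) ---
# Assumption: the modem-access interface is called 'dga'; eth1.42 is from the thread.
# The router needs an address in the modem's subnet so it can be the masquerade source.
config interface 'dga'
	option ifname 'eth1.42'
	option proto 'static'
	option ipaddr '192.168.100.2'
	option netmask '255.255.255.0'

# --- /etc/config/firewall on the Linksys ---
# Dedicated zone for modem management, separate from both 'lan' and 'wan'.
# input REJECT: the modem cannot initiate anything towards the router;
# forward REJECT: nothing transits through this zone;
# masq '1': LAN clients appear as 192.168.100.2, so the modem needs no route back.
config zone
	option name 'mgmt'
	option network 'dga'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# The only permitted path: LAN clients reaching the modem GUI/ssh.
# Deliberately no 'mgmt' -> 'wan' or 'wan' -> 'mgmt' forwarding: the PPPoE session
# lives on eth1.7 in the wan zone and must never be bridged with the management VLAN.
config forwarding
	option src 'lan'
	option dest 'mgmt'
```

Reload with `/etc/init.d/firewall restart` and check that the modem is reachable from a LAN client (e.g. ping 192.168.100.1) while `iptables -L zone_mgmt_forward -n` shows no accept rule towards the wan zone; keeping the modem out of the wan zone is what closes the L2 exposure the reply calls insecure.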
Yeah, that's what I mean, the default bridge mode config which is set by tch-gui seems to be insecure and on top doesn't perform very well in terms of cpu usage, at least with the DGA4132/4130. Maybe we should let @Ansuel know about it so it can be adjusted in future versions of the GUI. Anyway I still wonder how the official bridge mode of some technicolor devices is set up...
Thanks, I'll try configure it like this when I'm back home later on. |
So here is my current firewall zone config for the DGA access:
Btw, another thing I've noticed is that the broadband card at tch-gui does show "@bridge not connected" with the current bridge mode config, but I guess it is just a cosmetic thing, as everything is working well. |
Hello,
looks like VLAN tagging is not completely disabled if I uncheck the checkbox in the GUI.
I am not sure if this is a problem with the GUI or with the OpenWrt-related system, so I already asked in the OpenWrt forum:
https://forum.openwrt.org/t/full-bridge-mode-on-technicolor-dga-4132-pppoe-not-working-vlan-issue/46817
below you can find a copy of my question
Hello,
maybe it's not 100% related to OpenWrt, because as far as I know there is a slightly different version running on the Technicolor DGA 4132, but I am new, so maybe I am wrong.
This is a copy and paste from my question in another forum
###########
Hello from Germany,
yesterday I got my DGA4132, was already rooted.
Today I updated the GUI to the latest stable version 9.4.70-184d06d3
Configuration:
DGA 4132 - Port DSL --> Internet
DGA 4132 - Port LAN 1 (eth0) --> WAN 1 to my Router (UniFi USG PRO 4)
DGA 4132 - Port LAN 2 (eth1) --> UniFi Switch (to access the GUI) <-- from my Router (UniFi USG PRO 4)
DGA 4132 - Port LAN 3 (eth2) --> not connected
DGA 4132 - Port ETH/LAN (eth3) --> There is nothing plugged into the ETH/WAN port on the right side, and this port is configured as a LAN port
I have a VDSL 250 (Profile 35b) contract by the German Telekom
The Telekom is using VLAN 7 and is also providing IPTV (Multicast IGMPv3)
Because the DGA is in Bridge Mode there should be no other conflicting options (like IGMP proxy) except the VLAN Tagging.
Regarding the recommendations in the German Onlinkosten forum I shall enable VLAN 7 tagging on the DGA and disable it on the USG (Router)
I tried it with both options for Notation: Device and Dot and did also a restart of the network
/etc/init.d/network restart
without success
After this I disabled VLAN 7 Tagging on the DGA and enabled it on the USG (router)
in this case I was not able to establish a PPPoE connection.
I disabled VLAN 7 tagging again on the USG (router) so that VLAN tagging was disabled on both devices.
IPTV was still not running, but this was expected; however, I still had an Internet connection, and this is normally not expected with a German Telekom VDSL connection.
This is how my /etc/config/network looks with "Using VLAN 7 Device"
Using VLAN 7 Dot
VLAN disabled on the DGA
Before I was using a "Speedport Smart 3" in Modem/Bridge Mode (there were no options for configuration) and the USG (router) was doing the VLAN 7 tagging.
This was working without problems so my favourite solution would be that the DGA is working like the old Modem ^^
So the configuration on the USG side should be fine because it was running before.
Any ideas ? Please keep in mind that I am new to DGA 😉
EDIT:
ifconfig with disabled VLAN 7 tagging on DGA
but ptm0.7 is still there ?