VLANs in OpenWrt 21

OneMarcFifty

21 Dec 202128:26

Summary

TLDRThis video script provides a comprehensive guide to VLAN configuration in OpenWrt 21, addressing changes from version 19 and introducing new features like Distributed Switch Architecture (DSA) and bridge VLAN filtering. It explains VLAN basics, how to define VLAN interfaces, and configure switch ports. The script also covers setting up a second access point, securing access points, and offers insights into OpenWrt's evolving architecture, ensuring viewers can effectively manage VLANs for network segmentation.

Takeaways

😀 OpenWrt 21 still supports VLAN functionality in the same way as Version 19, despite changes in the user interface and configuration options.
🔄 Two significant updates in OpenWrt 21 are the introduction of Distributed Switch Architecture (DSA) and bridge VLAN filtering, which alter the switch configuration and VLAN handling.
📦 VLANs allow the use of a single physical Ethernet cable to carry multiple virtual networks, segmented by tagging packets with identifiers.
🖇️ VLAN tagging involves adding an identifier to Ethernet packets to determine which network they belong to, akin to attaching a color-coded sticker to packets.
🔌 OpenWrt can create VLAN-aware network interfaces, such as eth0.21 and eth0.56, for different VLANs, which can be connected to physical ports or WiFi networks.
🛠️ The switch configuration in OpenWrt defines how VLANs are dispatched to Ethernet ports, while the VLAN definition itself is about tagging packets and creating interfaces.
📚 OpenWrt 21 introduces a new way to define VLAN interfaces through the 'devices' tab, using VLAN 802.1Q as the device type, which simplifies the process.
📡 For devices without integrated switch hardware, such as Raspberry Pis or virtual machines, VLANs can still be used in conjunction with a managed switch.
🔒 OpenWrt 21's bridge VLAN filtering allows for VLANs to be assigned to a bridge rather than individual physical devices, enhancing flexibility in network segmentation.
🛡️ Security considerations include disabling unnecessary routing on access points and avoiding the use of VLANs 0, 1, and 2 to prevent potential security risks.
📈 Not all architectures in OpenWrt 21 utilize DSA, with some still using the traditional swconfig method, indicating a transition period for some devices.

Q & A

What was the general feedback from viewers regarding VLANs in OpenWrt 21?
-The general feedback was that viewers were wondering where the VLANs went in OpenWrt 21, as everything seemed to have changed.
Has the VLAN functionality in OpenWrt 21 changed compared to version 19?
-Surprisingly, the VLAN functionality in OpenWrt 21 has not changed at all; it still works exactly the same as in version 19.
What are the two new features introduced in OpenWrt 21 related to VLANs?
-The two new features in OpenWrt 21 are Distributed Switch Architecture (DSA), which changes the switch configuration, and bridge VLAN filtering.
What is Distributed Switch Architecture (DSA) and how does it affect OpenWrt devices?
-Distributed Switch Architecture (DSA) changes the way the switch portion of OpenWrt devices is configured, replacing the swconfig.
What is the purpose of VLAN tagging in Ethernet packets?
-VLAN tagging is used to identify which LAN the packets belong to, allowing multiple virtual LANs to be run over a single wire or cable.
How can VLANs be defined in OpenWrt versions 19 and 21?
-VLANs can be defined in OpenWrt by creating interfaces with a VLAN ID appended to the physical interface name, like eth0.21 and eth0.56 for VLANs 21 and 56, respectively.
What is the significance of the 'local' box in the bridge VLAN configuration in OpenWrt 21?
-Ticking the 'local' box in the bridge VLAN configuration allows the VLAN to be used locally on the router to create interfaces, whereas unticking it means the VLAN can only be used on the switch.
How does OpenWrt 21 handle the configuration of VLANs differently from version 19?
-In OpenWrt 21, VLANs are filtered on a bridge rather than on the physical device, and each switch port is shown as a separate network device, thanks to the DSA.
What is the difference between 'egress tagged' and 'egress untagged' in the context of VLANs?
-'Egress tagged' means packets are sent out with a VLAN tag, suitable for connecting to VLAN-aware devices. 'Egress untagged' means packets are sent without a VLAN tag, suitable for connecting to non-VLAN-aware devices.
How can one prevent an access point from acting as a router in OpenWrt?
-To prevent an access point from acting as a router, one can disable routing by setting the ipv4 forwarding flag to 0 and remove IP addresses from all but one interface.
Why is it advised not to use VLANs 0, 1, and 2 in OpenWrt?
-VLANs 0, 1, and 2 are hard-coded on some devices for LAN and WAN and could potentially present a security risk, which is why it's advised not to use them.
What is the current status of the Distributed Switch Architecture (DSA) in OpenWrt regarding different architectures?
-As of December 2021, not all architectures in OpenWrt are using DSA. Some, like the Archer C7, still use swconfig due to limitations in assigning switch ports to multiple Ethernet cards.