+++
title = "openwrt: Migrating to DSA"

[taxonomies]
tags = ["openwrt", "dsa", "vlan", "linux"]
+++

After upgrading the routers in my home network to the latest `openwrt-22.03`
version, one of my routers, the [avm 7360sl][avm-7360sl], moved to the new
[distributed switch architecture][linux-dsa] (`DSA`).

In my home network I currently run two separate networks, each with their own
`VLANs`, and an additional access point (**archer c7**) to extend the wifi
range. The access point and the **avm** router are connected via tagged ports
transferring tagged Ethernet packets (VLAN trunk).

In the figure below the network setup is shown.

Since the **avm** box moved from `swconfig` to `DSA`, I had to migrate my
current `VLAN` setup on the **avm** box. The description below documents this
setup, and may be of help to anybody :^)

## AVM 7360SL

With `DSA` the switch ports appear as their own devices, here the `lanX`
devices.

VLANs are configured directly on the `bridge` devices and appear as
sub-devices of the bridge. See above, the `br-lan.10` and `br-lan.20`, which
correspond to the VLANs 10 and 20. The **Local** setting of the VLAN controls
whether the corresponding sub-device is created or not.

The **lan1** port is configured as **tagged (T)** for our VLANs. This means
that for outgoing packets the VLAN tag is not removed and incoming packets
should be tagged. Additionally, we configured that untagged incoming packets
are tagged with VLAN 99, the **primary VLAN (U|\*)**. This port is used as
VLAN trunk to connect the access point.

For the configuration nothing has changed, besides using the new bridge
sub-devices.

## Archer C7

For completeness of the setup, the following shows the configuration of the
access point.

The access point defines two networks, `lan` and `guest`, similar to the
networks defined on the router above.
The interfaces bridge the following devices together:

- **br-lan**: eth0.10 + home wifi
- **br-guest**: eth0.20 + guest wifi

> NOTE: The `guest` interface is set up as `unmanaged` because it does not need
> an IP address, since nobody connected to the guest network should be able to
> connect to the access point. The access point also does not define any
> firewall rules, as all firewall rules are centrally defined on the **avm**
> box.

The switch is configured as shown below. The two interesting configurations
are that the **CPU (eth0)** interface is tagged for all VLANs and that the
**LAN1** port is tagged as well.

Similar to the avm setup above, the **LAN1** port is tagged for our VLANs and
hence used as VLAN trunk to connect to the avm router.

The **eth0** port is tagged, such that we get the sub-devices **eth0.10** and
**eth0.20** for use in our different networks.

## References

- [DSA Mini-Tutorial][openwrt-dsa]
- [VLAN switch configuration][openwrt-vlan]
- [Switch documentation][openwrt-swconf]
- [AVM 7360SL][avm-7360sl]
- [TP-Link Archer C7][archer-c7]

[linux-dsa]: https://www.kernel.org/doc/html/latest/networking/dsa/dsa.html
[avm-7360sl]: https://openwrt.org/toh/avm/fritz.box.wlan.7360
[archer-c7]: https://openwrt.org/toh/tp-link/archer_c7
[openwrt-dsa]: https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial
[openwrt-vlan]: https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
[openwrt-swconf]: https://openwrt.org/docs/guide-user/network/vlan/switch
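
The trunk layout from the AVM 7360SL section can be checked offline against the `bridge-vlan` sections that DSA keeps in `/etc/config/network`; the script below is an added example, not part of the original post. It parses the `port:t` / `port:u*` notation and reports when the trunk is not tagged for VLANs 10 and 20, when its primary VLAN is not 99, or when any port is marked primary in more than one VLAN. The sample config is constructed (the `lan2` and `lan4` memberships are assumptions), and `parse_bridge_vlans` and `check_trunk` are hypothetical helper names.

```python
from collections import defaultdict
# Constructed sample; the lan2/lan4 memberships are assumed, not from the post.
SAMPLE = """
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan1:t'
    list ports 'lan2:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'lan1:t'
    list ports 'lan4:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '99'
    list ports 'lan1:u*'
"""

def parse_bridge_vlans(text):
    """Map each port to the VLANs it carries tagged and its primary VLAN(s)."""
    sections = []
    for line in text.splitlines():
        tok = line.replace("'", "").replace('"', "").split()
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"type": tok[1], "vlan": None, "ports": []})
        elif sections and len(tok) == 3 and tok[:2] == ["option", "vlan"]:
            sections[-1]["vlan"] = int(tok[2])
        elif sections and len(tok) == 3 and tok[:2] == ["list", "ports"]:
            sections[-1]["ports"].append(tok[2])
    ports = defaultdict(lambda: {"tagged": set(), "pvid": set()})
    for sec in sections:
        if sec["type"] != "bridge-vlan" or sec["vlan"] is None:
            continue  # ignore other section types and incomplete sections
        for spec in sec["ports"]:
            name, _, flags = spec.partition(":")
            for flag, key in (("t", "tagged"), ("*", "pvid")):
                if flag in flags:
                    ports[name][key].add(sec["vlan"])
    return dict(ports)

def check_trunk(ports, trunk, vlans, native):
    """Return deviations from the trunk layout: tagged VLANs plus one primary VLAN."""
    port = ports.get(trunk, {"tagged": set(), "pvid": set()})
    problems = [f"{trunk} is not tagged for VLAN {v}" for v in sorted(set(vlans) - port["tagged"])]
    if port["pvid"] != {native}:
        problems.append(f"{trunk} primary VLAN is {sorted(port['pvid'])}, expected [{native}]")
    problems += [f"{name} has several primary VLANs: {sorted(p['pvid'])}"
                 for name, p in sorted(ports.items()) if len(p["pvid"]) > 1]
    return problems
```

Calling `check_trunk(parse_bridge_vlans(SAMPLE), "lan1", [10, 20], 99)` returns an empty list when the config matches the layout described in the post.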