Posted: Mon May 05, 2025 17:44 Post subject: First Look: DSA VLAN Filtering [EA8500]
After many hours of testing the new DSA Vlan Filtering options in dd-wrt, with much trial and error and some pointers from BS, it is mostly working.
The concept seems to be that the Bridges, or in my case, br1 does the heavy lifting with all vlan handling. The biggest issue I am seeing is in regards to the default vlan1, I cannot access the router on the Trunk port whether vlan1 is tagged or untagged and the managed switch configured both ways accordingly in an attempt to get past this. This could be a bug as this is still in very early development... or just a misconfiguration on my behalf too.
There is a new bridge command that lets you see the internal configuration of bridges and vlans:
As you can see in this current configuration, br1 and lan1 both have a tagged vlan1 and tagged vlans 10-12. These vlans are using lan1 as the Trunk port and using wlan0 w/VAPs for each PVID to assign the proper subnets to each access point. This works. The hell of it is, I have to have both a cable plugged into the trunk port and another plugged into another lan port just to access the router via br0. Changing tagged or untagged vlan1 on br1 and/or lan1 does not fix this.
NOTE: The older (i.e. pre-60771 builds on AX Routers) DSA vlan tagging also still works but was told it uses more resources than the vlan filtering method. I will test on an AX router soon.
[Attachment: FireShot Capture 163 - DD-WRT (build 60942).png]
_________________ - Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: VLANs, Samba, WG, Entware - r60xxx
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk over 5ghz - r60xxx
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r60xxx
- Linksys MX4300: (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r60xxx
- Linksys MR7350: WDS Station for extended Ethernet r60xxx
- Linksys MR7500, MX8500: None in production. Just testing. r60xxx
- OSes: Fedora 40, 10 RPis (2,3,4,5), 23 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.
- Forum member #248
Yeah, r60983 is bugged. I found that both the Vlan Filtering switch and trunk switches were not writing to nvram correctly. I suspect it's a Webui issue as I could manually set them. I have reported these issues already. This testing was done on 60942 and with the exception of vlan1, seems to mostly work. It's also been running on my main gateway now for 27 hours with vlans, but not vlan filtering.
While this is still very much a work-in-progress, BS has a great track record of getting bugs sorted out rather quickly.
By chance, did you have serial port access to the R7800? One thing I noticed on my ea8500 is that occasionally (not always) when making changes to the Networking tab, br0 gets locked out. The serial console reports something like "waiting for br0 to become free. Usage count = 2". You can ONLY see this error with the serial console as once br0 gets in this state, Ethernet access is blocked and probably wlanN as well. This bug has been around for quite a while now and was reported last year, but until recently I have only seen this on AX routers. A power toggle takes care of the problem and gets me back in immediately.
Now in r60983 it does not work anymore. As soon as I configure any port with VLAN1, I have NO access to the R7800, neither via LAN nor via WLAN.
The answer I get is that I should leave VLAN1 alone and not use it. (lol)
And I still think it's great how some people destroy a well-established system that has been tested for hundreds of hours and was bug-free out of envy and pure ignorance.
If any questions or problems arise here in the future, I will no longer answer them but refer them to you who got us into all this trouble.
And I will also delete the stickies, I don't care, I don't need them and I can configure VLANs.
And I don't intend to use dd-wrt any longer anyway, because it's important to me that the firmware is stable and works. (which you can't say about dd-wrt)
Then the last 5 people here alone can be annoyed with recurring bugs that have not been solved for years.
On almost all enterprise networking gear it's advisable to never use VLAN 0 or 1, and doing so is at your own peril. So this is not uncommon at all, and it's always advisable to use VLAN 2 and higher if you don't want to have a bad time. This is in no way unique or unusual.
It is also bad practice as you have a higher chance of leaking traffic into the default plane on a lot of gear if any mistakes are made.
It works now, well at least my configuration does.
I'll post an example of a trunk here.
VLAN1 VLAN3 VLAN4 are fully tagged on the trunk.
VLAN1 = LAN
VLAN3 = Guests
VLAN4 = Wireguard
LAN2 = Trunk Port
br0.3 and br0.4 have no IP addresses on the WAP
You can add IP addresses if you need management access to the GUI...
However, it is advisable not to do this as otherwise you will need additional firewall rules.
I hope this makes the changeover easier for some...
Question to the users: does this really look easier than the "switch config"?
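An added example, not written by any poster in this thread: a small check over the output of `bridge vlan show` (iproute2) that reflects the two points made above, namely that the trunk should carry only tagged VLANs and that VLAN 1 is the default for untagged frames. The port name `lan2`, the function names and the sample table are constructed for illustration, and the parser assumes the plain output format (no `-c`, `-d` or `-j`).

```shell
#!/bin/sh
# Added example (not from the thread): audit a trunk port in the
# bridge VLAN table. On a router: bridge vlan show | audit_trunk lan2

# audit_trunk TRUNK_PORT   (reads `bridge vlan show` text on stdin)
# Prints one finding per line:
#   UNTAGGED <port> <vid>      VLAN is PVID and/or egress-untagged on the
#                              trunk, so untagged frames land in that VLAN
#   DEFAULT_VLAN <port> <vid>  VLAN 1 is a member on the trunk
audit_trunk() {
    awk -v trunk="$1" '
        NR == 1 && $1 == "port" { next }        # header line
        NF == 0 { next }                        # blank separator lines
        # Lines starting with whitespace list a further VLAN of the
        # port named on the most recent non-indented line.
        /^[ \t]/  { vid = $1; first_flag = 2 }
        !/^[ \t]/ { port = $1; vid = $2; first_flag = 3 }
        port == trunk {
            untagged = 0
            for (i = first_flag; i <= NF; i++)
                if ($i == "PVID" || $i == "Untagged") untagged = 1
            if (untagged)   print "UNTAGGED", port, vid
            if (vid == "1") print "DEFAULT_VLAN", port, vid
        }
    '
}

# Constructed sample: the VLAN 1/3/4 trunk from the post above, but with
# one mistake, VLAN 1 left as PVID/untagged on the trunk port lan2.
sample_table() {
    cat <<'EOF'
port              vlan-id
lan1              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
                  3
                  4
br0               1 PVID Egress Untagged
                  3
                  4
EOF
}

sample_table | audit_trunk lan2
```

An empty result means the trunk port carries only tagged VLANs other than VLAN 1.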
Posted: Mon May 12, 2025 17:23 Post subject: Re: First Look: DSA VLAN Filtering [EA8500]
lexridge wrote:
After many hours of testing the new DSA Vlan Filtering options in dd-wrt, with much trial and error and some pointers from BS, it is mostly working.
The concept seems to be that the Bridges, or in my case, br1 does the heavy lifting with all vlan handling. The biggest issue I am seeing is in regards to the default vlan1, I cannot access the router on the Trunk port whether vlan1 is tagged or untagged and the managed switch configured both ways accordingly in an attempt to get past this. This could be a bug as this is still in very early development... or just a misconfiguration on my behalf too.
There is a new bridge command that lets you see the internal configuration of bridges and vlans:
As you can see in this current configuration, br1 and lan1 both have a tagged vlan1 and tagged vlans 10-12. These vlans are using lan1 as the Trunk port and using wlan0 w/VAPs for each PVID to assign the proper subnets to each access point. This works. The hell of it is, I have to have both a cable plugged into the trunk port and another plugged into another lan port just to access the router via br0. Changing tagged or untagged vlan1 on br1 and/or lan1 does not fix this.
NOTE: The older (i.e. pre-60771 builds on AX Routers) DSA vlan tagging also still works but was told it uses more resources than the vlan filtering method. I will test on an AX router soon.
vlan1 is the default vlan for "untagged packets". You tagged vlan1 on port1. From my point of view this could lead to the problem. No matter where you bridged it that vlan1 is forwarded within the switch chipset since you reuse the same vlan on other ports. Just a guess. Avoiding vlan1 as instructed by the bridge filtering documentation of Linux could be the solution. Another way is setting br0 bridge to trunking. Then the default rule is not added, but pvid 0 is assigned. From what I see in your config: create vlan1 on br1 so you get br1.1 since these packets are received tagged on br1. That's another thing.
_________________ "So you tried to use the computer and it started smoking? Sounds like a Mac to me.." - Louis Rossmann https://www.youtube.com/watch?v=eL_5YDRWqGE&t=60s
Posted: Mon May 12, 2025 17:41 Post subject: Re: First Look: DSA VLAN Filtering [EA8500]
BrainSlayer wrote:
vlan1 is the default vlan for "untagged packets". You tagged vlan1 on port1. From my point of view this could lead to the problem. No matter where you bridged it that vlan1 is forwarded within the switch chipset since you reuse the same vlan on other ports. Just a guess. Avoiding vlan1 as instructed by the bridge filtering documentation of Linux could be the solution. Another way is setting br0 bridge to trunking. Then the default rule is not added, but pvid 0 is assigned. From what I see in your config: create vlan1 on br1 so you get br1.1 since these packets are received tagged on br1. That's another thing.
Yes and things have changed a lot since that first post. For instance, we didn't yet have the option of Trunking on the bridge at that time, which we do now (which is a game changer). Also, I have since dumped br1 and tagged vlan1 and everything is now done on br0. This was indeed a learning experience as this DSA/Vlan Filtering work-in-progress was ongoing and changing almost daily. I think it's very solid now and I plan to put my test config into production either this afternoon or tomorrow. Thanks BS.
Current working configuration w/Vlan Filtering and trunking enabled:
ho1Aetoo wrote:
It works now, well at least my configuration does.
I'll post an example of a trunk here.
Great post! Thanks for this.
ho1Aetoo wrote:
question to the users: does this really look easier than the "switch config" ?
In my opinion, DSA is a little easier than the switch config tab. However, throwing in Vlan Filtering does complicate things but the configurability of it is pretty darned amazing. But backing up a bit, with Switch Config tab builds, there was no way to unbridge a specific LAN port. We had eth0 and eth1 and that's it. With DSA each Interface can be unbridged and independent. Nice for some, but probably not the masses.
Thing is, we now have two completely different ways to configure vlans, i.e. you can use only the Vlan Tagging section at the top of the Networking tab to create all your vlans and then use Bridge Assignments to place them (with a slight performance hit on older routers), OR you can use the Vlan Filtering option without needing any Bridge Assignments (which uses switch h/w acceleration when present). Not saying one is better than the other, but personally I will take expanded flexibility any day.
Something else cool with Vlan Filtering, you can turn it off with two (or three if trunking is enabled) clicks without needing to reconfigure anything and you can leave the vlan filters in place.
*full disclosure* I'm a GUI user currently---haven't set anything up in the startup scripts or anything.
I've *almost* got my setup on my MR7350 working using your work as a reference---it appears that the LAN connections are filtered and tagged as is appropriate, but I noticed that my wlans didn't seem to get configured correctly.
My setup is using the MR7350 as an AP connected to a switch, which is connected to my firewall. I'll share my config once I actually have things working a bit more. Aside from the wlan WPA security just bricking (I had to disable wireless security to connect to any SSID), I also wouldn't get an IP address from my firewall (which is running my DHCP servers) through the wlan, but I would through the LAN ports.
I don't think the wlan issue was due to the VLAN config---it seemed like things became unstable after upgrading firmware. I'm planning to do a full wipe of settings to fix that.
One goofy behavior after upgrading firmware was that I had to delete my tagged ports, save & apply, then recreate the tagged ports in order for my VLAN bridges to be created. I think there are likely other settings which need to be created from scratch for things to work correctly.
One question I do have is this: what are the VLAN bridges intended to be used for, if anything, for the DSA setup? All I did with mine was set them to 'unbridged' and call it a day.
The VLAN bridges are required so that the router/WAP itself has access to the VLANs.
The VLAN bridges are also required to assign IP addresses and DHCP servers to the VLANs or if you want to have management access to the router/WAP. (GUI access via vlanX)
On a pure WAP these VLAN bridges are not necessarily needed (actually only if you want to access the GUI of the WAP via vlan3/vlan4)
But I already explained that in my post