Network Interfaces

Types of network interfaces

GNU/Linux universally distinguishes between two types of network interfaces:

Physical Interfaces

eth0, eth1, eth4, radio0, radio1, wlan0, .. always represent an actual connection between a computer system and a network, i.e. a NIC or WNIC. As soon as the driver is loaded into the kernel, one or more physical interfaces become available.

Virtual Interfaces

lo, eth0:1, eth0.1, vlan2, br0, pppoe-dsl, gre0, sit0, tun0, imq0, teql0, .. are NOT actual physical network devices. They are software representations with properties similar to those of physical connections, but with more flexibility. They are generally associated with a physical interface (eth0.1, eth1.1, ..) but can also be associated with other virtual ones. One exception is the loopback interface lo.

A virtual network interface can be associated with a physical interface (eth1.1) or with another virtual interface (eth1.1.1), or stand alone like the loopback interface lo.

A virtual network interface can also :

  • have one or more aliases: eth4:5, eth4:6, ..
  • be split into multiple VLANs (up to 4094 usable VLAN IDs, see below): eth4.0, eth4.1, eth4.3, vlan0, ..
  • be bridged with one another to form a bridge interface: br0, br-lan (the opposite of VLANs: several interfaces become one segment),
  • be a tunnel interface used to send packets over a tunneling protocol: pppoe-dsl, tun0, vpn1,
  • be spawned by a daemon to manipulate incoming packets: imq0, teql0,
  • be created automatically depending on the operating mode of a WNIC: ath0, ath1, ath_monitor.
The Linux wireless subsystem works a little differently. There is always one physical interface per WNIC, called the master interface. Depending on the mode the master interface is configured for (ad-hoc/IBSS, managed, AP, WDS, mesh point, monitor), different virtual interfaces are created on top of it. This happens automatically by default: when wifi is activated there is always the master interface plus (at least) one virtual interface.

Unified Configuration Interface (UCI)

UCI is a small utility designed to centralize configuration in OpenWrt.

/etc/config/network is the network configuration file.
/etc/config/wireless is the wireless configuration file.

UCI creates an abstraction layer for configuring interfaces. In /etc/config/network you assign a logical name such as lan, wan, or anything you like (bob, alice, ..) to each ifname variable, i.e. to each device, and that name is then used consistently throughout the entire UCI configuration (firewall zones, DHCP, wireless). This only works in conjunction with UCI: tools that bypass it, such as ifconfig or ip, see only the kernel device names.
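As an added example (editorial code, not OpenWrt's own uci or netifd implementation), the following Python script parses the /etc/config/network syntax described above, renders it the way `uci show network` does, and resolves each logical name to the kernel device that actually carries the address: br-<name> plus its members for a bridge, the ifname itself otherwise. The configuration it parses is constructed for this example in the later swconfig syntax (config switch_vlan / option ports '... 5t'); the section and option names are real UCI ones, the addresses and port numbers are modelled on the examples further down this page. Such a resolver is what you want when auditing which kernel device a firewall zone really binds to.

```python
"""Parse /etc/config/network (UCI syntax) and resolve logical interface names
to kernel devices. Editorial example, not OpenWrt's uci/netifd code."""
import shlex
from collections import OrderedDict

# Constructed sample in /etc/config/network syntax (swconfig-era OpenWrt). The
# wireless interface joins br-lan via 'option network lan' in /etc/config/wireless.
SAMPLE_NETWORK = """
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config interface 'dmz'
    option ifname 'eth0.3'
    option proto 'static'
    option ipaddr '192.168.1.22'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '2 3 4 5t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0 5t'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '1 5t'
"""


def parse_uci(text):
    """Section name -> {'.type': type, option: value or [values]} in file order.
    Anonymous sections are named @type[n], as `uci show` prints them."""
    sections, counters, current = OrderedDict(), {}, None
    for raw in text.splitlines():
        words = shlex.split(raw.split('#', 1)[0])   # honours '...' quoting, drops comments
        if not words:
            continue
        if words[0] == 'config' and len(words) >= 2:
            stype = words[1]
            if len(words) >= 3:
                name = words[2]
            else:                                    # anonymous section
                name = '@%s[%d]' % (stype, counters.get(stype, 0))
                counters[stype] = counters.get(stype, 0) + 1
            current = sections[name] = OrderedDict([('.type', stype)])
        elif words[0] == 'option' and current is not None and len(words) >= 2:
            current[words[1]] = words[2] if len(words) >= 3 else ''
        elif words[0] == 'list' and current is not None and len(words) >= 3:
            current.setdefault(words[1], []).append(words[2])
        else:
            raise ValueError('unparsable UCI line: %r' % raw)
    return sections


def uci_show(sections, package='network'):
    """Render the sections in the package.section.option=value form of `uci show`."""
    lines = []
    for name, sec in sections.items():
        lines.append('%s.%s=%s' % (package, name, sec['.type']))
        for key, val in sec.items():
            if not key.startswith('.'):
                val = ' '.join(val) if isinstance(val, list) else val
                lines.append('%s.%s.%s=%s' % (package, name, key, val))
    return lines


def resolve_devices(sections):
    """Logical interface -> kernel device carrying its IP configuration:
    br-<name> (with members) for type=bridge, otherwise the ifname itself."""
    devices = OrderedDict()
    for name, sec in sections.items():
        if sec['.type'] != 'interface':
            continue
        members = sec.get('ifname', '')
        members = (' '.join(members) if isinstance(members, list) else members).split()
        if sec.get('type') == 'bridge':
            devices[name] = {'device': 'br-%s' % name, 'members': members}
        else:
            devices[name] = {'device': members[0] if members else None, 'members': members}
    return devices


def switch_vlans(sections):
    """VLAN id -> port tokens of every switch_vlan section ('5t' = port 5 tagged)."""
    return OrderedDict((int(sec['vlan']), sec['ports'].split())
                       for sec in sections.values() if sec['.type'] == 'switch_vlan')
```

Run `print('\n'.join(uci_show(parse_uci(SAMPLE_NETWORK))))` to get the familiar `network.lan=interface` / `network.lan.ifname=eth0.1` listing; `resolve_devices` is the part that turns a zone's logical name into the device you then look for in `ip addr` or `brctl show`.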

Interface Utilities

Wired Utilities

Most GNU/Linux distributions offer two packages in their repositories which contain a couple of user-space utilities for performing this configuration: net-tools and iproute2 (see net-tools VS iproute2):

purpose                          net-tools   iproute2
Address and link configuration   ifconfig    ip addr, ip link
Routing tables                   route       ip route
Neighbors                        arp         ip neigh
Tunnels                          iptunnel    ip tunnel
Multicast                        ipmaddr     ip maddr
Statistics                       netstat     ss

OpenWrt does not bundle them this way: net-tools and iproute2 are available as separate opkg packages, one per program, while the core utilities ifconfig, route, netstat and vconfig are contained in busybox as applets.
Name                     Version  Depends             Size   Description
net-tools-arp            1.60-2                       13829  Manipulate the kernel's ARP cache: add or delete an entry, or dump the entire cache.
                                                             (Without this package, arp is merely a shell function set up by the login profile, [ -x /sbin/arp ] || arp() { cat /proc/net/arp; }, and not even a busybox applet.)
net-tools-dnsdomainname  1.60-2   net-tools-hostname  807    Reports the system's DNS domain name.
net-tools-domainname     1.60-2   net-tools-hostname  814    Reports the system's NIS/YP domain name.
net-tools-hostname       1.60-2                       4446   Reports or sets the name of the current host system.
net-tools-ifconfig       1.60-2                       17117  Configure network interfaces.
net-tools-ipmaddr        1.60-2                       5690   Adds, deletes and shows an interface's multicast addresses.
net-tools-iptunnel       1.60-2                       7006   Adds, changes, deletes and shows an interface's tunnels.
net-tools-mii-tool       1.60-2                       6034   Checks or sets the status of a network interface's Media Independent Interface (MII) unit.
net-tools-nameif         1.60-2                       4474   Names network interfaces based on MAC addresses.
net-tools-netstat        1.60-2                       28420  Reports network connections, routing tables, and interface statistics.
net-tools-nisdomainname  1.60-2   net-tools-hostname  791    Same as domainname.
net-tools-plipconfig     1.60-2                       2866   Fine-tunes the PLIP device parameters to improve performance.
net-tools-rarp           1.60-2                       5180   Manipulate the kernel's RARP table.
net-tools-route          1.60-2                       14604  Manipulate the IP routing table.
net-tools-slattach       1.60-2                       7127   Attaches a network interface to a serial line, which allows normal terminal lines to be used for point-to-point links to other computers.
net-tools-ypdomainname   1.60-2   net-tools-hostname  799    Same as domainname.
ip                       2.6.35                       80215  Routing control utility. Configuration file: /etc/iproute2/rt_tables

Wireless Utilities

To get a better grasp of the current Linux WLAN stack, check this pdf (page 6) by Johannes Berg. Basically mac80211 is a framework analogous to the Advanced Linux Sound Architecture (ALSA), but for drivers of SoftMAC WNICs.

purpose                          wireless-tools   new (nl80211-based)
Address and link configuration   iwconfig         iw

For diverse reasons [1], wireless devices have an API different from that of Ethernet devices.

Package              Depends                                                                      Size    Description
kmod-mac80211        kernel, kmod-crypto-core, kmod-crypto-arc4, kmod-crypto-aes, kmod-cfg80211  127474  Generic IEEE 802.11 networking stack (mac80211)
kmod-mac80211-hwsim  kernel, kmod-mac80211                                                        10727   mac80211 HW simulation device
kmod-lib80211        kernel                                                                       12524   Kernel modules for the 802.11 networking stack. Includes: lib80211, lib80211_crypt_wep, lib80211_crypt_tkip, lib80211_crypt_ccmp
kmod-acx-mac80211    kernel, kmod-mac80211                                                        173176  Driver for acx111 cards (mac80211 version)
kmod-cfg80211        kernel, wireless-tools, iw, crda                                             75422   cfg80211 is the Linux wireless LAN (802.11) configuration API.
iw                   libnl-tiny                                                                   32100   cfg80211 interface configuration utility
crda                 libnl-tiny                                                                   5989    The Central Regulatory Domain Agent for Linux. It serves one purpose: telling the Linux kernel which regulatory rules to enforce. In essence it is a udev helper for communication between the kernel and userspace. You only need to run it manually for debugging purposes; to change the regulatory domain by hand use iw (iw reg set) or wpa_supplicant (feature yet to be added).
wireless-tools                                                                                    23153   Contains iwconfig, iwlist and iwpriv (the latter two are merely symlinks to the first), tools for configuring wireless adapters implementing the "Linux Wireless Extensions" aka "WE" aka "WExt". WExt is the older configuration API, the predecessor of the cfg80211/nl80211 API that iw uses, and is being replaced by it; this is work in progress.

[1] For one, the IEEE 802.11 specifications regulate the whole communication process quite precisely, so it makes sense to NOT implement these requirements in each driver but only once for all drivers. Then there is the problem of diverging frequency regulations worldwide.

VLAN and bridging concepts

Basics

Before getting too far into the details, it's important to first comprehend what VLANs are and how they work:

A VLAN (Virtual LAN) is, in basic terms, a group of physical ports on a switch that behave as if they were a separate standalone switch. This allows us to use one physical switch but partition it into multiple LANs, each one completely isolated from the others. The switch must support VLAN configuration: most cheap switches don't, but managed switches do, as does the internal switch of the OpenWrt router.

VLANs are used when you need to separate traffic between groups of devices, but you only want to use one physical switch. For example you might want one VLAN outside your firewall, for public web/mail servers, and another VLAN for your internal machines such as desktops and boxes with private data. They can't be placed on the same LAN for security reasons, so you use VLANs to isolate the groups of ports.

Let's say we have a 10 port switch, and we configure ports 1-5 as VLAN1 and 6-10 as VLAN2. All devices plugged into ports 1 through 5 behave as if they were on their own switch, and devices in ports 6-10 act as if they were on another switch. The main rule is that communication between ports in different VLANs is blocked at layer 2: even if you configure devices with the same subnet, devices in one VLAN cannot reach devices in another.

And of course, it's also possible to configure it differently - if you later decide you need to put another device in VLAN1 and you've only used 4 ports in VLAN2, you can reconfigure _any_ of the VLAN2 ports into VLAN1 (not just port 6). So then you might end up with VLAN1 as ports 1-5 and 8, and VLAN2 as ports 6,7,9,10.

The number of VLANs that you can configure on any device (including OpenWrt) is limited by the 12-bit VID (VLAN ID) field of the VLAN tag: 4096 values, of which 0 and 4095 are reserved, leaving 4094 usable VLAN IDs.

The subject of VLANs can get very complicated and extensive, but this quick summary covers what's needed for using VLANs on the OpenWrt platform.

VLAN Trunking

If you have a switch with multiple VLANs, you may want to attach a device (such as another switch) that needs to talk to more than one VLAN. This could be a firewall, which will take packets from one VLAN, filter them, then pass them to another VLAN. Alternatively, you might have a second switch that has the same two VLANs on them, and you want the two switches to exchange packets between each other for both VLANs, whilst maintaining the separation.

Rather than wasting ports by using separate ports per VLAN, we use a process known as trunking. One port on the switch is configured as a trunk port, and this port has connectivity to all VLANs for which it is set to be a trunk port. If you have a switch with 3 VLANs, you can configure one (or more) trunk port(s) to carry all VLANs, or just a subset of them.

How does the switch maintain isolation on this port? This is done with "tagging". Every packet sent or received on the trunk port carries a tag (the 4-byte 802.1Q header inserted after the source MAC address, holding the 12-bit VLAN ID) indicating what VLAN it is for or from. So a device receiving packets looks at the tag to see what VLAN that packet belongs to. When the device sends traffic to the switch, it adds a tag itself, and the switch looks at the tag and sends the packet to the VLAN indicated.

In the example of an attached firewall, a packet coming in from the internal LAN will be sent out the trunk port to the firewall, tagged with the internal VLAN number. The firewall will process the packet, then send it back to the switch with a tag for the external VLAN, and the switch will look at this tag and send it to the outside device.

You can see that a device such as a firewall will see each separate VLAN as if it's a different network interface. The internal VLAN is like a NIC on the inside of the network, and the external interface behaves just like a NIC on the outside. Because of this, most hosts and firewalls that support VLAN tags are setup such that each VLAN tag is as if it was another separate network interface, even though it's the same physical wire.
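To make the tag concrete, here is an added example (editorial code, not from the original page) that builds and parses frames carrying the 4-byte 802.1Q tag: TPID 0x8100, then 3 bits of priority (PCP), one DEI bit and the 12-bit VID, followed by the real EtherType. It goes slightly beyond the text in two ways: it also handles stacked tags (802.1ad, TPID 0x88A8 on the outer tag) and it models the ingress decision a switch port makes for a frame, which shows why an access port must never accept a tagged frame and why VID 0 is only a priority tag. The MAC addresses and payload are constructed.

```python
"""Build and parse 802.1Q-tagged Ethernet frames and decide which VLAN a
switch port assigns a frame to. Editorial example, not code from the page."""
import struct

ETH_P_8021Q = 0x8100    # TPID of a customer (C-) tag, IEEE 802.1Q
ETH_P_8021AD = 0x88A8   # TPID of a service (S-) tag, IEEE 802.1ad ("QinQ")
ETH_P_IP = 0x0800
TPIDS = (ETH_P_8021Q, ETH_P_8021AD)


def build_frame(dst, src, vids, ethertype=ETH_P_IP, payload=b'', pcp=0):
    """Ethernet header + one 4-byte tag per VID (outermost first) + EtherType
    + payload. With two or more tags the outer one gets the 802.1ad TPID."""
    for vid in vids:
        if not 1 <= vid <= 4094:
            raise ValueError('VID %d is reserved (0: priority tag only, 4095: reserved)' % vid)
    frame = bytes(dst) + bytes(src)
    for i, vid in enumerate(vids):
        tpid = ETH_P_8021AD if (i == 0 and len(vids) > 1) else ETH_P_8021Q
        tci = (pcp << 13) | vid                  # TCI layout: PCP:3 DEI:1 VID:12
        frame += struct.pack('!HH', tpid, tci)
    return frame + struct.pack('!H', ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags is a list of
    (tpid, pcp, dei, vid) tuples, outermost first, empty for untagged frames."""
    if len(frame) < 14:
        raise ValueError('truncated Ethernet header')
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError('frame ends inside the tag stack')
        (tpid,) = struct.unpack_from('!H', frame, offset)
        if tpid not in TPIDS:                    # not a tag: this is the EtherType
            break
        if offset + 4 > len(frame):
            raise ValueError('truncated 802.1Q tag')
        (tci,) = struct.unpack_from('!H', frame, offset + 2)
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return dst, src, tags, tpid, frame[offset + 2:]


def ingress_vlan(frame, pvid, trunk):
    """VLAN a switch assigns to a frame arriving on a port whose default VLAN
    is `pvid`. An access port (trunk=False) treats everything as pvid traffic
    and must never see a tag. On a trunk the outer tag's VID wins, except
    VID 0 (priority tag, no VLAN information), which also maps to pvid."""
    _, _, tags, _, _ = parse_frame(frame)
    if not tags:
        return pvid
    if not trunk:
        raise ValueError('tagged frame (VID %d) on an access port' % tags[0][3])
    vid = tags[0][3]
    return pvid if vid == 0 else vid
```

The trunk case is exactly the firewall example above: the frame from the internal LAN arrives tagged with the internal VID, the firewall answers with a frame tagged for the external VID, and the switch's ingress decision on its trunk port is `ingress_vlan(frame, pvid, trunk=True)`.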

Bridging

In networking, a bridge links two Ethernet interfaces together in such a way that they belong to the same LAN. If you have a box with two bridged Ethernet interfaces and connect each interface to a separate switch, the two switches are effectively linked together as if they were connected with a cable. You can also bridge a wired Ethernet interface with a wireless interface; the two are then linked together, much like a wireless AP or bridge does.

One useful feature of bridging is that the Linux box which is doing the bridging can listen to and send its own traffic. It does this by creating another interface. If you link eth0 and eth1, they will be bound to an interface br0 (or br1, etc). You can then assign an IP address to br0 and it will behave like a normal network interface attached to this bridged network. You cannot configure an IP address on the bridge members (eth0 or eth1), it needs to be done on the bridge interface.

This knowledge of bridges is important below.

Two network interfaces can also be bonded together (please see Link aggregation and Channel bonding and Ubuntu Wiki)

Interfaces under OpenWrt

Internal Layout

Internal Layout provides some examples on how physical interfaces are connected to Computer ports.

Architecture

This wireless router is actually three devices in one: a Linux host, a VLAN-capable switch and a wireless radio. The Linux host (eth0) and the switch (port 5) are connected internally with a Gigabit Media Independent Interface. The external Ethernet ports 0-4 also belong to the same switch. The diagram below shows the architecture.

By default, the switch is configured as two VLANs - vlan0 and vlan1.

  • Ethernet ports 1-4 (labelled LAN 1-4) are configured to vlan0.
  • Ethernet port 0 (labelled WAN) is configured to vlan1.

Any one of the individual external ports can actually be reassigned to either of the two pre-configured VLANs or even additional user-configured VLANs. The WAN port could be changed to a LAN port or vice-versa. The labels on the chassis simply reflect the default configuration.

The native VLAN - vlan1 does not need to be configured. Only the second VLAN - vlan0 needs to be configured to tag its packets to separate the two data streams.

The vlan0 interface is handled a bit differently. By default, the wifi interface (eth2) is bridged to the LAN ports, i.e. any host associated with the wireless interface is automatically in the same VLAN/subnet as hosts on the LAN ports. This is done with bridging (see above). As described above, when a bridge is created a new logical interface is created, called br0, and it is this br0 interface that needs to carry any IP address. So, by default, vlan0 has no IP address configured; instead, the LAN address is configured on the br0 interface.

There's also another interface visible from the shell - "eth1". This doesn't appear to be linked to anything, and is probably an unused wire on the Ethernet controller, so it's ignored in all configuration. Pretend it doesn't exist. :) This is the case on the Asus WL-500gP, it may differ on other models

Interface configuration

With a knowledge of how interfaces are partitioned, it's now easier to understand how to configure interfaces under OpenWrt.

The following block configures the physical ports into VLANS:

vlan0hwname=et0
vlan0ports="1 2 3 4 5*"
vlan1hwname=et0
vlan1ports="0 5*"

The "hwname" part is always "et0". The device "et0" is the switch itself and tells the system which switch to configure with VLANs. As there's only one switch, this must always be set to "et0". If you do not include port 5 in a VLAN, then that VLAN's traffic remains on the switch and will never be seen by the CPU.

The ports then are configured. The vlan0 (LAN) is configured with four ports, plus the internal tagged port, port 5. The vlan1 (WAN) is configured with only the one port, plus also the tagged port.

This configuration then gives us "vlan1", tied to the WAN port, and "vlan0", tied to the other ports. As mentioned earlier, you can make any other port the WAN port: just set the vlan1 port to something else, not that you really need to!

vlan1, which connects the WAN port to the CPU, is then configured with an IP address and mapped to the logical 'wan' interface name:

wan_ifname=vlan1
wan_ipaddr=a.b.c.d
wan_netmask=255.255.255.0
wan_proto=static

Next the LAN side is configured. The bridge must be created and the IP address is assigned to the bridge, not to a VLAN, but overall it's similar:

lan_ifname=br0
lan_ifnames="vlan0 eth2"
lan_proto=static
lan_ipaddr=w.x.y.z
lan_netmask=255.255.255.0

The variable "lan_ifname", which sets the actual interface to configure the IP parameters with, should of course be br0 for a bridged interface.

Then the variable "lan_ifnames" actually sets the interfaces which are to be bound to the bridge interface, in this case the vlan0 interface and the wireless interface. The vlan0 ports were defined earlier as wired ports 1-4, so these plus the wireless interface are now one single logical LAN.

That's basically how the entire network device architecture is on this box. Below is an example of adding another VLAN.

DMZ

If you're running some public servers and are security conscious, you'll probably want to make use of a DMZ (Demilitarized Zone). This is a third VLAN in a network, configured with different rules to the internal secure network. Generally the DMZ is configured to allow access to certain ports from the internet that wouldn't normally be allowed to inside hosts.

Under OpenWrt, a DMZ is easy to configure. A third VLAN is created, one or more physical ports are mapped to this VLAN, and then suitable firewall rules are created for it. The picture below shows how a DMZ configuration would look inside the device:

The configuration lines that would be changed for this are:

vlan0ports="2 3 4 5*"
vlan2hwname=et0
vlan2ports="1 5*"
dmz_ifname=vlan2
dmz_proto=static
dmz_ipaddr=192.168.1.22
dmz_netmask=255.255.255.0

This configuration first changes vlan0 to exclude port 1, which becomes our DMZ port. Then the DMZ VLAN is created with ports 1 and 5 (remember 5 is the internal tagged port). Then the logical interface 'dmz' is configured and attached to vlan2. To bring up the new interface, just run "ifup dmz". And of course add the firewall rules for the new zone.

You could even add more DMZ interfaces - you've got a total of six interfaces to play with (including the wireless port) so what we see is that this device is capable of some very impressive routing features - the limit is your imagination.

VLAN Trunking on one NIC

Provided by Trent W. Buck aka twb on #openwrt

Problem: server has room for only one physical NIC, but it needs access to the internet (i.e. an upstream network) as well as absolute dominion over two downstream networks: admin and prisoner.

To achieve this, we will create three VLANs on both the OpenWrt k7.09 and the Ubuntu 8.04 server. Further, all (or all but one) of the VLANs need to be tagged across the physical line between the OpenWrt and the Ubuntu server.

Use `robocfg show` to display VLAN status. It's probably better (more portable) to cat something in `/proc/switch/`, but I don't know what.

    OpenWrt# uci show network.eth0
    network.eth0=switch
    network.eth0.vlan0=1 5*
    network.eth0.vlan1=0 5
    network.eth0.vlan2=1t 2 5
    network.eth0.vlan3=1t 3 4 5

In this example port 0 is from WAN, port 1 goes to the server, port 2 and port 3 and 4 respectively go to the downstream networks. The * at 5* denotes PVID - default port vlan. This makes vlan0 the default for untagged packets from port 5. Packets leaving for port 5 (the CPU) are always implicitly tagged (in this notation). Port 1 (server port) services three vlans: 0, 2 and 3. Packets coming from vlan2 and 3 are explicitly tagged as they leave the switch through port 1 so the server may distinguish them - this is the '1t'. This means vlan0 packets leave untagged.

On the Ubuntu server (virtual) interfaces eth0, eth0.2 and eth0.3 are used as corresponding devices. Since vlan0 is untagged and the default 'native' vlan, there is no eth0.0. Vlan ID '0' cannot be used for tagging as it is a reserved value denoting this native vlan.

Note that we do not set up interfaces eth0.2 or eth0.3 with an IP address, because the OpenWrt MUST NOT be accessible (at the IP layer) from the admin and prisoner networks.

    Ubuntu# cat /etc/network/interfaces
    auto lo eth0 eth0.2 eth0.3

    iface lo inet loopback
    iface eth0 inet dhcp
    iface eth0.2 inet static
      address 192.168.67.1
      network 192.168.67.0
      netmask 255.255.255.0
      broadcast 192.168.67.255
    iface eth0.3 inet static
      address 192.168.68.1
      network 192.168.68.0
      netmask 255.255.255.0
      broadcast 192.168.68.255

Note that the Ubuntu VLAN package says not to use vlan1, because it's generally reserved for… stuff. It seems to work for me here, probably because vlan1 is non-tagged.

See also: http://forum.openwrt.org/viewtopic.php?id=5087


doc/networking/network.interfaces.txt · Last modified: 2013/05/12 14:18 by ralfbergs