OpenWrt uCentral schema
The device will reject any configuration that causes warnings if strict mode is enabled.
The unique ID of the configuration. This is the Unix timestamp of when the config was created.
The FQDN used to retrieve the public IP address of the Internet connection.
A device has certain properties that describe its identity and location. These properties are described inside this object.
This is a free text field, stating the administrative name of the device. It may contain spaces and special characters.
The hostname that shall be set on the device. If this field is not set, the device's serial number is used.
This is a free text field, stating the location of the device. It may contain spaces and special characters.
This allows you to change the timezone (TZ) of the device.
"UTC"
"EST5"
"CET-1CEST,M3.5.0,M10.5.0/3"
This allows forcing all LEDs off.
The device shall create a random root password and tell the gateway about it.
System-config string that holds the password for the main (root / admin) user that shall be applied.
The TIP vendor IEs that shall be added to beacons
Add an IE containing the device's name to beacons.
Add an IE containing the device's serial to beacons.
A provider specific ID for the network/venue that the device is part of.
This section describes the system-wide (unit) PoE controller configuration object.
This configuration mode controls the power management algorithm used by the power sourcing equipment (PSE) to deliver power to the requesting powered devices (PDs). "class": class-based power management. "dynamic": power management is done by the PoE controller and the maximum power for a port is not reserved per port. "static": the maximum power for the port is deducted from the total power pool. This mode ensures that the maximum power specified for the interface is always reserved and cannot be shared by other PDs.
"class"
"dynamic"
"dynamic-priority"
"static"
"static-priority"
Configure a power alarm threshold for the Power sourcing equipment (in percentages %).
This section describes the system-wide (unit) multicast configuration object.
Global config for controlling whether IGMP snooping is enabled. If this global setting is disabled, all VLANs are treated as disabled, whether they are enabled or not.
Global config for controlling whether MLD snooping is enabled. If this global setting is disabled, all VLANs are treated as disabled, whether they are enabled or not.
Global config for the unknown multicast flood control feature. This enables the system to forward unknown multicast packets only to a multicast router (mrouter).
Global IGMP querier config. This enables all VLAN interfaces to act as a querier.
A device has certain global properties that are used to derive parts of the final configuration that gets applied.
Define the IPv4 range that is delegatable to the downstream interfaces. This is described as a CIDR block (192.168.0.0/16, 172.16.128.0/17).
"192.168.0.0/16"
Define the IPv6 range that is delegatable to the downstream interfaces. This is described as a CIDR block (fdca:1234:4567::/48).
"fdca:1234:4567::/48"
Define a list of non-interface specific BLACKHOLE (to-nowhere) routes.
Defines a BLACKHOLE route's prefix.
"192.168.1.0/24"
VRF id.
Define a list of non-interface specific UNREACHABLE routes.
Defines an UNREACHABLE route's prefix.
"192.168.1.0/24"
VRF id.
This section defines the link speed and duplex mode of the physical copper/fiber ports of the device.
The list of physical network devices that shall be configured. The names are logical ones and wildcardable.
"LAN1"
"LAN2"
"LAN3"
"LAN4"
"LAN*"
"WAN*"
"*"
This is a free text field, stating the administrative name of the port. It may contain spaces and special characters, not exceeding 64 characters.
"cloud_uplink_port"
The link speed that shall be forced.
The duplex mode that shall be forced.
This allows forcing the port to down state by default.
The services that shall be offered on this L2 interface.
"quality-of-service"
This section describes the ethernet poe-port configuration object.
Option to force the admin state of the selected port. Setting it to <false> immediately shuts down power. Setting it to <true> starts the PoE handshake sequence (power sourcing equipment <-> powered device) and, on success, power is delivered to the powered device.
Option to force device's PSE (Power sourcing equipment) to invoke a PoE port reset sequence. This option can be used to reset PoE port without flickering it via <admin-mode> down/up sequence.
The detection mode sets the type of devices that are allowed to be powered. The PoE controller can be configured to detect only IEEE standard devices or also pre-IEEE legacy devices (pre-standard, not IEEE 802.3af compliant). For example, if "dot3af" is used (PoE, max up to 15.4 W) and the powered device draws more than 15.4 W, the power sourcing equipment won't allow this port to draw power.
"2pt-dot3af"
"2pt-dot3af+legacy"
"4pt-dot3af"
"4pt-dot3af+legacy"
"dot3bt"
"dot3bt+legacy"
"legacy"
Option to configure a user-defined absolute power limit the PoE port can draw (in milliwatts, mW).
Option to set the priority of each PoE port. When the PoE switch has less power available than the ports require, higher priority ports receive power in preference to lower priority ports.
"critical"
"high"
"medium"
"low"
This section describes the per-port specific 802.1X (port access control) configuration.
Enables PAE processing on the port and selects this port as an Authenticator (sets the PAC role to authenticator). Setting this to false configures the switch not to process PAC.
Configures the port control mode of this Authenticator port:
force-authorized - Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange being required. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client.
force-unauthorized - Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The device cannot provide authentication services to the supplicant through the port.
auto - Enables IEEE 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The device requests the identity of the supplicant and begins relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the device using the supplicant's MAC address.
Multi-auth - While in this mode, multiple devices are allowed to independently authenticate through the same port.
Multi-domain - While in this mode, the authenticator will allow one host from the data domain and one from the voice domain.
Multi-host - While in this mode, the first device to authenticate will open the switchport so that all other devices can use the port. These other devices are not required to be authenticated independently.
Single-host - While in this mode, the switchport will only allow a single host to be authenticated and to pass traffic at a time.
Configure a VLAN as a guest VLAN on an interface if the switch receives no response in an authentication event.
Value must be greater than or equal to 1 and less than or equal to 4094
Configure the unauthenticated VLAN to use when the AAA server fails to recognize the client credentials.
Value must be greater than or equal to 1 and less than or equal to 4094
Enables bypass for devices that do not support 802.1X authentication (e.g., printers, IP phones).
Defines the time period (in minutes) for which a MAC address is allowed access to the network without requiring reauthentication, after being authenticated or allowed via MAC Authentication Bypass (MAB).
Associates this port to a trunk or a port-channel.
Value must be greater than or equal to 1 and less than or equal to 64
This section describes the 802.3ad Link Aggregation Control Protocol (LACP) configuration for the current interface.
Enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface.
Configures the port LACP role as actor or partner.
Configures the LACP negotiation activity mode as active or passive.
Configures the port's LACP administration key.
Value must be greater than or equal to 1 and less than or equal to 65535
Configures the LACP port priority.
Value must be greater than or equal to 1 and less than or equal to 65535
Configures the LACP System priority.
Value must be greater than or equal to 1 and less than or equal to 65535
Configures the port channel's LACP administration key (optional).
Value must be greater than or equal to 1 and less than or equal to 65535
Configures the timeout to wait for the next LACP data unit.
Configuration of LLDP on a specific interface.
Enables LLDP transmit, receive, or transmit and receive mode on the specified port.
Configures an LLDP-enabled port to advertise the management address for this device.
Configures an LLDP-enabled port to advertise the management IPv6 address for this device, if available.
Configures an LLDP-enabled port to advertise its port description.
Configures an LLDP-enabled port to advertise its system capabilities.
Configures an LLDP-enabled port to advertise the system description.
Configures an LLDP-enabled port to advertise its system name.
Configures an LLDP-enabled port to advertise the supported protocols.
Configures an LLDP-enabled port to advertise port-based protocol-related VLAN information.
Configures an LLDP-enabled port to advertise its default Native VLAN ID (PVID).
Configures an LLDP-enabled port to advertise its VLAN name.
Configures an LLDP-enabled port to advertise its link aggregation capabilities.
Configures an LLDP-enabled port to advertise its MAC and physical layer specifications.
Configures an LLDP-enabled port to advertise its maximum frame size.
Configures an LLDP-enabled port to advertise its Power-over-Ethernet capabilities.
Configures an LLDP-MED-enabled port to advertise its location identification details.
Enables or disables the advertisement of this TLV.
Configure the two-letter ISO 3166 country code in capital ASCII letters.
The type of device to which the location applies.
The list of LLDP MED Location CA Types to advertise the physical location of the device, that is the city, street number, building and room information.
A one-octet descriptor of the civic address data value.
Value must be greater than or equal to 0 and less than or equal to 255
Description of a location.
Must be at least 1 character long
Must be at most 32 characters long
Enables the transmission of SNMP trap notifications about LLDP-MED changes.
Configures an LLDP-MED-enabled port to advertise its extended Power over Ethernet configuration and usage information.
Configures an LLDP-MED-enabled port to advertise its inventory identification details.
Configures an LLDP-MED-enabled port to advertise its location identification details.
Configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities.
Configures an LLDP-MED-enabled port to advertise its network policy configuration.
Enables the transmission of SNMP trap notifications about LLDP changes.
Configuration for ARP Inspection on specific interfaces or ports in the switch.
Sets a rate limit (packets per second) for the ARP packets received on a port. Ensures that the port does not process ARP packets beyond the configured limit.
Value must be greater than or equal to 0 and less than or equal to 65535
Configures the port as trusted, exempting it from ARP Inspection. Trusted ports bypass ARP validation checks.
Configuration for ingress and egress rate limiting on a specific port (in kbps).
Sets the maximum allowed ingress (input) traffic rate for the port, in kilobits per second (kbps).
Value must be greater than or equal to 64 and less than or equal to 1000000000
Sets the maximum allowed egress (output) traffic rate for the port, in kilobits per second (kbps).
Value must be greater than or equal to 64 and less than or equal to 1000000000
Configuration of IP Source Guard (IPSG) on a physical interface in a Layer 2 switch.
Configures the switch to filter inbound traffic based on source IP address only, or source IP address and corresponding MAC address combined.
Specifies the learning mode to use for validation, either MAC address table or ACL table. The system searches for source addresses in the specified table.
Sets the maximum number of address entries that can be mapped to an interface in the binding table. Includes both static entries and dynamically learned entries via DHCP Snooping.
Value must be greater than or equal to 1 and less than or equal to 65535
A collection of access control entries that define the rules for filtering traffic through a network port.
Determines the priority among multiple ACL policies when more than one is applied to an interface, if any.
Value must be greater than or equal to 1 and less than or equal to 64
Specifies the ACL policy that is applied to incoming traffic on an interface.
Must be at least 1 character long
Must be at most 32 characters long
"blacklisted-macs"
Tracks the number and type of packets that match the ingress ACL rules on an interface.
Specifies the ACL policy that is applied to outgoing traffic from an interface.
Must be at least 1 character long
Must be at most 32 characters long
"blacklisted-macs"
Tracks the number and type of packets that match the egress ACL rules on an interface.
Configure the Voice VLAN feature at the interface level, allowing for VoIP traffic to be prioritized on this specific port.
Specify the mode of placing this port on the voice VLAN.
Define the Class of Service (CoS) priority for VoIP traffic passing through this port, ensuring higher priority over other traffic types.
Value must be greater than or equal to 0 and less than or equal to 6
Select the detection method for identifying VoIP traffic on this port, such as OUI-based detection or traffic pattern recognition.
Enable or configure security filtering for VoIP traffic on the interface to protect against unauthorized devices.
Configuration for DHCP Snooping at the port level on a switch.
Designates a switch port as 'trusted' for DHCP messages, meaning it can forward DHCP offers and acknowledgments, which is essential for connecting to legitimate DHCP servers.
Sets a limit on the number of DHCP clients that can be associated with a single port, helping to prevent a single port from exhausting the network's IP address pool.
Value must be greater than or equal to 1
Specifies the DHCP Option 82 circuit ID suboption information. This often includes information like the interface number and VLAN ID and can be useful for network management and troubleshooting.
Must be at least 1 character long
Must be at most 32 characters long
This section defines the switch fabric specific features of a physical switch.
Enable mirroring of traffic from multiple monitor ports to a single analysis port.
The list of ports that we want to mirror.
The port that mirrored packets should be sent to.
Enable loop detection on the L2 switches/bridge.
Define which protocol shall be used for loop detection.
Define on which logical switches/bridges we want to provide loop-detection.
Define a list of configurations, one for each STP instance. The meaning of this field depends on the current STP protocol (switch.loop-detection.protocol).
Indicates the instance to configure. Its meaning depends on the current STP protocol: for RPVSTP/PVSTP it is a VLAN ID; for MSTP it is an instance ID.
Enable STP on this instance.
Bridge priority.
Defines the amount of time a switch port stays in the Listening and Learning states before transitioning to the Forwarding state.
Determines how often switches send BPDUs.
Specifies the maximum time that a switch port should wait to receive a BPDU from its neighbor before considering the link as failed or disconnected.
This section describes the global 802.1X (port access control) configuration.
Enables processing of PAE frames on ports that have 802.1X configured.
Define a list of RADIUS servers to forward authentication requests to.
Remote RADIUS server address (IP or hostname).
"192.168.1.1"
"somehost.com"
The port that the RADIUS authentication agent is running on.
Value must be greater than or equal to 1 and less than or equal to 65535
Secret key text that is shared between a RADIUS server and the switch.
"somepassword"
The server's priority, used when multiple servers are present; a larger value means higher priority.
Value must be greater than or equal to 1 and less than or equal to 64
This section describes the per-port port-isolation matrix (which ports the selected port may forward traffic to). Omitting this configuration completely disables any port-isolation configuration on the given port.
Allow the selected port to forward traffic in the provided session-based format.
Session ID to configure.
Configuration object for uplink interface(s).
List of interfaces (either physical or trunk ports).
Configuration object for downlink interface(s).
List of interfaces (either physical or trunk ports).
Sets the load-distribution method among ports in aggregated links for both static and LACP-based trunks.
Enables Jumbo frames
DHCP Snooping configuration parameters.
Enables DHCP Snooping on the network switch, a security feature that prevents unauthorized DHCP servers from offering IP addresses.
Sets a limit on the number of DHCP packets per second that can be received on an untrusted interface, to prevent DHCP flooding attacks.
Value must be greater than or equal to 1 and less than or equal to 2048
Ensures that the MAC address in a DHCP request matches the source MAC address of the packet, providing an additional layer of security.
Enables the insertion of information option 82 into DHCP packets, which adds details about the client's location and network for tracking and control purposes.
Allows the encoding of sub-options within option 82 to further specify client information.
Specifies the remote ID sub-option in option 82, which typically includes information like the circuit ID or remote host identifier.
Must be at least 1 character long
Must be at most 32 characters long
Defines the policy for handling packets with option 82, determining whether they should be forwarded or dropped based on the configuration.
This section defines the Multicast VLAN Registration (MVR) general configuration.
Enable/Disable MVR globally on the switch.
Configures the interval (in seconds) at which the receiver port sends out general queries. The maximum allowed value corresponds to 12 hours and the minimum to 1 second.
Value must be greater than or equal to 1 and less than or equal to 43200
Enable the MVR proxy switching mode, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
Configure the expected packet loss, and thereby the number of times report and group-specific queries are generated when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports. Correct configuration ensures that multicast group memberships are maintained even if some control messages are lost due to network issues.
Value must be greater than or equal to 1 and less than or equal to 255
Configure the switch to forward only multicast streams that a source port has dynamically joined or to forward all multicast groups.
Configure the Multicast VLAN Registration (MVR) domains.
Unique identifier for a Multicast Domain defined under the MVR.
Value must be greater than or equal to 1 and less than or equal to 10
Enable/disable Multicast VLAN Registration (MVR) for a specific domain.
Per domain Level Multicast VLAN ID. Specifies the VLAN through which MVR multicast data is received. This is the VLAN to which all source ports must be assigned.
Value must be greater than or equal to 1 and less than or equal to 4094
Configures the source IP address assigned to all MVR control packets sent upstream on all domains or on a specified domain.
"192.168.0.5"
List of MVR groups (or profiles) configuration.
The name of an MVR group that consists of one or more MVR group addresses.
Must be at least 1 character long
Must be at most 16 characters long
Start IP address of the range of MVR group addresses that maps to a profile/MVR group.
Statically configure all multicast group addresses that will join an MVR VLAN. Maps a range of MVR group addresses to a profile.
Value must be greater than or equal to 1 and less than or equal to 10
Configuration options for LLDP on a global level in an OLS switch.
Enables or disables LLDP globally at a switch level.
Configures the time-to-live (TTL) value sent in LLDP advertisements. The TTL tells the receiving LLDP agent how long to retain all information from the sending LLDP agent if it does not transmit updates in a timely manner.
Configures how many medFastStart packets are transmitted during the activation process of the LLDP-MED Fast Start mechanism.
Configures the periodic transmit interval for LLDP advertisements (in seconds).
Configures the delay (in seconds) before reinitializing after LLDP ports are disabled or the link goes down.
Configures a delay (in seconds) between successive transmissions of advertisements initiated by a change in local LLDP state.
Value must be greater than or equal to 1 and less than or equal to 8192
Configures the interval (in seconds) for sending SNMP notifications about LLDP changes.
Enables MC-LAG or disables it.
This section defines the MC-LAG configuration parameters for the switch.
List of MC-LAG domain configurations for the switch.
Specifies the MC-LAG domain ID to identify the grouping of peer switches.
Value must be greater than or equal to 1 and less than or equal to 1024
Configures the peer-link, which could be a physical port or a trunk group that connects the two MC-LAG peer switches.
Defines the type of peer-link, either 'port' or 'trunk-group'.
Specifies the port or trunk-group ID for the peer-link.
Value must be greater than or equal to 1 and less than or equal to 64
Configures the MC-LAG group, which binds the interfaces into a multi-chassis LAG.
Defines the unique MC-LAG group identifier.
Value must be greater than or equal to 1 and less than or equal to 128
List of interfaces that participate in the MC-LAG group.
Interface names that are part of the MC-LAG group.
"eth0"
"eth1"
LACP configuration settings for the MC-LAG group.
Enables or disables LACP for the MC-LAG group.
Configures the LACP role as 'actor' or 'partner'.
Sets the LACP timeout as either 'short' or 'long'.
Specifies the system priority used by the switch for LACP negotiations.
Value must be greater than or equal to 1 and less than or equal to 65535
Enables dual-active detection to prevent split-brain scenarios in MC-LAG.
This parameter enables or disables the overall configuration of the Voice VLAN feature on the switch. When enabled, it allows the system to classify and prioritize voice traffic.
Specifies the VLAN ID assigned to the Voice VLAN. This is the unique identifier for the VLAN that will be used for prioritizing voice traffic.
Value must be greater than or equal to 1 and less than or equal to 4094
Defines the time, in minutes, that a dynamic Voice VLAN entry remains in the VLAN after voice traffic is no longer detected. It helps manage resources by removing inactive voice devices from the VLAN after this time elapses.
Value must be greater than or equal to 5 and less than or equal to 43200
Configures the Organizationally Unique Identifier (OUI) for identifying the voice devices (like IP phones).
The specific MAC address pattern that corresponds to voice devices, as determined by the OUI. It is used for identifying and classifying voice traffic.
A mask applied to the MAC address to help match the OUI more precisely. It ensures that the correct portion of the MAC address is evaluated to identify a device as a voice device.
A descriptive label or comment for the OUI configuration. This can help administrators keep track of which OUI belongs to which type of voice device or vendor.
Must be at least 1 character long
Must be at most 32 characters long
"A VoIP Phone"
Global configuration for ARP Inspection on the switch.
Enable or disable ARP Inspection globally.
Validate that the destination MAC address in the Ethernet header matches the target MAC address in the ARP body for ARP responses.
Validate ARP packets for unexpected or invalid IP addresses, such as 0.0.0.0, 255.255.255.255, and IP multicast addresses.
Allow ARP packets where the sender IP address is 0.0.0.0.
Validate that the source MAC address in the Ethernet header matches the sender MAC address in the ARP body for both ARP requests and responses.
Configuration for IP Source Guard global static bindings in a Layer 2 switch.
List of static bindings for IP Source Guard.
Specifies the mode for adding a static address to the Source Guard ACL or MAC address binding table. It determines whether the binding is based on MAC addresses or ACLs.
A valid unicast MAC address for binding to the Source Guard filtering table.
The VLAN ID associated with the static binding for Source Guard filtering. Must be a valid, configured VLAN on the switch.
A valid unicast IPv4 address to associate with the Source Guard filtering table.
The physical interface (e.g., ethernet0, ethernet1) where the Source Guard binding applies.
Configuration for enabling or disabling specific event categories and their sub-events.
Enable/Disable Port Status events.
Enable/Disable Port Status category.
Enable/Disable carrier down event.
Enable/Disable carrier up event.
Enable/Disable Module events.
Enable/Disable Module category.
Enable/Disable module plugout event.
Enable/Disable module plugin event.
Enable/Disable STP events.
Enable/Disable STP category.
Enable/Disable loop detected event.
Enable/Disable loop cleared event.
Enable/Disable state change event.
Enable/Disable RSTP events.
Enable/Disable RSTP category.
Enable/Disable loop detected event.
Enable/Disable loop cleared event.
Enable/Disable state change event.
Enable/Disable Firmware Upgrade events.
Enable/Disable Firmware Upgrade category.
Enable/Disable download start event.
Enable/Disable download in progress event.
Enable/Disable download failed event.
Enable/Disable validation start event.
Enable/Disable validation success event.
Enable/Disable validation failed event.
Enable/Disable firmware backup event.
Enable/Disable install start event.
Enable/Disable install failed event.
Enable/Disable reboot start event.
Enable/Disable upgrade success event.
Enable/Disable DHCP Snooping events.
Enable/Disable DHCP Snooping category.
Enable/Disable DHCP Snooping violation detected event.
Enable/Disable DHCP Snooping violation cleared event.
Contains all the access control rule definitions.
All items must be unique
The identifier or name for the Access Control List.
Must be at least 1 character long
Must be at most 32 characters long
Type of the access control list.
Access control rules under this ACL.
Each additional property must conform to the following schema: an array of objects, all of which must be unique.
Defines whether to permit or deny traffic matching the rule.
Specifies the source MAC address to filter on.
The mask applied to the source MAC address.
Specifies the destination MAC address to filter on.
The mask applied to the destination MAC address.
Identifies the protocol encapsulated in the Ethernet frame by its EtherType.
Specifies a VLAN ID to filter traffic from a specific VLAN.
Value must be greater than or equal to 1 and less than or equal to 4094
The mask applied to the VLAN ID.
Value must be greater than or equal to 1 and less than or equal to 4095
Filters packets based on the custom EtherType field (hexadecimal) in the Ethernet frame.
The mask applied to the EtherType field.
Filters based on the Class of Service (CoS) field in the frame.
Value must be greater than or equal to 0 and less than or equal to 7
The mask applied to the CoS field.
Value must be greater than or equal to 0 and less than or equal to 7
The IPv4 source address to filter on.
The subnet mask applied to the source IPv4 address.
The IPv4 destination address to filter on.
The subnet mask applied to the destination IPv4 address.
Filters based on the IP protocol number.
Value must be greater than or equal to 0 and less than or equal to 255
Define a global list of dns servers.
This section describes the logical network interfaces of the device. Each interface has a primary role, such as upstream, downstream or guest.
This is a free text field, stating the administrative name of the interface. It may contain spaces and special characters.
"LAN"
The role defines if the interface is upstream or downstream facing.
This option makes sure that any traffic leaving this interface is isolated and all local IP ranges are blocked. It essentially enforces "guest network" firewall settings.
The routing metric of this logical interface. Lower values have higher priority.
Value must be greater than or equal to 0 and less than or equal to 4294967295
The MTU of this logical interface.
Value must be greater than or equal to 1280 and less than or equal to 1500
The services that shall be offered on this logical interface. These are just strings such as "ssh", "lldp", "mdns"
"ssh"
"lldp"
Set up additional VLANs inside the bridge.
This section describes the vlan behaviour of a logical network interface.
This is the pvid of the vlan that shall be assigned to the interface. The individual physical network devices contained within the interface need to be told explicitly if egress traffic shall be tagged.
Value must be less than or equal to 4094
Value must be less than or equal to 4094
Value must be less than or equal to 4094
This section describes the bridge behaviour of a logical network interface.
The MTU that shall be used by the network interface.
Value must be greater than or equal to 256 and less than or equal to 65535
1500
The Transmit Queue Length is a TCP/IP stack network interface value that sets the number of packets allowed per kernel transmit queue of a network interface device.
5000
Isolates the bridge ports from each other.
This section defines the physical copper/fiber ports that are members of the interface. Network devices are referenced by their logical names.
The list of physical network devices that shall be added to the interface. The names are logical ones and wildcardable. "WAN" will use whatever the hardware's default upstream-facing port is. "LANx" will use the x-th downstream-facing Ethernet port. "LAN*" will use all downstream ports.
"LAN1"
"LAN2"
"LAN3"
"LAN4"
"LAN*"
"WAN*"
"*"
Enable multicast support.
Controls whether a given port will learn MAC addresses from received traffic or not. If learning is off, the bridge will end up flooding any traffic for which it has no FDB entry. By default this flag is on.
Only allow communication with non-isolated bridge ports when enabled.
Enforce a specific MAC to these ports.
Reverse path filtering is a method used by the Linux kernel to help prevent attacks that rely on spoofed IP addresses.
Whether the port shall have a VLAN tag.
This section describes the IPv4 properties of a logical interface.
This option defines the method by which the IPv4 address of the interface is chosen.
"static"
This option defines a list of CONNECTED routes (with VRF id) in CIDR notation.
Defines a CONNECTED route's prefix (network).
"192.168.1.0/24"
VRF id.
This option defines the static IPv4 gateway of the logical interface.
Defines a NEXTHOP route's prefix (network).
"192.168.1.0/24"
Gateway (nexthop) address.
"192.168.1.1"
VRF id.
Optional metric value (define a NH route's weight / metric).
This option defines a list of BROADCAST routes (with VRF id) in CIDR notation.
Defines a BROADCAST route's prefix (network).
"192.168.1.0/24"
VRF id.
The unknown multicast flood control feature enables the system to forward unknown multicast packets only to a multicast router (mrouter).
Enable or disable IGMP snooping on a per-VLAN basis.
Configures the IGMP version. Configurable versions are IGMPv1, IGMPv2, and IGMPv3.
3
Configure this interface to act as a querier (multicast router)
Removes the group state when it receives an IGMP Leave report without sending an IGMP query message
Defines the interval between sending IGMP general queries
Defines the maximum response time (milliseconds) advertised in IGMP group-specific queries
Configures a query maximum response time (in seconds) that is advertised on IGMP queries.
Configures a Layer 2 port of a VLAN as a static member of an IGMP multicast group(s).
Specify egress port(s) to forward multicast traffic of the static group to.
Specify the IPv4 address (group) this interface is statically configured to be a member of.
"225.0.0.1"
MVR attributes on a given interface
Configure an interface as an MVR receiver or source port. A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.
Switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Applies to only receiver role ports.
Map the port to a specific domain.
Value must be greater than or equal to 1 and less than or equal to 10
Include the device's hostname inside DHCP requests.
true
Define which DNS servers shall be used. This can either be a list of static IPv4 addresses or "dhcp" (use the server provided by the DHCP lease).
"8.8.8.8"
"4.4.4.4"
Enables DHCP Snooping on a VLAN
Configuration for ARP Inspection on specific VLANs in the switch.
Enable or disable ARP Inspection for a specified VLAN.
Specifies an ARP ACL to apply to one or more VLANs.
Must be at least 1 character long
Must be at most 32 characters long
Validate ARP packets against only the specified ACL without checking address bindings in the DHCP snooping database.
This section describes the DHCP server configuration
The last octet of the first IPv4 address in this DHCP pool.
10
The number of IPv4 addresses inside the DHCP pool.
100
How long the lease is valid before a RENEW must be issued.
Use host at this IPv4 address to forward packets between clients and servers on different subnets.
This option selects what info shall be contained within a relayed frame's circuit ID. The string passed in has placeholders that are placed inside a bracket pair "{}". Any text not contained within brackets will be included as free text. Valid placeholders are "Interface" and "VLAN-ID".
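As an added illustration (not the uCentral agent's own code; the function name and sample values are constructed), a template expander that implements the placeholder rule described above and rejects unknown or unbalanced placeholders at configuration time rather than emitting a malformed circuit ID:

```python
# Placeholders the description allows; anything else inside braces is an error.
VALID_PLACEHOLDERS = ("Interface", "VLAN-ID")


def expand_circuit_id(template: str, interface: str, vlan_id: int) -> str:
    """Expand a circuit-ID template.

    Text outside braces is copied verbatim; "{Interface}" and "{VLAN-ID}"
    are replaced by the given values. Unknown, nested or unterminated
    placeholders raise ValueError so a bad template fails validation.
    """
    values = {"Interface": interface, "VLAN-ID": str(vlan_id)}
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "}":
            raise ValueError(f"unbalanced '}}' at offset {i}")
        if ch != "{":
            out.append(ch)  # free text is copied as-is
            i += 1
            continue
        end = template.find("}", i + 1)
        if end < 0:
            raise ValueError(f"unterminated placeholder at offset {i}")
        name = template[i + 1:end]
        if name not in values:  # also catches "{}" and nested "{a{b}"
            raise ValueError(
                f"unknown placeholder {name!r}; valid: {VALID_PLACEHOLDERS}"
            )
        out.append(values[name])
        i = end + 1
    return "".join(out)


def template_is_valid(template: str) -> bool:
    """Config-time check: True if the template expands without error."""
    try:
        expand_circuit_id(template, "probe", 0)  # constructed dummy values
    except ValueError:
        return False
    return True
```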
This section describes the static DHCP leases of this logical interface.
The MAC address of the host that this lease shall be used for.
"00:11:22:33:44:55"
The offset of the IP that shall be used in relation to the first IP in the available range.
10
How long the lease is valid before a RENEW must be issued.
Shall the host's hostname be made available locally via DNS?
This section describes an IPv4 port forwarding.
The layer 3 protocol to match.
The external port(s) to forward.
The internal IP to forward to. The address will be masked and concatenated with the effective interface subnet.
The internal port to forward to. Defaults to the external port if omitted.
This section describes the IPv6 properties of a logical interface.
This option defines the method by which the IPv6 subnet of the interface is acquired. In static addressing mode, the specified subnet and gateway, if any, are configured on the interface in a fixed manner. Also - if a prefix size hint is specified - a prefix of the given size is allocated from each upstream received prefix delegation pool and assigned to the interface. In dynamic addressing mode, a DHCPv6 client will be launched to obtain IPv6 prefixes for the interface itself and for downstream delegation. Note that dynamic addressing usually only ever makes sense on upstream interfaces.
This option defines a static IPv6 prefix in CIDR notation to set on the logical interface. A special notation "auto/64" can be used, causing the configuration agent to automatically allocate a suitable prefix from the IPv6 address pool specified in globals.ipv6-network. This property only applies to static addressing mode. Note that this is usually not needed due to DHCPv6-PD assisted prefix assignment.
"auto/64"
This option defines the static IPv6 gateway of the logical interface. It only applies to static addressing mode. Note that this is usually not needed due to DHCPv6-PD assisted prefix assignment.
"2001:db8:123:456::1"
For dynamic addressing interfaces, this property specifies the prefix size to request from an upstream DHCPv6 server through prefix delegation. For static addressing interfaces, it specifies the size of the sub-prefix to allocate from the upstream-received delegation prefixes for assignment to the logical interface.
Value must be greater than or equal to 0 and less than or equal to 64
This section describes the DHCPv6 server configuration
Specifies the DHCPv6 server operation mode. When set to "stateless", the system will announce router advertisements only, without offering stateful DHCPv6 service. When set to "stateful", emitted router advertisements will instruct clients to obtain a DHCPv6 lease. When set to "hybrid", clients can freely choose whether to self-assign a random address through SLAAC, whether to request an address via DHCPv6, or both. For maximum compatibility with different clients, it is recommended to use the hybrid mode. The special mode "relay" will instruct the unit to act as DHCPv6 relay between this interface and any of the IPv6 interfaces in "upstream" mode.
Overrides the DNS server to announce in DHCPv6 and RA messages. By default, the device will announce its own local interface address as DNS server, essentially acting as proxy for downstream clients. By specifying a non-empty list of IPv6 addresses here, this default behaviour can be overridden.
Selects a specific downstream prefix or a number of downstream prefix ranges to announce in DHCPv6 and RA messages. By default, all prefixes configured on a given downstream interface are advertised. By specifying an IPv6 prefix in CIDR notation here, only prefixes covered by this CIDR are selected.
This section describes an IPv6 port forwarding.
The layer 3 protocol to match.
The external port(s) to forward.
The internal IP to forward to. The address will be masked and concatenated with the effective interface subnet.
The internal port to forward to. Defaults to the external port if omitted.
This section describes an IPv6 traffic accept rule.
The layer 3 protocol to match.
The source IP to allow traffic from.
The source port(s) to accept.
Must contain at least 1 item
The destination IP to allow traffic to. The address will be masked and concatenated with the effective interface subnet.
The destination ports to accept.
Must contain at least 1 item
This Object defines the properties of a broad-band uplink.
This uplink uses WWAN/LTE
Specific value: "wwan"
The local protocol that the modem supports.
Commonly known as APN. The name of a gateway between a mobile network and the internet.
The authentication mode that shall be used.
The PIN that shall be used to unlock the SIM card.
This option is only required if an authentication-type is defined.
This option is only required if an authentication-type is defined.
Define what kind of IP stack shall be used.
This Object defines the properties of a PPPoE uplink.
This uplink uses PPPoE
Specific value: "pppoe"
The username used to authenticate.
The password used to authenticate.
This Object defines the properties of a mesh interface overlay.
This field must be set to mesh.
Specific value: "mesh"
This Object defines the properties of a vxlan tunnel.
This field must be set to vxlan.
Specific value: "vxlan"
This is the IP address of the remote host that the VXLAN tunnel shall be established with.
The network port that shall be used to establish the VXLAN tunnel.
Value must be greater than or equal to 1 and less than or equal to 65535
4789
This Object defines the properties of a l2tp tunnel.
This field must be set to l2tp.
Specific value: "l2tp"
This is the IP address of the remote host that the L2TP tunnel shall be established with.
The username used to authenticate.
The password used to authenticate.
This Object defines the properties of a GRE tunnel.
This field must be set to gre.
Specific value: "gre"
This is the IP address of the remote host that the GRE tunnel shall be established with.
Healthcheck will probe if the remote peer replies to DHCP discovery without sending an ACK.
Set “Don't Fragment” flag on encapsulated packets.
This Object defines the properties of a GREv6 tunnel.
This field must be set to gre6.
Specific value: "gre6"
This is the IPv6 address of the remote host that the GRE tunnel shall be established with.
Healthcheck will probe if the remote peer replies to DHCP discovery without sending an ACK.
This section describes all of the services that may be present on the AP. Each service is then referenced via its name inside an interface, ...
The LLDP description field. If set to "auto" it will be derived from unit.name.
The LLDP location field. If set to "auto" it will be derived from unit.location.
This section can be used to setup a SSH server on the AP.
This option defines which port the SSH server shall be available on.
Value must be less than or equal to 65535
This option defines if password authentication shall be enabled. If set to false, only ssh key based authentication is possible.
This option defines whether the SSH server shall be enabled or disabled.
This section can be used to setup the upstream NTP servers.
This is an array of URL/IP of the upstream NTP servers that the unit shall use to acquire its current time.
"0.openwrt.pool.ntp.org"
Start an NTP server that provides the time to local clients.
true
This section can be used to configure the MDNS server.
Enable this option if you would like to enable the MDNS server on the unit.
This section can be used to setup a persistent connection to a rTTY server.
The server that the device shall connect to.
"192.168.1.10"
This option defines the port that the device shall connect to.
Value must be less than or equal to 65535
The security token that shall be used to authenticate with the server.
Must be at least 32 characters long
Must be at most 32 characters long
"01234567890123456789012345678901"
Shall the connection enforce mTLS?
This section can be used to configure remote syslog support.
IP address of a syslog server to which the log messages should be sent in addition to the local destination.
"192.168.1.10"
Port number of the remote syslog server specified with log_ip.
Value must be greater than or equal to 100 and less than or equal to 65535
2000
Sets the protocol to use for the connection, either tcp or udp.
Size of the file based log buffer in KiB. This value is used as the fallback value for logbuffersize if the latter is not specified.
Value must be greater than or equal to 32
Filter messages by their log priority. The value maps directly to the 0-7 range used by syslog.
Value must be greater than or equal to 0
Enable the webserver with the on-boarding webui
The port that the HTTP server should run on.
Value must be greater than or equal to 1 and less than or equal to 65535
This option defines whether the HTTP server shall be enabled or disabled.
This section allows enabling the IGMP/Multicast proxy
This option defines if the IGMP/Multicast proxy shall be enabled on the device.
This section can be used to setup a radius security proxy instance (radsecproxy).
The radius secret used to communicate with the proxy.
The various realms that we can proxy to.
Defines whether the realm should use radsec or normal radius.
The realm that this server shall be used for.
Auto discover the radsec server address via the realm's DNS NAPTR record.
The remote proxy server that the device shall connect to.
"192.168.1.10"
The remote proxy port that the device shall connect to.
Value must be less than or equal to 65535
The radius secret that will be used for the connection.
The device will use its local certificate bundle for the TLS setup and ignores all other certificate options in this section.
The local server's CA bundle.
The local server's certificate.
The local server's private key.
The password required to read the private key.
Defines whether the realm should use radsec or normal radius.
The realm that this server shall be used for.
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater than or equal to 1024 and less than or equal to 65535
1812
The shared Radius authentication secret.
"secret"
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater than or equal to 1024 and less than or equal to 65535
1812
The shared Radius authentication secret.
"secret"
Defines whether the realm should use radsec or normal radius.
The realm that this server shall be used for.
The message that is sent when a realm is blocked.
This section can be used to configure the online check service.
Hosts that shall be pinged to find out if we are online.
"192.168.1.10"
URLs to which an http/s connection shall be established to find out if we are online. The service will try to download http://$string/online.txt and expects the content of that file to be "Ok". HTTP 30x redirects are supported, allowing redirection to https.
"www.example.org"
The interval in seconds in between each online-check.
How many times the online check needs to fail before the system assumes that it has lost online connectivity.
The action that the device shall execute when it has detected that it is not online.
This section can be used to define eBPF and cBPF blobs that shall be loaded for virtual data-planes and SDN.
A list of programs that can be loaded as ingress filters on interfaces.
The name of the ingress filter.
The base64 encoded xBPF.
This section describes the QoS behaviour of the unit.
The physical network devices that shall be considered the primary uplink interface. All classification and shaping will happen on this device.
Defines the upload bandwidth of this device. If it is not known or the device is attached to a shared medium, this value needs to be 0.
Defines the download bandwidth of this device. If it is not known or the device is attached to a shared medium, this value needs to be 0.
The QoS feature can automatically detect and classify bulk flows. This is based on average packet size and PPS.
The differentiated services code point that shall be assigned to packets that belong to a bulk flow.
The required PPS rate that will cause a flow to be classified as bulk.
A list of predefined named services that shall be classified according to the community DB.
A list of classifiers. Each classifier will map certain traffic to specific ToS/DSCP values based upon the defined constraints.
The differentiated services code point that shall be assigned to packets that match the rules of this entry.
Each entry defines a layer3 protocol and a port(range) that will be used to match packets.
The port match can apply for TCP, UDP or any IP protocol.
The port of this match rule.
The last port of this match rule if it is a port range.
Ignore the ToS/DSCP of packets and reclassify them.
Each entry defines a wildcard FQDN. The IP that this resolves to will be used to match packets.
Match for all suffixes of the FQDN.
Ignore the ToS/DSCP of packets and reclassify them.
This Object defines the properties of a wireguard-overlay.
This field must be set to wireguard-overlay.
Specific value: "wireguard-overlay"
The private key of the device. This key is used to look up the host entry inside the config.
The network port that shall be used to establish the wireguard tunnel.
Value must be greater than or equal to 1 and less than or equal to 65535
The network port that shall be used to exchange peer data inside the tunnel.
Value must be greater than or equal to 1 and less than or equal to 65535
The description of the root node of the overlay.
The public key of the host.
The public IP of the host (optional).
The list of private IPs that a host is reachable on inside the overlay.
The list of all known hosts inside the overlay.
The unique name of the host.
The public key of the host.
The public IP of the host (optional).
The list of subnets that shall be routed to this host.
The list of private IPs that a host is reachable on inside the overlay.
The description of the root node of the overlay.
The network port that shall be used to establish the vxlan overlay.
Value must be greater than or equal to 1 and less than or equal to 65535
The MTU that shall be used by the vxlan tunnel.
Value must be greater than or equal to 256 and less than or equal to 65535
If set to true, hosts will only be able to talk to the root node and will not forward L2 traffic between each other.
This section can be used to configure a GPS dongle
Adjust the system's clock upon a successful GPS lock.
The baud rate used by the attached GPS dongle.
This section can be used to setup a Telnet server on the device.
This option defines whether the Telnet server shall be enabled or disabled.
Enable the webserver with the on-boarding webui
The port that the secure HTTP server should run on.
Value must be greater than or equal to 1 and less than or equal to 65535
This option defines whether the secure HTTP server shall be enabled or disabled.
There are several types of metrics that shall be reported in certain intervals. This section provides a granular configuration.
Statistics are traffic counters, neighbor tables, ...
The reporting interval defined in seconds.
Value must be greater than or equal to 60
A list of names of subsystems that shall be reported periodically.
Configure the maximum number of FDB entries the device is allowed to report. If omitted, the device default (2000) should be used. Setting it to zero means no entries should be reported and a flag should be raised. If the device's current FDB size exceeds the configured value, a flag should be raised as well.
Health check gets executed periodically and will report a health value between 0-100 indicating how healthy the device thinks it is
The reporting interval defined in seconds.
Value must be greater than or equal to 60
This makes the AP probe local downstream DHCP servers.
This makes the AP probe remote upstream DHCP servers.
This makes the AP probe DNS servers.
This makes the AP probe DNS servers.
DHCP snooping allows us to intercept DHCP packets on interfaces that are bridged, where DHCP is not offered as a service by the AP.
A list of the message types that shall be sent to the backend.
Configure the unsolicited telemetry stream.
The reporting interval defined in seconds.
The event types that get added to telemetry.
Configure the realtime events that get sent to the cloud.
The event types that get added to telemetry.
This object allows passing raw uci commands that get applied after all the other configuration has been generated.
Must contain at least 2 items
[
"set",
"system.@system[0].timezone",
"GMT0"
]
[
"delete",
"firewall.@zone[0]"
]
[
"delete",
"dhcp.wan"
]
[
"add",
"dhcp",
"dhcp"
]
[
"add-list",
"system.ntp.server",
"0.pool.example.org"
]
[
"del-list",
"system.ntp.server",
"1.openwrt.pool.ntp.org"
]
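Because these raw entries are applied after everything else, a controller will want to check them before they reach the device. This added example (not part of the schema or the uCentral agent; the per-verb argument counts, the path pattern and the CLI rendering are this example's assumptions) validates entries of the shape shown above and renders them as quoted uci CLI lines:

```python
import re
import shlex

# Arguments each verb takes after the verb itself: "delete" takes only a
# target, the others a target plus a value (for "add": config + section type).
UCI_VERB_ARITY = {"set": 2, "delete": 1, "add": 2, "add-list": 2, "del-list": 2}

# Hyphenated verbs used in the entries map to underscored uci CLI subcommands.
UCI_CLI_VERB = {"add-list": "add_list", "del-list": "del_list"}

# config[.section[.option]] where a section may be written as "@type[index]".
_UCI_PATH_RE = re.compile(
    r"^[A-Za-z0-9_-]+(\.(@[A-Za-z0-9_-]+\[-?\d+\]|[A-Za-z0-9_-]+))*$"
)


def validate_uci_command(cmd):
    """Return a list of problems with one raw entry (empty when acceptable)."""
    if not isinstance(cmd, list) or len(cmd) < 2:
        return ["entry must be a list with at least 2 items"]
    if not all(isinstance(item, str) for item in cmd):
        return ["every item must be a string"]
    verb, args = cmd[0], cmd[1:]
    if verb not in UCI_VERB_ARITY:
        return [f"unknown uci verb {verb!r}"]
    problems = []
    if len(args) != UCI_VERB_ARITY[verb]:
        problems.append(
            f"{verb!r} expects {UCI_VERB_ARITY[verb]} argument(s), got {len(args)}"
        )
    # A path with whitespace or shell metacharacters is never legitimate.
    if not _UCI_PATH_RE.match(args[0]):
        problems.append(f"{args[0]!r} is not a valid uci path")
    return problems


def render_uci_command(cmd):
    """Render one validated entry as a uci CLI invocation with quoted arguments."""
    problems = validate_uci_command(cmd)
    if problems:
        raise ValueError("; ".join(problems))
    verb, args = cmd[0], cmd[1:]
    if verb in ("add", "delete"):
        tokens = args                        # uci add <config> <type> / delete <path>
    else:
        tokens = [args[0] + "=" + args[1]]   # uci set|add_list|del_list <path>=<value>
    cli = "uci " + UCI_CLI_VERB.get(verb, verb)
    return cli + " " + " ".join(shlex.quote(t) for t in tokens)


def render_uci_commands(entries):
    """Validate the whole list; reject all of it if any entry is bad."""
    bad = {i: p for i, e in enumerate(entries) if (p := validate_uci_command(e))}
    if bad:
        raise ValueError(f"rejected uci entries: {bad}")
    return [render_uci_command(e) for e in entries]
```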
Additional Properties of any type are allowed.
Type: object