Asus RT-AC65P integrated switch weird behavior

Hi All,

I noticed something weird about the integrated switch on the RT-AC65P router.
The bridging is set up as follows:

root@OpenWrt:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.04922646bb54       no              wlan0
                                                        switch.1
                                                        wlan1
switch          7fff.04922646bb54       no              lan4
                                                        lan2
                                                        lan3
                                                        lan1

network config excerpt:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option type 'bridge'
        option name 'switch'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'switch'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'switch.1'

As far as I'm aware, this is how it's supposed to be set up if I were to use multiple vlans with multiple ssid-s. In this test setup, I only have one for simplicity.
I have a PC connected to lan1 and another one to lan2. I also have a phone connected to the wifi and a router connected to wan for internet access.
If I send any traffic (be it ping or whatever) directly from one PC to the phone, the integrated switch sends out the ethernet frames to the other PC and presumably it would send them out on all other ports. Traffic from PC to the internet (so if the ethernet frame destination MAC is the RT-AC65P itself) is handled as expected.
This doesn't seem to happen with the default configuration where the lan ports and the wifi interfaces are directly bridged to br-lan.
I tested it with the latest RC of 24.10.0, 23.05.5, 22.03.7 and 21.02.7. There doesn't seem to be a difference between 24.10.0 RC7 and 23.05.5. Interestingly, it happens rarely on 22.03.7 and doesn't seem to happen at all on 21.02.7.
Am I doing something wrong with the setup, or could this be a bug? It almost seems like the integrated switch has trouble learning MAC addresses via the CPU port.
Has anyone else with similar hardware experienced this?

Edit: I added the modified "br-lan" bridge configuration to the config snippet as I forgot to add that initially.

Edit2: Here is the wireless config as well for good measure:

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2+ccmp'
        option key 'Openwrt1234'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2+ccmp'
        option key 'Openwrt1234'

You should change option device 'br-lan' to option device 'switch.1'

If I do that, my "lan" interface is no longer a bridge device and I can't bridge the wifi interface to it.

The advice given is based on the snippet you posted.
If you claim it doesn't work, there is something wrong with the rest of the configuration(s).

I didn't say in the post that my setup is not working. It is working with the configuration in the snippet. With your suggestion, the wifi interface is not getting bridged. I not only knew that already, I gave it a try anyway just now.
What the post is about is that there are frames being sent to switchports to which they shouldn't be sent.

Is this an assumption of yours, or can you see the ethernet frames meant for the phone on the other ports?

My comment was on your statement

Read the manual more carefully and good luck.

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_networks_using_vlans

Thanks for linking that, but that guide doesn't deal with multiple networks and vlan tagging and multiple wifi ssid-s. I don't mind that though, as the config I made is working as intended other than this weird thing with the switching behavior.
I also noticed that I forgot to add the br-lan bridge configuration to the config snippet, which may have influenced your train of thought on this matter. I fixed it now, so kindly take another look if you are still interested in this topic.

I captured the traffic on the ethernet interface (with Wireshark) on the other PC (let's call it PC2) and I see that frames coming from the first PC (call it PC1) destined for the phone are picked up by the capture. Normally, this should not happen, and it doesn't happen with the default config where there is only "br-lan", so only one "layer" of bridging not two (one for the switch and a second one for the vlan interface and wifi interfaces) like the config I posted.

The guide is universal and applicable to zero, one, or multiple SSIDs.

Some basic principles:

  • When creating a bridge device, you only list valid physical ports (lanX, wan, ethX, etc.)
  • A given physical port can be a member of only one bridge
  • With DSA devices, you can achieve everything with just one bridge (for some devices this is even your only choice)
  • The port separation is based on bridge vlan filtering
  • In the bridge-vlan section, you set the VLAN ID and tagged/untagged port membership (specifying the bridge device name)
  • A given physical port can be an untagged member of only one VLAN
  • The device specified in the interface section determines which VLAN will be used by this network. It should consist of the name of the bridge device (no matter br-lan, bridge, switch or whatever), a dot <.> and the vlan id

Here is a sample configuration with three SSIDs.

#/etc/config/network

...

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        
config interface 'lan10'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'lan100'
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan2:t'


#/etc/config/wireless

...

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option network 'lan'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt10'
        option encryption 'none'
        option network 'lan10'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt100'
        option encryption 'none'
        option network 'lan100'

The output of brctl shows that all wired and wireless ports are members of the same (single) bridge, named br-lan.

root@Xiaomi:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.8cdef9a41e54       no              phy0-ap1
                                                        lan2
                                                        phy0-ap0
                                                        phy1-ap0
                                                        lan1

To be able to see the vlan membership (which does the real port separation), you need to install the ip-bridge package.

root@Xiaomi:~# bridge vlan
port              vlan-id
lan2              10 PVID Egress Untagged
                  100
lan1              1 PVID Egress Untagged
br-lan            1
                  10
                  100
phy0-ap0          1 PVID Egress Untagged
phy0-ap1          10 PVID Egress Untagged
phy1-ap0          100 PVID Egress Untagged

If it's still not clear, I give up...

1 Like
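
The principles listed in the reply above can be checked mechanically before a config is applied. This is an added example, not code from the thread or from OpenWrt: a small Python linter for /etc/config/network text. The names parse_uci, lint and NESTED are hypothetical, and it assumes single-quoted UCI values as in the snippets on this page.

```python
import re

def parse_uci(text):
    """Parse UCI text into [(type, name, {option: value, list: [values]})]."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        kind, key, val = m.groups() if m else (None, None, None)
        if kind == "config":
            sections.append((key, val, {}))
        elif sections and kind == "option":
            sections[-1][2][key] = val
        elif sections and kind == "list":
            sections[-1][2].setdefault(key, []).append(val)
    return sections

def lint(text):
    """Return findings where the config departs from the principles listed above."""
    secs = parse_uci(text)
    bridges = {o.get("name"): o.get("ports", []) for t, _, o in secs
               if t == "device" and o.get("type") == "bridge"}
    vlans = [o for t, _, o in secs if t == "bridge-vlan"]
    out, owner, untagged = [], {}, {}
    for br, ports in bridges.items():
        for p in ports:
            if p.split(".")[0] in bridges:  # e.g. 'switch.1' listed in 'br-lan'
                out.append(f"{br}: port {p} is another bridge's device, not a physical port")
            if p in owner:
                out.append(f"{p}: member of both {owner[p]} and {br}")
            owner[p] = br
    for v in vlans:
        for spec in v.get("ports", []):
            port, _, flags = spec.partition(":")
            if "t" not in flags:  # no 't' suffix is treated as untagged
                untagged.setdefault((v.get("device"), port), []).append(v.get("vlan", "?"))
    out += [f"{port}: untagged in VLANs {', '.join(vids)} on {br}"
            for (br, port), vids in untagged.items() if len(vids) > 1]
    filtering = {v.get("device") for v in vlans}
    out += [f"interface {n}: device {o['device']} should be {o['device']}.<vid>"
            for t, n, o in secs if t == "interface" and o.get("device") in filtering]
    return out

# Constructed excerpt mirroring the stacked layout from the first post.
NESTED = "\n".join([
    "config device", " option name 'switch'", " option type 'bridge'", " list ports 'lan1'",
    "config device", " option name 'br-lan'", " option type 'bridge'", " list ports 'switch.1'"])
if __name__ == "__main__":
    print("\n".join(lint(NESTED)))
```
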

No problem with the clarity of it. Every time I did it this way, the wireless interfaces didn't get bridged. I tried it this way again, and got the same result. Then I restarted the wifi radios and then it got bridged.
Thanks for confirming that I've been doing the bridging of wireless networks wrong! Now things appear to be operating as expected.
