Bridge Duplicating MAC Addresses & ICMP Packets on VLAN Setup

I am experiencing an issue where ICMP packets are being duplicated on my OpenWrt bridge, and brctl showmacs shows duplicate MAC addresses for the same interface. I’ve tried several troubleshooting steps, but the issue persists. I need help figuring out what’s causing this and how to fix it.

Setup Details:

Device: Linksys E8450 (UBI) / mediatek/mt7622
OpenWrt Version: OpenWrt 24.10.0 r28427-6df0e3d02a / LuCI openwrt-24.10 branch 25.014.55016~7046a1c
Network Setup:
    WAN is a trunk port carrying VLANs.
    Each VLAN is assigned to a separate bridge (one VLAN per bridge).
    Wireless interfaces are assigned to bridges.
    STP is disabled, but enabling it didn’t help.
    Hairpin mode was disabled but also didn’t fix the issue.
    VLAN filtering is not enabled, as I only have one VLAN per bridge.
    TCPDump shows ICMP packet duplication on the bridges.

Config:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6c:5c84:7d3d::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '2'
	option name 'wan.2'
	option mtu '9000'
	option ipv6 '0'
	option macaddr 'E8:9F:80:5C:08:E5'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '3'
	option name 'wan.3'
	option mtu '9000'
	option ipv6 '0'
	option macaddr 'E8:9F:80:5C:08:E6'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '4'
	option name 'wan.4'
	option mtu '9000'
	option ipv6 '0'
	option macaddr 'E8:9F:80:5C:08:E7'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '5'
	option name 'wan.5'
	option mtu '9000'
	option macaddr 'E8:9F:80:5C:08:E8'

config device
	option type 'bridge'
	option name 'Server0_bridge'
	list ports 'wan.2'
	option mtu '9000'
	option ipv6 '0'
	option macaddr 'E8:9F:80:5C:08:E4'

config interface 'Server0_2_BR'
	option proto 'none'
	option device 'Server0_bridge'

config device
	option type 'bridge'
	option name 'LAN_bridge'
	list ports 'wan.4'
	option mtu '9000'
	option ipv6 '0'
	option macaddr 'E8:9F:80:5C:08:E2'

config device
	option type 'bridge'
	option name 'MGMT_Bridge'
	list ports 'wan.3'
	option mtu '9000'
	option ipv6 '0'
	option macaddr 'E8:9F:80:5C:08:E3'

config device
	option type 'bridge'
	option name 'GUEST_Bridge'
	list ports 'wan.5'
	option mtu '9000'
	option ipv6 '0'
	option macaddr 'E8:9F:80:5C:08:E1'

config interface 'MGMT_3_BR'
	option proto 'static'
	option device 'MGMT_Bridge'
	option ipaddr '192.168.3.8'
	option netmask '255.255.255.0'
	option gateway '192.168.3.1'
	option dns '192.168.3.1'

config interface 'LAN_4_BR'
	option proto 'none'
	option device 'LAN_bridge'

config interface 'Guest_5_BR'
	option proto 'none'
	option device 'GUEST_Bridge'

config device
	option name 'wan'
	option mtu '9001'
	option ipv6 '0'

Packet duplication on both the bridge and the wan.4 interface.

tcpdump -i LAN_bridge -nn icmp
listening on LAN_bridge, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:41:28.682628 IP 192.168.4.100 > 192.168.4.1: ICMP 192.168.4.100 udp port 37837 unreachable, length 151
19:41:29.608654 IP 192.168.4.100 > 192.168.1.93: ICMP echo request, id 34130, seq 2292, length 64
19:41:29.608783 IP 192.168.4.100 > 192.168.1.93: ICMP echo request, id 34130, seq 2292, length 64
19:41:29.612288 IP 192.168.1.93 > 192.168.4.100: ICMP echo reply, id 34130, seq 2292, length 64

What the bridges are up to:

brctl show
bridge name	bridge id		STP enabled	interfaces
LAN_bridge		7fff.e89f805c08e2	no		wl0-ap2
							wan.4
GUEST_Bridge		7fff.e89f805c08e1	no		wl0-ap1
							wan.5
br-lan		7fff.e89f805c08ea	no		lan4
							lan2
							lan3
							lan1
Server0_bridge		7fff.e89f805c08e4	no		wan.2
							wl0-ap0
MGMT_Bridge		7fff.e89f805c08e3	no		wan.3

The macs on the bridge

brctl showmacs LAN_bridge
port no	mac addr		is local?	ageing timer
  2	8a:cb:c0:0c:c8:f7	no		   0.00
  1	e8:9f:80:5c:08:e7	yes		   0.00
  1	e8:9f:80:5c:08:e7	yes		   0.00
  2	ee:9f:80:5c:08:eb	yes		   0.00
  2	ee:9f:80:5c:08:eb	yes		   0.00

Why are ICMP packets being duplicated across the bridge and VLAN interface?

This does not occur when I connect to the switch OpenWRT is also connected to, so I think it's OpenWRT.

Thank you for your help.

This is likely your issue.

With DSA configs, generally speaking there should only be a single bridge per switch chip, and bridge-vlans are how you configure the VLANs themselves.

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial

Let me know if you need help adjusting your config.


You need ip-bridge to show dsa shortcuts in fib.

Thank you. I did go on an adventure learning about how this should have been properly configured. I read the docs and watched the YouTube video on this and it did help.

Here's what it might look like for others if you want to use OpenWRT as an access point and trunk multiple VLANs to the WAN port on your device.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdbb:c2e9:b93f::/48'
	option packet_steering '1'

config device
	option type 'bridge'
	option name 'VLAN_BR'
	option mtu '9000'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config bridge-vlan
	option device 'VLAN_BR'
	option vlan '2'
	list ports 'lan2:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'VLAN_BR'
	option vlan '3'
	list ports 'lan1:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'VLAN_BR'
	option vlan '4'
	list ports 'wan:t'

config bridge-vlan
	option device 'VLAN_BR'
	option vlan '5'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'wan:t'

config interface 'MGMT'
	option proto 'static'
	option device 'VLAN_BR.3'
	option ipaddr '192.168.3.8'
	option netmask '255.255.255.0'
	option gateway '192.168.3.1'
	option dns '192.168.3.1'

config interface 'Server0'
	option proto 'none'
	option device 'VLAN_BR.2'

config interface 'LAN'
	option proto 'none'
	option device 'VLAN_BR.4'

config interface 'Guest'
	option proto 'none'
	option device 'VLAN_BR.5'


Glad you've got it working. The config looks good now.
