I own a couple of Zyxel Armor Z2 devices, but I haven't updated the firmware in years. A few days ago I updated to the latest snapshot, so I have moved from the old switch system to the newer DSA-based system.
I generally use this particular device as more of an access point rather than as a router, so I wanted all the ports (lan1, lan2, lan3, lan4 and wan) on the same bridge and VLAN, which all worked fine, but I found that packets were being duplicated, something which showed up quite clearly when doing a ping because every response was a DUP.
This isn't a problem I have with a very similar configuration using the E8450, so I eventually concluded that the problem must relate to the fact that the Zyxel Armor-Z2 has an eth0 and an eth1. Sure enough, once I entered the command "/sbin/ifconfig eth1 down" the problem of duplicate packets ceased, but this doesn't feel like the right answer.
Does anybody else have experience with this, or can you suggest a better solution?
Many thanks to both of you for the quick response. It is a pretty simple /etc/config/network file right now, and I am using VLAN-1, which I use with no issue on other hardware such as the E8450's which also use DSA.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config device
	option name 'lan1'
	option macaddr '8c:59:73:fe:8e:d6'

config device
	option name 'lan2'
	option macaddr '8c:59:73:fe:8e:d6'

config device
	option name 'lan3'
	option macaddr '8c:59:73:fe:8e:d6'

config device
	option name 'lan4'
	option macaddr '8c:59:73:fe:8e:d6'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
	option delegate '0'

config device
	option name 'wan'
	option macaddr '8c:59:73:fe:8e:d7'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan:t'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option macaddr 'F2:69:5D:86:44:BD'
	option ipv6 '0'

VLAN 0 is not valid under any circumstances. The valid range is 1-4094. For untagged frames, the 802.1q tag simply isn't there. Period. This means that it's not VLAN ID 0, it means that there is no 802.1q header at all.
I don't think you have a full understanding of how DSA works.
Once you set up bridge-VLANs, you do not use the raw bridge anymore. Period.
In setups where there are no bridge-vlan stanzas, the switch is configured as a basic unmanaged switch. When bridge-VLANs are included in a configuration, all interfaces should use bridge-vlan based devices, not the base bridge. If one wants to have untagged frames on any given port, it is specified by adding :u* after the port name.
Yes, the standard permits it (although there is debate about whether it should be used in this way, generally speaking, but that's a different topic).
However, DSA is implemented such that the base bridge is never used in any interfaces once bridge-VLANs are configured. In DSA, if you want to have untagged ports (or hybrid untagged+tagged), you do so explicitly in the bridge-vlan stanzas, and then those devices are used in the network interfaces.
Looking at the VLAN 1 bridge-vlan, make the untagged ports explicit like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'wan:t'

Many thanks, that worked perfectly. It is greatly appreciated, although I am still not really sure why it worked.
Can I ask, what happens if I want the Armor-Z2 to use a different MAC address on different tagged VLANs? I would normally have the wan device using three tagged VLANs, and I did that under the older OpenWrt firmware, having it present a different MAC address for each VLAN. I know it arguably isn't necessary, but if I don't do that the DHCP server on the main router box doesn't appear to make a record of the IP address it has given for the different VLANs, because it stores the information using the MAC address as the unique key.
While I haven't spent the time to experiment with the 802.1q stanzas, it does seem to break things. It's not necessary to create those stanzas because the ports are automatically tagged as needed based on the bridge-vlan configurations. Explicitly setting the port tag status will ensure that all packets sent and received will be associated with the correct VLAN. (TBH, I'm still not certain about the difference between lan1, lan1:u, and lan1:u*, and nobody has been able to give a proper answer as to why there are three ways to write a line that should be untagged; but in my experience here, if you want a port untagged, set it explicitly with :u*)
AFAIK, you can set different MACs per port, but not per-VLAN.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
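
The advice given in the replies above (no interface on the raw bridge once bridge-vlan stanzas exist, explicit :t or :u* on every bridge-vlan port, no hand-written 8021q stanzas on top of the bridge) can be checked mechanically before a config is applied. The following is an added example, not code from any poster or from OpenWrt; the function names and finding labels are made up for illustration, and the sample is a constructed excerpt of the config posted in the thread.

```sh
#!/bin/sh
# Added example: lint UCI network config text (stdin) against the DSA
# bridge-vlan advice in this thread. Finding labels are hypothetical.
lint_dsa_network() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }        # strip UCI quotes
    $1 == "config" { n++; sect[n] = $2; name[n] = unq($3); next }
    $1 == "option" { opt[n, $2] = unq($3) }
    $1 == "list" && $2 == "ports" && sect[n] == "bridge-vlan" {
        ports[n] = ports[n] " " unq($3)
    }
    END {
        # Bridges that have at least one bridge-vlan stanza.
        for (i = 1; i <= n; i++)
            if (sect[i] == "bridge-vlan") filtered[opt[i, "device"]] = 1
        for (i = 1; i <= n; i++) {
            dev = opt[i, "device"]
            if (sect[i] == "bridge-vlan") {
                m = split(ports[i], p, " ")
                for (j = 1; j <= m; j++)        # no :t / :u* suffix given
                    if (p[j] !~ /:/)
                        print "implicit-port " dev " vlan " opt[i, "vlan"] " " p[j]
            }
            # Interface bound to the base bridge instead of br-lan.N
            if (sect[i] == "interface" && (dev in filtered))
                print "raw-bridge " name[i] " uses " dev
            # Hand-written 8021q device on top of a VLAN-filtering bridge
            if (sect[i] == "device" && opt[i, "type"] == "8021q" && (opt[i, "ifname"] in filtered))
                print "manual-8021q " opt[i, "name"] " on " opt[i, "ifname"]
        }
    }'
}
# Constructed sample: an excerpt of the config posted earlier in the thread.
sample_before() {
    cat <<'EOF'
config interface 'lan'
	option device 'br-lan.1'
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'wan:t'
config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
EOF
}
sample_before | lint_dsa_network
```

On a router the same function can be fed the live file with `lint_dsa_network < /etc/config/network`; empty output means none of the three patterns was found.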