Can ping VLAN from WIFI but not local interface using DSA

Port #4 is a VLAN trunk with two networks on it.

root@router:~# brctl show
bridge name	bridge id		STP enabled	interfaces
br-dmz		7fff.c4411ef3b880	no		lan4.4
br-lan		7fff.c4411ef3b880	no		wlan0
							lan2
							lan4.5
							wlan1
							lan3
							lan1

From a device on wifi (wlan1) ping works to a port #4 connected device

ping 192.168.5.7
PING 192.168.5.7 (192.168.5.7) 56(84) bytes of data.
64 bytes from 192.168.5.7: icmp_seq=1 ttl=64 time=3.26 ms
64 bytes from 192.168.5.7: icmp_seq=2 ttl=64 time=2.94 m

From a device on br-lan ping does not work to a port #4 connected device

ping 192.168.5.7
PING 192.168.5.7 (192.168.5.7) 56(84) bytes of data.
From 192.168.5.4 icmp_seq=1 Destination Host Unreachable
From 192.168.5.4 icmp_seq=2 Destination Host Unreachable
From 192.168.5.4 icmp_seq=3 Destination Host Unreachable

The opposite is true as well. The 192.168.5.7 host is able to ping hosts which are on wifi and not those on br-lan

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdca:ff61:062b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4.5'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option ifname 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.5.1'
	list dns_search 'example.com'

config interface 'wan'
	option ifname 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '208.67.222.123'
	list dns '208.67.220.123'

config interface 'wan6'
	option ifname 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-dmz'
	list ports 'lan4.4'

config interface 'DMZ'
	option ifname 'br-dmz'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.4.1'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '4'
	option name 'lan4.4'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '5'
	option name 'lan4.5'

System is a Belkin RT3200 running Firmware Version OpenWrt SNAPSHOT r16769-ddcb970274 / LuCI Master git-21.124.24916-0faf9a4

It seems to be something with ARP as a tcpdump doesn't show a reply to the arp query unless one of the IPs is on wifi

10:38:40.849210 ARP, Request who-has 192.168.5.7 tell 192.168.5.132, length 46
10:38:41.849221 ARP, Request who-has 192.168.5.7 tell 192.168.5.132, length 46
10:38:46.070638 ARP, Request who-has 192.168.5.239 tell 192.168.5.7, length 42
10:38:46.167480 ARP, Reply 192.168.5.239 is-at ac:12:03:77:f4:7f, length 28
10:38:49.649370 ARP, Request who-has 192.168.5.7 tell 192.168.5.132, length 46
....
10:42:55.319736 ARP, Request who-has 192.168.5.7 tell 192.168.5.239, length 28
10:42:55.319929 ARP, Reply 192.168.5.7 is-at 18:c0:4d:02:30:1a, length 42

Is there anything wrong in the configs?
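The ARP observation in the post above can be checked systematically. This is an added example, not part of the original posts: a shell function that pairs each who-has request in `tcpdump -n arp` text output with a reply from the target seen within a time window. The function name `arp_pairs`, the 1-second default window and the assumption of default tcpdump output (no `-e`, timestamps within one day) are choices made for the example; the sample lines are copied from the capture above.

```shell
#!/bin/sh
# Added example: count ARP requests and how many were answered, per asker/target.
# Usage: tcpdump -n arp | arp_pairs [window_seconds]
arp_pairs() {
    awk -v window="${1:-1}" '
    # Convert HH:MM:SS.usec to seconds since midnight.
    function secs(ts,   p) { split(ts, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }

    # fields: time ARP, Request who-has TARGET tell ASKER, length N
    $2 == "ARP," && $3 == "Request" && $4 == "who-has" {
        asker = $7; sub(/,$/, "", asker)
        key = asker " -> " $5
        if (!(key in total)) order[++n] = key
        total[key]++
        # Remember the request until a reply from its target shows up.
        np++; ptarget[np] = $5; pkey[np] = key; ptime[np] = secs($1)
    }

    # fields: time ARP, Reply IP is-at MAC, length N
    # Without -e the reply line does not name its recipient, so a reply is
    # credited to every pending request for that IP inside the window.
    $2 == "ARP," && $3 == "Reply" {
        t = secs($1)
        for (i = 1; i <= np; i++)
            if (ptarget[i] == $4 && t >= ptime[i] && t - ptime[i] <= window) {
                answered[pkey[i]]++; ptarget[i] = ""
            }
    }

    END {
        for (i = 1; i <= n; i++)
            printf "%s requests=%d answered=%d\n", order[i], total[order[i]], answered[order[i]]
    }'
}

# Sample input: the ARP lines from the capture in the post above.
SAMPLE='10:38:40.849210 ARP, Request who-has 192.168.5.7 tell 192.168.5.132, length 46
10:38:41.849221 ARP, Request who-has 192.168.5.7 tell 192.168.5.132, length 46
10:38:46.070638 ARP, Request who-has 192.168.5.239 tell 192.168.5.7, length 42
10:38:46.167480 ARP, Reply 192.168.5.239 is-at ac:12:03:77:f4:7f, length 28
10:38:49.649370 ARP, Request who-has 192.168.5.7 tell 192.168.5.132, length 46
10:42:55.319736 ARP, Request who-has 192.168.5.7 tell 192.168.5.239, length 28
10:42:55.319929 ARP, Reply 192.168.5.7 is-at 18:c0:4d:02:30:1a, length 42'

printf '%s\n' "$SAMPLE" | arp_pairs 1
```

A pair with `answered=0` means the request never reached the target or the reply never came back on the capture interface; keep the window short, since a long one credits unrelated later replies to old requests.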

The network config seems suspect, an example of some of that which is current:

/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
#	option ula_prefix 'fde2:1857:9a33::/48'
	option ula_prefix 'auto'
	option packet_steering '1'

config device 'wan_wan_dev'
	option name 'wan'
	option macaddr 'xx:xx...'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'switch0'
	option type 'bridge'
	option macaddr 'xx:xx...'
	list ports 'lan4'
	list ports 'lan3'
	list ports 'lan2'
	list ports 'lan1'
	option igmp_snooping '1'
	option vlan_filtering '1'
	option stp '1'
### STP gens an error in dmesg ###

config bridge-vlan
	option device 'switch0'
	option vlan '10'
	list ports 'lan4:*'
	list ports 'lan3:*'
	option alias 'lan'

config interface 'lan'
	option ifname 'switch0.lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config bridge-vlan
	option device 'switch0'
	option vlan '20'
	list ports 'lan2:t'
	list ports 'lan1:t'
	option alias 'ap'

config interface 'ap'
	option ifname 'switch0.ap'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config bridge-vlan
	option device 'switch0'
	option vlan '30'
	list ports 'lan2:t'
	list ports 'lan1:*'
	option alias 'iot'

config interface 'iot'
	option ifname 'switch0.iot'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config bridge-vlan
	option device 'switch0'
	option vlan '4094'
	list ports 'lan2:t*'
	option alias 'sink'

config interface 'windscribevpn'
	option ifname 'tun0'
	option proto 'none'

root@mamba:/etc/config# bridge vlan
port              vlan-id  
lan4              10 PVID Egress Untagged
lan3              10 PVID Egress Untagged
lan2              20
                  30
                  4094 PVID
lan1              20
                  30 PVID Egress Untagged
switch0           10
                  20
                  30
                  4094
root@mamba:/etc/config# brctl show
bridge name	bridge id		STP enabled	interfaces
switch0		7fff.94103e85b525	yes		lan4
							lan2
							lan3
							lan1

Just an example from me testing things here, so... Also, this is from a very recent master, I'm not sure if the version you are on has the requisite netifd changes for some of that syntax; there have been a lot of changes coming down the pipe as of late.

Thanks for the info. I'm going to pull/build a more recent master and read up on netifd. The reason for the pull of a recent master is because the hardware has only been working for a short time: https://openwrt.org/toh/hwdata/belkin/belkin_rt3200

To make absolutely sure it was a vlan issue, this was tested:

brctl show
bridge name	bridge id		STP enabled	interfaces
br-dmz		7fff.c4411ef3b880	no		lan4
br-lan		7fff.c4411ef3b880	no		wlan0
							lan2
							wlan1
							lan3
							lan1

Without the VLAN in place, things work correctly. Only one network runs on the port, of course, but all other hosts are able to ping a host on that network.

Just an FYI. If, like me, you simply edit your config files, setting things aside by commenting bits out / in, there is code that is rewriting the /etc/config/network file upon a flash, apparently attempting to remove / update deprecated bits. Set aside a config if you do not want to lose same.
