Cannot reach servers behind Cisco smart switch

Hi all,

I recently flashed OpenWrt onto a Linksys E8450; however, after doing so my desktop (lan1 on eth0) can no longer communicate with my servers connected to my Cisco SF220-48P PoE Smart Switch (lan4 on eth0).

I can reach the smart switch's management page from my desktop without issue.
I can see each server in the IPv4 neighbours section on OpenWrt.
I can communicate with other clients not behind the smart switch (i.e. desktop (lan1 on eth0) <-> laptop (lan2 on eth0) works fine).
Everything was working as expected prior to OpenWrt installation.

After having spent the better part of yesterday and today trying to resolve this issue from both OpenWrt and the smart switch management page, I have determined this issue is currently beyond my level of knowledge and am now seeking assistance with the matter.

Sounds like either a mismatch of vlan configurations (in general or port specific), or incorrect firewall or network configs.

It is not possible to guess beyond that without more information.

We need to know what VLANs are present on each of the ports in question on your switch, as well as the subnets for each of those VLANs. Then, we need to see your openwrt configuration.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

The smart switch has all settings default (all changes I made in blind attempts to resolve this I've reverted) so all ports on it are currently set to the default vlan 1.

OpenWrt config should also be mostly what it was out of the box as I also reverted most changes I made in attempts to resolve this.

And all firewall rules I've set on the hypervisor & vm/container levels on each server were working fine prior to OpenWrt.

ubus call system board:

{
        "kernel": "5.10.161",
        "hostname": "",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb9:1562:d1cc::/48'

config interface 'lan'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.255.255.0'
        option ipaddr '10.*.*.*'
        option device 'br-lan'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option mtu '1500'
        option macaddr ''

/etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid ''
        option encryption 'sae'
        option key ''
        option wpa_disable_eapol_key_retries '1'
        option isolate '1'
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'US'
        option he_su_beamformee '1'
        option he_bss_color '8'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid ''
        option encryption 'sae'
        option key ''
        option wpa_disable_eapol_key_retries '1'
        option isolate '1'
        option network 'lan'

/etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '10.*.*.*'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Well, given that you are only running a single subnet on your Openwrt router, the router itself is never involved in connections between devices on your local network. Since all of the traffic is switched (L2), not routed (L3), your problem must be with the hosts or the switch. I’d start by checking that the hosts have the expected ip addresses, and then I’d look at their local firewalls (disable them entirely as an experiment). If that doesn’t work, then look at your switch.


Yes, in the default configuration, untagged packets will be switched by hardware between the four LAN ports. That happens entirely outside the CPU, so any configuration of networks and firewalls does not affect it. If you want to switch tagged packets, you'll need to set up a switch-vlan for each VLAN of interest. Unlike on Cisco, VLANs are not all automatically included.

Remove macaddr and mtu from the br-lan definition. I'm not sure if it is valid to put those options there. In any case, they aren't needed.

For best interoperability with non-Cisco equipment, configure each switchport on the Cisco switch to either access or trunk. The default mode (neither access nor trunk specified) attempts to do things automatically, which really only works when connected to another Cisco device.

In the management page for the Cisco switch it lists the ports as being in trunk mode, and the documentation provided by Cisco for this lineup says the default mode should be trunk. [https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf220_sg220/administration/guide/Sx220_AG_en.pdf] (Not sure if it's actually in trunk mode or in an automatic mode like you are saying and just listing it as trunk; my networking knowledge is limited and I had never messed around with VLANs until yesterday, when I tried to set the ports on the OpenWrt device to be on VLAN 1 (using the Bridge VLAN filtering tab on the br-lan device) to match Cisco's default VLAN 1, which didn't seem to help, so I reverted.)

In the IPv4 neighbours section it shows all the correct IPs that I had statically assigned on each host, but I will do a sanity check to ensure that they actually have the IP they are requesting and temporarily drop a couple of the firewalls for testing purposes in a moment.

I feel really stupid now. When I was testing connectivity I just used 4 points of reference because I have quite a few nodes, each with a number of VMs/containers, and I wasn't really thinking about the 4 points of reference I used. I chose 1 node (all my nodes run Proxmox and are in the same "datacenter" group, so I didn't think about checking another since I can manage them all from each other) and 3 VMs/containers. Apparently my dumb ass picked 3 VMs/containers that were on the same node I chose to test, which happens to be the only node having issues right now. I can confirm the network is currently working fine after pulling up another node. I didn't notice a handful of IPs missing from the IPv4 neighbours list because I was just quickly skimming through due to the number of IPs listed, and having only one node down didn't shrink the IP list enough for me to notice them missing. Sorry for having wasted both of your time.
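Two things in this thread are worth turning into a repeatable check: the earlier advice to confirm each host really holds its expected address, and the way the outage was finally found (a handful of IPs silently absent from the router's neighbour table). The script below is an added example, not code from the thread or from OpenWrt. It compares a list of hosts you expect on the LAN against the router's neighbour table and reports every expected host that has no resolved MAC. The host list and the neighbour-table sample are constructed; on the router you would feed it the real output of `ip -4 neigh show dev br-lan`.

```shell
#!/bin/sh
# Cross-check hosts that *should* be on the LAN against the router's
# neighbour table. An expected host that is absent, or present only in
# FAILED/INCOMPLETE state, never answered ARP: the L2 path through the
# switch (or the host itself) is the place to look, not the router's
# firewall. Example code; host list and neighbour sample are constructed.

# Expected hosts as "ip name" pairs, one per line (constructed).
EXPECTED='10.0.0.2 pve-node1
10.0.0.3 pve-node2
10.0.0.4 pve-node3
10.0.0.50 vm-web'

# Constructed sample in the format of `ip -4 neigh show dev br-lan`.
# On a real router use: SAMPLE_NEIGH=$(ip -4 neigh show dev br-lan)
SAMPLE_NEIGH='10.0.0.2 lladdr aa:bb:cc:00:00:02 REACHABLE
10.0.0.3 lladdr aa:bb:cc:00:00:03 STALE
10.0.0.4 FAILED
10.0.0.99 lladdr aa:bb:cc:00:00:99 REACHABLE'

# neigh_state <neigh-table> <ip>
# Prints the neighbour state of <ip> (last field of its line), or MISSING
# when the address does not appear in the table at all.
neigh_state() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip { print $NF; found = 1; exit }
        END { if (!found) print "MISSING" }'
}

# check_hosts <expected> <neigh-table>
# Prints "ip name state" for every expected host without a resolved MAC.
# States that carry an lladdr mean ARP worked, so those hosts are skipped.
check_hosts() {
    printf '%s\n' "$1" | while read -r ip name; do
        [ -n "$ip" ] || continue
        state=$(neigh_state "$2" "$ip")
        case "$state" in
            REACHABLE|STALE|DELAY|PROBE|PERMANENT) ;;   # MAC known: L2 path OK
            *) printf '%s %s %s\n' "$ip" "$name" "$state" ;;
        esac
    done
}

# count_unreachable <expected> <neigh-table>
# Number of expected hosts reported by check_hosts (0 means all resolved).
count_unreachable() {
    check_hosts "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: list the problem hosts from the constructed sample.
check_hosts "$EXPECTED" "$SAMPLE_NEIGH"
```

A host listed with a MAC (REACHABLE, STALE and friends) has answered ARP, so frames are crossing the switch and any remaining problem is above L2, typically the host's own firewall. A host reported as FAILED or MISSING never answered at L2, which points at the host, its cabling or the switch port rather than at the OpenWrt network or firewall configuration, matching the reasoning earlier in the thread. Extra entries in the table that are not in your list (10.0.0.99 above) are ignored; widen EXPECTED rather than skimming the neighbour list by eye.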
