DSA: Bridge untagged frames across switch ports

We at freifunk berlin are using EA8450 in our network and are facing roaming issues due to stale MAC entries in the fdb. Currently we reproduce that sporadically on openwrt snapshot, assuming this is simply not a reliable way to achieve that.

Another option we are investigating is to bridge the VLANS individually using vlan-unaware bridges.

Relevant Config:

config device 'vlan_40'
	option name 'br-dhcp' 
	option type 'bridge'
	option ports 'wan.40 lan1.40 lan2.40 lan3.40 lan4.40'
                    
config device 'vlan_untagged'
	option name 'br-prdhcp' 
	option type 'bridge'
	option ports 'wan lan1 lan2 lan3 lan4'

In both bridges there are wifi ifaces hooked onto.

While br-dhcp forwards fine in all directions (lan-lan, lan-wifi, wifi-lan), the br-prdhcp, which shall be transported untagged on the wire, doesn't work that well. lan-wifi and wifi-lan work fine, but lan-lan is broken. In fact only BUM frames are forwarded from one switchport to another.

I'm really lost here, as we have been carrying that issue for too long and it prevents us from refactoring our network config automation at freifunk berlin.


This looks quite wrong... let's see the complete information to understand the full context before recommending any changes.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Given the intrinsic of wireless meshing involved, you're more likely to get help from other freifunk resources. As there's a whole lot of functionality on top of normal OpenWrt.


The intended design of that sample config is to have a dumb AP, which announces different VLANs as separate SSIDs.

Logical networks / VLANs which shall be bridged across all ports in order to allow people to connect via Ethernet into the private network and also to allow chaining more access points:

  • Untagged: Private
  • 40: Public
  • 42: Management

There are a few VLANs which are only bridged, but I have omitted those to avoid confusion.

root@wilgu10-int:~# ubus call system board
{
	"kernel": "6.6.74",
	"hostname": "wilgu10-int",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r28714-d981f28f76",
		"target": "mediatek/mt7622",
		"description": "OpenWrt SNAPSHOT r28714-d981f28f76",
		"builddate": "1737984763"

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
                    
config device 'vlan_42'
	option name 'br-mgmt' 
	option type 'bridge'
	option ports 'wan.42 lan1.42 lan2.42 lan3.42 lan4.42'
                    
config device 'vlan_40'
	option name 'br-dhcp' 
	option type 'bridge'
	option ports 'wan.40 lan1.40 lan2.40 lan3.40 lan4.40'
                    
config device 'vlan_untagged'
	option name 'br-prdhcp' 
	option type 'bridge'
	option ports 'wan lan1 lan2 lan3 lan4'

config interface 'mgmt'
	option device 'br-mgmt'
	option proto 'static'
	option ipaddr '10.36.190.178/28'
	option dns '10.36.190.177'
	option gateway '10.36.190.177'

config interface 'dhcp'
	option device 'br-dhcp'
	option proto 'none'

config interface 'prdhcp'
	option device 'br-prdhcp'
	option proto 'none'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option band '2g'
	option path 'platform/18000000.wmac'
	option htmode 'HT20'
	option channel '1'
	option txpower '3'
	option country 'DE'
	option legacy_rates '0'
	option bss_transition '1'
	option wnm_sleep_mode '1'
	option time_advertisement '2'
	option time_zone 'GMT0'
	option ieee80211k '1'
	option rrm_neighbor_report '1'
	option rrm_beacon_report '1'

config wifi-iface 'radio0_if0'
	option device 'radio0'
	option network 'dhcp'
	option ifname 'wlan2-ff'
	option mode 'ap'
	option encryption 'none'
	option ssid 'berlin.freifunk.net'
	option owe_transition_ifname 'wlan2-ffowe'
	option isolate '1'

config wifi-iface 'radio0_if1'
	option device 'radio0'
	option network 'dhcp'
	option ifname 'wlan2-ffowe'
	option mode 'ap'
	option encryption 'owe'
	option ssid 'berlin.freifunk.net OWE'
	option hidden '1'
	option ieee80211w '1'
	option owe_transition_ifname 'wlan2-ff'
	option isolate '1'

config wifi-iface 'radio0_if2'
	option device 'radio0'
	option network 'prdhcp'
	option ifname 'wlan2-pr'
	option mode 'ap'
	option encryption 'sae-mixed'
	option key 'myprivatepsk'
	option ssid 'MyPrivateSSID'

config wifi-device 'radio1'
	option type 'mac80211'
	option band '5g'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'HE20'
	option channel '52'
	option country 'DE'
	option legacy_rates '0'
	option bss_transition '1'
	option wnm_sleep_mode '1'
	option time_advertisement '2'
	option time_zone 'GMT0'
	option ieee80211k '1'
	option rrm_neighbor_report '1'
	option rrm_beacon_report '1'

config wifi-iface 'radio1_if0'
	option device 'radio1'
	option network 'dhcp'
	option ifname 'wlan5-ff'
	option mode 'ap'
	option encryption 'none'
	option ssid 'berlin.freifunk.net'
	option owe_transition_ifname 'wlan5-ffowe'
	option isolate '1'

config wifi-iface 'radio1_if1'
	option device 'radio1'
	option network 'dhcp'
	option ifname 'wlan5-ffowe'
	option mode 'ap'
	option encryption 'owe'
	option ssid 'berlin.freifunk.net OWE'
	option hidden '1'
	option ieee80211w '1'
	option owe_transition_ifname 'wlan5-ff'
	option isolate '1'

config wifi-iface 'radio1_if2'
	option device 'radio1'
	option network 'prdhcp'
	option ifname 'wlan5-pr'
	option mode 'ap'
	option encryption 'sae'
	option key 'myprivatepsk'
	option ssid 'MyPrivateSSID'

That's basically a pretty simple config for a dumb AP. The problem I'm facing is that the untagged frames are not properly forwarded between the switchports. Wifi to Ethernet is no problem, but Ethernet to Ethernet doesn't work, as only BUM frames are forwarded.

.. Some command outputs below:

root@wilgu10-int:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
3: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-prdhcp state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
4: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-prdhcp state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
5: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-prdhcp state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
6: lan4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-prdhcp state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-prdhcp state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d2 brd ff:ff:ff:ff:ff:ff
8: br-dhcp: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d2 brd ff:ff:ff:ff:ff:ff
9: wan.40@wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-dhcp state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d2 brd ff:ff:ff:ff:ff:ff
10: lan1.40@lan1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-dhcp state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
11: lan2.40@lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-dhcp state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
12: lan3.40@lan3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-dhcp state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
13: lan4.40@lan4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-dhcp state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
32: br-mgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d2 brd ff:ff:ff:ff:ff:ff
33: wan.42@wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-mgmt state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d2 brd ff:ff:ff:ff:ff:ff
34: lan1.42@lan1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-mgmt state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
35: lan2.42@lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-mgmt state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
36: lan3.42@lan3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-mgmt state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
37: lan4.42@lan4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-mgmt state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d3 brd ff:ff:ff:ff:ff:ff
38: br-prdhcp: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d2 brd ff:ff:ff:ff:ff:ff
[..]
45: wlan2-ff: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-dhcp state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d4 brd ff:ff:ff:ff:ff:ff
46: wlan2-ffowe: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-dhcp state UP mode DEFAULT group default qlen 1000
    link/ether c6:41:1e:f8:9d:d4 brd ff:ff:ff:ff:ff:ff permaddr c4:41:1e:f8:9d:d4
47: wlan2-pr: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-prdhcp state UP mode DEFAULT group default qlen 1000
    link/ether c2:41:1e:f8:9d:d4 brd ff:ff:ff:ff:ff:ff permaddr c4:41:1e:f8:9d:d4
48: wlan5-ff: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-dhcp state UP mode DEFAULT group default qlen 1000
    link/ether c4:41:1e:f8:9d:d5 brd ff:ff:ff:ff:ff:ff
49: wlan5-ffowe: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-dhcp state UP mode DEFAULT group default qlen 1000
    link/ether c6:41:1e:f8:9d:d5 brd ff:ff:ff:ff:ff:ff permaddr c4:41:1e:f8:9d:d5
50: wlan5-pr: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-prdhcp state UP mode DEFAULT group default qlen 1000
    link/ether c2:41:1e:f8:9d:d5 brd ff:ff:ff:ff:ff:ff permaddr c4:41:1e:f8:9d:d5
root@wilgu10-int:~# bridge link
3: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-prdhcp state disabled priority 32 cost 19 
4: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-prdhcp state forwarding priority 32 cost 19 
5: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-prdhcp state forwarding priority 32 cost 5 
6: lan4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-prdhcp state disabled priority 32 cost 5 
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-prdhcp state forwarding priority 32 cost 5 
9: wan.40@wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dhcp state forwarding priority 32 cost 5 
10: lan1.40@lan1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-dhcp state disabled priority 32 cost 19 
11: lan2.40@lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dhcp state forwarding priority 32 cost 19 
12: lan3.40@lan3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dhcp state forwarding priority 32 cost 5 
13: lan4.40@lan4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-dhcp state disabled priority 32 cost 5 
33: wan.42@wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-mgmt state forwarding priority 32 cost 5 
34: lan1.42@lan1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-mgmt state disabled priority 32 cost 19 
35: lan2.42@lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-mgmt state forwarding priority 32 cost 19 
36: lan3.42@lan3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-mgmt state forwarding priority 32 cost 5 
37: lan4.42@lan4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 master br-mgmt state disabled priority 32 cost 5 
[..]
45: wlan2-ff: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dhcp state forwarding priority 32 cost 100 
46: wlan2-ffowe: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dhcp state forwarding priority 32 cost 100 
47: wlan2-pr: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-prdhcp state forwarding priority 32 cost 100 
48: wlan5-ff: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dhcp state forwarding priority 32 cost 100 
49: wlan5-ffowe: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-dhcp state forwarding priority 32 cost 100 
50: wlan5-pr: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-prdhcp state forwarding priority 32 cost 100 
root@wilgu10-int:~# bridge fdb show | grep br-prdhcp
c4:41:1e:f8:9d:d3 dev lan1 vlan 1 master br-prdhcp permanent
c4:41:1e:f8:9d:d3 dev lan1 master br-prdhcp permanent
00:1a:22:14:41:f3 dev lan2 master br-prdhcp 
00:06:78:f5:59:a7 dev wan master br-prdhcp 
8c:a9:6f:1b:1d:d2 dev wan master br-prdhcp 
8c:a9:6f:1a:cc:30 dev wan master br-prdhcp 
b0:4a:39:c3:f8:d1 dev wan master br-prdhcp 
e8:9f:80:5d:38:5e dev wan master br-prdhcp 
c4:41:1e:f8:9d:d2 dev wan vlan 1 master br-prdhcp permanent
c4:41:1e:f8:9d:d2 dev wan master br-prdhcp permanent
33:33:00:00:00:01 dev br-prdhcp self permanent
33:33:00:00:00:02 dev br-prdhcp self permanent
01:00:5e:00:00:01 dev br-prdhcp self permanent
33:33:ff:f8:9d:d2 dev br-prdhcp self permanent
33:33:ff:00:00:00 dev br-prdhcp self permanent
c8:3a:35:19:6c:fc dev wlan2-pr offload master br-prdhcp 
50:ec:50:7a:ac:6f dev wlan2-pr offload master br-prdhcp 
c2:41:1e:f8:9d:d4 dev wlan2-pr vlan 1 master br-prdhcp permanent
c2:41:1e:f8:9d:d4 dev wlan2-pr master br-prdhcp permanent
c0:a5:e8:60:e8:11 dev wlan5-pr offload master br-prdhcp 
c2:41:1e:f8:9d:d5 dev wlan5-pr vlan 1 master br-prdhcp permanent
c2:41:1e:f8:9d:d5 dev wlan5-pr master br-prdhcp permanent

| In If | Src Mac | Out If | Dst Mac | Connectivity? |
|---|---|---|---|---|
| wlan5-pr | c0:a5:e8:60:e8:11 | wan | e8:9f:80:5d:38:5e | Yes |
| wan | e8:9f:80:5d:38:5e | wlan5-pr | c0:a5:e8:60:e8:11 | Yes |
| lan1 (untagged) | 00:1a:22:14:41:f3 | wan | e8:9f:80:5d:38:5e | No |
| lan1 (untagged) | 00:1a:22:14:41:f3 | wan | ff:ff:ff:ff:ff:ff | Yes |
| lan1 (untagged) | 00:1a:22:14:41:f3 | wan | 33:33:00:00:00:02 | Yes |
| wan.42 | | lan3.42 | | Yes, just to highlight that it works for tagged frames |

EDIT: Everything below applies to the official/vanilla OpenWrt. Given the fact that this is not standard OpenWrt (it is instead freifunk), it's possible that this advice will be counterproductive.


The syntax of your bridge configurations is entirely wrong. You need to erase them and re-create the entire structure.

Delete all of this:

Create a main bridge:

config device
	option name 'br-lan' 
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

Now, create bridge-vlans.
What I'm doing here is:

  • assuming that the wan is used as the uplink (i.e. to the main router)
  • assuming that the downlinks do not need to have all of the VLANs on all ports (this is only useful/desirable if the downstream devices are also VLAN aware).
  • Instead, we'll set up the lan ports so they can be used to test that things are working properly -- they'll be access ports so you can plug a computer into each of these ports and verify that the machine joins the correct network. This can all be changed, but let's do this for now:
    • Ports 1 and 2 will be the "Private" network
    • Port 3 will be the "public" network
    • Port 4 will be the "management" network

With all that said, add the following:

config bridge-vlan
	option device 'br-lan' 
	option vlan '1' 
	list ports 'wan:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan' 
	option vlan '40' 
	list ports 'wan:t'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan' 
	option vlan '42' 
	list ports 'wan:t'
	list ports 'lan4:u*'

Finally, edit the network interfaces as follows:

config interface 'mgmt'
	option device 'br-lan.42'
	option proto 'static'
	option ipaddr '10.36.190.178/28'
	option dns '10.36.190.177'
	option gateway '10.36.190.177'

config interface 'dhcp'
	option device 'br-lan.40'
	option proto 'none'

config interface 'prdhcp'
	option device 'br-lan.1'
	option proto 'none'

Side note -- I'd recommend renaming the dhcp and prdhcp network interfaces as public and private respectively... that would look like this:

config interface 'public'
	option device 'br-lan.40'
	option proto 'none'

config interface 'private'
	option device 'br-lan.1'
	option proto 'none'

If you do rename as I'm suggesting, be sure to update the wireless configs accordingly...

which also brings me to the wireless file... there's a lot of stuff going on there that you should probably reconsider... but get your main network file set up properly first.
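
A lint for the layout this reply replaces, as an added example that is not part of the original post or of OpenWrt's tooling: it reads a UCI network config and reports every port that is enslaved whole in one bridge while its `port.VID` sub-interfaces are enslaved in other bridges. The function names and the `SPLIT` output format are made up for this example; the sample configs are the bridge sections from the thread (the reply's port list is shortened).

```shell
# Added example (not from the thread): flag switch ports bridged whole in one
# bridge while their 802.1Q sub-interfaces (port.VID) sit in other bridges.
# Reads a UCI network config on stdin; prints one sorted SPLIT line per port.
lint_split_bridges() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    function endsec(   i, base) {        # record ports of a finished section
        for (i = 1; is_bridge && i <= n; i++) {
            base = port[i]; sub(/\.[0-9]+$/, "", base)
            if (base == port[i]) whole[base] = name
            else subif[base] = subif[base] " " port[i] "(" name ")"
        }
        name = ""; is_bridge = 0; n = 0
    }
    $1 == "config" { endsec(); in_dev = ($2 == "device"); next }
    !in_dev { next }
    $2 == "name"  { name = unq($3) }
    $2 == "type"  { is_bridge = (unq($3) == "bridge") }
    $2 == "ports" { for (i = 3; i <= NF; i++) port[++n] = unq($i) }
    END {
        endsec()
        for (p in whole) if (p in subif)
            print "SPLIT " p ": whole port in " whole[p] "; also" subif[p]
    }' | sort
}
# Bridge sections as posted at the start of the thread.
sample_before() {
    cat <<'EOF'
config device 'vlan_42'
	option name 'br-mgmt'
	option type 'bridge'
	option ports 'wan.42 lan1.42 lan2.42 lan3.42 lan4.42'
config device 'vlan_40'
	option name 'br-dhcp'
	option type 'bridge'
	option ports 'wan.40 lan1.40 lan2.40 lan3.40 lan4.40'
config device 'vlan_untagged'
	option name 'br-prdhcp'
	option type 'bridge'
	option ports 'wan lan1 lan2 lan3 lan4'
EOF
}
# Single bridge from the reply, port list shortened (VLANs live in bridge-vlan).
sample_after() {
    cat <<'EOF'
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'wan'
EOF
}

sample_before | lint_split_bridges
```

On a device, the same function can be fed the live file with `lint_split_bridges < /etc/config/network`; no output means every port is a member of at most one bridge layout.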

Thank you for the reply. It seems your approach is finally working. Even roaming seems to be working fine, no more stale fdb entries. To give you a bit of context, we were previously running a pretty similar setup, but instead of attaching the wifi ifaces to the main vlan-aware bridge, we had created yet another bridge which connected switch0.40/41 to the wlan ifaces.

> The syntax of your bridge configurations is entirely wrong. You need to erase them and re-create the entire structure.

Can you please elaborate, why? I mean it should be still working?

> which also brings me to the wireless file... there's a lot of stuff going on there that you should probably reconsider.

We would be thankful for feedback. What I can tell is that this config has evolved over time and turned out to work quite well so far.

Best Simon