Try this command:
# uci show network
Thank you, but this is basically the same information I already have set in "/etc/config/network":
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='lan0 lan1 lan2 lan3 lan4.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
Are you sure your firewall config is correct?
iptables -S
iptables -t nat -S
iptables -t mangle -S
iptables -t raw -S
sysctl -a
ifconfig
Post the output of the commands above.
I think iptables does not see traffic that is switched inside a bridge (between ports of the same bridge) unless the br_netfilter hook (`net.bridge.bridge-nf-call-iptables`) is enabled; that layer-2 traffic is the domain of ebtables, which I don't have installed. Traffic routed between br-lan and br-dmz, or to/from the router itself, does still pass through the iptables INPUT/FORWARD chains shown below. Anyway, here is the output of the commands.
iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N forwarding_dmz_rule
-N forwarding_dn42_rule
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_dmz_rule
-N input_dn42_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_dmz_rule
-N output_dn42_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_dmz_dest_ACCEPT
-N zone_dmz_forward
-N zone_dmz_input
-N zone_dmz_output
-N zone_dmz_src_REJECT
-N zone_dn42_dest_ACCEPT
-N zone_dn42_forward
-N zone_dn42_input
-N zone_dn42_output
-N zone_dn42_src_REJECT
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-dmz -m comment --comment "!fw3" -j zone_dmz_input
-A INPUT -i eth2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_dn42_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-dmz -m comment --comment "!fw3" -j zone_dmz_forward
-A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_dn42_forward
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-dmz -m comment --comment "!fw3" -j zone_dmz_output
-A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_dn42_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_dmz_dest_ACCEPT -o br-dmz -m comment --comment "!fw3" -j ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3: Custom dmz forwarding rule chain" -j forwarding_dmz_rule
-A zone_dmz_forward -m comment --comment "!fw3: Zone dmz to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3: Zone dmz to dn42 forwarding policy" -j zone_dn42_dest_ACCEPT
-A zone_dmz_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
-A zone_dmz_input -m comment --comment "!fw3: Custom dmz input rule chain" -j input_dmz_rule
-A zone_dmz_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: dmz-input-icmp" -j ACCEPT
-A zone_dmz_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_dmz_input -m comment --comment "!fw3" -j zone_dmz_src_REJECT
-A zone_dmz_output -m comment --comment "!fw3: Custom dmz output rule chain" -j output_dmz_rule
-A zone_dmz_output -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
-A zone_dmz_src_REJECT -i br-dmz -m comment --comment "!fw3" -j reject
-A zone_dn42_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_dn42_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_dn42_forward -m comment --comment "!fw3: Custom dn42 forwarding rule chain" -j forwarding_dn42_rule
-A zone_dn42_forward -m comment --comment "!fw3: Zone dn42 to dmz forwarding policy" -j zone_dmz_dest_ACCEPT
-A zone_dn42_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_dn42_forward -m comment --comment "!fw3" -j zone_dn42_dest_ACCEPT
-A zone_dn42_input -m comment --comment "!fw3: Custom dn42 input rule chain" -j input_dn42_rule
-A zone_dn42_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: dn42-input-icmp" -j ACCEPT
-A zone_dn42_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_dn42_input -m comment --comment "!fw3" -j zone_dn42_src_REJECT
-A zone_dn42_output -m comment --comment "!fw3: Custom dn42 output rule chain" -j output_dn42_rule
-A zone_dn42_output -m comment --comment "!fw3" -j zone_dn42_dest_ACCEPT
-A zone_dn42_src_REJECT -i tun1 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to dmz forwarding policy" -j zone_dmz_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to dn42 forwarding policy" -j zone_dn42_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o 6in4-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o 6in4-wan6 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o 6in4-wan6 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: wan-input-bootpc" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: wan-input-icmp" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: wan-input-openvpn" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i 6in4-wan6 -m comment --comment "!fw3" -j reject
iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N postrouting_dmz_rule
-N postrouting_dn42_rule
-N postrouting_lan_rule
-N postrouting_rule
-N postrouting_wan_rule
-N prerouting_dmz_rule
-N prerouting_dn42_rule
-N prerouting_lan_rule
-N prerouting_rule
-N prerouting_wan_rule
-N zone_dmz_postrouting
-N zone_dmz_prerouting
-N zone_dn42_postrouting
-N zone_dn42_prerouting
-N zone_lan_postrouting
-N zone_lan_prerouting
-N zone_wan_postrouting
-N zone_wan_prerouting
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-dmz -m comment --comment "!fw3" -j zone_dmz_prerouting
-A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_dn42_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-dmz -m comment --comment "!fw3" -j zone_dmz_postrouting
-A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_dn42_postrouting
-A zone_dmz_postrouting -m comment --comment "!fw3: Custom dmz postrouting rule chain" -j postrouting_dmz_rule
-A zone_dmz_prerouting -m comment --comment "!fw3: Custom dmz prerouting rule chain" -j prerouting_dmz_rule
-A zone_dn42_postrouting -m comment --comment "!fw3: Custom dn42 postrouting rule chain" -j postrouting_dn42_rule
-A zone_dn42_postrouting -s 192.168.1.0/23 -m comment --comment "!fw3" -j MASQUERADE
-A zone_dn42_prerouting -m comment --comment "!fw3: Custom dn42 prerouting rule chain" -j prerouting_dn42_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A FORWARD -o eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o 6in4-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t raw -S
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
ifconfig
6in4-wan6 Link encap:IPv6-in-IPv4
inet6 addr: x:x:x:x::x/64 Scope:Global
inet6 addr: fe80::51ac:2294/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:5548 errors:0 dropped:0 overruns:0 frame:0
TX packets:4224 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2405483 (2.2 MiB) TX bytes:867794 (847.4 KiB)
br-dmz Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
inet6 addr: x:x:x:x::x/64 Scope:Global
inet6 addr: x:x:x:x::x/64 Scope:Global
inet6 addr: fe80::da58:d7ff:fe00:60c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:707 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6048 (5.9 KiB) TX bytes:61154 (59.7 KiB)
br-lan Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: x:x:x:x::x/64 Scope:Global
inet6 addr: x:x:x:x::x/64 Scope:Global
inet6 addr: fe80::da58:d7ff:fe00:60c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10523 errors:0 dropped:0 overruns:0 frame:0
TX packets:18288 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1432006 (1.3 MiB) TX bytes:16708127 (15.9 MiB)
eth1 Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
inet6 addr: fe80::da58:d7ff:fe00:60c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:43858 errors:0 dropped:0 overruns:0 frame:0
TX packets:56218 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:3818452 (3.6 MiB) TX bytes:19157727 (18.2 MiB)
Interrupt:38
eth2 Link encap:Ethernet HWaddr D8:58:D7:00:60:C1
inet addr:x.x.x.x Bcast:x.x.x.x Mask:255.255.248.0
inet6 addr: fe80::da58:d7ff:fe00:60c1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:171420 errors:0 dropped:0 overruns:0 frame:0
TX packets:14182 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:26881653 (25.6 MiB) TX bytes:2126770 (2.0 MiB)
Interrupt:39
ifb4eth2 Link encap:Ethernet HWaddr EA:15:67:2B:C1:1D
inet6 addr: fe80::e815:67ff:fe2b:c11d/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:171278 errors:0 dropped:0 overruns:0 frame:0
TX packets:171278 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:26850790 (25.6 MiB) TX bytes:26850790 (25.6 MiB)
lan0 Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8286 errors:0 dropped:0 overruns:0 frame:0
TX packets:19137 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1103681 (1.0 MiB) TX bytes:16295538 (15.5 MiB)
lan1 Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lan2 Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lan3 Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:35056 errors:0 dropped:1 overruns:0 frame:0
TX packets:704 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1612576 (1.5 MiB) TX bytes:149341 (145.8 KiB)
lan4 Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
inet6 addr: fe80::da58:d7ff:fe00:60c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:516 errors:0 dropped:0 overruns:0 frame:0
TX packets:36377 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:137319 (134.1 KiB) TX bytes:2408612 (2.2 MiB)
lan4.1 Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:483 errors:0 dropped:0 overruns:0 frame:0
TX packets:35670 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:129075 (126.0 KiB) TX bytes:2201950 (2.0 MiB)
lan4.2 Link encap:Ethernet HWaddr D8:58:D7:00:60:C0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:707 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6048 (5.9 KiB) TX bytes:61154 (59.7 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:409 errors:0 dropped:0 overruns:0 frame:0
TX packets:409 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:43802 (42.7 KiB) TX bytes:43802 (42.7 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.2.1 P-t-P:192.168.2.1 Mask:255.255.255.0
inet6 addr: x:x:x:x::x/64 Scope:Global
inet6 addr: fe80::25d1:a928:8b96:7e01/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:152 (152.0 B)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.23.12.1 P-t-P:172.23.67.1 Mask:255.255.255.255
inet6 addr: fe80::5226:eaea:a1bf:b28a/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3026 errors:0 dropped:0 overruns:0 frame:0
TX packets:3027 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:464277 (453.3 KiB) TX bytes:161044 (157.2 KiB)
wlan0 Link encap:Ethernet HWaddr 04:F0:21:24:21:29
inet6 addr: fe80::6f0:21ff:fe24:2129/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:703 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:161817 (158.0 KiB)
wlan1 Link encap:Ethernet HWaddr 04:F0:21:23:16:A8
inet6 addr: fe80::6f0:21ff:fe23:16a8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1753 errors:0 dropped:0 overruns:0 frame:0
TX packets:2202 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:223786 (218.5 KiB) TX bytes:720114 (703.2 KiB)
The output of sysctl -a is too long for my console buffer. If you want a specific part I can filter it with `sysctl -a | grep xxx` (for example `sysctl -a | grep bridge-nf-call` to see whether bridged traffic is passed to iptables at all).
I have replaced all my public IPv4 addresses with x.x.x.x and my global IPv6 addresses with x:x:x:x::x.
Partly solved ("br-lan" works; "br-dmz" is still pending).
First, the kernel has to be built with the option "CONFIG_BRIDGE_VLAN_FILTERING" and the package "ip-bridge" (which provides the `bridge` command) has to be installed. Then the UCI configuration has to be changed to use "lan4"; with "lan4.1" it does not work:
config interface 'lan'
option type 'bridge'
option ifname 'lan0 lan1 lan2 lan3 lan4'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
Next, enable VLAN filtering on the "br-lan" bridge (note that this sysfs write is not persistent: it has to be repeated after every reboot or network reload, so check it before relying on the VLAN separation):
# echo "1" > /sys/class/net/br-lan/bridge/vlan_filtering
And finally, make lan4 a tagged member of VLAN 1 (this replaces the default "PVID Egress Untagged" entry for VID 1 on that port, as the listing below shows, so untagged frames arriving on lan4 are dropped from then on):
# bridge vlan add vid 1 dev lan4 master
Which gives:
# bridge vlan
port vlan ids
lan0 1 PVID Egress Untagged
lan1 1 PVID Egress Untagged
lan2 1 PVID Egress Untagged
lan3 1 PVID Egress Untagged
lan4 1
br-lan 1 PVID Egress Untagged
veth0 1 PVID Egress Untagged
wlan1 1 PVID Egress Untagged
wlan0 1 PVID Egress Untagged
But now, how can I configure the second bridge "br-dmz" if I can't add the same interface "lan4" to two bridges and I can't use "lan4.1" and "lan4.2"?
PS: I have opened a bug report.
Try @lan4.1
notation, such as
config interface 'vlan1000'
option type 'bridge'
option stp '1'
option ifname 'eth0.1000 @gt95.1000 @gt96.1000 @gt97.1000 @gt98.1000'
option proto 'none'
option auto '1'
option delegate '0'
Thank you, but it does not do the trick.
Are the generated interface names too long? There is a 15-character limit. For example
gre4t-gt95.1000
is right at the limit, as OpenWRT adds the gre4t-
prefix.
I used @lan4.1 and @lan4.2 and they are completely ignored: no interface named *lan4.1 or *lan4.2 (gre4t-lan4.1 or similar) is created.
I don't understand this at all. There must be a bug somewhere.
If I boot with this config:
config interface 'lan'
option type 'bridge'
option ifname 'lan0 lan1 lan2 lan3 lan4.1'
option proto 'static'
[...]
config interface 'dmz'
option type 'bridge'
option ifname 'lan4.2'
option proto 'static'
[...]
it does not work, but if I change the config, for example, to:
config interface 'lan'
option type 'bridge'
option ifname 'lan0 lan1 lan3 lan4'
option proto 'static'
[...]
config interface 'dmz'
option type 'bridge'
option ifname 'lan2'
option proto 'static'
[...]
then reload the network:
/etc/init.d/network reload
and then change the network configuration back to the first one:
config interface 'lan'
option type 'bridge'
option ifname 'lan0 lan1 lan2 lan3 lan4.1'
option proto 'static'
[...]
config interface 'dmz'
option type 'bridge'
option ifname 'lan4.2'
option proto 'static'
[...]
and reload the network again:
/etc/init.d/network reload
everything works (ping from a Linux PC connected to lan0):
$ ping -c3 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.598 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.576 ms
64 bytes from 192.168.1.5: icmp_seq=3 ttl=64 time=0.574 ms
--- 192.168.1.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2039ms
rtt min/avg/max/mdev = 0.574/0.582/0.598/0.029 ms
$ ping -c3 192.168.3.5
PING 192.168.3.5 (192.168.3.5) 56(84) bytes of data.
64 bytes from 192.168.3.5: icmp_seq=1 ttl=64 time=0.598 ms
64 bytes from 192.168.3.5: icmp_seq=2 ttl=64 time=0.576 ms
64 bytes from 192.168.3.5: icmp_seq=3 ttl=64 time=0.574 ms
--- 192.168.3.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2039ms
rtt min/avg/max/mdev = 0.574/0.582/0.598/0.029 ms
PS: For this workaround to work, a kernel with CONFIG_BRIDGE_VLAN_FILTERING is required. Since it depends on the order of the two reloads, verify the result with `bridge vlan` after every reboot before relying on the LAN/DMZ separation.
I absolutely need vlan on my omnia. Any news on this?
I enabled CONFIG_BRIDGE_VLAN_FILTERING in my build of current master and I cannot even do this
echo "1" > /sys/class/net/br-lan/bridge/vlan_filtering
/bin/ash: can't create /sys/class/net/br-lan/bridge/vlan_filtering: Permission denied
nor
bridge vlan add vid 2 dev lan4
RTNETLINK answers: Not supported
or
bridge vlan add vid 2 dev br-lan
RTNETLINK answers: Not supported
Where did you enable CONFIG_BRIDGE_VLAN_FILTERING?
My build is based on the OpenWRT git tag v18.06.1 and I enabled CONFIG_BRIDGE_VLAN_FILTERING in openwrt/target/linux/generic/config-4.14:
cat openwrt/target/linux/generic/config-4.14 | grep -i CONFIG_BRIDGE_VLAN_FILTERING
CONFIG_BRIDGE_VLAN_FILTERING=y
After enabling it I still need to apply the workaround (DSA switch port VLAN tagging/untagging) after each reboot.
PS: I have opened a bug report, but there has been no activity on it...
If you want to try it, I have uploaded my build to Dropbox. (Anyone flashing a firmware image built by a third party should verify it against a checksum obtained out of band or, better, rebuild it themselves from the configuration below rather than trusting the binary.)
These are the changes with respect to the official build:
CONFIG_TARGET_mvebu=y
CONFIG_TARGET_mvebu_cortexa9=y
CONFIG_TARGET_mvebu_cortexa9_DEVICE_turris-omnia=y
CONFIG_PACKAGE_kmod-fs-btrfs=y
CONFIG_PACKAGE_kmod-usb-hid=y
CONFIG_PACKAGE_6in4=y
CONFIG_PACKAGE_apcupsd=y
CONFIG_PACKAGE_birdc4=y
CONFIG_PACKAGE_birdc6=y
CONFIG_PACKAGE_block-mount=y
CONFIG_PACKAGE_btrfs-progs=y
CONFIG_PACKAGE_ca-certificates=y
CONFIG_PACKAGE_cfdisk=y
CONFIG_PACKAGE_dnsmasq=n
CONFIG_PACKAGE_gnupg=y
CONFIG_PACKAGE_gnupg-utils=y
CONFIG_PACKAGE_lxc-auto=y
CONFIG_PACKAGE_msmtp=y
CONFIG_PACKAGE_odhcpd=y
CONFIG_PACKAGE_odhcpd-ipv6only=n
CONFIG_PACKAGE_openvpn-openssl=y
CONFIG_PACKAGE_swap-utils=y
CONFIG_PACKAGE_unbound-control=y
CONFIG_PACKAGE_luci-app-ddns=y
CONFIG_PACKAGE_luci-app-lxc=y
CONFIG_PACKAGE_luci-app-openvpn=y
CONFIG_PACKAGE_luci-app-sqm=y
CONFIG_PACKAGE_luci-app-unbound=y
CONFIG_PACKAGE_luci-ssl-openssl=y
CONFIG_LXC_BUSYBOX_OPTIONS=y
CONFIG_LXC_KERNEL_OPTIONS=y
CONFIG_LXC_NETWORKING=y
CONFIG_LXC_SECCOMP=y
And of course, enable the kernel option CONFIG_BRIDGE_VLAN_FILTERING.
I am not using dnsmasq, so DHCP does not work out of the box; you will need to configure /etc/config/dhcp and /etc/config/unbound: documentation
And don't forget the workaround: DSA switch port VLAN tagging/untagging
PS: If you find a better way to work with VLANs on the Turris Omnia, please let me know.
I see that this hasn't got many replies. I have the same issue, but on the 4.19 kernel; on 4.14 I had no issues. One thing I noted was that as soon as I disabled the symbol CONFIG_BRIDGE_VLAN_FILTERING=y
the issue went away, so I believe this is an OpenWRT script issue: the scripts do not use the VLAN filtering machinery, which makes tagged traffic not work.
The switch's upstream (CPU-facing) ports 5 & 6 are not exposed by DSA and thus are not configurable, since that is not necessary with DSA.
As far as I can tell from the initial post you want a trunk port (expecting frames tagged with the VLAN ID from the client on ingress and tagging them with the VLAN ID on egress) on lan4 with VLAN ID 1. For that purpose just substitute lan4
with lan4.1
as you stated earlier:
config interface 'lan'
option type 'bridge'
option ifname 'lan0 lan1 lan2 lan3 lan4.1'
In this case any client connected to lan4 is now expected to tag its frames with VLAN ID 1 on ingress to that port; otherwise they are dropped.
That is expected, since it would require:
- the client on lan0 to send a packet tagged with VLAN ID 1
- lan0 to be a trunk (or hybrid) port that does not strip the VLAN ID on egress
If that is not fulfilled, ingress frames at lan4(.1) will be dropped.
Now for the DMZ it would seem that you also want clients connecting on lan4. Is that port connected to a switch, or do you change the client on that port (lan4) frequently? Otherwise it would not seem to make sense.
So my first mistake was assuming that VLAN 1 is the "native" (untagged) VLAN, as on Cisco devices.
I have two devices:
- Turris Omnia (acting as the WAN router, with DSA)
- Netgear wndr3700v2 (acting as a switch, with swconfig), still to be migrated to DSA
The Turris Wi-Fi and Ethernet ports 0 - 3 are in the LAN, and port 4 is connected to the Netgear carrying both LAN and DMZ. The idea is that the Netgear's Wi-Fi is the guest Wi-Fi in the DMZ, while the Netgear's Ethernet ports stay in the LAN.
I don't know if I'm explaining myself well; I will try to find some online app to draw a network diagram.
TO lan4 = TOLp4
Netgear wndr3700v2 = NG
NG port to TOLp4 = NGpT
NG lan ports = NGpL
NG Wlan ports = NGpW
TOLp4 <--- cat cable / VLAN trunk ----> NGpT
On the TO configure trunk ports
config interface 'lan'
option type 'bridge'
option ifname 'lan0 lan1 lan2 lan3 lan4.1'
config interface 'dmz'
option type 'bridge'
option ifname 'lan4.2'
On the NG (sorry, I cannot help with the exact config for it):
- configure NGpT as trunk port (tagged) with VLAN ID 1 and 2
- configure NGpL as access ports (untagged) with VLAN ID 1
- configure NGpW as access ports (untagged) with VLAN ID 2
Maybe also have a look at this thread (towards the bottom, or what is marked as the solution): [Solved] Internet redundancy with two routers and two connections
Sorry for the late response, I have little time...
So, this seems to work:
Turris Omnia.
config interface 'lan'
option type 'bridge'
option ifname 'lan0 lan1 lan2 lan3 lan4'
config interface 'dmz'
option type 'bridge'
option ifname 'lan4.1'
Netgear wndr3700v2 (this acts as a switch; it has no direct Internet access and gets it through the Turris Omnia):
config interface 'lan'
option type 'bridge'
option ifname 'eth0 eth1'
config device 'lan_eth0_dev'
option name 'eth0'
config device 'lan_eth1_dev'
option name 'eth1'
config interface 'dmz'
option type 'bridge'
option ifname 'eth1.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
I can't find documentation about `config device 'lan_ethX_dev'`,
only this.
I still need to test that the networks are really isolated — for example, from a host on the DMZ (guest Wi-Fi) VLAN, check that the LAN subnet 192.168.1.0/24 and the routers' LAN addresses are unreachable, since the firewall's LAN/DMZ separation only holds if the VLAN tagging on the trunk is correct. There also seems to be some trouble with DNS resolution on devices connected to the LAN on the Netgear (I will need to verify this).
I would like to hear your opinion about this config. Thanks.
The `config device 'lan_ethX_dev'` sections (see [1]) do not achieve anything as written — they only set `option name` and no other property — and can be removed.
Which is somewhat odd since it seems that you wanted VID 1 for LAN and VID 2 for DMZ but now you set VID 1 for DMZ instead?
Do you have any port schematic/layout for the wndr3700v2? When I look it up it shows as a dual-band gigabit WLAN router rather than a pure switch, apparently with a built-in switch (4 LAN ports?). What are the eth0 (WAN?) and eth1 (CPU port facing the switch?) interfaces?
Never mind, just found[2]
- switch port 5 <---> CPU port eth0
- CPU port eth1 <---> WAN