DSA VLAN broadcasts fail

OpenWrt 23.05.2 r23630-842932a63d

Broadcast traffic is failing to cross a DSA filtered bridge device after moving the LAN interface to br-lan.1.

In default state, a bootp packet entering LAN1 is rebroadcast on LAN2. So lan1 - br-lan - lan2 works and I can tcpdump the packets at each step.

Once I add a single VLAN and move the LAN interface into it, the packet silently dies at LAN1. It is never seen on br-lan.1. All non-broadcast traffic seems to flow normally. The same firewall rules are in place. LAN1 carries VLAN 1,11,12 tagged and LAN2 is VLAN1 untagged and default.

If I move the LAN interface back to br-lan (no .number) then it all works as expected and broadcasts are seen on both LAN ports. If I repeat moving in and back out of the sub interface more than once, connectivity is lost across the interface.

What could be causing this issue? Is there anything I can do to mitigate it?

Thanks,
Mike

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

Thanks for looking @psherman

ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "nobody",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "GL.iNet GL-B1300",
	"board_name": "glinet,gl-b1300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

With no VLAN and broadcast working LAN1 <> LAN2

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	option promisc '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

With VLAN Configured and broadcast failing LAN1<>LAN2

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	option promisc '0'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '11'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '12'
	list ports 'lan1:t'

I don't need to configure interfaces for the other VLANs. This is enough to cause the failure. All configuration is being done via LuCI.

Is the device connected to lan1 VLAN aware and properly configured to expect VLAN1 tagged?

TP Link EAP225 configured for VLANs 1, 11, and 12.

Also, direct connection with no switch between the EAP225 and the LAN1 port.

That doesn't show us if it is expecting VLAN 1 as tagged or not.

You can make a quick change to see if this is the problem... make port lan1 untagged like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

Restart the router and then try.

As expected, it does propagate the broadcasts with this change:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

When fully configured with interfaces, each VLAN and associated SSID were on the correct DHCP server. It's only that the EAP225 couldn't broadcast their bootp packets across the router, so they would eventually time out and fail.

I'm going to dump the traffic to see if the VLAN tag is present.

This proves that the problem is not OpenWrt or DSA -- it's the configuration on the EAP225. If you want to have VLAN 1 tagged, you need to adjust the config on the EAP225 to expect the tagged network. Otherwise, it's clearly expecting VLAN 1 untagged.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

The EAP225 is configured to tag and expect tagging. In the current configuration, no packets pass from the EAPs to the LAN except for broadcast packets. In other words, only broadcast traffic works now.

Please show us the complete vlan configuration for the AP.

@psherman, I'm currently online with TP-Link. I've determined that some Omada management packets are untagged. I can work around this by setting the primary vlan to 1 on the LAN1 connector. Once I finish up with them I'll update. We shouldn't have to accept untagged management packets. I want to post the full solution here before closing.

The solution will be on the TP-Link device. I'm sure it will be helpful for others to see what you had to change on that unit (i.e. where in the firmware those settings reside).

But we can confidently conclude that OpenWrt/DSA is not the problem here.

Please update as appropriate and then mark the solution accordingly.
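
An added example, not part of the thread or written by any of its posters: a small shell/awk check that reads `bridge-vlan` sections and lists ports that have no PVID, since a VLAN-filtering Linux bridge drops untagged frames arriving on such a port. It assumes only the port suffixes shown in the thread (`:t` for tagged, `:u*` for untagged with PVID); the function names are hypothetical and the sample input is constructed from the failing configuration posted above.

```shell
#!/bin/sh
# Constructed sample: the three bridge-vlan sections from the failing config.
SAMPLE_CONFIG="config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '11'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '12'
	list ports 'lan1:t'
"

# Read UCI network config on stdin; print "port vlan mode" per membership.
# mode is tagged, untagged, or either with "+pvid" when the '*' flag is set.
vlan_memberships() {
	awk -v q="'" '
	function unq(s) { gsub(q, "", s); return s }
	$1 == "config" { in_vlan = ($2 == "bridge-vlan"); vid = ""; next }
	in_vlan && $1 == "option" && $2 == "vlan" { vid = unq($3); next }
	in_vlan && $1 == "list" && $2 == "ports" {
		spec = unq($3); port = spec; flags = ""
		i = index(spec, ":")
		if (i) { port = substr(spec, 1, i - 1); flags = substr(spec, i + 1) }
		mode = (flags ~ /t/) ? "tagged" : "untagged"
		if (flags ~ /\*/) mode = mode "+pvid"
		print port, vid, mode
	}'
}

# Ports that are a member of some VLAN but carry the PVID flag in none:
# untagged ingress frames on these ports have no VLAN to land in.
ports_without_pvid() {
	vlan_memberships | awk '
	{ seen[$1] = 1 }
	$3 ~ /\+pvid$/ { pvid[$1] = 1 }
	END { for (p in seen) if (!(p in pvid)) print p }' | sort
}

# Stand-alone run on the constructed sample; on a router the input
# would be /etc/config/network instead.
printf '%s\n' "$SAMPLE_CONFIG" | ports_without_pvid
```

Comparing this against a capture of the link (for example `tcpdump -e` on the port, which prints the 802.1Q header when one is present) shows whether the attached device really tags the frames the port expects tagged.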