Hello everyone! I'm having some problems with a bit of a weird setup I'm working on, and maybe one of you folks can point me in the right direction. Thanks in advance!
My setup is the following:
I'm connecting several OpenWrt 18.06 devices, with each port pair separated on a different VLAN. Each eth0.X interface is assigned an IP address in the corresponding 192.168.X.0/24 range, so each pair of ports can see each other. I have full connectivity between each pair of devices, so there seems to be no problem there.
Then, for each pair of VLAN-connected ports, I create a GRETAP tunnel and merge the endpoints of those tunnels into the same bridge, configured on a subnet independent from the VLAN ones, so I don't have routing problems, and with STP enabled. The GRE tunnel is established without problems and sets a 1280 MTU, with the bridge itself going down to 1200. STP negotiates properly, and I have ping between all the different devices.
When I try to open any TCP connection, nothing happens. Going down the old tcpdump tree, the initial TCP packet seems to go through the bridge, into the GRE tunnel, into the eth0.X interface, and out the eth0 interface. The MSS shown in the packet is 1160, with the correct VLAN ID and IP/MAC pairs both inside and outside the tunnel and all. But on the other device, there is no trace of the packet. I get the ARP and STP traffic, but no TCP, even when snooping on eth0 itself. I tested fragmentation by sending huge ICMP packets, and it seems to be working properly, so the problem seems to be with TCP itself.
In the final solution there will be other devices between them, but for testing purposes they are directly connected right now.
Any ideas on how to debug this? Thanks for your help!
Configuration files for reference:
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'mgmt'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.80.225'
	option netmask '255.255.255.0'
	option gateway '192.168.80.1'
	option dns '192.168.30.50'

config interface 'master'
	option type 'bridge'
	option stp '1'
	option ifname 'gre4t-tun239 gre4t-tun138 '
	option proto 'static'
	option ipaddr '192.168.55.121'
	option netmask '255.255.255.0'

config interface 'tun239'
	option proto 'gretap'
	option ipaddr '192.168.239.243'
	option peeraddr '192.168.239.239'

config interface 'vlan239'
	option ifname 'eth0.239'
	option proto 'static'
	option ipaddr '192.168.239.243'
	option netmask '255.255.255.0'

config interface 'tun138'
	option proto 'gretap'
	option ipaddr '192.168.138.242'
	option peeraddr '192.168.138.138'

config interface 'vlan138'
	option ifname 'eth0.138'
	option proto 'static'
	option ipaddr '192.168.138.242'
	option netmask '255.255.255.0'

config interface 'basic'
	option ifname 'eth0.14 wlan1 '
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t'

config switch_vlan
	option device 'switch0'
	option vlan '22'
	option vid '239'
	option ports '0t 2'

config switch_vlan
	option device 'switch0'
	option vlan '21'
	option vid '138'
	option ports '0t 1'

config switch_vlan
	option device 'switch0'
	option vlan '14'
	option vid '14'
	option ports '0t 4'
config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6 1

config zone
	option name basic
	list network 'basic'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

config zone
	option name master
	list network 'master'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT
	option masq 1
	option mtu_fix 1

config forwarding
	option src basic
	option dest master

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name Allow-DHCP-Renew
	option src master
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4

# Allow IPv4 ping
config rule
	option name Allow-Ping
	option src master
	option proto icmp
	option icmp_type echo-request
	option family ipv4
	option target ACCEPT

config rule
	option name Allow-IGMP
	option src master
	option proto igmp
	option family ipv4
	option target ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

# allow IPsec/ESP and ISAKMP passthrough
config rule
	option src master
	option dest basic
	option proto esp
	option target ACCEPT

config rule
	option src master
	option dest basic
	option dest_port 500
	option proto udp
	option target ACCEPT
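One check worth running against configs like the ones above is which logical interfaces are actually covered by a firewall zone: in the posted firewall config only 'basic' and 'master' are zone members, so the vlan*, tun* and mgmt interfaces carrying the GRE transport fall back to the policies in `config defaults`. The script below is an added example, not code from the original post or from OpenWrt; it contains a small UCI parser and reports the unzoned interfaces together with the default policy that applies to them. The embedded configs are abbreviated copies of the ones in the post; the function names are my own.

```python
# Added example: parse OpenWrt UCI network/firewall configs and list the logical
# interfaces that belong to no firewall zone (they inherit 'config defaults').
import shlex
from collections import defaultdict

# Abbreviated copies of the configs posted above (only the lines this check needs).
NETWORK_CONF = """
config interface 'loopback'
    option ifname 'lo'
config interface 'mgmt'
    option ifname 'eth1'
config interface 'master'
    option type 'bridge'
    option ifname 'gre4t-tun239 gre4t-tun138 '
config interface 'tun239'
    option proto 'gretap'
config interface 'vlan239'
    option ifname 'eth0.239'
config interface 'tun138'
    option proto 'gretap'
config interface 'vlan138'
    option ifname 'eth0.138'
config interface 'basic'
    option ifname 'eth0.14 wlan1 '
    option type 'bridge'
"""

FIREWALL_CONF = """
config defaults
    option input ACCEPT
    option output ACCEPT
    option forward REJECT
    # option disable_ipv6 1
config zone
    option name basic
    list network 'basic'
    option forward ACCEPT
config zone
    option name master
    list network 'master'
    option forward ACCEPT
    option masq 1
    option mtu_fix 1
"""


def parse_uci(text):
    """Parse UCI text into a list of sections: {type, name, options, lists}."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = shlex.split(line)          # handles the quoted values UCI uses
        keyword, args = tokens[0], tokens[1:]
        if keyword == 'config':
            current = {'type': args[0], 'name': args[1] if len(args) > 1 else None,
                       'options': {}, 'lists': defaultdict(list)}
            sections.append(current)
        elif current is None:
            raise ValueError(f'option/list before any config line: {line!r}')
        elif keyword == 'option':
            current['options'][args[0]] = args[1] if len(args) > 1 else ''
        elif keyword == 'list':
            current['lists'][args[0]].append(args[1] if len(args) > 1 else '')
    return sections


def zone_membership(firewall_conf):
    """Map each logical interface name to the zone that claims it."""
    members = {}
    for s in parse_uci(firewall_conf):
        if s['type'] != 'zone':
            continue
        zone = s['options'].get('name', '<unnamed>')
        # Both spellings occur in the wild: "list network x" and "option network 'x y'".
        names = list(s['lists'].get('network', [])) + s['options'].get('network', '').split()
        for n in names:
            members[n] = zone
    return members


def default_policy(firewall_conf):
    """The input/output/forward policy applied to traffic of unzoned interfaces."""
    for s in parse_uci(firewall_conf):
        if s['type'] == 'defaults':
            return {k: s['options'].get(k) for k in ('input', 'output', 'forward')}
    return {}


def unzoned_interfaces(network_conf, firewall_conf):
    """Logical interfaces (loopback excluded) that no firewall zone lists."""
    members = zone_membership(firewall_conf)
    ifaces = {s['name'] for s in parse_uci(network_conf)
              if s['type'] == 'interface' and s['name'] not in (None, 'loopback')}
    return sorted(ifaces - set(members))


if __name__ == '__main__':
    policy = default_policy(FIREWALL_CONF)
    for name in unzoned_interfaces(NETWORK_CONF, FIREWALL_CONF):
        print(f'{name}: in no zone, governed by defaults {policy}')
```

The parser is deliberately minimal (no `package` lines, no unnamed-section numbering), which is enough for the two files in question. On the posted configs it reports mgmt, tun138, tun239, vlan138 and vlan239 as unzoned; whether that matters depends on what `config defaults` says, so the report prints the default policy next to each name.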