Hello everyone! I'm having some problems with a bit of a weird setup I'm working on, and maybe one of you folk can point me on the right direction. Thanks in advance!
My setup is the next:
I'm connecting several 18.06 OpenWRT devices, with each port pair separated on a different VLAN. Each eth0.X interface is assigned a IP address on the corresponding 192.168.X.0/24 range, so each pair of ports can see each other. I have full connection between each pair of devices, it seems like no problem there.
Then, for each pair of VLAN connected ports, I create a GRETAP tunnel, and I merge the endpoint of those tunnels to the same bridge, configured on a independent subnet to the VLAN ones, so I don't have routing problems, and with STP enabled. The GRE tunnel is established without problems, and sets a 1280 MTU, with the bridge itself going down to 1200. STP negotiates properly, and I have ping between all the different devices.
However:
When I try to open any TCP connection, nothing happens. Going down the old tcpdump tree, the TCP initial package seems to go through the bridge, into the GRE tunnel, into the eth0.X interface, and out the eth0 interface. The MSS shown in the package is 1160, correct VLAN ID IP-MAC pairs both inside and outside the tunnel and all. But on the other device, no trace of the package. I get the ARP and STP traffic, but no TCP, even when snooping on eth0 itself. I tested fragmentation sending huge ICMP packages, and it seems to be working properly, so the problem seems to be on TCP itself.
In the final solution there are other devices between them but, for testing purposes, right now they are directly connected.
Any ideas on how to debug this? Thanks for your help!
Configuration files for reference:
Network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'mgmt'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.80.225'
option netmask '255.255.255.0'
option gateway '192.168.80.1'
option dns '192.168.30.50'
config interface 'master'
option type 'bridge'
option stp '1'
option ifname 'gre4t-tun239 gre4t-tun138 '
option proto 'static'
option ipaddr '192.168.55.121'
option netmask '255.255.255.0'
config interface 'tun239'
option proto 'gretap'
option ipaddr '192.168.239.243'
option peeraddr '192.168.239.239'
config interface 'vlan239'
option ifname 'eth0.239'
option proto 'static'
option ipaddr '192.168.239.243'
option netmask '255.255.255.0'
config interface 'tun138'
option proto 'gretap'
option ipaddr '192.168.138.242'
option peeraddr '192.168.138.138'
config interface 'vlan138'
option ifname 'eth0.138'
option proto 'static'
option ipaddr '192.168.138.242'
option netmask '255.255.255.0'
config interface 'basic'
option ifname 'eth0.14 wlan1 '
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t'
config switch_vlan
option device 'switch0'
option vlan '22'
option vid '239'
option ports '0t 2'
config switch_vlan
option device 'switch0'
option vlan '21'
option vid '138'
option ports '0t 1'
config switch_vlan
option device 'switch0'
option vlan '14'
option vid '14'
option ports '0t 4'
Firewall:
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name basic
list network 'basic'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name master
list network 'master'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
option masq 1
option mtu_fix 1
config forwarding
option src basic
option dest master
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src master
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src master
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src master
option proto igmp
option family ipv4
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
# allow IPsec/ESP and ISAKMP passthrough
config rule
option src master
option dest basic
option proto esp
option target ACCEPT
config rule
option src master
option dest basic
option dest_port 500
option proto udp
option target ACCEPT