Have I messed up my VLAN config?

I have a Linksys E8450 (UBI) that I use as a bridged access point with multiple VLANs and SSIDs: I have the WAN port configured as a trunk that goes into my router.

The configuration works, but long lasting connections to the device itself - for example SSH or uploading a new firmware image for sysupgrade - get interrupted after a few seconds, preventing it from working. The only way I can actually run a sysupgrade is by resetting settings to default, upgrading and then restoring the previous config.

Here are screenshots of the relevant sections in the config: have I done something wrong?

Does it matter to this behavior how you're connecting to it? Does it behave the same whether you're connecting via the router-trunk path vs via its own wifi or via one of its other switch ports?

(I do something very similar, but haven't upgraded from 21.x so it's using the old switch config rather than DSA. Works fine, though I did take the "WAN" port out of the bridge because for some obscure reason I didn't bother to chase down, mDNS broadcasts wouldn't cross between the "LAN" and "WAN" ports. But that's an aside. IPQ4018-based device, known for some switch weirdness.)

I usually connect via the trunk even for directly connected devices: I have my devices on the main VLAN (tag 10) and the WebUI listening on the Mgmt one (tag 5), so the traffic needs to go through the trunk to the main router and back.

I tried having the WebUI listening on an IP in the main VLAN and connecting directly to it via WiFi, so traffic does not go through the trunk and sysupgrade worked.

Double checked the firewall rules on the main router and don't see anything wrong there either.

Make Main interface unmanaged without IP address. Keep only MGMT for accessing the device and configuring it.

I tried what you recommended and I immediately lost connectivity to the device.

Pinging the MGMT IP address kept failing until the configuration reverted due to the failsafe.

It's really weird since if I do a tracert to the MGMT IP address (when connectivity works and MAIN also has an IP) I can see the main router as the first hop, as I would expect.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

I don't think you've set your wan as trunk properly. You're tagging every output that goes there, so your router will need to properly resolve it.

My configuration is as follows, and I do not have any issues like yours (but then I also don't need port-specific tagged-untagged flagging):

The specific configuration is this:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device 'switch'
	option name 'switch'
	option type 'bridge'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	option ports 'lan1 lan2 lan3 lan4 wan'

config bridge-vlan 'guest_vlan'
	option device 'switch'
	option vlan '2'
	option ports 'lan1:t lan2:t lan3:t lan4:t wan:t'

config bridge-vlan 'iot_vlan'
	option device 'switch'
	option vlan '3'
	option ports 'lan1:t lan2:t lan3:t lan4:t wan:t'

config bridge-vlan 'vpn_vlan'
	option device 'switch'
	option vlan '4'
	option ports 'lan1:t lan2:t lan3:t lan4:t wan:t'

config bridge-vlan 'mgmt_vlan'
	option device 'switch'
	option vlan '100'
	option ports 'lan1:t lan2:t lan3:t lan4:t wan:t'

config interface 'lan'
	option device 'switch.1'
	option proto 'dhcp'

config interface 'guest'
	option device 'switch.2'
	option proto 'dhcp'

config interface 'iot'
	option device 'switch.3'
	option proto 'dhcp'

config interface 'vpn'
	option device 'switch.4'
	option proto 'dhcp'

config interface 'mgmt'
	option device 'switch.100'
	option proto 'static'
	option ipaddr '10.0.100.5'
	option netmask '255.255.255.0'
	option gateway '10.0.100.1'

My basic approach is, if you plug any downlink device into any ethernet port on the network, you get access to the main network, without any extra configuration - as long as your device can auto configure DHCP (which should be the default for most ethernet-enabled devices), you're good to go.

The rest of the network is tagged, and I break them out on every AP, so that I can attach them to appropriate WLANs.

I've just tested a larger (1GB) scp transfer to my router (to an attached USB dongle), and I saw no interruptions whatsoever.

Here is the output of the command you sent:

{
        "kernel": "5.10.161",
        "hostname": "my-host-name",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdef:14f4:6eab::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'lan1:u*'
        list ports 'wan:t*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:u*'
        list ports 'wan:t'

config interface 'mgmt'
        option proto 'static'
        option device 'br-lan.5'
        option ipaddr '10.0.0.6'
        option netmask '255.255.255.0'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'
        option delegate '0'

config interface 'main'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '10.0.1.6'
        option netmask '255.255.255.0'
        option gateway '10.0.1.1'
        list dns '10.0.1.1'
        option delegate '0'

config interface 'guest'
        option device 'br-lan.20'
        option proto 'none'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan.5@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.0.6/24 brd 10.0.0.255 scope global br-lan.5
       valid_lft forever preferred_lft forever
22: br-lan.10@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.1.6/24 brd 10.0.1.255 scope global br-lan.10
       valid_lft forever preferred_lft forever
default via 10.0.1.1 dev br-lan.10
10.0.0.0/24 dev br-lan.5 scope link  src 10.0.0.6
10.0.1.0/24 dev br-lan.10 scope link  src 10.0.1.6
broadcast 10.0.0.0 dev br-lan.5 table local scope link  src 10.0.0.6
local 10.0.0.6 dev br-lan.5 table local scope host  src 10.0.0.6
broadcast 10.0.0.255 dev br-lan.5 table local scope link  src 10.0.0.6
broadcast 10.0.1.0 dev br-lan.10 table local scope link  src 10.0.1.6
local 10.0.1.6 dev br-lan.10 table local scope host  src 10.0.1.6
broadcast 10.0.1.255 dev br-lan.10 table local scope link  src 10.0.1.6
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Are you accessing the device from a host in the mgmt or main network?
The device has a default gateway from the main network, so the change in the configuration can affect the packets and cause the interruption when saving.

Isn't the point of a trunk to have everything tagged? I don't understand the purpose of having untagged traffic on trunk ports: yes, the router is meant to resolve VLAN tags.

I have some ports on different VLANs than the main as a way to sanity check the config by just plugging stuff in. And I'd like the access point to only have an IP on the MGMT VLAN and be completely transparent everywhere else.

Ooh, good catch.

I went into interfaces and set MGMT's IP config to have the gateway as metric value 1 and after that setting the MAIN interface as unmanaged didn't break connectivity.

Tested a bit and now can upload firmware images and my SSH connections do not seem to break anymore.

The solution was to set the gateway to the one in the MGMT VLAN and then set the MAIN interface as unmanaged.

Thank you very much!

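An added check, not code from the thread or from OpenWrt, that reads a `uci export network` dump and reports which interface ends up owning the default route. It flags the situation the poster had (two interfaces with a gateway and no metric) and passes once the fix from the thread is applied; the interface name 'mgmt' and the trimmed config strings are assumptions based on the posted output.

```python
# Added example, not code from the thread or from OpenWrt: parse a `uci export network`
# dump and report which interface owns the default route. In the thread both 'mgmt'
# and 'main' declared a gateway with no metric and the kernel installed only main's.
import re

def parse_interfaces(text):
    """Return {name: {key: value}} for every `config interface` section."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*config\s+([\w-]+)(?:\s+'?(\w+)'?)?", line)
        if m:
            cur = ifaces.setdefault(m.group(2), {}) if m.group(1) == "interface" else None
            continue
        m = re.match(r"\s*(?:option|list)\s+(\w+)\s+'([^']*)'", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return ifaces

def gateway_candidates(ifaces):
    """(metric, name) per managed interface with a static gateway, best first;
    unset metric counts as 0 and DHCP-learned gateways are not visible here."""
    return sorted((int(o.get("metric", "0")), n) for n, o in ifaces.items()
                  if o.get("gateway") and o.get("proto") != "none")

def check_default_route(text, mgmt="mgmt"):
    """(ok, message): ok only when `mgmt` alone holds the lowest-metric gateway."""
    cands = gateway_candidates(parse_interfaces(text))
    if not cands:
        return (False, "no static gateway declared; off-subnet admin hosts get no replies")
    best = [n for m, n in cands if m == cands[0][0]]
    if len(best) > 1:
        return (False, "equal-metric gateways on %s: only one gets installed" % ", ".join(best))
    if best[0] != mgmt:
        return (False, "default route belongs to %r, not %r" % (best[0], mgmt))
    return (True, "default route belongs to %r (metric %d)" % (mgmt, cands[0][0]))
# Constructed inputs trimmed from the thread's config: before and after the fix.
BEFORE = """config interface 'mgmt'
        option proto 'static'
        option gateway '10.0.0.1'
config interface 'main'
        option proto 'static'
        option gateway '10.0.1.1'
"""
AFTER = """config interface 'mgmt'
        option proto 'static'
        option gateway '10.0.0.1'
        option metric '1'
config interface 'main'
        option proto 'none'
"""
```

Run it against the full export (`uci export network | python3 -c ...`) on the AP; the posted `ip -4 ro li tab all` output is the ground truth to compare the verdict with.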

Isn't the point of a trunk to have everything tagged? I don't understand the purpose of having untagged traffic on trunk ports: yes, the router is meant to resolve VLAN tags.

You're right, I misread your config.

In my setup, there's no dedicated "trunk" port. Every port can be trunk, and I rely on STP to avoid loops (not that my setup is complex enough for loops unless I plug the same cable on both ends into the same device). And since I have flatmates, I found it best to leave VLAN 1 untagged throughout the network, so any LAN client can plug-and-play access it, while the other networks are resolved via the tags, where needed (gateway and APs that act as ethernet-wlan bridge).

I have some ports on different VLANs than the main as a way to sanity check the config by just plugging stuff in.

Ah okay, I see.

And I'd like the access point to only have an IP on the MGMT VLAN and be completely transparent everywhere else.

My setup could be transparent on the non-mgmt networks as well - just need to set those networks as Unmanaged and donezo.
