Help with Transit Network to L3 switch

I'm probably a bit in over my head with this one, but hopefully someone can set me straight. I'm not used to routers having such a clean slate.

So I'm connecting the wireless router to a layer-3 Brocade 6450 switch with a transit network (vlan 99) over a pair of ports bonded w/LACP (lan 4 & 5) and a tagged port to another AP (lan3).

I've got the LACP handshaking after a bit of struggle. The internet appears to come up on the PC I'm testing with, and then nothing. Either hangs or internet loses connection.

After endless attempts at it, I am just about ready to give up. Everything feels like it should work, but when I connect everything up, I have no internet access. It just won't connect through somehow. I'm really hoping someone out there has some experience doing this that can tell me what I might be doing wrong.

Config file:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network — first version posted. This one still gives the router
# L3 addresses on VLANs 111 and 122 (see 'trust'/'untrust' below).
# Review comments added as '#' lines; note `uci commit` rewrites this file and
# drops comments, so keep them in your own notes rather than relying on them.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde0:58f6:e33d::/48'
        # Spreads RX processing across CPU cores; unrelated to the VLAN issue.
        option packet_steering '1'

# 802.3ad (LACP) bond of lan4+lan5 towards the Brocade 6450 LAG. The rate and
# hash policy pinned here must agree with what the switch-side LAG is set to;
# the reply further down suggests leaving them at defaults unless the switch
# is known to use them.
config device 'bond0'
        option name 'bond0'
        option type 'bonding'
        list ports 'lan4'
        list ports 'lan5'
        option miimon '100'
        option lacp_rate 'fast'
        option xmit_hash_policy 'layer2+3'
        option policy '802.3ad'

# VLAN-aware bridge. lan1/lan2 get their real PVID from the 'u*' entries in the
# bridge-vlan sections below. No bridge-vlan declares VLAN 1, so untagged frames
# arriving on the tagged-only ports (lan3, bond0) should have no VLAN to land
# in and be dropped — desirable for a trunk; confirm with `bridge vlan show`.
config device 'br_lan'
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'bond0'
        option vlan_filtering '1'
        option pvid '1'

# Transit VLAN 99: carried only on the bond to the switch — not on lan3 (the
# AP) — and handed to the router's own stack as br-lan.99 via 'br-lan:t'.
# Keep it off lan3 so the router<->switch link stays point-to-point.
config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'bond0:t'
        list ports 'br-lan:t'

# VLAN 100 ('lan'): untagged + PVID on lan1, tagged to the AP (lan3) and the
# switch (bond0).
config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1:u*'
        list ports 'lan3:t'
        list ports 'bond0:t'
        list ports 'br-lan:t'

# VLAN 111 ('trust'): untagged + PVID on lan2, tagged to the AP and the switch.
config bridge-vlan
        option device 'br-lan'
        option vlan '111'
        list ports 'lan2:u*'
        list ports 'lan3:t'
        list ports 'bond0:t'
        list ports 'br-lan:t'

# VLAN 122 ('untrust'): tagged only — no local access port on the router.
config bridge-vlan
        option device 'br-lan'
        option vlan '122'
        list ports 'lan3:t'
        list ports 'bond0:t'
        list ports 'br-lan:t'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

# Router's address on VLAN 100. The switch apparently holds .1 on this subnet
# (it is the gateway handed out by DHCP in the later post), so two L3 hops
# share this broadcast domain.
config interface 'lan'
        option device 'br-lan.100'
        option proto 'static'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'

# Point-to-point transit towards the Brocade: 10.0.0.2 here, 10.0.0.1 on the
# switch (the next hop of the summary route below).
config interface 'transit'
        option device 'br-lan.99'
        option proto 'static'
        option ipaddr '10.0.0.2'
        option netmask '255.255.255.252'

# 'trust'/'untrust': with these two interfaces the router is directly reachable
# from VLAN 111 and 122 hosts, bypassing the transit link and whatever ACLs the
# switch applies. Any firewall zoning for those VLANs therefore has to include
# these interfaces as well (they are gone in the second config posted below).
config interface 'trust'
        option device 'br-lan.111'
        option proto 'static'
        option ipaddr '192.168.111.2'
        option netmask '255.255.255.0'

config interface 'untrust'
        option device 'br-lan.122'
        option proto 'static'
        option ipaddr '192.168.122.2'
        option netmask '255.255.255.0'

# Summary route: anything in 192.168.0.0/16 that is not directly connected goes
# to the Brocade over transit. The connected /24s (100, 111, 122) are more
# specific and still win, so this only matters for subnets living on the switch.
config route
        option interface 'transit'
        option target '192.168.0.0'
        option netmask '255.255.0.0'
        option gateway '10.0.0.1'

What kind of router and which version do you have? Please share the output of:

ubus call system board

Ah sorry, It's a Flint-2, running vanilla openwrt. version 24.10 I think.

Let's see the output requested by @egc, please.


As a start I would clean up the bridge and VLAN definitions.

Your br-lan device enslaves all the other interfaces.
A bridge-vlan section only needs the VLAN ID and a reference to the VLAN-aware bridge, that's all.

I would also only configure LACP options when you are sure they are actually used by the other side. If not, leave as much as possible on auto.

If your transit VLAN actually carries layer-3 addresses, then the device acts as a router; it doesn't matter how many switch ports it has.

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.119",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}

If it helps, here's some of the setup files:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network — second version posted (OpenWrt 24.10.5, GL-MT6000).
# The router no longer has L3 interfaces on VLANs 111/122; those subnets are
# now owned by the Brocade and reached only via the transit link.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde0:58f6:e33d::/48'
        option packet_steering '1'

# 802.3ad (LACP) bond of lan4+lan5 towards the Brocade LAG. lacp_rate and
# xmit_hash_policy should only be pinned if the switch-side LAG matches them.
config device 'bond0'
        option name 'bond0'
        option type 'bonding'
        list ports 'lan4'
        list ports 'lan5'
        option miimon '100'
        option lacp_rate 'fast'
        option xmit_hash_policy 'layer2+3'
        option policy '802.3ad'

# VLAN-aware bridge over the access ports, the AP trunk (lan3) and the bond.
# No bridge-vlan declares VLAN 1, so untagged frames on the tagged-only ports
# (lan3, bond0) should be dropped; verify with `bridge vlan show`.
config device 'br_lan'
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'bond0'
        option vlan_filtering '1'
        option pvid '1'

# Transit VLAN 99: bond only (not on the AP trunk), exposed as br-lan.99.
config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'bond0:t'
        list ports 'br-lan:t'

# VLAN 100: untagged/PVID on lan1, tagged to AP and switch; router has an
# address here ('lan' below).
config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1:u*'
        list ports 'lan3:t'
        list ports 'bond0:t'
        list ports 'br-lan:t'

# VLAN 111: untagged/PVID on lan2, tagged to AP and switch. No router
# interface uses br-lan.111 in this version, so these hosts are purely L2 here.
config bridge-vlan
        option device 'br-lan'
        option vlan '111'
        list ports 'lan2:u*'
        list ports 'lan3:t'
        list ports 'bond0:t'
        list ports 'br-lan:t'

# VLAN 122: tagged only. 'br-lan:t' is unused in this version (no interface on
# br-lan.122); harmless, but it can go if the router is never meant to have an
# address in the untrusted VLAN.
config bridge-vlan
        option device 'br-lan'
        option vlan '122'
        list ports 'lan3:t'
        list ports 'bond0:t'
        list ports 'br-lan:t'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '1'

# Router's address on VLAN 100 (.2); the switch holds .1 and is the gateway
# handed out by DHCP, so this subnet has two L3 hops in it.
config interface 'lan'
        option device 'br-lan.100'
        option proto 'static'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'

# Transit /30 to the Brocade (10.0.0.1). br-lan.99 is the consistent choice
# here: bond0 is a member of the VLAN-aware bridge and VLAN 99 is declared
# there, so a separate bond0.99 would be a second consumer of the same tag.
config interface 'transit'
        option device 'br-lan.99'   #have also tried 'bond0.99'
        option proto 'static'
        option ipaddr '10.0.0.2'
        option netmask '255.255.255.252'

# Everything in 192.168.0.0/16 except the connected 192.168.100.0/24 is routed
# to the switch. This is what makes 192.168.111.x / 192.168.122.x hosts able to
# reach 10.0.0.2 — and, with the firewall as posted, everything listening on it.
config route
        option interface 'transit'
        option target '192.168.0.0'
        option netmask '255.255.0.0'
        option gateway '10.0.0.1'

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp — dnsmasq serves DNS for everything and DHCP for VLAN 100
# directly; VLANs 111/122 are meant to be served via relay from the Brocade.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Keep these on: they stop upstream answers pointing at RFC1918 space
        # (DNS rebinding). The two rebind_domain entries below carve out
        # exceptions for entire zones, which is the widest way to do it.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # localservice=0 is required here: relayed clients in 192.168.111/122
        # are not on a directly attached subnet, so dnsmasq must answer queries
        # from non-local source addresses. The side effect is that dnsmasq will
        # answer anyone who can reach it — the firewall (wan input REJECT, and
        # the transit rules) is the only thing bounding that.
        option localservice '0'
        option ednspacket_max '1232'
        list not_interface 'wan'
        # 'transit' and 'br-lan.99' are the same interface (logical name and
        # device); one entry is enough.
        list interface 'transit'
        list interface 'br-lan.99'
        # Upstream resolvers (look like the OpenDNS FamilyShield pair), plain
        # UDP/TCP 53 — unencrypted between this router and the provider.
        list server '208.67.222.123'
        list server '208.67.220.123'
        list rebind_domain 'msftncsi.com'
        list rebind_domain 'microsoft.com'
        option nonwildcard '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

# VLAN 100 pool, 192.168.100.100-199. Default gateway is the switch (.1), DNS
# is this router's transit address. That means outbound traffic goes
# client -> Brocade -> transit -> router -> wan, while replies come back
# router -> br-lan.100 -> client: an asymmetric path that conntrack tolerates
# but that is worth ruling out as a cause of the "comes up then hangs"
# symptom (e.g. hand out .2 as option 3, or give the whole subnet to the
# switch and drop the router's VLAN 100 address).
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '100'
        option leasetime '12h'
        list dhcp_option '3,192.168.100.1'
        list dhcp_option '6,10.0.0.2'

# Relay pools for VLAN 111/122. As written these cannot work: the section is
# bound to 'transit' (10.0.0.0/30) and OpenWrt's init script derives the
# dhcp-range from the bound interface's own subnet, so start=100/limit=100
# do not fit in a /30; and nothing in this file sets the 'vlan111'/'vlan122'
# tags that networkid and the tagged options match on, so those lines never
# apply. dnsmasq picks a range for a relayed request by the relay's giaddr
# (192.168.111.1 / 192.168.122.1 from the switch), so the range has to be a
# real 192.168.111.0/24 / 192.168.122.0/24 range — check the generated
# /var/etc/dnsmasq.conf.* for what actually gets emitted. This is consistent
# with the final post: untagged switch ports get no lease.
config dhcp 'trust'
        option interface 'transit'
        option start '100'
        option limit '100'
        option leasetime '12h'
        option networkid 'tag:vlan111'
        list dhcp_option 'net:vlan111,3,192.168.111.1'
        list dhcp_option 'net:vlan111,6,10.0.0.2'
        option force '1'

config dhcp 'untrust'
        option interface 'transit'
        option start '100'
        option limit '100'
        option leasetime '12h'
        option networkid 'tag:vlan122'
        list dhcp_option 'net:vlan122,3,192.168.122.1'
        list dhcp_option 'net:vlan122,6,10.0.0.2'
        option force '1'

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall (fw4). Default policy: REJECT inbound and forwarded
# traffic unless a zone or rule below allows it.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# The Allow-* rules below appear to be the stock OpenWrt defaults for the wan
# zone (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec pass-through from wan into VLAN 100 (also a stock default). Only useful
# if a host on VLAN 100 terminates IPsec; otherwise these two rules can be
# dropped to keep the wan-facing surface minimal.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# 'lan' zone = VLAN 100 only. VLANs 111/122 have no L3 interface on this
# router (second network config), so they belong to no zone here: the Brocade
# routes between them, and this firewall never sees VLAN 111 <-> VLAN 122
# traffic. Trust/untrust separation must be enforced with ACLs on the switch.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'

# 'wan6' is referenced but no such interface exists in the network config
# posted; fw4 tolerates it, it is just dead config.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

# SECURITY: input ACCEPT on transit means every host the Brocade can route to
# 10.0.0.2 — i.e. all of 192.168.0.0/16 per the static route in
# /etc/config/network, including the 'untrust' VLAN 122 — reaches this
# router's own services (SSH, LuCI, DNS, ...) through the switch. Only DHCP
# (udp/67) and DNS (53) are needed from the transit side and both already have
# explicit ACCEPT rules at the end of this file, so `option input 'REJECT'`
# here would turn those rules into the whitelist without losing anything the
# design needs. masq 0 is correct (no NAT towards the switch); mtu_fix on an
# internal Ethernet link is presumably unnecessary but harmless.
config zone
        option name 'transit'
        option network 'transit'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '0'
        option mtu_fix '1'

# Inter-zone forwarding: lan -> wan and transit -> wan only. There is no
# lan <-> transit forwarding, so with the REJECT default this router will not
# route between VLAN 100 and the subnets behind the switch.
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'transit'
        option dest 'wan'

# DHCP requests relayed by the Brocade arrive as unicast from 10.0.0.1 to
# 10.0.0.2:67. Redundant while the transit zone input is ACCEPT; this is the
# rule that matters once input is tightened to REJECT.
config rule
        option name 'Allow-DHCP-Relay'
        option src 'transit'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

# DNS from relayed clients (option 6 = 10.0.0.2). UDP only; large/truncated
# answers retry over TCP, so consider `option proto 'tcp udp'`.
config rule
        option name 'Allow-DNS-Transit'
        option src 'transit'
        option proto 'udp'
        option dest_port '53'
        option target 'ACCEPT'

And I should mention that I have internet working on VLAN 100 now. Connecting to any of the untagged ports on the switch has no effect: clients there don't pull an IP from the DHCP server.