LEDE is replicating ICMP replies and ARP replies across VLANs

Hi there,

I am struggling with an issue where I get duplicate ping responses when I ping from a host in a VLAN other than VLAN 1 to a host in VLAN 1.

I have checked the pings with tcpdump and noticed that the host in VLAN B sends just one response, but this response seems to get replicated in LEDE, so that I get one duplicate per configured VLAN. I have double-checked this by deleting one configured VLAN in LEDE, and the number of responses decreased by 1.

Furthermore, when I ping from LEDE itself to the host, I get duplicate responses as well. But when I restrict the ping to eth0.1, I only get one response. I assume that the ping client is then only listening on eth0.1; if I don't specify the interface, it listens on eth0, which is already past the point where the duplication happens.

This is the same when I use tcpdump on LEDE in parallel to the ping. Explicitly dumping eth0.1 returns only one response, but when I listen on eth0 in general, I get the duplicates.

Does anyone have an idea why this happens? The hardware is a TP-Link WDR3600. I will be happy if someone comes up with a firewall rule that restricts a ping to exactly one response.

Perhaps you could post your network config file here.

Sure.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'admin'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option _orig_ifname 'eth0.1 radio0.network1 radio1.network1'
        option _orig_bridge 'true'
        option ifname 'eth0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '208.67.222.222 208.67.220.220'

config interface 'dn42_tharan'
        option ifname 'tun0'
        option proto 'none'

config interface 'home'
        option proto 'static'
        option ifname 'eth0.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'guest'
        option proto 'static'
        option ifname 'eth0.11'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

config interface 'iot'
        option proto 'static'
        option ifname 'eth0.12'
        option ipaddr '192.168.12.1'
        option netmask '255.255.255.0'

config switch 'eth0'
        option reset '1'
        option enable_vlan '1'
        option name 'switch0'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '11'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '12'
        option ports '0t 2t'

config switch_port
        option port '2'
        option pvid '1'
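The switch section above maps VLANs to ports and sets a PVID, which is easy to misread by eye. As an added example that is not part of the thread, the following script parses the `config switch_vlan` and `config switch_port` blocks (the switch part of the config posted above, embedded verbatim) into a per-port membership table and flags two things a reviewer would look for: a port that is an untagged member of more than one VLAN, and a PVID pointing at a VLAN the port is not a member of or that egresses tagged on the same port. The `vid` option is used as the 802.1Q ID, falling back to the `vlan` index when `vid` is absent; the check names and the `0` = untagged convention are my own.

```python
# Added example: parse a UCI switch config and report per-port VLAN membership.
# Not code from the thread or from LEDE/OpenWrt; the parser is deliberately
# minimal and only understands 'config' and 'option' lines.

# The switch section of the network config posted above, copied verbatim.
SWITCH_CONFIG = """\
config switch 'eth0'
        option reset '1'
        option enable_vlan '1'
        option name 'switch0'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '11'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '12'
        option ports '0t 2t'

config switch_port
        option port '2'
        option pvid '1'
"""


def parse_uci(text):
    """Return a list of sections, each a dict with '.type', '.name' and its options."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            cur = {".type": parts[1], ".name": name}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None and len(parts) == 3:
            cur[parts[1]] = parts[2].strip().strip("'\"")
    return sections


def port_table(sections):
    """Build {port: {vid: 'tagged'|'untagged'}} and {port: pvid} from switch sections."""
    members, pvid = {}, {}
    for s in sections:
        if s[".type"] == "switch_vlan":
            # swconfig uses 'vid' as the 802.1Q ID; without it the 'vlan' index is used.
            vid = int(s.get("vid", s["vlan"]))
            for entry in s["ports"].split():
                port = int(entry.rstrip("t"))
                mode = "tagged" if entry.endswith("t") else "untagged"
                members.setdefault(port, {})[vid] = mode
        elif s[".type"] == "switch_port" and "pvid" in s:
            pvid[int(s["port"])] = int(s["pvid"])
    return members, pvid


def check_switch(text):
    """Return (members, pvid, findings) for a UCI network config."""
    members, pvid = port_table(parse_uci(text))
    findings = []
    for port, vlans in sorted(members.items()):
        untagged = sorted(v for v, mode in vlans.items() if mode == "untagged")
        if len(untagged) > 1:
            findings.append(f"port {port}: untagged member of several VLANs {untagged}")
    for port, vid in sorted(pvid.items()):
        mode = members.get(port, {}).get(vid)
        if mode is None:
            findings.append(f"port {port}: pvid {vid} but the port is not a member of VLAN {vid}")
        elif mode == "tagged":
            findings.append(f"port {port}: pvid {vid} puts untagged ingress into VLAN {vid}, "
                            f"which egresses tagged on this same port")
    return members, pvid, findings


if __name__ == "__main__":
    members, pvid, findings = check_switch(SWITCH_CONFIG)
    for port, vlans in sorted(members.items()):
        print(f"port {port}: " + ", ".join(f"{v}{'t' if m == 'tagged' else ''}" for v, m in sorted(vlans.items())))
    for f in findings:
        print("note:", f)
```

On the posted config this reports port 2 as a pure trunk (VLANs 1, 10, 11 and 12 tagged) and notes only the PVID on port 2, which is the point raised in the next reply; it does not find an untagged overlap, so the duplication is not explained by the switch table alone.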

May I ask why you have enabled PVID on port 2? Perhaps there is something else I am missing, but I cannot see why you need it.

It was because of debugging this issue. You're right, I don't need it.

Another interesting fact I just discovered: as you can see, port 2 is my general uplink port to a switch which is connected there (and which was the first device I discovered the duplicate answers with). I changed the VLAN with VID 12 to include port 3 tagged instead of port 2 tagged. Port 3 is physically disconnected. The result: I have one duplicate less.

I also noted that the duplicates only appear when I ping this particular uplink switch. I connected a second switch to this switch and configured a trunked connection between the first switch and the second switch as well. Both switches return exactly one response per ICMP request, but only the first switch's response is duplicated.

As you may have noted, I mentioned replicated ARP replies but forgot to mention them in my opening post. This was a phenomenon I discovered while tcpdumping the ping issue. Whenever the LEDE router sent an ARP request for the switch's management IP and got a response from the switch, it replicated the response, again once per configured VLAN, and sent the switch's ARP reply into the other VLANs. This response does not show up in the ARP caches of the computers in the other VLANs, maybe because they didn't request it, or because each VLAN has its own /24 IPv4 subnet.
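The opening post and the ARP observation above both rely on the same manual check: capture on the trunk interface eth0 and count how many times one reply shows up under different VLAN tags. As an added example that is not part of the thread, the script below automates that count over `tcpdump -e -nn` style output. The capture embedded in it is constructed to mirror the symptoms described (one echo request on VLAN 10, its reply seen under VLAN tags 10, 11 and 12, a second host's reply seen once, and one ARP reply copied into every VLAN); the line layout approximates tcpdump's 802.1Q output and the regexes are tolerant of small format differences, but the addresses, IDs and timestamps are invented.

```python
# Added example: count ICMP echo replies and ARP replies per VLAN tag in a
# tcpdump capture of the trunk interface. Not code from the thread.
import re
from collections import defaultdict

# Constructed sample, approximating `tcpdump -e -nn -i eth0` on the LEDE box.
# 192.168.1.50 plays the uplink switch, 192.168.1.60 a second switch behind it.
SAMPLE_CAPTURE = """\
10:00:00.000100 aa:aa:aa:aa:aa:01 > 00:11:22:33:44:55, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.10.20 > 192.168.1.50: ICMP echo request, id 1234, seq 1, length 64
10:00:00.000400 00:11:22:33:44:55 > aa:aa:aa:aa:aa:01, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.1.50 > 192.168.10.20: ICMP echo reply, id 1234, seq 1, length 64
10:00:00.000410 00:11:22:33:44:55 > aa:aa:aa:aa:aa:01, ethertype 802.1Q (0x8100), length 102: vlan 11, p 0, ethertype IPv4 (0x0800), 192.168.1.50 > 192.168.10.20: ICMP echo reply, id 1234, seq 1, length 64
10:00:00.000420 00:11:22:33:44:55 > aa:aa:aa:aa:aa:01, ethertype 802.1Q (0x8100), length 102: vlan 12, p 0, ethertype IPv4 (0x0800), 192.168.1.50 > 192.168.10.20: ICMP echo reply, id 1234, seq 1, length 64
10:00:01.000100 aa:aa:aa:aa:aa:01 > 00:11:22:33:44:66, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.10.20 > 192.168.1.60: ICMP echo request, id 5678, seq 1, length 64
10:00:01.000500 00:11:22:33:44:66 > aa:aa:aa:aa:aa:01, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.1.60 > 192.168.10.20: ICMP echo reply, id 5678, seq 1, length 64
10:00:05.000100 00:11:22:33:44:55 > aa:aa:aa:aa:aa:02, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP (0x0806), Reply 192.168.1.50 is-at 00:11:22:33:44:55, length 46
10:00:05.000110 00:11:22:33:44:55 > aa:aa:aa:aa:aa:02, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP (0x0806), Reply 192.168.1.50 is-at 00:11:22:33:44:55, length 46
10:00:05.000120 00:11:22:33:44:55 > aa:aa:aa:aa:aa:02, ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype ARP (0x0806), Reply 192.168.1.50 is-at 00:11:22:33:44:55, length 46
10:00:05.000130 00:11:22:33:44:55 > aa:aa:aa:aa:aa:02, ethertype 802.1Q (0x8100), length 64: vlan 12, p 0, ethertype ARP (0x0806), Reply 192.168.1.50 is-at 00:11:22:33:44:55, length 46
"""

VLAN_RE = re.compile(r"\bvlan (\d+), p \d+")
ICMP_REPLY_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo reply, id (\d+), seq (\d+)")
ARP_REPLY_RE = re.compile(r"\bReply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

UNTAGGED = 0  # a frame with no 802.1Q header, e.g. when capturing on eth0.1


def parse_replies(capture):
    """Map each logical reply to the list of VLAN tags it was seen under.

    ICMP replies are keyed by (src, dst, id, seq); ARP replies by (ip, mac).
    Echo requests and everything else are ignored.
    """
    seen = defaultdict(list)
    for line in capture.splitlines():
        m = VLAN_RE.search(line)
        vlan = int(m.group(1)) if m else UNTAGGED
        m = ICMP_REPLY_RE.search(line)
        if m:
            src, dst, icmp_id, seq = m.groups()
            seen[("icmp", src, dst, int(icmp_id), int(seq))].append(vlan)
            continue
        m = ARP_REPLY_RE.search(line)
        if m:
            seen[("arp", m.group(1), m.group(2).lower())].append(vlan)
    return dict(seen)


def find_duplicates(capture):
    """Replies that appeared more than once; value is the sorted list of VLAN tags."""
    return {key: sorted(vlans)
            for key, vlans in parse_replies(capture).items() if len(vlans) > 1}


if __name__ == "__main__":
    for key, vlans in find_duplicates(SAMPLE_CAPTURE).items():
        print(f"{key}: seen {len(vlans)} times, on VLANs {vlans}")
```

Run the same script against a capture taken on eth0.1 and on eth0: by the opening post's description the former should report no duplicates while the latter lists each reply once per configured VLAN, which narrows the fault to whatever sits between the switch port and the VLAN sub-interfaces.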

This is weird... I am confused too.

Update: there are no more duplicates when I create more VLANs. But if I change the VLAN ID of any VLAN which causes duplicates (the duplicates decrease when I disconnect this interface), the duplicates persist.

I have enabled a firewall rule which drops all ICMP traffic from VLAN 1. However, the firewall isn't dropping anything, and each ICMP request is forwarded.

YOU ASSUME??? How could it listen on other VLANs??? Do you have this device connected to multiple ports on different VLANs??? (Perhaps you're using the term 'client' differently here).

It's very important to be sure of that. You also made a bug report here: https://bugs.lede-project.org/index.php?do=details&task_id=1224

Please confirm:

  • The client is only on a single VLAN
  • That the port the client is plugged into on the managed switch is only an access port of VLAN 1
  • Are there any other connections between the "client," the LEDE and the managed switch other than the trunk port?
  • On the switch, ensure that you did not configure the port to the LEDE to be an Access AND Trunk of VLAN 1!!!

WHAT REPLICATED THE RESPONSE??? Have you determined this yet???