Multicast relayed to windows client switch despite VLAN isolation

Hi,

My OpenWrt router is a Netgear WAC104 using the MT7621ST switch for Ethernet.
I'm trying to configure VLANs to isolate a GUEST zone (VLAN10)
from the home network (VLAN1).

I have set up VLAN1 to carry the link from the DSL box as untagged on the LAN1 port (and VLAN10 tagged).
LAN2 and LAN3 are also set up with VLAN1 untagged (and VLAN10 tagged).
LAN4 is set up with VLAN10 untagged (and VLAN1 tagged).

So finally there are two devices:
br-lan.1 and br-lan.10

I had a problem with IPv6 RA messages and found with tcpdump that a multicast from my DSL box on LAN1 is relayed straight to the LAN4 port.

EDIT: after improving the tcpdump trace, it seems the VLAN ID is correct... I'm perplexed...

I used this command line:

tcpdump -i any -evn 'icmp6 && ip6[40]==134'

EDIT: but I noticed there was no VLAN ID, so I used many SSH sessions, with one tcpdump on each distinct interface:

tcpdump -i any -en 'icmp6 && ip6[40]==134'
tcpdump -i lan1 -env 'icmp6 && ip6[40]==134'
tcpdump -i lan4 -env 'icmp6 && ip6[40]==134'
tcpdump -i br-lan -env 'icmp6 && ip6[40]==134'
tcpdump -i br-lan.10 -env 'icmp6 && ip6[40]==134'
tcpdump -i br-lan.1 -env 'icmp6 && ip6[40]==134'

I've tried disabling IGMP snooping and changing "Is Primary VLAN", but nothing changes.
I imagine it is the hardware switch MT7621ST that does this, but is there a way to avoid that automatic multicast that breaks VLAN isolation?
EDIT: not so evident now.

The trace shows the packet is received on lan1, immediately relayed out to lan4, then relayed in on br-lan and on br-lan.1.
EDIT: but the VLAN ID is good (1), so why does my Windows client catch it?

10:35:50.015852 lan1  M   ifindex 6 f4:ca:e5:50:0c:13 
10:35:50.015916 lan4  Out ifindex 3 f4:ca:e5:50:0c:13 
10:35:50.015943 br-lan M   ifindex 21 f4:ca:e5:50:0c:13 
10:35:50.015950 br-lan.1 M   ifindex 23 f4:ca:e5:50:0c:13

And the Windows client receives it as untagged:

Ethernet II, Src: Netgear_fb:8b:0c (9c:c9:eb:fb:8b:0c), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Destination: IPv6mcast_01 (33:33:00:00:00:01)
    Source: Netgear_fb:8b:0c (9c:c9:eb:fb:8b:0c)

Here is my network config file:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd51:e8f4:ef7b::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option stp '1'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
	option delegate '0'

config interface 'lan6'
	option device 'br-lan.1'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'
	option defaultroute '0'
	option delegate '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list ip6addr 'fd51:e8f4:ef7b::1/64'
	option ip6gw 'fe80::f6ca:e5ff:fe50:8b0c'
	option ip6prefix 'fd51:e8f4:ef7b::/48'

config route6
	option interface 'lan6'
	option target '::/0'
	option gateway 'fe80::f6ca:e5ff:fe50:c13'
	option metric '512'

Here is a trace of my DSL box sending an RA packet that is relayed from LAN1 to LAN4, then sent to br-lan and br-lan.10 as expected.
EDIT: now reading the VLAN ID, it appears the VLAN ID is good (1) on the LAN4 output...

I'm perplexed. It is clear my Windows machine receives the packet that is traced with a VLAN ID.
Maybe finally it's not OpenWrt, but Windows.
I cannot see the VLAN ID in Wireshark (I'm a bit of a noob).


tcpdump -i any -en 'icmp6 && ip6[40]==134'
13:30:58.977246 lan1  M   ifindex 6 f4:ca:e5:50:0c:13 ethertype IPv6 (0x86dd), length 148: fe80::f6ca:e5ff:fe50:c13 > ff02::1: ICMP6, router advertisement, length 88
13:30:58.977339 wguest0 Out ifindex 13 f4:ca:e5:50:0c:13 ethertype IPv6 (0x86dd), length 148: fe80::f6ca:e5ff:fe50:c13 > ff02::1: ICMP6, router advertisement, length 88
13:30:58.977366 wlan0 Out ifindex 12 f4:ca:e5:50:0c:13 ethertype IPv6 (0x86dd), length 148: fe80::f6ca:e5ff:fe50:c13 > ff02::1: ICMP6, router advertisement, length 88
13:30:58.977379 wguest1 Out ifindex 25 f4:ca:e5:50:0c:13 ethertype IPv6 (0x86dd), length 148: fe80::f6ca:e5ff:fe50:c13 > ff02::1: ICMP6, router advertisement, length 88
13:30:58.977394 wlan1 Out ifindex 24 f4:ca:e5:50:0c:13 ethertype IPv6 (0x86dd), length 148: fe80::f6ca:e5ff:fe50:c13 > ff02::1: ICMP6, router advertisement, length 88
13:30:58.977430 lan4  Out ifindex 3 f4:ca:e5:50:0c:13 ethertype IPv6 (0x86dd), length 148: fe80::f6ca:e5ff:fe50:c13 > ff02::1: ICMP6, router advertisement, length 88
13:30:58.977246 br-lan M   ifindex 21 f4:ca:e5:50:0c:13 ethertype IPv6 (0x86dd), length 148: fe80::f6ca:e5ff:fe50:c13 > ff02::1: ICMP6, router advertisement, length 88
13:30:58.977246 br-lan.1 M   ifindex 23 f4:ca:e5:50:0c:13 ethertype IPv6 (0x86dd), length 148: fe80::f6ca:e5ff:fe50:c13 > ff02::1: ICMP6, router advertisement, length 88


tcpdump -i lan1 -env 'icmp6 && ip6[40]==134'

13:30:58.977246 f4:ca:e5:50:0c:13 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 146: vlan 1, p 0, ethertype IPv6 (0x86dd), (flowlabel 0x66bd0, hlim 255, next-header ICMPv6 (58) payload length: 88) fe80::f6ca:e5ff:fe50:c13 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 88
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          prefix info option (3), length 32 (4): 2a01:xxx:yyy:zzzz::/64, Flags [onlink, auto], valid time 86400s, pref. time 86400s
          rdnss option (25), length 24 (3):  lifetime 86400s, addr: fd0f:ee:b0::1
          mtu option (5), length 8 (1):  1500
          source link-address option (1), length 8 (1): f4:ca:e5:50:0c:13


tcpdump -i lan4 -env 'icmp6 && ip6[40]==134'

13:30:58.977430 f4:ca:e5:50:0c:13 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 146: vlan 1, p 0, ethertype IPv6 (0x86dd), (flowlabel 0x66bd0, hlim 255, next-header ICMPv6 (58) payload length: 88) fe80::f6ca:e5ff:fe50:c13 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 88
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          prefix info option (3), length 32 (4): 2a01:xxx:yyy:zzzz::/64, Flags [onlink, auto], valid time 86400s, pref. time 86400s
          rdnss option (25), length 24 (3):  lifetime 86400s, addr: fd0f:ee:b0::1
          mtu option (5), length 8 (1):  1500
          source link-address option (1), length 8 (1): f4:ca:e5:50:0c:13


tcpdump -i br-lan -env 'icmp6 && ip6[40]==134'

13:30:58.977246 f4:ca:e5:50:0c:13 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 146: vlan 1, p 0, ethertype IPv6 (0x86dd), (flowlabel 0x66bd0, hlim 255, next-header ICMPv6 (58) payload length: 88) fe80::f6ca:e5ff:fe50:c13 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 88
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          prefix info option (3), length 32 (4): 2a01:xxx:yyy:zzzz::/64, Flags [onlink, auto], valid time 86400s, pref. time 86400s
          rdnss option (25), length 24 (3):  lifetime 86400s, addr: fd0f:ee:b0::1
          mtu option (5), length 8 (1):  1500
          source link-address option (1), length 8 (1): f4:ca:e5:50:0c:13


tcpdump -i br-lan.10 -env 'icmp6 && ip6[40]==134'

nothing

tcpdump -i br-lan.1 -env 'icmp6 && ip6[40]==134'

13:30:58.977246 f4:ca:e5:50:0c:13 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 142: (flowlabel 0x66bd0, hlim 255, next-header ICMPv6 (58) payload length: 88) fe80::f6ca:e5ff:fe50:c13 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 88
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          prefix info option (3), length 32 (4): 2a01:xxx:yyy:zzzz::/64, Flags [onlink, auto], valid time 86400s, pref. time 86400s
          rdnss option (25), length 24 (3):  lifetime 86400s, addr: fd0f:ee:b0::1
          mtu option (5), length 8 (1):  1500
          source link-address option (1), length 8 (1): f4:ca:e5:50:0c:13

Wireshark on the Windows client (filter icmpv6.type==134):

Frame 1046300: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface \Device\NPF_{31F8FB5E-72E7-401D-96A4-714659E1718A}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{31F8FB5E-72E7-401D-96A4-714659E1718A})
        Interface name: \Device\NPF_{31F8FB5E-72E7-401D-96A4-714659E1718A}
        Interface description: Ethernet 2
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr  7, 2024 13:30:49.395144000 Paris, Madrid (heure d’été)
    UTC Arrival Time: Apr  7, 2024 11:30:49.395144000 UTC
    Epoch Arrival Time: 1712489449.395144000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.056986000 seconds]
    [Time delta from previous displayed frame: 382.621575000 seconds]
    [Time since reference or first frame: 10907.856724000 seconds]
    Frame Number: 1046300
    Frame Length: 142 bytes (1136 bits)
    Capture Length: 142 bytes (1136 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ipv6:icmpv6]
    [Coloring Rule Name: ICMP]
    [Coloring Rule String: icmp || icmpv6]
Ethernet II, Src: FreeboxSas_50:0c:13 (f4:ca:e5:50:0c:13), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Destination: IPv6mcast_01 (33:33:00:00:00:01)
        Address: IPv6mcast_01 (33:33:00:00:00:01)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: FreeboxSas_50:0c:13 (f4:ca:e5:50:0c:13)
        Address: FreeboxSas_50:0c:13 (f4:ca:e5:50:0c:13)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::f6ca:e5ff:fe50:c13, Dst: ff02::1
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... 0110 0110 1011 1101 0000 = Flow Label: 0x66bd0
    Payload Length: 88
    Next Header: ICMPv6 (58)
    Hop Limit: 255
    Source Address: fe80::f6ca:e5ff:fe50:c13
    Destination Address: ff02::1
    [Source SLAAC MAC: FreeboxSas_50:0c:13 (f4:ca:e5:50:0c:13)]
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x56b9 [correct]
    [Checksum Status: Good]
    Cur hop limit: 64
    Flags: 0x00, Prf (Default Router Preference): Medium
        0... .... = Managed address configuration: Not set
        .0.. .... = Other configuration: Not set
        ..0. .... = Home Agent: Not set
        ...0 0... = Prf (Default Router Preference): Medium (0)
        .... .0.. = ND Proxy: Not set
        .... ..00 = Reserved: 0
    Router lifetime (s): 1800
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Prefix information : 2a01:e0a:5c5:7720::/64)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 64
        Flag: 0xc0, On-link flag(L), Autonomous address-configuration flag(A)
            1... .... = On-link flag(L): Set
            .1.. .... = Autonomous address-configuration flag(A): Set
            ..0. .... = Router address flag(R): Not set
            ...0 0000 = Reserved: 0
        Valid Lifetime: 86400 (1 day)
        Preferred Lifetime: 86400 (1 day)
        Reserved
        Prefix: 2a01:e0a:5c5:7720::
    ICMPv6 Option (Recursive DNS Server fd0f:ee:b0::1)
        Type: Recursive DNS Server (25)
        Length: 3 (24 bytes)
        Reserved
        Lifetime: 86400 (1 day)
        Recursive DNS Servers: fd0f:ee:b0::1
    ICMPv6 Option (MTU : 1500)
        Type: MTU (5)
        Length: 1 (8 bytes)
        Reserved
        MTU: 1500
    ICMPv6 Option (Source link-layer address : f4:ca:e5:50:0c:13)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: FreeboxSas_50:0c:13 (f4:ca:e5:50:0c:13)

Is there a known way to get around that problem?

Finally, I solved it myself, but I keep the message for the noobs like me who would struggle to understand it.

OpenWrt was doing everything fine, but I had configured the switch so that the tagged VLAN was sent alongside the untagged VLAN.
It appears that on Windows VLANs are not so native, and I had to set options in my ASIX Ethernet driver:

  • Priority and VLAN: Priority Enabled and VLAN Enabled
  • VLAN ID = 0
    Without that, all packets, whatever their VLAN ID, were accepted by Windows.

As my family is not so geeky (LOL), I decided to remove the tagged VLAN from every Ethernet port not connected to a router or my managed hub...

After correcting some now clear IPv6 problems, it works like a charm.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd51:e8f4:ef7b::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option stp '1'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
	option delegate '0'

config interface 'lan6'
	option device 'br-lan.1'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'
	option defaultroute '0'
	option delegate '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan4'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list ip6addr 'fd51:e8f4:ef7b::1/64'
	option ip6gw 'fe80::f6ca:e5ff:fe50:8b0c'
	option ip6prefix 'fd51:e8f4:ef7b::/48'

config route6
	option interface 'lan6'
	option target '::/0'
	option gateway 'fe80::f6ca:e5ff:fe50:c13'
	option metric '512'

VLANs are fun, but they're tricky.

Not sure my default IPv6 route and static IPv6 address are the best, but it works.

Sorry for the noise, and I hope this will help noobs like me.
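The root cause in this thread (an access port that also carries tagged VLANs, feeding a host NIC that does not filter 802.1Q tags) can be spotted from the UCI config alone. The script below is an added example, not code from the thread or from OpenWrt; it assumes the standard `config bridge-vlan` syntax where a `:t` suffix marks a tagged port, and the sample config string is the poster's original one, embedded here as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's bridge-vlan sections before the fix (each LAN port is untagged in one VLAN and tagged in the other).
BEFORE_FIX = """
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4'
"""

def parse_bridge_vlans(text):
    """Map port -> {'untagged': {vids}, 'tagged': {vids}} from UCI 'config bridge-vlan' sections."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):           # new UCI section; only bridge-vlan ones matter
            cur = {"vlan": None, "ports": []} if line.startswith("config bridge-vlan") else None
            if cur is not None:
                sections.append(cur)
        elif cur is not None:
            m = re.match(r"option vlan '(\d+)'", line)
            if m:
                cur["vlan"] = int(m.group(1))
            m = re.match(r"list ports '([^':]+)(?::([tu*]+))?'", line)
            if m:                                # suffix ':t' = tagged; bare, ':u' or ':*' = untagged
                cur["ports"].append((m.group(1), m.group(2) or ""))
    ports = defaultdict(lambda: {"untagged": set(), "tagged": set()})
    for s in sections:
        for port, flags in s["ports"]:
            if s["vlan"] is not None:
                ports[port]["tagged" if "t" in flags else "untagged"].add(s["vlan"])
    return dict(ports)

def leaky_access_ports(ports):
    """Ports carrying tagged VLANs on top of an untagged one: a host NIC that does not
    filter 802.1Q tags (the poster's Windows driver with VLAN disabled) sees every VLAN listed."""
    return {p: sorted(v["tagged"]) for p, v in ports.items() if v["untagged"] and v["tagged"]}
```

Running `leaky_access_ports(parse_bridge_vlans(BEFORE_FIX))` flags all four LAN ports; the fixed config from this reply, with lan1-lan3 only in VLAN 1 and lan4 only in VLAN 10, yields an empty result.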
