Openwrt is unreachable after turning on STP

Hello,
I'm running OpenWrt 24.10.0 r28427-6df0e3d02a on a Turris Omnia. The network configuration runs fine without STP turned on. As soon as I turn it on, the switch is not reachable any more. I have to set up a serial connection to disable STP. After that it is reachable. In the current network setup STP on the router is not necessary, however it shall be part of a redundancy loop later. Has anyone an idea where the mistake is?
Here is the result of uci show network:

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdc8:451:c16::/48'
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan0' 'lan1' 'lan2' 'lan3' 'lan4'
network.@device[0].bridge_empty='1'
network.@device[0].stp='0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.3.2'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='br-wan.10'
network.wan.proto='dhcp'
network.wan.peerdns='1'
network.wan6=interface
network.wan6.device='br-wan.10'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.norelease='1'
network.@device[1]=device
network.@device[1].type='bridge'
network.@device[1].name='br-wan'
network.@device[1].bridge_empty='1'
network.@device[1].ports='eth2'
network.@bridge-vlan[0]=bridge-vlan
network.@bridge-vlan[0].device='br-wan'
network.@bridge-vlan[0].vlan='10'
network.@bridge-vlan[0].ports='eth2:t'
network.@bridge-vlan[1]=bridge-vlan
network.@bridge-vlan[1].device='br-lan'
network.@bridge-vlan[1].vlan='1'
network.@bridge-vlan[1].ports='lan0:t' 'lan2'
network.NMS=interface
network.NMS.proto='dhcp'
network.NMS.device='br-lan.1'

Thanks a lot in advance.

Perhaps enabling STP when you have no loop?

How is the switch connected to the Turris (you never told us)?

How/from where are you attempting to reach the switch - and how is the SRC testing device connected?

Have you set the priority on various devices so you get the topology you want?
See: WDS network - setting STP right - #5 by _bernd for some help.


No record of system unreachable.
stp takes some grace time to up a newport.


The new router (Omnia) is connected as follows:

The WAN port is connected to the DMZ. I tried to reach the switch from all ports. The serial connection is not shown.

I just left the default values. These were fine with me.

The strange thing is, it works with STP if I do not use VLANs. I gave the whole setup more than 120 s to configure.

You keep omitting details needed to understand:

  • Are you saying that you tried to reach DMZ_switch from a device connected to any port of the Turris - or from somewhere else?
  • If so, what test did you perform?
  • I'm trying to understand how STP is involved here - DMZ_switch only appears to be connected via the WAN port (assuming you haven't altered WAN or LAN)

From your drawing, I'm starting to guess you're testing from Computer_B (assuming you're referencing DMZ_switch).

  1. When STP is turned on I can't reach the "new router" Turris on any port. neither wan/DMZ nor lan.
  2. I've tried ping, SSH, HTTPS. I don't get any response. Via the serial-console I can see it looking for a DHCP server on "br-lan.1". On the lan ports it sends out constantly STP requests. It seems not to receive any STP message. As soon as I switch off the STP uci set network.@device[0].stp='0', uci commit, /etc/init.d/network restart, I can access the Turris from the wan and the lan side again.
  3. STP is involved on the br-lan. Yes the wan-port is connected to the DMZ-switch and receives an IP-address from the internet route via DHCP.

Thank you very much for your help.

Still need more clarity:

  • So you're saying (e.g. while connected to LAN) that you enable STP, and Save/Apply - then instantly lose connection to the Turris, correct?
  • What are you using to perform those tests?
  • In particular, how are you performing those tests on WAN?
  • I assume you altered the WAN firewall to perform this test, correct?
  • DMZ?

You see what looking for a DHCP server on br-lan.1?

(It seems you're implying your testing client loses connection and IP - hence you can't reach anything.)

You have 2 devices using the LAN bridge - one is a VLAN (BTW - no VLANs seem to be configured correctly), are you aware of this?

Also, what is eth2, and is there an eth0 and eth1?

  1. Yes, while I'm on Computer A or B I lose all connections to the Turris. However both computers are still connected to the internet via the old router (standard gateway).
  2. Ubuntu Linux on both computers.
  3. I use the wan IP of the Turris https://x.x.x.x with firefox, ping or ssh.
  4. Yes, as these protocols are working without STP.
  5. In the final set up there will be no DMZ any more. It's only for testing purpose. It makes me more comfortable to open ports on the wan side of the Turris.
  6. The Turris is broadcasting on the DHCP ports with its own MAC address.
  7. If "testing client" refers to the Turris yes. If testing client refers to one of the computers no. They receive the IP configuration from the old router via DHCP.

This was configured via LuCI, by enabling VLAN on the last register page. Then I added a device. The configuration works without STP. What should it look like from your point of view?

The eth ports are explained here.


It works without STP because while disabled, it doesn't care that the MAC addresses are located on "different" networks. Since they're both clearly br-lan, it shuts it off. This matters in your case because it's the same bridge.

I actually noted this in another thread recently:

I believe your problem would be fixed if your "flat" br-lan was also converted to a numbered VLAN br-lan.x - where x is an unused VLAN number.

It's not clear why you have switches that connect LAN to WAN of your Turris - but that's (hopefully) a discussion for a different thread.
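One way to apply that suggestion, written out as an added /etc/config/network fragment (not the poster's own config, not from the reply above). VLAN ID 2 is an assumed unused ID, the per-port VLAN membership is an assumption, and `vlan_filtering` is assumed to be what the LuCI "filter" box sets; addresses and the VLAN 1 membership are taken from the posted `uci show network` output:

```uci
# Added example: br-lan rebuilt so that every interface rides a numbered
# VLAN (br-lan.1, br-lan.2) instead of the flat bridge itself.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option bridge_empty '1'
	option vlan_filtering '1'   # assumed equivalent of the LuCI "filter" box
	option stp '1'              # STP now runs on a bridge with VLAN-only members

# VLAN 1 (NMS) exactly as posted: tagged on lan0, untagged on lan2
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0:t'
	list ports 'lan2'

# VLAN 2 (assumed unused ID) carries what used to be the flat LAN;
# which ports belong here is an assumption, adjust to your cabling
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.2'    # was 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'NMS'
	option device 'br-lan.1'
	option proto 'dhcp'
```

A port can be untagged (PVID) in only one VLAN, so lan2 appears only in VLAN 1 here; keep a serial console at hand before applying, since a wrong VLAN membership cuts off the same path the STP change did.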

Your topology is extremely unusual.

Before we even worry about STP, it might be worth understanding the desired behavior.

You have three routers:

  • the "internet router" is presumably the connection to the internet, which would mean its purpose is pretty obvious. But is it routing, or in bridge mode?
  • What is the purpose of the old router in your network?
  • What firmware is the "old router" using?
  • What is the purpose of the new router in your network?
  • What firmware is on the "new router"?
  • Are the 3 lan switches managed switches? Or are they basic unmanaged ones?
  • Are computer A and computer B supposed to be on the same network?
  1. The internet router is routing & firewalling, not bridging.
  2. As soon as the new router is up and running and working as intended, it will be connected to the internet and the internet router and the old router will be dismantled.
  3. The old router runs OpenWrt 23.05.5 r24106-10cc5fcd00
  4. The new router shall take over the role of the internet router. see 2.
  5. The new router runs OpenWrt 24.10.0 r28427-6df0e3d02a
  6. Yes they are managed switches and have STP enabled. As soon as the STP together with vlan 1 is running I intend to add further vlan for priv-lan, IOT, Guest, etc. on the new router. These are already configured in the old router and the switches.
  7. The computers are both on the priv-lan. Computer B has a second network card with a fixed IP in the nms lan connected to the new router.

Thank you very much for your support.

Thank you for being patient with me. I am not sure if I understood your input.
Luci presents the vlan configuration on the new router as follows:


Does this meet your expectations?
Then I compared it with the configuration of the old router and discovered that I had added eth0.

So I added eth0 also to br-lan on the new router and applied the configuration. This resulted in losing the links to the switches, and the new router was only accessible via the WAN interface.

After turning on STP on br-lan, the WAN interface also stopped responding. The automatic rollback did not initiate. After disabling STP again on br-lan via the console, the WAN interface responded again.

What you showed isn't where the configuration issue occurred. It occurs here:

  • You need to edit this config to show br-lan.x

Was the filter box checked?

I don't think it usually is. It usually isn't.

Edit: spelling and grammar

Since your topology will be changing significantly relative to what you have drawn in your existing diagram, it doesn’t make a lot of sense to base your configurations on the current setup. Instead, draw your desired topology so we can see where you want to go with the entire system. Please be sure to label the devices with their brand+model, addresses, and also functions (i.e router vs bridged ap).


The idea is to have a L2-ring with managed switches (Zyxel GS1900 with latest Zyxel firmware) and STP on. The access points (AP) are Ubiquiti UniFi AC Lite running OpenWrt 23.05.5 r24106-10cc5fcd00. The router shall be a Turris Omnia with OpenWrt 24.10.0 r28427-6df0e3d02a.
There shall be several VLANs:

  • green, nms, ID 100, 192.168.100.0/24
  • blue, lan, ID 110, 192.168.110.0/24
  • yellow, IOT, ID 120, 192.168.120.0/24
  • transparent, Guest, ID 130, 192.168.130.0/24

The vlans lan, IOT and Guest shall also be propagated via wlan.

lan shall have access to

  • internet for http, https, smtp, imap
  • nms for http, https, ssh
  • IOT for http, https, ssh

Guest shall have access to the internet for http, https, NTP
IOT and nms shall have no access outside the respective VLAN.

The router shall provide DHCP, DNS, NTP for all vlans

These are my ideas and they are actually already up and running with different IDs and IPs than given above, but the concept is the same. The old/existing router is a Fritz!Box 7530 running OpenWrt 23.05. For some reason I don't get the Turris router to take over.

Plans for the future:

  • All OpenWrt devices shall be upgraded to the same firmware release.
  • The router shall allow for incoming VPN connections to the different VLANs.
  • There shall be another VLAN/WLAN for an external VPN connection to a distant, separate (friendly) LAN.

Thank you very much for your help.