Question: why can't I reach devices connected with bridge?

Merry Christmas to all.

I have a setup where I have a few devices on separate VLANs which I want to be connected with a bridge on the router. At the moment, I don't get access to the devices on the other VLAN but I see those devices getting dhcp info, so connection at all works. Also all devices can be pinged from the router itself.

This is what I have:

root@fresh2102:~# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.24f5a22d7cc0	no		lan4

omv0 is in VLAN 41 on port 4, u-nas0 is in untagged connection on port lan4.

I have my notebook on port lan3 untagged and I can connect to u-nas0, but not to omv0.

Why is that?

VLANs can be "separated" or "bridged"... but not both at the same time.

thank you
I think I want them bridged (be able to access a device on another vlan connected to the same bridge).

So, where am I wrong with my configuration and how do I get it running?

I am still trying to get the setup I had on 19.07 working with 21.02. I believed that DSA just changes the handling of the internal switch by exposing the ports as interfaces. But I do not get it running.

In 19.07 I had all three setups working:

  1. One interface for iot devices, where the devices are connected via separate vlans. The devices should not talk to each other. So this is achieved by using kmod-br-netfilter, bridging the vlans on the interface and setting forward on the firewall zone to reject.

  2. One interface for mgmt and lan where I have two vlans that should be able to talk to each other. In 19.07 I achieved that (with kmod-br-netfilter installed) by bridging the two vlans on the interface and setting forward on the firewall zone to accept.

  3. One interface for dmz devices where the devices should not talk to each other except for defined ports by traffic rules. I achieved that (with kmod-br-netfilter installed) by bridging the vlans on the interface, setting forward on the firewall zone to reject and by defining traffic rules that open dedicated ports to the devices.

In all three setups the traffic between the different vlans was handled via the router. I understand that this is what br-netfilter is for.

But I haven't been able to bridge different vlans in 21.02 whatsoever. I tried a few setups (like the one above) and I always get the case that devices are not able to talk to devices on the other vlans, not even if I define traffic rules. And this is with br-netfilter not installed.

For me all three setups are valid and increase security, especially for the insecure and not updated iot devices and also for the devices in the dmz. Setting a single network for each device would be overkill and intransparent.

DSA does not support your configuration (either bridging VLAN interfaces or offload br-netfilter rules to hardware) on kernel 5.10.
To work around this, do not use VLAN interfaces, use bridge VLAN filtering instead.
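
A sketch of the bridge VLAN filtering layout the reply above points to, added here as an example and not posted by anyone in the thread. Port roles follow the first post; the interface name `vlan41` and all addresses are assumptions.

```uci
# /etc/config/network (OpenWrt 21.02, DSA) -- constructed example
# Port roles follow the first post: notebook on lan3 (untagged),
# u-nas0 on lan4 (untagged), omv0 on lan4 tagged with VLAN 41.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1: untagged and PVID ('u*') on both ports
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# VLAN 41: tagged (':t') on lan4 only
config bridge-vlan
	option device 'br-lan'
	option vlan '41'
	list ports 'lan4:t'

# One L3 interface per VLAN; addresses are placeholders
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# 'vlan41' is a hypothetical interface name
config interface 'vlan41'
	option device 'br-lan.41'
	option proto 'static'
	option ipaddr '192.168.41.1'
	option netmask '255.255.255.0'
```

With this layout VLAN 1 and VLAN 41 remain separate layer-2 segments on the bridge, so traffic between the notebook and omv0 is routed by the router and is subject to the firewall zone forwarding rules rather than being bridged.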

Thank you for the answer.

I believe that my configuration is valid and also a good practice (separating devices from each other on network level). Besides this, it must be possible somehow, otherwise I feel this is a big step downwards compared to 19.07.

As far as I understood, DSA is used for showing the switch ports as standalone interfaces (lan1 .. lan4). And that 21.02 still supports 'normal' bridges created as new devices.
If lan1 .. lan4 are separated interfaces, it should be possible to do one of the following:

a) create a vlan aware bridge with members lan1 .. lan4 as ports, add vlans to the bridge and assign them to ports lan1..lan4 on the bridge untagged or tagged.

This seems to be nearly what we had in 19.07, where I then created another bridge by assigning the vlans as eth0.xx, eth0.xy on the interface ui.

This worked.

b) create vlan interfaces on the lan1..lan4 interfaces and bridge them together.

In both setups the bridges are 'normal' bridges and br-netfilter should work. I can't believe that OpenWrt lost br-netfilter capabilities with 21.02 (and package br-netfilter is available for 21.02).

Also: it seems that in both options the bridging works ... all devices get the correct dhcp info for ipv4 and ipv6. But it seems to be impossible that the devices within a bridge connect to each other ... only devices on the same original vlan can speak to each other. It is like the vlan tag is not removed/set on the vlan interface or as if all bridges are still vlan aware.

So with bridge vlan filtering, the problem still exists. I tried it with this configuration:

I described my original setup in 19.07 here: "Client isolation with VLAN in 21.02 - How?".

So still: any help welcome.

Looking at this thread (and I found a few others with similar problems), "OpenWrt 21.02.0 rc3 VLAN in bridge problem - #28 by SteMax97", it seems as if my requirement is not possible with kernel 5 or 21.02 until we have at least kernel 5.15? Is this correct?

Will we have support for 19.07 until then?

I'm a little confused about the intent of your network configuration -- I'm wondering if you can elaborate a bit. It is absolutely true that separating devices using different networks/VLANs is a good practice. However, why would you want to then bridge them? Most of the time, VLANs are used to create separate networks, and then the firewall is configured to allow and/or restrict network traffic between the networks and the routing layer handles the actual routing of traffic between VLANs. It is unusual to place the VLANs together in a bridge. But maybe I'm not totally understanding your network architecture and intent.

The main intention and reason is to try to separate the devices on a network as much as possible. This is mainly for two setups:

First I have a number (three at the moment) of devices in a network named IoT. Those devices are insecure as the operating system, patch level, etc. is unknown. These devices should not have the ability to talk to any other devices and only need access to internet.
They are placed each in a single vlan, the vlans are connected in a bridge and with kmod-br-netfilter in 19.07 they are completely separated. But they also are served dhcp and ip network from the same interface (as in 19.07) and are in the same firewall zone.

Second I have four devices in a dmz. Those are also located in a network, each separated with a vlan. With kmod-br-netfilter and a few traffic rules they are separated from each other, except for the ports for the services that need to be opened. This is done on the OpenWrt router, not by firewalls on the devices themselves.
As those devices are exposed to internet (by their services) they are considered to be possible targets for attacks (remember log4j) and thus I want to have them also secured as much as possible.

Keeping them in dedicated zones / interface eases configuration. I don't want to create 7 network/interfaces for the devices, this seems to be overkill.

It would all be easier if the switch would have more ports or the second/slave switch would be DSA capable ... in that case I believe I could define each port on the second switch as an interface as the lan1..lan4 on the original device.

I also have a nas I use as host for virtual machines (two of the dmz devices plus a few more). I use openvswitch to connect the VMs. And ovs is not DSA capable as well. But I think I could solve this by changing ovs to something else.

So if I understand this properly, you are using this in conjunction with VLANs to then isolate each individual device.

I still think the bridge method is a bit unusual, but it does make a bit more sense in the context you describe.

My approach would be a bit different, though. I would actually use wifi client isolation to handle the isolation of wireless clients, and I would use a managed switch with port isolation to separate the wired devices. Or I would just create unique VLANs for each device if it was that critical to keep them isolated. But I would imagine that your approach worked well previously. I can't help you with resolving the issue on 21.02 as I don't currently use any DSA devices and I just do things with individual networks rather than the bridge firewall you describe.

Basically I created a kind of port isolation. But not on the second switch (XGS1210-12) but on the bridge on the OpenWrt 19.07 router.
I separated all wired devices by using a single vlan for each (as the XGS1210-12 does not support port isolation) and connected the vlans to a bridge on the router. Using br-netfilter I got the ports/vlans on the bridge all isolated and allowed traffic only by traffic rules via firewall. But all are served from the same interface.
Sad that this is not working anymore in 21.02. I now need to reorganize my network in more subnets if I want the devices isolated.
It seems as if there is work to make OpenWrt available for the XGS1210-12 ... that would be great and solve the problems as I then could go the whole way down with DSA.