VLAN hopping changing IP?

Hey everyone,

I just changed my router to Xiaomi AX3600 with OpenWrt 23.05.3.

Got everything working, but I'm having an issue with vlans.

My router has 4 ports: 1 WAN and 3 LAN, called wan, lan1, lan2 and lan3.

I configured all 3 LAN ports with one VLAN each. Let's say:

  • VLAN10 in port LAN1
  • VLAN20 in port LAN2
  • VLAN30 in port LAN3

Everything is okay, all VLANs working on each port. All 3 ports are untagged, and all 3 have a DHCP server, so, let's say for example:

  • VLAN10 in port LAN1 untagged 192.168.1.0/24
  • VLAN20 in port LAN2 untagged 192.168.2.0/24
  • VLAN30 in port LAN3 untagged 192.168.3.0/24

Everything works and is isolated, but I'm having one issue. If I'm plugged into any port, for example LAN2, and I get my IP with DHCP it's fine, but what if I manually change my IP to another VLAN's IP? Yes, I get into the other VLAN without being physically attached to that port. I think if I attach one WiFi to one of the VLANs I can do the VLAN hopping as well, but honestly I didn't test it.

How can I solve this? I have typical firewall rules to avoid inter-VLAN interactions, and they work, but changing the IP changes the VLAN, so no firewall is applied.

Can I filter this somehow? For example, on each port, filter IP addresses, and if the manually configured one isn't from that port's VLAN, not route it?

Is this how it is supposed to work without tagging? Any ideas or advice?

I think config is not needed, but if someone wants it I can share.

Vlan hopping should not be possible unless something is misconfigured.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I can't run ubus call system board right now, since I'm traveling for some days, but I can say it's on the latest version, 23.05.3 ipq807x/generic.

I have a backup of the running config, here it is:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdaf:7109:xxxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.21'
	option proto 'static'
	option ipaddr '192.168.128.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'adslppp@telefonicanetpa'
	option password 'adslppp'
	option disable '0'
	option ipv6 'auto'
	option mtu '1492'
	option mru '1492'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'lan1:u*'

config device
	option type 'bridge'
	option name 'br-lan2'
	list ports 'lan2'
	option bridge_empty '1'
	option mtu '1500'
	option txqueuelen '1000'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan2'
	option vlan '31'
	list ports 'lan2:u*'

config interface 'Camaras'
	option proto 'static'
	option device 'br-lan2.31'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-lan3'
	list ports 'lan3'
	option bridge_empty '1'
	option mtu '1500'
	option txqueuelen '1000'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan3'
	option vlan '41'
	list ports 'lan3:u*'

config interface 'Guest'
	option proto 'static'
	option device 'br-lan3.41'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config device
	option name 'wan'
	option ipv6 '0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt_IoT'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '2'
	option country 'ES'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'Guest'
	option mode 'ap'
	option ssid 'MOVISTAR_PLUS_xxxx'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxx'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/c000000.wifi+1'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '2'
	option country 'ES'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'Guest'
	option mode 'ap'
	option ssid 'MOVISTAR_xxxx'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxx'

config wifi-iface 'wifinet3'
	option device 'radio2'
	option mode 'ap'
	option ssid 'xxxxxxxLocal'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxx'
	option network 'lan'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Camaras'
	option interface 'Camaras'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'xxxpc'
	option ip '192.168.128.105'
	option leasetime 'infinite'
	list mac 'xx:xx:xx:xx:xx:xx'

config host
	option name 'Camaras-static'
	list mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.2.100'
	option leasetime 'infinite'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Camaras'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Camaras'

config zone
	option name 'Guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'

config forwarding
	option src 'Camaras'
	option dest 'wan'

config forwarding
	option src 'Guest'
	option dest 'wan'

config rule
	option name 'Guest DHCP and DNS'
	option src 'Guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Camaras DHCP and DNS'
	option src 'Camaras'
	option dest_port '53 67 68'
	option target 'ACCEPT'

I just want to have one VLAN on each LAN port, all 3 VLANs isolated, which is actually working, but the VLAN hopping is there. Thanks for your response; I learnt a lot by reading your posts on the forum.

Use one bridge.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '31'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '41'
	list ports 'lan3:u*'

Then edit your interfaces to use br-lan.x where x is the VLAN ID.

Delete all the other bridges and bridge-vlans that you created.

As an aside, it is often recommended (but not required) to use subnets that are related to your VLAN ID. This is simply for human readability and keeping track of things. So for example:

Since your guest network uses VLAN 41, use 192.168.41.1 as its address:

config interface 'Guest'
	option proto 'static'
	option device 'br-lan.41'
	option ipaddr '192.168.41.1'
	option netmask '255.255.255.0'

Thanks for your response.

I'll try the changes as soon as I arrive home. Can you please explain why, with separate bridges, it allows changing the IP to another VLAN? What's different when you only use one bridge?
I want to understand it, so next time I can be aware of it.

Thanks again!

DSA currently offers two "modes" of operation. DSA doesn't support multiple bridges... so:

  1. If bridges are not required (i.e. a network connects to exactly one ethernet port and no radios), you can pull that port out of the bridge and assign it directly to the network interface.

  2. You can use bridge-vlans with the ports in a single main bridge. This is necessary if you need a total of 2 or more [ ethernet + radio ] devices, but optionally can apply even if you're using just one ethernet port (as in condition 1).
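The "use one bridge" reply and the two DSA modes above both come down to one rule: physical switch ports should live in at most one bridge device (mode 2), or in none at all (mode 1). The following is an added example, not code from the thread or from OpenWrt itself: a small POSIX sh lint that reads an /etc/config/network text and reports every bridge device that owns physical switch ports, so the posted three-bridge layout is flagged before it is applied. It assumes that a port name without a '.' (lan1, lan2, wan) is a physical DSA port and that names like eth0.10 are VLAN sub-interfaces to ignore; the two sample configs are constructed from the sections posted above and trimmed. It checks only the bridge layout discussed here, not the firewall zones.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenWrt DSA /etc/config/network
# for the layout that caused the hopping above, i.e. more than one
# 'config device' of type 'bridge' carrying physical switch ports.
# Assumption: a port name without a '.' (lan1, lan2, wan) is a physical
# DSA port; names like 'eth0.10' are VLAN sub-interfaces and are ignored.

# Print "<bridge-name> <port-count>" for each bridge device that contains at
# least one physical switch port. Input is the config text, passed as $1.
list_port_bridges() {
    printf '%s\n' "$1" | awk -v q="'" '
        function flush() {
            if (is_bridge && nports > 0) printf "%s %d\n", name, nports
            is_bridge = 0; nports = 0; name = ""
        }
        # A new section starts: emit the previous one, remember if this is a device.
        /^config /           { flush(); in_dev = ($2 == "device"); next }
        !in_dev              { next }
        /^[ \t]*option type/ { gsub(q, "", $3); if ($3 == "bridge") is_bridge = 1 }
        /^[ \t]*option name/ { gsub(q, "", $3); name = $3 }
        /^[ \t]*list ports/  { gsub(q, "", $3); if (index($3, ".") == 0) nports++ }
        END                  { flush() }
    '
}

# Number of bridge devices that own physical switch ports.
count_port_bridges() {
    list_port_bridges "$1" | awk 'END { print NR + 0 }'
}

# Returns 0 if at most one bridge owns switch ports (single bridge plus
# bridge-vlans, or bare ports assigned directly to interfaces), 1 otherwise.
check_single_bridge() {
    n=$(count_port_bridges "$1")
    if [ "$n" -gt 1 ]; then
        echo "WARN: $n bridges carry switch ports; DSA expects one bridge plus bridge-vlans:" >&2
        list_port_bridges "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the posted three-bridge layout, trimmed to the relevant sections.
THREE_BRIDGES=$(cat <<'EOF'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'

config bridge-vlan
    option device 'br-lan'
    option vlan '21'
    list ports 'lan1:u*'

config device
    option type 'bridge'
    option name 'br-lan2'
    list ports 'lan2'

config device
    option type 'bridge'
    option name 'br-lan3'
    list ports 'lan3'

config device
    option name 'wan'
    option ipv6 '0'
EOF
)

# Constructed sample: the single-bridge layout suggested in the reply above.
ONE_BRIDGE=$(cat <<'EOF'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'

config bridge-vlan
    option device 'br-lan'
    option vlan '21'
    list ports 'lan1:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '31'
    list ports 'lan2:u*'

config device
    option name 'wan'
    option ipv6 '0'
EOF
)

echo "posted layout:"; check_single_bridge "$THREE_BRIDGES" || echo "  -> needs fixing"
echo "fixed layout:";  check_single_bridge "$ONE_BRIDGE" && echo "  -> ok"
```

On the router itself the same functions can be pointed at the live file with `check_single_bridge "$(cat /etc/config/network)"`; busybox awk is enough for the parser. After switching to the single bridge, the thread's own test still applies: set a static address from another VLAN's subnet on a port and confirm it no longer gets an answer.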

So I can have only one bridge device, understood.

I'll post when I try the changes. Thank you for your patience.


Working as expected. Thank you very much!
