VLAN issue with 23.05

andrep2208 · November 16, 2023, 8:28pm

Hi everyone,

I have got a weird issue since I installed 23.05 and it was working fine in 22.03. This is my current setup:

This is my main router and I tagged eth0 and eth1. These 2 ports connect to other 2 dumb APs which work fine. The problem is eth2 and eth3, even though I have untagged to the same VLANID, but they are not able to ping each other and also other devices that is on the same VLAN. Though other devices (connected through those 2 dumb APs can see these devices.

cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5c:9b09:e4de::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option device 'br-lan1.99'
	option ipaddr '192.168.25.1'
	option delegate '0'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-lan1'
	option ipv6 '0'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

config bridge-vlan
	option device 'br-lan1'
	option vlan '99'
	list ports 'eth0:t'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan1'
	option vlan '5'
	list ports 'eth0:t'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan1'
	option vlan '4'
	list ports 'eth0:t'
	list ports 'eth1:t'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan1.4'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option auto '0'

config interface 'IOT'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option device 'br-lan1.6'
	option auto '0'

config interface 'PARENTAL_ZONE'
	option proto 'static'
	option device 'br-lan1.5'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan.10'
	option hostname '*'
	option peerdns '0'
	list dns '1.1.1.1'

config device
	option type 'bridge'
	option name 'wan'
	list ports 'eth4'
	option ipv6 '0'

config bridge-vlan
	option device 'wan'
	option vlan '10'
	list ports 'eth4:t'

config bridge-vlan
	option device 'br-lan1'
	option vlan '6'
	list ports 'eth0:t'
	list ports 'eth1:t'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config route
	option target '172.20.0.0/16'
	option gateway '192.168.31.8'
	option interface 'IOT'
	option disabled '1'

config bridge-vlan
	option device 'br-lan1'
	option vlan '3'
	list ports 'eth0:t'
	list ports 'eth1:t'
	list ports 'eth2:u*'
	list ports 'eth3:u*'

config interface 'iot'
	option proto 'static'
	option device 'br-lan1.3'
	option ipaddr '192.168.31.1'
	option netmask '255.255.255.0'

and

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option drop_invalid '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'
	list network 'wan'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Block PS4 connection'
	list src_ip '192.168.31.10'
	option dest 'wan'
	option target 'REJECT'
	option src 'iot'
	list proto 'all'

config rule
	option name 'Block IoT devices'
	list proto 'all'
	option src 'lan'
	list src_ip '192.168.31.105'
	list src_ip '192.168.31.147'
	option dest 'wan'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'GuestZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'GUEST'

config zone
	option name 'IOTZone'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'IOT'

config forwarding
	option src 'lan'
	option dest 'IOTZone'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config rule
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option src 'GuestZone'
	option name 'Guest DHCP and DNS'

config forwarding
	option src 'IOTZone'
	option dest 'wan'

config rule
	option name 'IOT DHCP and DNS'
	option src 'iot'
	option target 'ACCEPT'
	option dest_port '53 67 68'

config zone
	option name 'ParZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Parental_Zone'
	list network 'PARENTAL_ZONE'

config forwarding
	option src 'ParZone'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'ParZone'

config rule
	option name 'Parental Zone'
	option src 'ParZone'
	option target 'ACCEPT'
	option dest_port '53 67 68'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '59588'

config zone
	option output 'ACCEPT'
	option name 'Wireguard'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn'

config rule
	option src 'Wireguard'
	option target 'ACCEPT'
	option dest_port '53'
	option name 'Wireguard DNS'

config forwarding
	option src 'lan'
	option dest 'Wireguard'

config redirect 'adguardhome_dns_53_lan'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
	option dest_port '53'
	option name 'Adguard Home Guest'
	option src 'GuestZone'
	option dest 'GuestZone'
	option dest_ip '192.168.8.1'

config redirect 'adguardhome_dns_53_iot'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
	option dest_port '53'
	option name 'Adguard Home IOT'
	option src 'iot'
	option dest 'IOTZone'
	option dest_ip '192.168.31.1'

config redirect 'adguardhome_dns_53_guest'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
	option dest_port '53'
	option name 'Adguard Home LAN'
	option src 'lan'
	option dest 'lan'
	option dest_ip '192.168.25.1'

config redirect
	option dest 'Wireguard'
	option target 'DNAT'
	option src 'Wireguard'
	option dest_ip '192.168.9.1'
	option name 'Adguard Home VPN'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '53'
	option dest_port '53'

config zone
	option name 'Cloudflare'
	option input 'REJECT'
	option masq '1'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'Cloudflare'

config forwarding
	option src 'Wireguard'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Cloudflare'

config forwarding
	option src 'GuestZone'
	option dest 'Cloudflare'

config forwarding
	option src 'IOTZone'
	option dest 'Cloudflare'

config forwarding
	option src 'ParZone'
	option dest 'Cloudflare'

config forwarding
	option src 'Wireguard'
	option dest 'Cloudflare'

config redirect
	option dest 'ParZone'
	option target 'DNAT'
	option name 'Adguard Home Parental'
	option src 'ParZone'
	option dest_ip '192.168.20.1'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '53'
	option dest_port '53'

config forwarding
	option src 'Wireguard'
	option dest 'GuestZone'

config forwarding
	option src 'Wireguard'
	option dest 'IOTZone'

config forwarding
	option src 'Wireguard'
	option dest 'ParZone'

config forwarding
	option src 'Wireguard'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'GuestZone'

config forwarding
	option src 'Wireguard'
	option dest 'docker'

config forwarding
	option src 'lan'
	option dest 'docker'

config forwarding
	option src 'docker'
	option dest 'wan'

config forwarding
	option src 'docker'
	option dest 'IOTZone'

config forwarding
	option src 'docker'
	option dest 'Cloudflare'

config forwarding
	option src 'IOTZone'
	option dest 'docker'

config rule
	option name 'Allow-IOT-mDNS'
	option family 'ipv4'
	option src 'iot'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-IOT-mDNS6'
	option family 'ipv6'
	option src 'iot'
	option src_port '5353'
	list dest_ip 'ff02::fb'
	option dest_port '5353'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'For Google Cast'
	option src 'iot'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list dest_ip '192.168.25.106'
	list src_ip '192.168.31.8'
	option enabled '0'

config rule
	option src 'iot'
	list src_ip '192.168.31.8'
	option target 'ACCEPT'
	option dest_port '443'
	option name 'Allow Wifi Proxy '
	option dest 'lan'
	list dest_ip '192.168.25.6'
	list dest_ip '192.168.25.3'
	list dest_ip '192.168.25.1'
	option enabled '0'

config nat
	option name 'HA To IOT'
	option family 'ipv4'
	option target 'SNAT'
	option device 'br-lan1.6'
	list proto 'all'
	option src '*'
	option enabled '0'

config zone 'docker'
	option output 'ACCEPT'
	option name 'docker'
	list network 'docker'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow Docker Host'
	option src 'iot'
	list src_ip '192.168.31.8'
	option dest 'lan'
	option target 'ACCEPT'
	option enabled '0'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'iot'
	option dest 'docker'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'docker'
	option dest 'iot'

TIA

Pico · November 16, 2023, 9:01pm

I see a br-lan and a br-lan1 device in your config. also that eth0 is in both bridge configs.

So far, my DSA-device experience with bridge configs + VLAN was, to avoid multiple devices configs of type "bridge" referencing ports of the same physical switch. As whenever I had tried that, I got weird effects, as if VLAN is partly broken with random outcome, the result was somehow non-deterministic and not properly working.
But one I had just a single "bridge", even with plenty of VLANs, everything was smooth.

I do not know, if my DSA experience is generalizable on other config or other device, or if it fixes anything on your end. But my suggestion would be, to first try with only a single device config of type "bridge", if that improves anything. Looks like you might simply be able, to remove the br-lan device config, as it looks unreferenced?

andrep2208 · November 16, 2023, 9:09pm

Thanks for the suggestion. Yes, I dont use br-lan at all. However, after "unconfigure" and reboot, it still doesnt work

andrep2208 · November 16, 2023, 9:14pm

Update: If I change Forward to Accept, it will work. However, is this safe to leave this as accept ?

psherman · November 16, 2023, 9:33pm

What is the device in use here?

ubus call system board

andrep2208 · November 16, 2023, 9:54pm

root@Router:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "Router",
        "system": "Intel(R) Core(TM) i5-8400T CPU @ 1.70GHz",
        "model": "LENOVO 10T8S53400",
        "board_name": "lenovo-10t8s53400",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

Here is the result

psherman · November 16, 2023, 9:55pm

You don't need to use bridge VLAN syntax for your VLANs -- since your ports are individually routed, you can use standard dotted notation and bridges of those, if you want.

bridge-VLAN is valid, though... just depends on how you prefer it.

andrep2208 · November 16, 2023, 10:06pm

could you please give me some example ? does it mean I have to individually route eth2 and eth3 so it can connect to vlan 3?

psherman · November 16, 2023, 10:17pm

As an example, you have VLAN3 tagged on eth0, eth1, and untagged on eth2 and eth3. You could create a bridge like this:

config device
	option type 'bridge'
	option name 'br-vlan3'
	list ports 'eth0.3'
	list ports 'eth1.3'
	list ports 'eth2'
	list ports 'eth3'

And then for VLAN 5, you could do a similar thing except that you only need it tagged on two ports:

config device
	option type 'bridge'
	option name 'br-vlan5'
	list ports 'eth0.5'
	list ports 'eth1.5'

andrep2208 · November 17, 2023, 12:27am

Thanks for the example. Would I need to do the same thing to my APs. There is only 1 cable from my router to each AP

Though I am still not able to resolve the main issue without allowing "Forward" to accept

psherman · November 17, 2023, 3:01am

This shouldn't be the case... I wonder if there is a red herring here. First, since the iot network is assigned to a zone, the zone specific rules apply, not the general rules (those rules apply to any network that is not assigned to a firewall zone). Second, if the two devices are indeed in the same network (i.e. the iot network on subnet 192.168.31.0/24), they should not be subject to any firewall rules. The firewall is only invovled for L3 (routed) connections. The two devices on the same network should be exchanging traffic at L2 (switching).

The APs need to match the 802.1q status of the upstream port, but the specific method of configuring the VLANs on your APs will depend on if your APs have a switch (or not) and if there is a switch, if it is swconfig or DSA. I'd be happy to take a look.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless

mk24 · November 17, 2023, 2:00pm

You need to delete br-lan as you are now using LAN1 as the overall bridge. In DSA an Ethernet port can only be in one bridge though it can be used in multiple bridge-vlans within that bridge.

I usually name the overall bridge which covers all DSA switched Ethernet ports something like br-eth to avoid any confusion with the port names. Using only lowercase for network and bridge names is highly recommended.

andrep2208 · November 17, 2023, 10:28pm

thanks for the suggesting, I have removed the br-lan bridge but it doesnt work. I have reverted back to 22.03 and everything is working again.

psherman · November 17, 2023, 10:43pm

I'm actually finding myself a bit confused here...
In the OP, you talked about your main router (which as eth0-3) and the problem that devices on eth2 and eth3 (both untagged+PVID for VLAN 3) were unable to see each other.

In the subsequent posts, we adjusted the main router and then an AP.

Can you specifically explain what is and is not working at this point since we've probably moved on quite a bit since the start of this thread.