VLAN issues on WRT1900AC v1 with 23.05

Although the issue with the MV88E6176 switch is reported to be fixed in version 23.05, I still have issues.
I have a WRT1900AC v1 router, which is the main router, and other routers with OpenWRT are connected to it, which operate as managed switches.
I have several VLANs, and I have no problems with version 21.02. However, when upgrading to version 23.05.3, keeping the same settings, I have the same issues reported in version 22.03.
When connecting directly to the WRT1900AC, a device receives an IPv6 address as expected. However, in the next router advertisement, this device receives IPv6 addresses from other VLANs.

/etc/config/network

# /etc/config/network as posted; the author later says it was copied from a backup file and edited by hand.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# One bridge spans the four LAN ports and the 'wan' port. Keeping upstream and internal
# traffic apart therefore depends entirely on the bridge-vlan membership being enforced
# by the switch -- the behaviour this thread reports as broken on 23.05.
# No 'option vlan_filtering' is set here; the author later reports that adding it changed nothing.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# Every port is given the same MAC override. The address is shown unmasked in this post;
# the later dump in the thread replaces it with a placeholder.
config device
	option name 'lan1'
	option macaddr '94:10:3e:8f:4b:46'

config device
	option name 'lan2'
	option macaddr '94:10:3e:8f:4b:46'

config device
	option name 'lan3'
	option macaddr '94:10:3e:8f:4b:46'

config device
	option name 'lan4'
	option macaddr '94:10:3e:8f:4b:46'

# 2001:DB8::/32 and 203.0.113.0/24 are documentation ranges, so the addresses in this dump
# are stand-ins. '[Edited]' marks values the author removed before posting; those lines are
# not valid UCI as shown.
# VLAN 1 router interface (static IPv4 and IPv6 on br-lan.1).
config interface 'vlan1'
	option proto 'static'
	option device 'br-lan.1'
	list dns '2001:DB8::3'
	list dns [Edited]
	list dns [Edited]
	list dns '10.10.0.3'
	list dns [Edited]
	list dns [Edited]
	list ipaddr '10.10.0.1/23'
	list ip6addr '2001:DB8::1/64'

config device
	option name 'wan'
	option macaddr '94:10:3e:8f:4b:46'

# The upstream link is VLAN 99 on the same bridge as the internal VLANs (br-lan.99),
# not a separate device, so a VLAN leak on this bridge also involves the WAN side.
config interface 'wan'
	option proto 'static'
	list ipaddr '203.0.113.250/24'
	option gateway '203.0.113.1'
	list dns [Edited]
	list dns [Edited]
	list dns [Edited]
	list dns [Edited]
	option device 'br-lan.99'

# IPv6 arrives over a 6in4 tunnel; the tunnel endpoints were redacted by the author.
config interface 'wan6'
	option proto '6in4'
	option peeraddr [Edited]
	option ip6addr [Edited]
	list ip6prefix '2001:DB8::/48'

# VLAN membership per bridge port. ':t' marks a tagged member; a port listed without a
# suffix is an untagged member (a reply in this thread suggests spelling that out as ':u*').
# NOTE(review): 'lan1' and 'wan' are tagged members of every internal VLAN (1-5), so both
# act as trunks; confirm that whatever is attached to 'wan' is meant to see VLANs 1-5.
# VLAN 99 (the upstream) exists only on 'wan'.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan3'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:t'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan4'
	list ports 'wan:t'

# Router interfaces: one static address pair per VLAN on the matching br-lan.<vid> device.
config interface 'vlan2'
	option proto 'static'
	option device 'br-lan.2'
	list ipaddr '10.10.2.1/25'
	list ip6addr '2001:DB8:1::1/64'

config interface 'vlan3'
	option proto 'static'
	option device 'br-lan.3'
	list ipaddr '10.10.2.129/25'
	list ip6addr '2001:DB8:2::1/64'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan1:t'
	list ports 'wan:t'

config interface 'vlan4'
	option device 'br-lan.4'
	option proto 'static'
	list ipaddr '10.10.3.1/27'
	list ip6addr '2001:DB8:3::1/64'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan1:t'
	list ports 'lan2'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'wan:t'

# vlan5 is IPv4-only: no ip6addr is configured for it.
config interface 'vlan5'
	option proto 'static'
	option device 'br-lan.5'
	list ipaddr '10.10.3.65/27'


/etc/config/dhcp

# Global dnsmasq settings.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option domain 'contoso.com'
	# DNS rebinding protection is switched off. With it on, dnsmasq discards upstream
	# answers that point into private address ranges. If it was disabled only so that
	# specific internal names resolve, 'list rebind_domain' can exempt those names while
	# protection stays enabled.
	option rebind_protection '0'

# Per-interface DHCP/RA settings.
# NOTE(review): every section sets 'option ignore 1'. The author later reports that an
# interface which has to relay DHCP requests must not be ignored.
# vlan1: RAs are sent with the managed-config flag and SLAAC disabled, i.e. clients are
# pointed at stateful DHCPv6 rather than autoconfiguration.
config dhcp 'vlan1'
	option interface 'vlan1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option ignore '1'
	option ra_slaac '0'
	list ra_flags 'managed-config'
	option dns_service '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# vlan2 and vlan3 run the RA server without 'ra_slaac 0', so SLAAC presumably stays at its
# default (enabled). These are the kind of prefixes the author reports appearing on clients
# in other VLANs once RAs leak across the bridge.
config dhcp 'vlan2'
	option interface 'vlan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option ra 'server'
	list domain 'contoso.com'
	list dns '2001:DB8::3'
	list dns [Edited]
	list dns [Edited]

config dhcp 'vlan3'
	option interface 'vlan3'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option ra 'server'
	list domain 'contoso.com'
	list dns '2001:DB8::3'
	list dns [Edited]
	list dns [Edited]

# vlan4 mirrors vlan1: managed-config flag set, SLAAC off. No dhcp section exists for vlan5.
config dhcp 'vlan4'
	option interface 'vlan4'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option ra 'server'
	option ra_slaac '0'
	list ra_flags 'managed-config'


/etc/dnsmasq.conf
# dhcp-relay=<local address>,<server address>: requests received on the interface that
# holds the local address are forwarded to the server.
# The local addresses are the router addresses of vlan2, vlan3, vlan4 and vlan5; the
# server (10.10.0.2 / 2001:DB8::2) sits in vlan1's subnets. Only vlan4 has an IPv6 relay.
# NOTE(review): the relay deliberately crosses VLAN boundaries; confirm that firewall rules
# permit just this DHCP traffic toward the server rather than general inter-VLAN access.
dhcp-relay=10.10.2.1,10.10.0.2
dhcp-relay=10.10.2.129,10.10.0.2
dhcp-relay=10.10.3.1,10.10.0.2
dhcp-relay=10.10.3.65,10.10.0.2
dhcp-relay=2001:DB8:3::1,2001:DB8::2

You should clean things up a bit, presumably OpenWrt tosses unsupported / unknown options in the bit bucket, but who knows...

This is what you are chasing?

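| Interface | VID | br-lan (Bridge) | wan (WAN) | lan1 (Port3) | lan2 (Port2) | lan3 (Port1) | lan4 (Port0) |
|---|---|---|---|---|---|---|---|
| vlan1 | 1 | 10.10.0.1/23 2001:DB8::1/64 | t | t | | u | |
| vlan2 | 2 | 10.10.2.1/25 2001:DB8:1::1/64 | t | t | | | |
| vlan3 | 3 | 10.10.2.129/25 2001:DB8:2::1/64 | t | t | | | u |
| vlan4 | 4 | 10.10.3.1/27 2001:DB8:3::1/64 | t | t | | | |
| vlan5 | 5 | 10.10.3.65/27 | t | t | u | | |
| wan | 99 | Static?? | t | | | | |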
/etc/config/network example
# Example /etc/config/network posted by a second user for comparison.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd5e:60a8:d46e::/48'

# Per-port MAC overrides. The addresses are partially masked by the poster ('xx:...'), so
# they are not valid as shown. The commented-out names look like labels for what is attached
# to each port -- presumably; not confirmed by the post.
config device
#	option name 'free'
	option name 'lan1'
	option macaddr 'xx:9e:b1'

config device
#	option name 'DLINK'
	option name 'lan2'
	option macaddr 'xx:9e:b1'

config device
#	option name 'TPLINK'
	option name 'lan3'
	option macaddr 'xx:9e:b1'

config device
#	option name 'denNG'
	option name 'lan4'
	option macaddr 'xx9e:b1'

# The bridge holds only the four LAN ports -- 'wan' is not a member, unlike the br-lan in
# the original poster's config -- and sets 'vlan_filtering' explicitly. STP, IGMP snooping
# and a multicast querier are also enabled.
config device
	option name 'switch0'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option vlan_filtering '1'
	option stp '1'
#	option priority '24576'
	option priority '28672'
	option forward_delay '4'
	option max_age '8'
	option igmp_snooping '1'
	option multicast_querier '1'
#	option igmpversion '3'
#	option mldversion '2'

# VLAN membership on switch0. ':t' = tagged member, ':u*' = untagged member that is also the
# port's PVID. Interfaces refer to a VLAN through its alias (switch0.<alias>).
config bridge-vlan
	option device 'switch0'
	option vlan '40'
	list ports 'lan3:t'
	option alias 'guest'

config interface 'guest'
	option device 'switch0.guest'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

# VLAN 30 has its alias commented out and no interface in this excerpt.
config bridge-vlan
	option device 'switch0'
	option vlan '30'
	list ports 'lan2:t'
#	option alias 'vcam'

config bridge-vlan
	option device 'switch0'
	option vlan '20'
	list ports 'lan2:t'
	option alias 'voip'

# NOTE(review): proto 'none' is combined with ipaddr/netmask; presumably the address is not
# applied while the protocol is 'none' -- confirm the intent.
config interface 'voip'
	option device 'switch0.voip'
	option proto 'none'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

# VLAN 10 ('lan'): untagged + PVID on lan1 and lan4, tagged on lan2 and lan3.
config bridge-vlan
	option device 'switch0'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:u*'
	option alias 'lan'

config interface 'lan'
	option device 'switch0.lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
#	option ip6assign '56'

# VLAN 1 ('vmgmt') is the untagged/PVID VLAN on lan2 and lan3, the two ports that also carry
# tagged VLANs. No 'config interface' for it appears in this excerpt.
config bridge-vlan
	option device 'switch0'
	option vlan '1'
#	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
#	list ports 'lan4:u*'
	option alias 'vmgmt'

# WAN is a standalone device here, outside the VLAN-filtering bridge.
config device
	option name 'wan'
	option macaddr 'xx:9e:b0'

# peerdns '0' on both WAN interfaces: DNS servers offered by the upstream are not used.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
#	option reqprefix 'auto'
	option reqprefix '56'
	option peerdns '0'

Yes, that's exactly it.

The configuration I posted works perfectly up to version 21.02.
Looking at your example, it seems that the only relevant difference is the vlan_filtering option, that's not added when enabled through LuCI. As soon as possible, I will check if adding this line solves the problem.

EDIT: The vlan_filtering option did not change the behavior.
I tried resetting all of the router's settings, disconnected all other devices, and configured it with just two VLANs, isolated between it and my notebook. The notebook still receives IPv6 addresses (now ULA) through SLAAC from both VLANs.

Hi

I had a leaking vlan with 23.05.rc3
See post below:

I ran a snapshot with kernel 6.1.89 for six weeks, and have now been on 6.6.34 for half a day.

I don't think 23.05.x was completely fixed. But the fix was done in kernel 6.1.

Try a snapshot build, it should solve your vlan leaks.

I tried the latest snapshot, however, I didn't have much luck. The router reboots every few minutes, and the DHCP relay doesn't work.

Master snapshot is running fine on a mamba here:

OpenWrt SNAPSHOT, r26809-7c9644a7b5
 -----------------------------------------------------
root@OpenWrt:~# uname -a
Linux OpenWrt 6.6.36 #0 SMP Thu Jun 27 15:59:31 2024 armv7l GNU/Linux

Was the config dump you posted generated through the GUI, or did you edit the config by hand? If it came from the GUI, I would assume it to be canonical and the wiki dated, but I cannot reconcile what you posted against the wiki.

The posted configuration was copied from the backup file and manually edited.
Although it was announced that version 22.03.2 is problematic for mvebu, I decided to test it and it has been working fine for a few days, with no data leakage between VLANs.
As for DHCP relay, contrary to what one might imagine, you should not ignore the interface that will relay the requests.

Even with the latest snapshot (OpenWrt SNAPSHOT r26865 (Linux 6.6.36)), I still have problems with random reboots. But, as I installed a custom image, I believe it could be a problem with a package.

  • any particular package you suspect, and why
  • your image, or a community build
  • did you use factory (not sysupgrade) on your move to 23.x or master, kernel space reservation changed
  • if it aids you in your firefight, I put up 6.6.37 wrtpac images on my drop today; links off avatar or github

It's just an assumption. I don't suspect any packages, and I would have to remove them one by one to find out. It's something I should try when I have some time to spare.

Custom image created through Image Builder and Firmware Selector.

I used sysupgrade.

Cool!

It looks like I was able to resolve the VLAN leak issue by creating a new bridge for each software VLAN. Using version 23.05.3.

No changes with 23.05.4...

Normal IPv6 assignment:

Some minutes later:

Is the config the same as you provided in the first post?

What is the specific issue? You've mentioned VLAN leaks, and it seems that it is taking a while to get an IPv4 address... can you provide more context into each of these things and/or the description of the current problems?

Yes, essentially it is the same configuration posted at the beginning.

If you look at the image, there is no problem with obtaining IPv4 addresses. And initially everything looks fine also with the IPv6 address, obtained through external DHCPv6, as expected for this VLAN. However, after a few minutes, when the router sends new Router Advertisements, the client obtains IPv6 addresses from the other VLANs configured for SLAAC addresses, which indicates that the RAs are broadcast to all VLANs.
For some reason that I cannot understand, the client does not obtain IPv6 addresses from the other VLANs configured for stateful DHCPv6, only from those configured for stateless addresses.
As said initially, the same configuration works fine until version 22.03.2.

  • the 22.03.x mvebu target release had a horribly borked switch setup, build was disabled until upstream kernel fixed the issue; so working correctly would be questionable
  • ipv6 on target work fine here with an ISP provided IP6
  • maybe post a dump of /etc/config/network

I'm aware of the issue with version 22.03. However, what I have noticed is the opposite: the supposedly problematic version is working fine, and the version that would have the problem fixed is horrible.

How do I do this?

Post link output by:

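# Mask MAC-address-shaped strings in the network config, upload the result to termbin and
# print the resulting link.
# The pattern matches any run of 17 hex digits/colons; the 'g' flag masks every such run on
# a line instead of only the first.
# Nothing else is masked: public IP addresses, tunnel endpoints, PPPoE credentials and
# WireGuard keys stored in /etc/config/network are sent as-is, over plain TCP, to a paste
# that anyone holding the link can read. Run the sed part on its own and review the output
# before piping it to nc.
sed -E -e 's/[0-9a-fA-F:]{17}/11:22:33:44:55:66/g' /etc/config/network | nc termbin.com 9999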

Edit: probably why you interpreted things working is the way the issue manifested:

Several users have reported, that devices using mv88e6176 switch are
seriously broken, basically turning that switch into a hub. Until fixed
those devices should be disabled.

# Second dump of /etc/config/network from the original poster. The MAC addresses carry the
# placeholder value used by the sed filter suggested earlier in the thread.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# As in the first dump, 'wan' is a member of the same bridge as the LAN ports and no
# 'option vlan_filtering' is present, so WAN/LAN separation rests on the bridge-vlan
# membership being enforced.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config device
	option name 'lan1'
	option macaddr '11:22:33:44:55:66'

config device
	option name 'lan2'
	option macaddr '11:22:33:44:55:66'

config device
	option name 'lan3'
	option macaddr '11:22:33:44:55:66'

config device
	option name 'lan4'
	option macaddr '11:22:33:44:55:66'

config device
	option name 'wan'
	option macaddr '11:22:33:44:55:66'

# VLAN membership. ':t' = tagged; ports without a suffix are untagged members (lan2 and lan4
# in VLAN 10, lan3 in VLAN 50). 'lan1' and 'wan' are tagged members of every internal VLAN,
# and VLAN 99 (the upstream) exists only on 'wan'.
# NOTE(review): confirm that the device attached to 'wan' is meant to receive the internal
# VLANs tagged.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2'
	list ports 'lan4'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan1:t'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan1:t'
	list ports 'lan3'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'wan:t'

# Router interfaces, one per VLAN, each with a static address on br-lan.<vid>.
# The addresses appear to have been altered by the author before posting.
config interface 'vlan1'
	option proto 'static'
	option device 'br-lan.1'
	list dns '2001:aaa:bbbb::3'
	list dns '10.10.0.3'
	list ip6addr '2001:aaa:bbbb::1/64'
	list ipaddr '10.10.0.1/27'

config interface 'vlan10'
	option device 'br-lan.10'
	option proto 'static'
	list ip6addr '2001:aaa:bbbb:10::1/64'
	list ipaddr '10.10.1.1/25'

config interface 'vlan20'
	option proto 'static'
	option device 'br-lan.20'
	list ipaddr '10.10.2.1/25'
	list ip6addr '2001:aaa:bbbb:20::1/64'

config interface 'vlan30'
	option proto 'static'
	option device 'br-lan.30'
	list ipaddr '10.10.2.129/25'
	list ip6addr '2001:aaa:bbbb:30::1/64'

config interface 'vlan40'
	option device 'br-lan.40'
	option proto 'static'
	list ipaddr '10.10.3.1/27'
	list ip6addr '2001:aaa:bbbb:40::1/64'

# vlan50 is IPv4-only.
config interface 'vlan50'
	option proto 'static'
	option device 'br-lan.50'
	list ipaddr '10.10.3.65/27'

# The upstream link is VLAN 99 on the shared bridge.
config interface 'wan'
	option proto 'static'
	list ipaddr '189.0.0.250/24'
	option gateway '189.0.0.1'
	option device 'br-lan.99'

# 6in4 tunnel for IPv6.
# NOTE(review): '2001:aaa:bbbb/48' is not valid prefix notation (the '::' is missing);
# presumably an artifact of hand-editing the dump -- confirm against the live config.
config interface 'wan6'
	option proto '6in4'
	option peeraddr '184.0.0.10'
	option ip6addr '2001:a:b::2/64'
	list ip6prefix '2001:aaa:bbbb/48'
	option mtu '1480'

I understand that in version 22.03 the switch behaves like a hub, and that this was corrected in version 23.05. However, what I observe is the opposite: in version 23.05, Router Advertisements are broadcast to all ports, regardless of which VLAN each port is associated with, so hosts obtain IPv6 addresses from other VLANs. This behavior does NOT happen in 22.03, where hosts only get the expected IPv6 addresses.

You might try explicitly setting the untagged port as such:

so lan3 is untagged -- set it explicitly as untagged + PVID:

	# 'u' = untagged member; '*' = PVID, the VLAN assigned to untagged frames arriving on the port
	list ports 'lan3:u*'

Do the same with the respective ports on other VLANs (VLAN 10 has ports 2 and 4 untagged).