VLAN management on AX3000T

Trying to make an AP-only setup (no NAT, no firewall functions) on an AX3000T device.
Only one port with direct connectivity to the firewall box, two APs (2.4G iot, 5.8G guest), all tagged; untagged traffic is dropped on the FW box.
Wireless networks are done the simple way (VLAN interfaces, bridge): the APs work, I see tagged traffic coming in and NAT it outside.
Management is a different story. No matter how I configure it (plain VLAN interface, bridged VLAN...) it does not work. If I remove tagging and allow management to go out untagged, then all is fine, but tagged (incoming) traffic gets dropped; just going out does not work.
Using serial for configuration, no LuCI.
So, now:

config device
        option type '8021q'
        option ifname 'lan2'
        option vid '6'
        option name 'mgmt'

config device
        option type 'bridge'
        option name 'br-mgmt'
        list ports 'mgmt'

config interface 'mgmt'
        option device 'br-mgmt'
        option proto 'static'
        option ipaddr '10.10.7.2'
        option netmask '255.255.255.0'
        option gateway '10.10.7.1'
        option ipv6 '0'
        list dns '8.8.8.8'


config device
        option type '8021q'
        option ifname 'lan2'
        option vid '12'
        option name 'lan2.12'

config device
        option type 'bridge'
        option name 'iot'
        list ports 'lan2.12'
        list ports 'phy0-ap0'

The 'mgmt' interface is tagged:

root@Wifi:/etc/config# ip -d link show dev mgmt
19: mgmt@lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-mgmt state UP mode DEFAULT group default qlen 1000
    link/ether 44:f7:70:23:54:f4 brd ff:ff:ff:ff:ff:ff promiscuity 1 allmulti 1 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 6 <REORDER_HDR>
    bridge_slave state forwarding priority 32 cost 5 hairpin off guard off root_block off fastleave off learning on flood on port_id 0x8001 port_no 0x1 designated_port 32769 designated_cost 0 designated_bridge 7fff.44:F7:70:23:54:F4 designated_root 7fff.44:F7:70:23:54:F4 hold_timer    0.00 message_age_timer    0.00 forward_delay_timer    0.00 topology_change_ack 0 config_pending 0 proxy_arp off proxy_arp_wifi off mcast_router 1 mcast_fast_leave off mcast_flood on bcast_flood on mcast_to_unicast off neigh_suppress off neigh_vlan_suppress off group_fwd_mask 0 group_fwd_mask_str 0x0 vlan_tunnel off isolated off locked off mab off numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 tso_max_size 65536 tso_max_segs 65535 gro_max_size 65536 gso_ipv4_max_size 65536 gro_ipv4_max_size 65536

(like I said, I tried to configure the IP directly on the VLAN interface; the same issue)
So now I have an interesting combo:
I can "go out" and everything is working:

root@KS-Wifi:/etc/config# curl --head www.google.com
HTTP/1.1 200 OK
<...>

I can reach the firewall host, too:

root@Wifi:/etc/config# ping 10.10.7.1
PING 10.10.7.1 (10.10.7.1): 56 data bytes
64 bytes from 10.10.7.1: seq=0 ttl=64 time=1.159 ms
<...>

But from the firewall I can't get back:

root@Wifi:/etc/config# tcpdump -ni br-mgmt
[ 4099.396060] br-mgmt: entered promiscuous mode
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-mgmt, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:18:55.893212 IP 10.10.7.1 > 10.10.7.2: ICMP echo request, id 64612, seq 0, length 64
17:18:55.893318 IP 10.10.7.2 > 10.10.7.1: ICMP 10.10.7.2 protocol 1 port 3727 unreachable, length 92

(on the firewall box I get "Destination port unreachable")
Sure, no processes work, even if I bind them directly to the VLAN or bridge interface (not 0.0.0.0), for example dropbear:

17:20:39.080263 IP 10.10.7.1.16434 > 10.10.7.2.22: Flags [S], seq 2197701363, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 3477511527 ecr 0], length 0
17:20:39.080354 IP 10.10.7.2.22 > 10.10.7.1.16434: Flags [R.], seq 0, ack 2197701364, win 0, length 0

I'm getting RST from the OpenWrt box and the application does not even get the event (checked with strace; the response comes from the kernel and does not reach userland apps).

If I make an untagged interface, it works. If I tag, something happens on the OpenWrt side.
Similar topic, I guess, but not exactly the same issue: LAN port doesn't work with DSA and VLAN on dumb AP - #5 by paraskevas
Things to try:

  • change the VLAN (maybe 6 is hardcoded somehow somewhere)
  • try an older release (migrating configs over serial is still meh)
  • forget the tagged VLAN for management and just bypass everything (would like to avoid that, as this breaks the whole "isolated untrusted AP" idea)

Any ideas what could be wrong, or is this a DSA+VLAN limitation?

Your device uses DSA, so you need to use bridge VLANs to achieve the goal.

I read this link before but still don't clearly get the idea.
So, even if I'm using only one physical port:

  • bridge all (wan+lan2+lan3+lan4) ports together
  • put VLAN interfaces on top of the bridge
  • then bridge the wireless interfaces again with the VLAN interfaces

Right?
(can try this one, but IMO this would allow all interfaces to see other VLANs, so no internal separation)

Yes.

Yes, this is done via bridge-VLANs.

No, this is a common misconception. The bridge-VLAN is already a bridge. This can be used directly as the device in a network config (i.e. br-lan.3). Nesting bridges will not work.
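The bridge-VLAN layout described in the reply above, written out as an added example (not taken from the thread or from any poster's configuration; the VLAN IDs, addresses and interface names follow the original post, everything else is assumed). All physical ports join one bridge, `br-lan`, and VLAN filtering on that bridge does the separation: each `config bridge-vlan` lists `lan2` as tagged-only (`lan2:t`), so untagged frames on the trunk are not admitted to any VLAN, and the three VLANs stay isolated from each other inside the bridge even though they share it. The derived devices `br-lan.6`, `br-lan.10` and `br-lan.12` are then used directly as interface devices; no second bridge is nested on top of them. Attaching a wifi-iface to the `iot` or `guest` network via `option network` is assumed to make netifd add the AP as an untagged member of that VLAN in `br-lan`.

```uci
# /etc/config/network  (added example; assumed layout for a dumb AP on a DSA switch)

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'          # the only port wired to the firewall box (trunk)
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

# One bridge-vlan per VLAN. 'lan2:t' = tagged only on the trunk; no ':u' or
# '*' (PVID) member, so untagged frames arriving on lan2 are dropped here too.
config bridge-vlan
        option device 'br-lan'
        option vlan '6'            # management
        list ports 'lan2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'           # guest (5.8G)
        list ports 'lan2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '12'           # iot (2.4G)
        list ports 'lan2:t'

# Management: the bridge-VLAN device br-lan.6 is used directly, not re-bridged.
config interface 'mgmt'
        option device 'br-lan.6'
        option proto 'static'
        option ipaddr '10.10.7.2'
        option netmask '255.255.255.0'
        option gateway '10.10.7.1'
        option ipv6 '0'
        list dns '8.8.8.8'

# Guest and IoT carry no IP on the AP itself; the firewall box does the routing.
config interface 'guest'
        option device 'br-lan.10'
        option proto 'none'

config interface 'iot'
        option device 'br-lan.12'
        option proto 'none'

# /etc/config/wireless  (relevant part only; the wifi-iface joins the VLAN
# through 'option network', no extra bridge section is needed)
config wifi-iface 'iot_ap'
        option device 'radio0'     # assumed: the 2.4G radio
        option mode 'ap'
        option network 'iot'
        option ssid 'iot'          # placeholder SSID
        option encryption 'sae-mixed'
        option key 'CHANGE_ME'     # placeholder

config wifi-iface 'guest_ap'
        option device 'radio1'     # assumed: the 5.8G radio
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'        # placeholder SSID
        option encryption 'sae-mixed'
        option key 'CHANGE_ME'     # placeholder
```

After `/etc/init.d/network restart`, `bridge vlan show` (from the iproute2 package) lists which VLANs each bridge member carries and whether they are tagged or PVID, which is the quickest way to confirm that `lan2` is tagged-only and that each AP sits in exactly one VLAN.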

Thanks for the reply, but before I read this I already did what I said: bridged all, then wifi on top (VLAN devices), and it's working:

root@Wifi:/etc/config# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.44f7702354f4       no              lan4
                                                        lan2
                                                        wan
                                                        lan3
iot             7fff.44f7702354f4       no              br-lan.12
                                                        phy0-ap0
guest           7fff.44f7702354f4       no              br-lan.10
                                                        phy1-ap0

I'm not exactly bridging the "bridge" but VLAN interfaces on top of it, and it works. Tagged networks on one physical port (lan2); I can see both wifi and the management interface.

The only issue I found with that setup is that dropbear can't properly bind to its address. If I bind it to all interfaces, it works.
But if I add

list DirectInterface        'br-lan.6'

to its config file, it says "daemon.crit dropbear: Network interface 'br-lan.6' is not available!" (maybe parsing the dot as a regex element?), while such an interface exists for sure:

root@Wifi:/etc/config# ifconfig br-lan.6
br-lan.6  Link encap:Ethernet  HWaddr 44:F7:70:23:54:F4
          inet addr:10.10.7.2  Bcast:10.10.7.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2603 (2.5 KiB)  TX bytes:2072 (2.0 KiB)

if I use

list Interface          '10.10.7.2'

...then I get "dropbear: Network interface '10.10.7.2' has no suitable IP address(es)!" (same if I change it to br-lan.6 or 10.10.7.2:22).
So far a minor issue, but without VLANs it was working.
Btw uhttpd binds to the same IP just fine, so the problem is with dropbear.
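An added example for the dropbear binding described in the last post, not configuration posted in the thread. It rests on one assumption, stated here and in the comment: OpenWrt's dropbear init script treats `Interface` as the logical interface name from `/etc/config/network` (here `mgmt`), which it resolves through netifd to the device and its address, rather than as a device name or an IP literal. Restricting the SSH listener to the management VLAN this way keeps the service off the guest and IoT VLANs entirely, instead of relying on firewall rules the AP is not running.

```uci
# /etc/config/dropbear  (added example)
config dropbear
        option Port '22'
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        # Assumption: the logical network name ('mgmt' from /etc/config/network),
        # not the device ('br-lan.6') and not the address ('10.10.7.2').
        list Interface 'mgmt'
```

After `/etc/init.d/dropbear restart`, `netstat -ltn` (or `ss -ltn` if installed) should show port 22 bound to 10.10.7.2 only, and `logread | grep dropbear` should no longer report "not available" or "no suitable IP address(es)".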