Vlan problems over multiple openwrt

Hello folks,
I have a problem with communication in a VLAN between two OpenWrt routers.

For some reason there is no communication only from one side.

So I have an x86 OpenWrt doing VLAN over eth0.

21: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether bc:24:11:81:41:76 brd ff:ff:ff:ff:ff:ff

with proper routing

192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.100

On the other router it is not eth0; it is a bridge over several ports.

18: br-lan.100@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 80:af:ca:07:74:d4 brd ff:ff:ff:ff:ff:ff

with the proper routing.

192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan.100

So basically, what do I want?
I want the X86 VLAN 100 to get DHCP from an internet provider that is attached to LAN4 on the second router. (The cable between the two is in the LAN1 port.)

How is vlan configured in bridge:

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        # this is the port linking the two
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        # here is the dhcp server
        list ports 'lan4:u*'

config interface 'lan4'
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'

I was using unmanaged, but to make it easy to detect where the problem is, I have configured 192.168.100.1 on X86 and 192.168.100.2 on router 2 so I can ping and see problems.

Here is the confusing part.
ROUTER2 can ping X86
X86 CAN'T ping ROUTER2.

Any hints?
Thanks in advance

With x86, usually you'd be talking about eth0 - ethx where x is the number of physical ethernet ports - 1.

So it seems odd that you have lanx ports there.

Let's see the complete network config of the first x86 device, as well as a quick diagram of the network topology so we can better understand how things are connected.

LAN is in the switch router; in the x86 it is eth0, sorry for the confusion.
Is there any easy site that you recommend for doing the diagram?

X86 config:

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '100'
        option name 'eth0.100'

config interface 'wan2'
        option proto 'static'
        option device 'eth0.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

+-----------+ETH0.100       LAN1+-----------+LAN4               +-----------+
|           |------------------>|           |------------------>|           |
|   X86     |                   |  ROUTER2  |        DHCP       |    ISP    |
|  (Router) |     VLAN 100      | (Router)  |                   | (Device)  |
+-----------+                   +-----------+                   +-----------+

Is this the complete x86 network config file? It looks like it is missing the vast majority of the details.

Here it is.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2f:fdee:190e::/48'
        option packet_steering '1'

config interface 'lan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'algar'
        option password 'algar@algar'
        option ipv6 '0'

config interface 'wan2'
        # this was dhcp, I changed it to try to debug
        option proto 'static'
        option device 'eth0.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '100'
        option name 'eth0.100'

This is not necessary and can be deleted:

The specific address you've chosen here may not be the best -- it's likely that the DHCP server upstream (i.e. the ISP device) is using this address:

Are there two physical connections in play here?

  • Where does eth1 go? That is the wan/pppoe connection for the x86 device -- is that one working as expected?

The ISP DHCP server is using 192.168.0.1 in the 192.168.0.X network.

wan eth1 is connected to the primary ISP over PPPoE and it is working perfectly.
Also, eth0 is working OK: I have communication between the two routers and I can access ROUTER2 over eth0; it is only eth0.100 that I can't ping.
Also, with tcpdump, X86 is generating DHCP requests, but those requests do not arrive on br-lan.100 on the second router.

14:00:23.945753 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from bc:24:11:4b:07:ef, length 300, xid 0x2a14fd4e, secs 174, Flags [none] (0x0000)
          Client-Ethernet-Address bc:24:11:4b:07:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            MSZ (57), length 2: 576
            Parameter-Request (55), length 8:
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
              Domain-Name (15), BR (28), NTP (42), Classless-Static-Route (121)
            Hostname (12), length 7: "X86OWRT"
            Vendor-Class (60), length 12: "udhcp 1.36.1"




14:00:25.979835 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from bc:24:11:81:41:76, length 300, xid 0x4a4aae34, secs 28607, Flags [none] (0x0000)
          Client-Ethernet-Address bc:24:11:81:41:76
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            MSZ (57), length 2: 576
            Parameter-Request (55), length 8:
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
              Domain-Name (15), BR (28), NTP (42), Classless-Static-Route (121)
            Hostname (12), length 7: "X86OWRT"
            Vendor-Class (60), length 12: "udhcp 1.36.1"
14:00:27.015726 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from bc:24:11:4b:07:ef, length 300, xid 0x2a14fd4e, secs 177, Flags [none] (0x0000)
          Client-Ethernet-Address bc:24:11:4b:07:ef
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            MSZ (57), length 2: 576
            Parameter-Request (55), length 8:
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
              Domain-Name (15), BR (28), NTP (42), Classless-Static-Route (121)
            Hostname (12), length 7: "X86OWRT"
            Vendor-Class (60), length 12: "udhcp 1.36.1"

Does that mean it connects to the ISP device shown in your diagram, or is it another ISP entirely (i.e. not shown)?

Let's also look at the complete network config of router2.

I tried to keep things simple, so it is not shown in the diagram. I'm adding a secondary ISP over DHCP; my primary is over PPPoE.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd64:822e:df2d::/48'
        option packet_steering '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.251'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:u*'

config interface 'LAN4'
        # this was unmanaged but I changed it to static to debug
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'

From the x86 machine itself (via an ssh session), can you ping 192.168.100.2?

No

PING 192.168.100.2 (192.168.100.2): 56 data bytes
^C
--- 192.168.100.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

But from ROUTER2 I can ping 192.168.100.1

root@ROUTER2:~# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: seq=0 ttl=64 time=2.875 ms
64 bytes from 192.168.100.1: seq=1 ttl=64 time=2.179 ms

Ok... this indicates likely a firewall issue.

Let's start by looking at the firewall file on router 2.


ROUTER2

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vlan100'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'claro_lan4'


Looks like network LAN4 is not associated with a firewall zone.

Add it to the lan firewall zone and it should accept pings.

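The zone-membership check from the reply above, as an added example that is not code from the thread or from OpenWrt: a POSIX shell function (the name `audit_zones` is hypothetical) parses the two UCI files and reports interfaces that no firewall zone lists, and zone entries that name no existing interface. The sample input is constructed by trimming the ROUTER2 configs posted earlier in the thread.

```shell
# Added example (not from the thread): cross-check UCI interfaces against
# firewall zone membership. audit_zones is a hypothetical helper name.
audit_zones() {  # usage: audit_zones <network-config> <firewall-config>
    awk -v q="'" '
    function unquote(s) { gsub(q, "", s); gsub(/"/, "", s); return s }
    FNR == NR {                       # first file: logical interfaces
        if ($1 == "config" && $2 == "interface" && unquote($3) != "loopback")
            order[++n] = unquote($3)
        next
    }
    $1 == "config" {                  # second file: a new firewall section
        in_zone = ($2 == "zone")
        if (in_zone) zname[++z] = "(unnamed)"
        next
    }
    in_zone && $1 == "option" && $2 == "name" { zname[z] = unquote($3); next }
    in_zone && $2 == "network" {      # "list network" or "option network"
        for (i = 3; i <= NF; i++) {
            mzone[++m] = z; mnet[m] = unquote($i); zoned[mnet[m]] = 1
        }
    }
    END {
        for (i = 1; i <= n; i++) iface[order[i]] = 1
        for (i = 1; i <= m; i++)      # zone members that name no interface
            if (!(mnet[i] in iface)) print "DANGLING " zname[mzone[i]] " " mnet[i]
        for (i = 1; i <= n; i++)      # interfaces that no zone covers
            if (!(order[i] in zoned)) print "UNZONED " order[i]
    }' "$1" "$2"
}

# Constructed sample input, trimmed from the ROUTER2 configs posted above.
sample_network() {
cat <<'EOF'
config interface 'loopback'
config interface 'lan'
        option device 'br-lan.1'
config interface 'wan'
        option device 'wan'
config interface 'LAN4'
        option device 'br-lan.100'
EOF
}

sample_firewall() {
cat <<'EOF'
config zone
        option name 'lan'
        list network 'lan'
config zone
        option name 'wan'
        list network 'wan'
config zone
        option name 'vlan100'
        list network 'claro_lan4'
EOF
}

run_demo() {
    d=$(mktemp -d)
    sample_network > "$d/network"; sample_firewall > "$d/firewall"
    audit_zones "$d/network" "$d/firewall"
    rm -rf "$d"
}
run_demo
```

On the router itself the call would be `audit_zones /etc/config/network /etc/config/firewall`. Zone membership is matched case-sensitively here, so `LAN4` and `Lan4` count as different interface names.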

No, it did not work :(

Let's take a look at the current situation on router2:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Cable on lan1 is the network, cable in lan4 is the second ISP dhcp

{
        "kernel": "6.6.73",
        "hostname": "ROUTER2",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Cudy WR1300 v3",
        "board_name": "cudy,wr1300-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd64:822e:df2d::/48'
        option packet_steering '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.251'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:u*'

config interface 'Lan4'
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'Lan4'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vlan100'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

No clue what is wrong. I just deleted everything and created it again, and nothing works.

@psherman, using tcpdump, I can see that lan4:u* is receiving broadcast packets from ISP2,
but those packets are not broadcast to the entire LAN.
For some reason ROUTER2 is keeping the broadcasts to itself instead of propagating them to the lan1:t port.

 tcpdump -i br-lan.100 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan.100, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:33:53.567427 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:33:54.049200 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:33:56.049183 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:33:56.566630 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:33:58.049171 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:33:59.566735 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:34:00.049142 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:02.049168 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:02.566708 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:34:04.049148 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:05.566677 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:34:06.049148 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:08.049100 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:08.566642 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:34:10.049018 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:11.571713 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:34:12.049089 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:14.049078 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:14.567606 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:34:16.049070 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:17.566679 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:34:18.049037 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:20.049005 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:20.566631 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96
15:34:22.049036 4c:12:65:e7:71:bf > ff:ff:ff:ff:ff:ff, RLDP
15:34:23.567121 IP6 fe80::4e12:65ff:fee0:dd5 > ff02::1: ICMP6, router advertisement, length 96

Based on your config, we should discuss what is connected to ports lan1-lan3 (sorry if it's already above -- please point me to that comment if so):

Ports lan1-lan3 have VLAN 100 tagged. So what is connected to each of those ports? Are they VLAN aware and are they properly configured?

One thing we could do is remove one of those ports from VLAN 1, and then use that port as untagged + PVID for VLAN 100. This way any computer would be able to connect to that port without needing to be VLAN aware and we can test that the frames are being properly forwarded through the switch chip without worrying about the downstream device configuration.