Why doesn't ARP work for devices connected over a wired VLAN?

My router (x86) and my AP (X5000R) are connected with a wire and a VLAN (eth3.1 <-> lan4.1). On the router the LAN bridge (192.168.1.1/24) contains eth3.1, and on the AP the LAN bridge (192.168.1.2/24) contains lan1, lan2, lan3, lan4.1 and WiFi. DHCP is enabled on the router's bridge but not on the AP's. A NAS is connected to the AP's lan1.

The issue is that pinging the NAS from the router doesn't return replies, but the router does get ping replies from WiFi clients, which proves the VLAN should be set up correctly.

The reason for the missing replies is that the router doesn't get any response to its ARP request for the NAS, and the NAS doesn't get any response to its ARP request for the router either. DHCP also doesn't work for the NAS; I have to assign it a static IP for WiFi clients to be able to access it.

I wonder what might cause this? I haven't added any rules to block ARP packets. It's pretty strange that WiFi clients don't have the ARP issue but LAN clients do.

Both the router and the AP have OpenWRT 21.02 installed.

Please post the relevant config files for both the router and the access point here.

Here you go:

Router

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc8:f6e6:114b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth3.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'
	option defaultroute '0'

config interface 'wan'
	option device 'eth1'
	option proto 'pppoe'
	option username 'name'
	option password 'pw'
	option ipv6 'auto'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option nohosts '1'
	option localise_queries '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

With /etc/firewall.user being empty.

AP

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fda2:7a50:9f3e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	list dns '192.168.1.1'
	option gateway '192.168.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

With /etc/firewall.user being empty.

I did some more sniffing on the AP.

I compared a WiFi client's ARP broadcast (which got the router's ARP response) with the wired NAS's ARP broadcast (which didn't), both requesting the MAC of the router. The only difference is that the NAS's Ethernet frame contained all-zero padding, whereas the WiFi client's didn't.

Not sure if this signifies anything.

Russell from the IRC channel suggested that 1 might be a special value for a VLAN, so I changed it to 10, which doesn't seem to fix the issue.

For your AP that is using DSA, bridging VLAN interfaces (lan4.1) won't work. You should use VLAN filtering instead.


This sounds very much like the cause.

However, I have trouble making DSA work with wireless: if I create VLAN filtering on br-lan, make the LAN interface use br-lan.1 and make the wireless use the LAN interface, my WiFi client stops being able to ping the AP.

I use this VLAN filtering config:

VLAN ID   lan1   lan2   lan3   lan4
1         u      u      u      t

Any idea why WiFi clients can't reach the AP?

On second thought, "bridging lan4.1 won't work" doesn't feel right.

Since I use eth3.1 on the router, any packet that leaves that port is tagged with VLAN 1. My router is able to ping WiFi clients, which means the packets must have gone through that port, reached the AP's port, and finally reached the WiFi clients over WiFi. Doesn't that demonstrate that VLAN 1 works between the router and the AP?

I tried sniffing packets on br-lan, though, and I couldn't find Ethernet frames with VLAN 1. I'm not sure whether tcpdump is unable to sniff VLAN tags in bridges or whether I have faulty configs.

I don't see why you have enabled VLANs; it only complicates the configuration.
This one is for the router:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'
	option defaultroute '0'

This one is for the AP:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	list dns '192.168.1.1'
	option gateway '192.168.1.1'

Thanks for the suggestion.

I intend to add other LANs for the office and such, so I'm starting with the most basic VLAN setup to make sure everything works.

Then you need to follow the example for VLAN-tagged traffic.

I read that tutorial a couple of times (great one, btw), but it didn't mention how to make wireless work with DSA.

As I mentioned in a previous reply, if I create VLAN filtering on br-lan, make the LAN interface use br-lan.1 and make the wireless use the LAN interface, my WiFi client stops being able to ping the AP.

Wireless is not connected to DSA.

There is no wireless configuration in your previous post. We could have a look at it too.

/etc/config/wireless

config wifi-device 'radio0'
	option hwmode '11g'
	option htmode 'HT20'
	option channel '11'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'

config wifi-device 'radio1'
	option hwmode '11a'
	option htmode 'VHT80'
	option channel '36'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'

config wifi-iface '2g'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'wifi'
	option ieee80211w '1'

config wifi-iface '5g'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'wifi'
	option ieee80211w '1'

Wireless interfaces are correctly assigned to the lan interface. If you add vlans, make sure that you use the correct PVID as well.
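The advice above (no `lan4.1` sub-interface inside a DSA bridge; use bridge VLAN filtering and set the PVID) translates into the following AP-side `/etc/config/network` fragment. This is an added example, not a config posted in the thread or shipped by OpenWrt; it assumes `lan4` is the port wired to the router's `eth3`, that the router keeps `eth3.1` in its own `br-lan` as posted, and that the AP runs OpenWrt 21.02 with DSA.

```uci
# /etc/config/network on the AP (added example, not from the thread).
# Assumes lan4 is the trunk to the router's eth3.1 and the AP uses DSA.

config device
	option name 'br-lan'
	option type 'bridge'
	# plain DSA ports only: no lan4.1 member in a VLAN-filtering bridge
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	# u = egress untagged, * = PVID (untagged ingress frames join this VLAN),
	# t = egress tagged. lan1-3 face untagged clients (the NAS), lan4 is
	# the tagged trunk to the router.
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config interface 'lan'
	# the LAN/management interface now sits on the VLAN 1 view of the bridge
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	option gateway '192.168.1.1'
```

The `wifi-iface` sections keep `option network 'lan'` unchanged; because the `lan` interface's device is `br-lan.1`, netifd attaches each wireless interface to `br-lan` as an untagged member of VLAN 1 with that VLAN as its PVID, which is the missing PVID the reply above refers to. After applying, `bridge vlan show` on the AP should list `lan1`-`lan3` and the `wlan` interfaces with `1 PVID Egress Untagged` and `lan4` with a plain `1`; a port missing the PVID entry will drop untagged ingress, which shows up exactly as unanswered ARP requests.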

If I add VLAN 1 in the VLAN filtering, make it u u u t|* for lan1-4, and make the LAN interface use br-lan.1, then after clicking save & apply in LuCI my WiFi clients can no longer open LuCI, and I have to wait for it to time out to revert the settings.

How does the management pc connect to the device? Over wifi?

Yes, over the AP's wifi.

My PC can reach the AP via WiFi with the current lan1-3 + lan4.1 bridge.

Either connect from LAN ports 1-3 or add a new SSID which will not be affected by the changes you are applying on the lan.
