Why ARP doesn't work for devices connected with wired VLAN?

LGA1150 · October 12, 2021, 8:34am

For your AP that is using DSA, bridging VLAN interfaces (lan4.1) won't work. You should use VLAN filtering instead.

hgl · October 12, 2021, 9:31am

This sounds very much like the cause.

However, I have trouble making DSA work with wireless: if I create VLAN filtering on br-lan, make the LAN interface use br-lan.1 and make the wireless use the LAN interface, my WiFi client stops being able to ping the AP.

I use this VLAN filtering config

VLAN ID	lan1	lan2	lan3	lan4
1	u	u	u	t

Any idea why WiFi clients couldn't reach the AP?

hgl · October 12, 2021, 10:05am

On second thought, bridging lan4.1 won't work doesn't feel right.

Since I use eth3.1 on the router, any packet leaves that port has VLAN 1. My router is able to ping WiFi clients, that means the packets must have gone through that port and reach the AP's port, and finally reach WiFi clients via WiFi. In that case should it demonstrate that VLAN 1 works between the router and the AP?

I tried sniffing packets on br-lan though, and I couldn't find Ethernet frames with VLAN 1, not sure if tcpdump is unable to sniff VLAN in bridges or I have faulty configs?

trendy · October 12, 2021, 10:52am

I don't see why you have enabled vlans, it only complicates the configuration.
This one for the router

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth3'

		
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'
	option defaultroute '0'

This one for the AP

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	list dns '192.168.1.1'
	option gateway '192.168.1.1'

hgl · October 12, 2021, 12:38pm

Thanks for the suggestion.

I intend to add other LANs for office and stuff, so I start with the most basic VLAN setup to make sure everything works.

trendy · October 12, 2021, 12:41pm

Then you need to follow the example for vlan tagged traffic.

hgl · October 12, 2021, 12:46pm

I read that tutorial a couple times (great one btw), but it didn't mention how to make wireless work with DSA.

As I mentioned in a previous reply, if I create VLAN filtering on br-lan, make the LAN interface use br-lan.1 and make the wireless use the LAN interface, my WiFi client stops being able to ping the AP.

trendy · October 12, 2021, 1:02pm

Wireless is not connected to DSA.

There is no wireless configuration in your previous post. We could have a look at it too.

hgl · October 12, 2021, 1:18pm

/etc/config/wireless

config wifi-device 'radio0'
	option hwmode '11g'
	option htmode 'HT20'
	option channel '11'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'

config wifi-device 'radio1'
	option hwmode '11a'
	option htmode 'VHT80'
	option channel '36'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'

config wifi-iface '2g'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'wifi'
	option ieee80211w '1'

config wifi-iface '5g'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'wifi'
	option ieee80211w '1'

trendy · October 12, 2021, 1:29pm

Wireless interfaces are correctly assigned to the lan interface. If you add vlans, make sure that you use the correct PVID as well.

hgl · October 12, 2021, 2:12pm

If I add VLAN 1 in the VLAN filtering, and make it u u u t|* for lan1-4, and make the LAN interface use br-lan.1, after clicking save & apply in LuCI, my WiFi clients can no longer open LuCI, have to wait for it to timeout to revert the settings.

trendy · October 12, 2021, 2:26pm

How does the management pc connect to the device? Over wifi?

hgl · October 12, 2021, 2:31pm

Yes, over the AP's wifi.

hgl · October 12, 2021, 2:33pm

My pc can visit the AP via wifi with the current lan1-3 + lan4.1 bridge.

trendy · October 12, 2021, 2:34pm

Either connect from the lan ports 1-3 or add a new SSID which will not be affected from the changes you are applying on the lan.

mk24 · October 12, 2021, 3:54pm

Yes first set up an "admin" network so you can always log into the AP directly by wifi even if Ethernet is misconfigured. This network should have a static IP address of something .1 which is a different subnet range than anything else you're using. It should have a DHCP server, and of course a wifi AP. It doesn't need a firewall zone or any firewall rules as long as the default rule is to accept input and output. Or you can place it in the lan zone.

In DSA, in order to tag packets on a port and also have the switch properly add and remove tags and hardware switch to other ports, you must use bridge-vlans. The notation 'lan1.X' is not valid in any bridging situation which will also involve hardware switching.

hgl · October 13, 2021, 12:14pm

@trendy @mk24 Thanks for the hand holding.

I followed your advice, connecting my management pc to the AP’s port with a wire, now I can save the config where u u u t|* VLAN filtering is set to lan1-4 for the br-lan device, and the LAN interface uses br-lan.1.

However, my WiFi client can not access the AP as previously. The client's ARP requests looking for the the AP never showed up in the AP's br-lan or br-lan.1 interface. Only my wired pc is able to access the AP.

Any idea what might have caused this?

trendy · October 13, 2021, 12:44pm

Post once again the uci export network; uci export wireless from the AP to check how it is now.

hgl · October 13, 2021, 12:59pm

uci export network

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fda2:7a50:9f3e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t*'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	list dns '192.168.1.1'
	option gateway '192.168.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

I didn't change wireless config, but here it is:

uci export wireless

package wireless

config wifi-device 'radio0'
	option hwmode '11g'
	option htmode 'HT20'
	option channel '11'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'

config wifi-device 'radio1'
	option hwmode '11a'
	option htmode 'VHT80'
	option channel '36'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'

config wifi-iface '2g'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'wifi'
	option ieee80211w '1'

config wifi-iface '5g'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'wifi'
	option ieee80211w '1'

trendy · October 13, 2021, 1:13pm

Seems good to me, what is the output of brctl show ?