Why ARP doesn't work for devices connected with wired VLAN?

Yes, first set up an "admin" network so you can always log into the AP directly by wifi even if Ethernet is misconfigured. This network should have a static IP address of something .1 which is in a different subnet range than anything else you're using. It should have a DHCP server, and of course a wifi AP. It doesn't need a firewall zone or any firewall rules as long as the default rule is to accept input and output. Or you can place it in the lan zone.

In DSA, in order to tag packets on a port and also have the switch properly add and remove tags and hardware switch to other ports, you must use bridge-vlans. The notation 'lan1.X' is not valid in any bridging situation which will also involve hardware switching.

2 Likes

@trendy @mk24 Thanks for the hand holding.

I followed your advice, connecting my management PC to the AP’s port with a wire. Now I can save the config where VLAN filtering for the br-lan device is set to u u u t|* for lan1-4, and the LAN interface uses br-lan.1.

However, my WiFi client cannot access the AP as it could previously. The client's ARP requests looking for the AP never showed up in the AP's br-lan or br-lan.1 interface. Only my wired PC is able to access the AP.

Any idea what might have caused this?

Post once again the uci export network; uci export wireless from the AP to check how it is now.

uci export network

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fda2:7a50:9f3e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t*'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	list dns '192.168.1.1'
	option gateway '192.168.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

I didn't change wireless config, but here it is:

uci export wireless

package wireless

config wifi-device 'radio0'
	option hwmode '11g'
	option htmode 'HT20'
	option channel '11'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'

config wifi-device 'radio1'
	option hwmode '11a'
	option htmode 'VHT80'
	option channel '36'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'

config wifi-iface '2g'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'wifi'
	option ieee80211w '1'

config wifi-iface '5g'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi'
	option encryption 'sae-mixed'
	option key 'wifi'
	option ieee80211w '1'

Seems good to me. What is the output of brctl show?

brctl show

bridge name     bridge id               STP enabled     interfaces
br-lan          <id>                    no              lan4
                                                        lan2
                                                        wlan0
                                                        lan3
                                                        wlan1
                                                        lan1

I also tried this command:

bridge v

port              vlan-id
lan1              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan3              1 PVID Egress Untagged
lan4              1 PVID
br-lan            1

I found the cause.

I had a ghost wifi-iface created that I thought should be irrelevant, so I removed it when pasting the config here; it had isolate enabled. Turns out that option on a supposedly irrelevant WiFi can somehow make the AP ignore ARP requests from any SSIDs. Sorry for being presumptuous.

2 Likes
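Added example, not part of any post in this thread: a shell function that reads `uci export wireless` output and lists every `wifi-iface` section with its `isolate` setting, so a leftover section like the one described above shows up even when it was assumed irrelevant. The function name, the `ghost` section and the sample values are constructed for illustration.

```shell
# Usage on the AP: uci export wireless | audit_wifi_isolate
audit_wifi_isolate() {
	awk -v q="'" '
	function unq(s) {  # drop the single quotes uci export puts around values
		if (substr(s, 1, 1) == q && substr(s, length(s), 1) == q) s = substr(s, 2, length(s) - 2)
		return s
	}
	$1 == "config" {
		insec = ($2 == "wifi-iface")
		if (insec) {
			name[++n] = ($3 == "" ? "(anonymous)" : unq($3))
			opt[n, "device"] = opt[n, "network"] = opt[n, "ssid"] = "-"; opt[n, "isolate"] = "0"
		}
		next
	}
	insec && $1 == "option" {
		val = $0  # keep the whole value so SSIDs with spaces survive
		sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
		opt[n, $2] = unq(val)
	}
	END {
		for (i = 1; i <= n; i++) {
			printf "%s device=%s network=%s ssid=%s isolate=%s\n", name[i],
				opt[i, "device"], opt[i, "network"], opt[i, "ssid"], opt[i, "isolate"]
			if (opt[i, "isolate"] != "1") continue
			peers = ""
			for (j = 1; j <= n; j++)
				if (j != i && opt[j, "network"] == opt[i, "network"])
					peers = peers " " name[j]
			printf "ISOLATE %s on %s; same network as:%s\n", name[i],
				opt[i, "device"], (peers == "" ? " (none)" : peers)
		}
	}'
}
# Constructed sample (not the poster config): one SSID plus a leftover section.
sample_wireless() {
	cat <<'EOF'
config wifi-iface '2g'
	option device 'radio0'
	option network 'lan'
	option ssid 'wifi'
config wifi-iface 'ghost'
	option device 'radio0'
	option network 'lan'
	option ssid 'old net'
	option isolate '1'
EOF
}
sample_wireless | audit_wifi_isolate
```

Each `ISOLATE` line names the other sections attached to the same network, which are the ones to recheck after changing or removing the flagged section.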

I'm glad you sorted it out, cause I was running out of ideas.

Thanks for helping me along the way, I don't think I'd have the perseverance without your (and others') troubleshooting.

A tangential question: if the isolation option should not be used, how can I prevent WiFi clients from talking to each other without affecting other things?

You could try to enable the isolate on the existing interface and verify if it works or not.
If not, it might be a bug and better report it.

1 Like

After changing the AP to use DSA, ARP finally works!

Thanks a lot to everyone in this thread.

2 Likes
