Why does tagged traffic enter the untagged VLAN?

fengchen-lede · October 20, 2024, 8:15am

192.168.50.252:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'
        option bridge_empty '1'

config interface 'lan'
        option device 'br-lan.11'
        option proto 'static'
        option ipaddr '192.168.50.252'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.50.1'
        list dns '192.168.50.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'lan1:u*'
        list ports 'lan2'
        list ports 'lan3:t'
        list ports 'lan4:t*'

config bridge-vlan
        option device 'br-lan'
        option vlan '12'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'wan'

config bridge-vlan
        option device 'br-lan'
        option vlan '13'
        list ports 'lan3'

192.168.50.251:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan.11'
        option proto 'static'
        option ipaddr '192.168.50.251'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.50.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'lan:t*'

The following is the data packet captured on 192.168.50.252 lan2
333

Shouldn't this data packet be discarded?

brada4 · October 20, 2024, 8:35am

Vlan 11 is untagged on that port in rectangle you draw.

fengchen-lede · October 20, 2024, 9:01am

Traffic from 192.168.50.251 is tagged with vlan11

_bernd · October 20, 2024, 9:06am

Why? Vlan 11 is configured on both ports as far as I see...

fengchen-lede · October 20, 2024, 9:14am

Untagged: Frames will leave the bridge through the specified interface as untagged. Untagged ingress will be assigned to the specified VLAN ID unless PVID is set to a different VLAN ID on the interface. Tagged ingress is discarded.

https://openwrt.org/docs/guide-user/network/dsa/converting-to-dsa

Did I understand it wrong?

wilsonyan · October 20, 2024, 10:51am

Assuming tagged packets actually are coming in and being processed on that port I guess it may be a driver issue with that specific hardware.

brada4 · October 20, 2024, 11:20am

vlan11 is tagged in one end and untagged in other end, packets are dropped even seen in tcpdumb

_bernd · October 20, 2024, 11:24am

@fengchen-lede this. As @brada4 said.
The frame is sent and hits the other interface. And it needs to processed at least a little bit so it can be decided if further processing is required or if it should be dropped.

fengchen-lede · October 20, 2024, 12:23pm

Not only did the port capture the packet, they were able to communicate normally.

mk24 · October 20, 2024, 1:26pm

I suspect the document is wrong. If a port is in any way a member of VLAN 11 and a packet tagged with 11 arrives, it is going to be accepted and put through the switch matrix with a tag of 11. The tagged and untagged setting affects departing packets only. The PVID (star) designation means that untagged packets arriving will be assigned to that VLAN and given that internal tag for the switch matrix. (This should of course be set on only one VLAN.)

Inside the switch there is no such thing as an "untagged VLAN." All packets even if they arrived and will depart on untagged ports, have to carry a tag inside so that they can be switched to the proper destination.

I'm not sure what you're trying to do here. In general, avoid mixing tagged and untagged packets on the same port and cable. Do that only if it is necessary to connect to someone else's network which works that way and you can't change it. If you're designing both ends of the network, use either "trunk" connections (all relevant VLANs are tagged, for interconnects between VLAN-aware switches and routers) or "access" connections (no tagged packets, untagged only in one VLAN for a non VLAN-aware device).

fengchen-lede · October 20, 2024, 2:36pm

I tested almost all cases and found that tagged traffic can enter the matching VLAN and untagged VLAN. In addition, during the test, traffic cannot enter the unmatched tagged VLAN with pvid, so there is no untagged traffic. The conclusion is that there may be a bug in the software or driver.

Hostname	OpenWrt
Model	YouHua WR1200JS
Architecture	MediaTek MT7621 ver:1 eco:3
Target Platform	ramips/mt7621
Firmware Version	OpenWrt 23.05.5 r24106-10cc5fcd00 / LuCI openwrt-23.05 branch git-24.264.56413-c7a3562
Kernel Version	5.15.167

brada4 · October 20, 2024, 3:32pm

Just an idea - if you make lan1.11 and bridge that separately - do you get mixup too?
ievwhether it is dsa+bridge.vlan or dsa netdev alone.

brada4 · October 20, 2024, 4:57pm

BS, vlans do not disrupt normal no-vlan ethernet.

wilsonyan · October 20, 2024, 10:53pm

Not an expert on this, the x-wrt tree has some stuff not in the main tree. Hail mary but maybe applying some of those selectively would do something.

It's probably like mk24 says though:

If a port is in any way a member of VLAN 11 and a packet tagged with 11 arrives, it is going to be accepted and put through the switch matrix with a tag of 11.

Though maybe only with that hardware/driver.

fengchen-lede · October 21, 2024, 11:41am

PC without VLAN can communicate with tagged VLAN with pvid.
Is it similar to the title? ::::
Maybe openwrt has enabled some kind of hybrid mode

brada4 · October 21, 2024, 12:32pm

Try with lanX.11 , it changes code pathsm

fengchen-lede · October 21, 2024, 1:49pm

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''
        option packet_steering '1'

config interface 'lan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.50.252'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.50.1'
        list dns '192.168.50.1'

config device
        option type 'bridge'
        option name 'lan8'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option bridge_empty '1'

config bridge-vlan
        option device 'lan8'
        option vlan '201'
        option local '0'
        list ports 'lan1'
        list ports 'lan2:t'
        list ports 'lan3'

config bridge-vlan
        option device 'lan8'
        option vlan '202'
        option local '0'
        list ports 'lan1:t'
        list ports 'lan2'
        list ports 'lan4'

I created a new bridge lan8, but it doesn't work, the network port shows no link, and the PC network port light is not on

brada4 · October 21, 2024, 1:50pm

You have to remove port from original bridge.

fengchen-lede · October 21, 2024, 1:53pm

br-lan removed, the lan network uses wan port

brada4 · October 21, 2024, 2:11pm

I meant removing lan1 from br-lan bridge and creating new bridges with lan1.11 and lan1.12 ports.