
FS#1224 - Duplicate ICMP and ARP responses via several VLANs #7968

Closed
openwrt-bot opened this issue Dec 13, 2017 · 0 comments
openwrt-bot commented Dec 13, 2017

simonszu:

My setup:
I have a TP Link WRT3600 with LEDE 17.01.4 (bug appeared in earlier versions as well, at least in 17.01.3 and 17.01.2). The router is connected to a manageable switch via VLAN trunk. The trunk consists of 4 VLANs with the IDs 1, 10, 11 and 12. LEDE's IP and the switch's management IP are located in VLAN 1. There are other switches connected to the first switch, also via VLAN trunk. Each VLAN has its own /24 IPv4 subnet in the format 192.168..0/24.

The phenomenon:
A device in VLAN 10 or 12 pings the switch. tcpdump confirms that the switch is sending exactly one reply per request. However, the device receives duplicate pings (for now, 2 duplicates and a valid response). A check with tcpdump running on the LEDE router sniffing on eth0.1 receives the valid reply as well. A check with tcpdump on the router sniffing on eth0 in general shows the duplicates as well. The duplicates go away when I ping from the LEDE explicitly on eth0.1, but re-appear when I ping without an explicit ethernet device to use. tcpdump shows me even more: The valid response is marked VLAN 10 with the pinging device as target address. One duplicate is marked VLAN 10 with the same target address as well, but the second duplicate is marked VLAN 12 but with the pinging device as target address, which is an IP located in VLAN 1's subnet. The pinging client receives all three answers.

This is also happening for ARP requests. The LEDE router makes an ARP request for the switch's management MAC address and replicates the answer to VLANs 10 and 12, so that these VLANs/subnets receive ARP answers they didn't request.

This only happens for this particular switch. The other trunked switches have no replicated answers when they get pinged. This only happens for VLANs 10 and 12; VLAN 11 is not affected, there is no duplicate addressing it. I tried to create more VLANs, but the number of duplicates doesn't increase. I tried to move all the stuff from VLAN 12 to VLAN 14, and the duplicates change their destination to VLAN 14 as well. When I start a ping and observe it in my terminal window, and deactivate one of the interfaces for either VLAN 10 or 12, the number of replicates decreases.

And last but not least: I started a ping and observed it in the terminal. Remember, it goes from VLAN 10 to VLAN 1. I created a firewall rule which should block all incoming ICMP responses from VLAN 1 back to VLAN 10. Nevertheless, with the rule activated, I still got three responses for each request, as if the firewall rule wasn't in place at all.

The switch I was pinging the whole time was an Allied Telesis GS950/24. This phenomenon happens with other routers running OpenWRT Chaos Calmer 15.01 as well (namely a TP Link WR841n).
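The following script is an added example, not part of the report above or of OpenWrt/LEDE. It automates the check the reporter did by eye: read `tcpdump -e -nn` style lines from a trunk interface, group ICMP echo replies by (src, dst, id, seq) to find replies that arrive more than once, flag replies whose 802.1Q tag does not match the VLAN of the destination host, and flag ARP replies tagged for a VLAN whose subnet does not contain the answered address. The VLAN-to-subnet layout (`192.168.<vlan>.0/24` for VLANs 1, 10, 11 and 12) and the sample capture lines are constructed assumptions modelled on the report, not real captures.

```python
"""Flag duplicate ICMP echo replies and stray ARP replies across 802.1Q tags.

Input: text lines in `tcpdump -e -nn -i eth0` format for tagged frames.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed layout from the report: VLAN <n> carries 192.168.<n>.0/24.
VLAN_SUBNETS = {
    vid: ipaddress.ip_network(f"192.168.{vid}.0/24") for vid in (1, 10, 11, 12)
}

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
ICMP_RE = re.compile(
    rf"vlan (?P<vlan>\d+),.*?(?P<src>{IPV4}) > (?P<dst>{IPV4}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)
ARP_RE = re.compile(
    rf"vlan (?P<vlan>\d+),.*?ethertype ARP.*?Reply (?P<ip>{IPV4}) "
    r"is-at (?P<mac>[0-9a-f:]{17})"
)

# Constructed sample: one request from a VLAN 10 host to the switch in VLAN 1,
# answered three times (VLAN 10 twice, VLAN 12 once), plus one ARP reply for the
# switch's address replicated onto VLANs 10 and 12. Not a real capture.
SAMPLE_CAPTURE = """\
12:00:00.000100 aa:aa:aa:aa:aa:01 > aa:aa:aa:aa:aa:02, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.10.20 > 192.168.1.5: ICMP echo request, id 4242, seq 1, length 64
12:00:00.000900 aa:aa:aa:aa:aa:02 > aa:aa:aa:aa:aa:01, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.1.5 > 192.168.10.20: ICMP echo reply, id 4242, seq 1, length 64
12:00:00.000950 aa:aa:aa:aa:aa:02 > aa:aa:aa:aa:aa:01, ethertype 802.1Q (0x8100), length 102: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.1.5 > 192.168.10.20: ICMP echo reply, id 4242, seq 1, length 64
12:00:00.001000 aa:aa:aa:aa:aa:02 > aa:aa:aa:aa:aa:01, ethertype 802.1Q (0x8100), length 102: vlan 12, p 0, ethertype IPv4 (0x0800), 192.168.1.5 > 192.168.10.20: ICMP echo reply, id 4242, seq 1, length 64
12:00:01.000000 aa:aa:aa:aa:aa:02 > aa:aa:aa:aa:aa:03, ethertype 802.1Q (0x8100), length 64: vlan 1, p 0, ethertype ARP (0x0806), Reply 192.168.1.5 is-at aa:aa:aa:aa:aa:02, length 46
12:00:01.000050 aa:aa:aa:aa:aa:02 > aa:aa:aa:aa:aa:03, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP (0x0806), Reply 192.168.1.5 is-at aa:aa:aa:aa:aa:02, length 46
12:00:01.000100 aa:aa:aa:aa:aa:02 > aa:aa:aa:aa:aa:03, ethertype 802.1Q (0x8100), length 64: vlan 12, p 0, ethertype ARP (0x0806), Reply 192.168.1.5 is-at aa:aa:aa:aa:aa:02, length 46
"""
SAMPLE_LINES = SAMPLE_CAPTURE.splitlines()


def vlan_of(ip):
    """Return the VLAN whose assumed subnet contains `ip`, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLAN_SUBNETS.items():
        if addr in net:
            return vid
    return None


def parse_icmp(lines):
    """Extract tagged ICMP echo request/reply records from tcpdump lines."""
    records = []
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            records.append({
                "vlan": int(m["vlan"]), "src": m["src"], "dst": m["dst"],
                "kind": m["kind"], "id": int(m["id"]), "seq": int(m["seq"]),
            })
    return records


def duplicate_replies(lines):
    """Map (src, dst, id, seq) -> list of VLAN tags for replies seen more than once."""
    seen = defaultdict(list)
    for p in parse_icmp(lines):
        if p["kind"] == "reply":
            seen[(p["src"], p["dst"], p["id"], p["seq"])].append(p["vlan"])
    return {key: tags for key, tags in seen.items() if len(tags) > 1}


def mistagged_replies(lines):
    """List (tag, dst, expected_vlan) for replies tagged for the wrong VLAN."""
    out = []
    for p in parse_icmp(lines):
        home = vlan_of(p["dst"])
        if p["kind"] == "reply" and home is not None and home != p["vlan"]:
            out.append((p["vlan"], p["dst"], home))
    return out


def stray_arp_replies(lines):
    """List (tag, answered_ip, home_vlan) for ARP replies leaked onto other VLANs."""
    out = []
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            tag, home = int(m["vlan"]), vlan_of(m["ip"])
            if home is not None and home != tag:
                out.append((tag, m["ip"], home))
    return out


if __name__ == "__main__":
    for key, tags in duplicate_replies(SAMPLE_LINES).items():
        print(f"duplicate reply {key}: seen {len(tags)}x on VLAN tags {tags}")
    for tag, dst, home in mistagged_replies(SAMPLE_LINES):
        print(f"reply to {dst} tagged VLAN {tag}, host belongs to VLAN {home}")
    for tag, ip, home in stray_arp_replies(SAMPLE_LINES):
        print(f"ARP reply for {ip} (VLAN {home}) leaked onto VLAN {tag}")
```

Running it against a live capture means replacing `SAMPLE_LINES` with the lines of `tcpdump -e -nn -i eth0 'icmp or arp'` on the trunk interface; a clean trunk produces no output from any of the three checks, while the behaviour described in the report shows up as one reply key with several tags and ARP replies tagged for VLANs other than the one the answered address lives in.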
