Hi all,
User Kyle Sexson had this issue a while ago, too, but there’s no solution in his post - so…
I have a set of VLANs running on a bridge interface.
This works mostly well, but certain outgoing traffic will show up both on the bridge interface and the associated hardware port the traffic source is physically connected to.
This leads to a dropped server response because the router can’t associate it to the correct connection attempt.
E.g. log entry:
|
2022-12-27 14:50:31 |
Invalid Traffic |
Denied |
|
N/A |
0 |
Port3 |
|
172.24.10.16 |
212.227.17.170 |
56111 |
993 |
TCP |
0 |
1001 |
Open PCAP |
Could not associate packet to any connection. |
|
2022-12-27 14:50:22 |
Firewall Rule |
Allowed |
|
4 |
3 |
br0.10 |
Port4_ppp |
172.24.10.16 |
212.227.17.170 |
56111 |
993 |
TCP |
1 |
1 |
Open PCAP |
|
My guess is that I’m having issues with a combination of VLAN on a bridge interface and activated “routing on bridge”.
But the fact that only a certain (reproducible) part of traffic is affected makes me skeptical. The problem is for example triggered when trying to collect mail from GMX.net via IMAP/SSL (see log entry above) or by specific online banking apps. But other mail providers (also called via IMAP/SSL port 993) do work…
Detailed setup is as follows:
XG106 running 18.5MR5 / Port 3 is connected to CBS350-10
XG106 Port 1-3 are bridged (br0, IP 192.168.2.222) with activated routing option. No DHCP.
On the brigde, VLANS br0.10 / br0.20 / br0.30 / br0.40 are set up. IP-ranges are 172.24.10 / 20 / 30 / 40 respectively, with DHCPs.
CBS350-10 receives the four VLANs tagged from XG Port 3 and distributes them via untagged access ports (ge0 to ge3, one VLAN each).
Behind these ports are APX120 in brigde-to-LAN mode.
(Reason is that the APX are in relatively uncontrolled environments and i want to make sure that even if someone detaches an APX and tried to hook up his own stuff, he always will end up in the desired VLAN).
Any input / thoughts very much appreciated! :)
This thread was automatically locked due to age.
