Bridge ports act like they are isolated from each other

Not sure if it is a bug or a feature, but it seems mostly like a bug, since there is a port isolation feature (aka Private VLAN) available and it is disabled by default. My config is mostly simple:

interfaces {
    bridge br0 {
        address 172.xx.xx.xx/24
        member {
            interface eth0 {
            }
            ...
            interface eth11 {
            }
        }
        mtu 9000
        stp
    }
    ethernet eth0 {
        hw-id 0c:c4:7a:xx:xx:xx
        mtu 9000
        offload {
            gro
            gso
            rps
            sg
            tso
        }
    }
    ...
    ethernet eth11 {
        hw-id 00:e0:ed:xx:xx:xx
        mtu 9000
        offload {
            gro
            gso
            sg
            tso
        }
    }
}

(I need the offloads and MTU since most of the ports are 10G and this helps a lot to reduce the CPU load)

The problem is that every device connected to one of these ports can ping and access the router, and the router can ping and access every device, but the devices are isolated from each other: they cannot ping or access anything except the router. I started thinking that port isolation had somehow turned itself on, but bridge -d link shows isolated off on every bridge port, and promiscuous mode is also enabled on every bridge port according to ip -d link | grep promisc. I also tried different 1.3 versions (the official 1.3.0rc6, the latest developer 1.3 build and the latest 1.3.1 release build); they behave the same. The only thing that helped to get that flat bridge to work was sysctl net.bridge.bridge-nf-call-iptables=0. So I’m wondering why netfilter was turned on.
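The three manual checks in the post above (the per-port isolated flag, promiscuous mode, and the br_netfilter sysctl) can be scripted so the same triage is repeatable. The helper below is an added example, not code from the thread or from VyOS; it assumes iproute2's `bridge -d link` / `ip -d link` output layout and the `net.bridge.bridge-nf-call-*` sysctl names, and the sample command output at the bottom is constructed (interface names and MACs are made up).

```shell
#!/bin/sh
# Added triage helper (not part of the thread). Each check reads command output
# from stdin so it can be exercised on constructed samples; the *_live wrapper
# feeds it the real commands on a router.

# Ports whose `bridge -d link` line says "isolated on" (Private VLAN enabled).
# Prints one port name per line; nothing when no port is isolated.
isolated_ports() {
    awk '/^[0-9]+: / && /isolated on/ { sub(/:$/, "", $2); print $2 }'
}

# Bridge members whose flags lack PROMISC. In `ip -d link` the flags and
# "master brX" sit on the same header line as the interface name.
non_promisc_members() {
    awk '/^[0-9]+: / && / master / && !/PROMISC/ { sub(/:$/, "", $2); print $2 }'
}

# br_netfilter sysctls that are switched on. With any of these at 1, frames
# forwarded between bridge ports are handed to iptables/nftables, so a drop
# policy on FORWARD silently isolates the ports from each other while traffic
# to and from the bridge's own address (INPUT/OUTPUT) keeps working, which is
# the symptom described above. Reads `sysctl net.bridge` output.
bridge_nf_active() {
    awk -F'[ =]+' '/^net\.bridge\.bridge-nf-call-/ && $2 == "1" { print $1 }'
}

# Verdict as one word: "isolated", "nonpromisc", "br_netfilter" or "clean".
# Takes the three command outputs as arguments so it runs without root.
diagnose() {
    bridge_out=$1; ip_out=$2; sysctl_out=$3
    if [ -n "$(printf '%s\n' "$bridge_out" | isolated_ports)" ]; then
        echo isolated
    elif [ -n "$(printf '%s\n' "$ip_out" | non_promisc_members)" ]; then
        echo nonpromisc
    elif [ -n "$(printf '%s\n' "$sysctl_out" | bridge_nf_active)" ]; then
        echo br_netfilter
    else
        echo clean
    fi
}

# Live wrapper: run on the router itself (needs iproute2 and sysctl).
diagnose_live() {
    diagnose "$(bridge -d link)" "$(ip -d link)" "$(sysctl net.bridge 2>/dev/null)"
}

# Constructed sample output modelled on the post: isolation off, promisc on,
# but bridge-nf-call-iptables=1.
SAMPLE_BRIDGE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 master br0 state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on neigh_suppress off vlan_tunnel off isolated off
3: eth11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 master br0 state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on neigh_suppress off vlan_tunnel off isolated off'
SAMPLE_IP='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 9000 qdisc mq master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 0c:c4:7a:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9710
3: eth11: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 9000 qdisc mq master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 00:e0:ed:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 9710'
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1'

# Stand-alone run: `sh triage.sh` prints the verdict for the constructed
# sample; `sh triage.sh --live` inspects the running system.
if [ "${1:-}" = "--live" ]; then
    diagnose_live
else
    diagnose "$SAMPLE_BRIDGE" "$SAMPLE_IP" "$SAMPLE_SYSCTL"
fi
```

The verdict order matters: isolation and a non-promiscuous member are bridge-level faults and are checked first, and br_netfilter is reported only when the bridge itself looks healthy. Setting net.bridge.bridge-nf-call-iptables=0, as in the post, takes the host firewall out of the bridged path entirely; where the bridge is supposed to be firewalled, a FORWARD rule that explicitly accepts traffic entering and leaving the bridge interface is the alternative to switching the hook off.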

I am facing a similar issue. I believe it is definitely a bug, since it works on the 1.4 rolling release. The bug might be driver related though. The network devices I am bridging are an Intel i225-V 2.5Gb NIC and a vmxnet virtual device.

interfaces {
    bridge br0 {
        enable-vlan
        mac 00:e2:69:xx:xx:xx
        member {
            interface eth0 {
                allowed-vlan 2-4094
            }
            interface eth5 {
                allowed-vlan 2-4094
            }
        }
        mtu 9000
        stp
        vif 2 {
            address 192.168.1.3/24
        }
    }
    ethernet eth0 {
        hw-id 00:e2:69:xx:xx:xx
        mtu 9000
        offload {
            gro
            gso
            rps
            sg
            tso
        }
        ring-buffer {
            rx 4096
            tx 4096
        }
    }
    ethernet eth5 {
        hw-id 00:0c:29:xx:xx:xx
        mtu 9000
        ring-buffer {
            rx 4096
            tx 4096
        }
    }
}

Would it be possible to reproduce this in any other (preferably virtual) environment?
I cannot get the same problem on either 1.3 or 1.4, so it would be good to have instructions on how to do this.

I actually have this in a virtual environment, but I’m trying to bridge the passthrough interfaces with some virtual NICs, so that traffic doesn’t go through the switch between the VMs and the router. I will see if I can repro this with only virtual interfaces.

Update: on my side it seems like it’s a driver issue (igc).

In your case, does manually disabling netfilter also help?

Actually no. The only thing that worked was upgrading to 1.4 rolling.