VLAN leak with bridge VLAN filtering on MOX running TOS 6.0.4
Possibly related to #355.
In my setup, Turris Mox has all interfaces in a bridge and VLAN filtering is used to set up different roles for different ports. In this output of the bridge vlan command, port lan1 has only one allowed VLAN, number 60, which is also the PVID. This port is used as an access port for computers.
# bridge vlan
port              vlan-id
eth0              20 PVID Egress Untagged
                  21
                  60
lan1              60 PVID Egress Untagged
lan2              62 PVID Egress Untagged
lan3              20 PVID Egress Untagged
                  21
                  60
lan4              22 PVID Egress Untagged
br-guest_turris   1 PVID Egress Untagged
br-lan            20
                  21
                  22
                  60
                  62
wlan1             22 PVID Egress Untagged
wlan0             22 PVID Egress Untagged
wlan0-1           62 PVID Egress Untagged
Despite this setup, I can see some tagged frames with VLAN tag 20 or 22 leaking into the lan1 port. Only multicast traffic leaks like this. This is especially harmful for Windows, since that OS mostly ignores the 802.1q header and receives data from all VLANs, breaking IPv6 configuration every time an RA is sent into some of the other VLANs.
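
One way to check a capture against the table above (an added example, not part of the original report): the code parses bridge vlan output and flags frames whose 802.1Q tag the port should never emit. The frame tuples are constructed sample data, assumed to come from a capture on the cable attached to each port, and the function names are hypothetical.

```python
# Added example: compare 802.1Q tags seen on a port with the `bridge vlan` table.
BRIDGE_VLAN = """\
port              vlan-id
lan1              60 PVID Egress Untagged
lan3              20 PVID Egress Untagged
                  21
                  60
"""  # rows for lan1 and lan3 as quoted in the report

# Constructed sample: (port, 802.1Q tag or None, destination MAC) per captured frame.
FRAMES = [
    ("lan1", None, "33:33:00:00:00:01"),
    ("lan1", 20, "33:33:00:00:00:01"),
    ("lan1", 22, "33:33:00:00:00:01"),
    ("lan3", 21, "00:11:22:33:44:55"),
]

def parse_bridge_vlan(text):
    """Return {port: {vid: set_of_flags}}; rows starting with a number continue the previous port."""
    table, port = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[:2] == ["port", "vlan-id"]:
            continue
        if not tokens[0].isdigit():  # new port row (assumes port names are never all digits)
            port, tokens = tokens[0], tokens[1:]
            table.setdefault(port, {})
        if port is not None and tokens:
            flags = " ".join(tokens[1:])
            table[port][int(tokens[0])] = {f for f in ("PVID", "Egress Untagged") if f in flags}
    return table

def is_multicast(mac):
    return bool(int(mac.split(":")[0], 16) & 1)  # I/G bit of the first octet

def find_leaks(table, frames):
    """Return (port, tag, reason, is_multicast) for every tagged frame the port should not emit."""
    leaks = []
    for port, tag, dst in frames:
        flags = table.get(port, {}).get(tag)
        if tag is None or (flags is not None and "Egress Untagged" not in flags):
            continue  # untagged frame, or a VLAN configured to egress tagged
        reason = "not allowed on port" if flags is None else "should egress untagged"
        leaks.append((port, tag, reason, is_multicast(dst)))
    return leaks

if __name__ == "__main__":
    print(find_leaks(parse_bridge_vlan(BRIDGE_VLAN), FRAMES))
```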