Joined: 16 Jun 2006 Posts: 230 Location: Germany, BW
Posted: Sat Jul 27, 2024 14:39 Post subject: [SOLVED] More stable WLAN,VPN,DNS,Routing with correct MACs
FYI, might be helpful for some of you
I have two Mini-PCs w/o WLAN (Box1, Box2) and two old ASUS RT-N18 (Box1.1 and Box2.1). Box1.1/2.1 are doing WLAN for Box1/2. Box1 is on Build 55723 (last Build providing the little Driver for my USB-NIC, see here), Box2 is on 55615 and Box1.1/2.1 are on 53045.
Box1 (OVPN-Server) and Box2 (Client) are doing OpenVPN Bridge (TAP, not TUN) with own Subnet for IoT (.4.0/24), so my private Network (.3.0/24) is protected (with additional IPTables-Rules).
All the installed stuff (PLEX, DDNS, aso...) is running, but I had some issues. All these issues were solved after correcting the MACs.
WLAN:
- About 1% Errors in "Wireless Packet Info", mostly on RX.
- Sometimes the Packet Routing for WLAN-devices stopped, no Internet over VPN.
DNSmasq:
- different errors in dnsmasq-logfile
OpenVPN:
- the OVPN-Client did a keepalive-related soft reboot of OpenVPN at least once an hour, so pinging the Server failed.
- at least every 1 or 2 days the boxes rebooted as the watchdog could not ping the other side for about 9 minutes.
- at high traffic times the openvpn daemon did the keepalive restart every 10 minutes.
- IPTables rules to allow access from private network into VPN network, but not vice versa, didn't work.
The initial moment for me to get into this all was when I was watching OVPN-Server Status/LAN/Active Clients entries.
Suddenly the OVPN-Client came up with two IPs, one was the expected .4.0/24-address, but the other one was the WAN-IP. That was a WTH moment for me.
Looking for the reason I found on all DD-WRT-Boxes multiple interfaces having the same MAC-address (do ifconfig | grep HWaddr on SSH-Terminal to check your router).
In my case br0 and eth0 on VPN-Client had the same MAC and that made the additional WAN-IP popup when only the eth0 IP should be shown.
Searching the forum and other sources I found out, this is an issue since maybe 2006 with some remarks on security, dnsmasq-errors, iptables errors aso.
But I was never aware of it until the WAN-IP pops up with the internal interface.
After fixing the MACs all my issues are gone, for me most important the VPN issues. The OpenVPN logs are looking really empty now, OVPN is running without any errors. No more errors on WLAN RX/TX packets either.
HINT: Don't change the MACs on the physical interfaces like (in my case) eth0 or eth1.
I did the changes under Setup/Networking, you can also use Terminal commands.
Don't change MAC on tun/tap, the MAC is switching every reboot when the VPN-interface gets created.
Here are some of my before/after MACs.
Code:
Box1: (Mini-PC w/o WLAN, DD-WRT 55723)
br0: eth1, tap2
                                 OLD (from dd-wrt)    NEW (my corrections)
br0  Link encap:Ethernet HWaddr  xx:xx:xx:xx:AB:31    xx:xx:xx:xx:AB:32
eth0 Link encap:Ethernet HWaddr  xx:xx:xx:xx:AB:31    xx:xx:xx:xx:AB:31
eth1 Link encap:Ethernet HWaddr  xx:xx:xx:xx:BF:F5    xx:xx:xx:xx:BF:F5
tap2 Link encap:Ethernet HWaddr  xx:xx:xx:xx:E0:88    xx:xx:xx:xx:B0:53

Box2: (Mini-PC w/o WLAN, DD-WRT 55615)
br0: eth1, tap1
                                 OLD (from dd-wrt)    NEW (my corrections)
br0  Link encap:Ethernet HWaddr  xx:xx:xx:xx:94:1D    xx:xx:xx:xx:94:1E
eth0 Link encap:Ethernet HWaddr  xx:xx:xx:xx:94:1D    xx:xx:xx:xx:94:1D
eth1 Link encap:Ethernet HWaddr  xx:xx:xx:xx:D7:F8    xx:xx:xx:xx:D7:F8
tap1 Link encap:Ethernet HWaddr  xx:xx:xx:xx:CC:E4    xx:xx:xx:xx:4F:02

Box2.1: (ASUS RT-N18U, DD-WRT 53045 as WLAN for Box2)
br0: eth1, vlan1, vlan2
                                  OLD (from dd-wrt)    NEW (my corrections)
br0   Link encap:Ethernet HWaddr  xx:xx:xx:xx:3D:1E    xx:xx:xx:xx:3D:1A
eth0  Link encap:Ethernet HWaddr  xx:xx:xx:xx:3D:1C    xx:xx:xx:xx:3D:1C
eth1  Link encap:Ethernet HWaddr  xx:xx:xx:xx:3D:1E    xx:xx:xx:xx:3D:1E
vlan1 Link encap:Ethernet HWaddr  xx:xx:xx:xx:3D:1C    xx:xx:xx:xx:3D:1B
vlan2 Link encap:Ethernet HWaddr  xx:xx:xx:xx:3D:1C    xx:xx:xx:xx:3D:1D
Last edited by Sp1derman on Sun Jul 28, 2024 11:37; edited 2 times in total
Joined: 16 Jun 2006 Posts: 230 Location: Germany, BW
Posted: Sun Jul 28, 2024 17:50 Post subject:
Bug on Box2 was WAN-eth0 and br0 had the same MAC. I'm sure this caused the VPN Bridge to disconnect all the time and triggered the frequent keepalive soft resets.
Bug on Box2.1 was vlan1/2 had same MAC as eth0 where eth0 was not part of br0. Since I fixed that I have no TX/RX errors any more.
In my case the main problem of course is that eth1 is loaded via startup-script as autoload doesn't work (on both Box1 and Box2). So the bridges got their MAC from the first loaded eth0.
On both Boxes I now switched the MAC of br0 to be the MAC of eth1 as I learned by more research that this is normal behaviour.
At least I learned to check MACs in case of problems with dnsmasq, VPN, WLAN, Routing.
Here are some topics with MAC-Problems, most of them are old, but in most cases still valid.
Mod edit: Do not use p= links or links with &sid. Also, if you are going to use url tags, at least do a url= with the topic subject line in the link. -kp69
Bug on Box2.1 was vlan1/2 had same MAC as eth0 where eth0 was not part of br0. Since I fixed that I have no TX/RX errors any more.
VLANs inherit the MAC address of the physical interface on which they are created.
If you create a VLAN on ethX, it also gets the MAC address of ethX.
It does not matter if the physical interface is part of the bridge.
and dropped packets are also displayed as RX/TX errors.
packets are constantly being dropped somewhere because, for example, buffers are full or the link is busy.
Joined: 16 Jun 2006 Posts: 230 Location: Germany, BW
Posted: Mon Jul 29, 2024 16:03 Post subject:
ho1Aetoo wrote:
If you create a VLAN on ethX, it also gets the MAC address of ethX.
It does not matter if the physical interface is part of the bridge.
And that is the issue, same MAC on br0 and on an interface not part of br0 causes problems, as you can read in my posting and some of the links.
ho1Aetoo wrote:
and dropped packets are also displayed as RX/TX errors.
packets are constantly being dropped somewhere because, for example, buffers are full or the link is busy.
No, they are not all different; it all depends on how you configured the router, e.g. Client, AP-Only, PPPoE, which interfaces are assigned to which bridges etc. A bridge has no separate MAC, it has the same MAC as the first interface that was added to the bridge.
This part was never a problem, the generation of VAP MACs was a problem, e.g. it happened before that a VAP on wl1 had the same MAC as wl0 and thus caused problems if they were not bridged together, e.g. guest setup.
I respond when I feel it is necessary, not when a user allows or prohibits me to do so.
So, once again, bridges and VLANs do not actually have a MAC address because they are virtual interfaces.
Virtual interfaces inherit the MAC addresses of physical interfaces.
VLANs are created on physical interfaces, for example.
The physical interface on your ASUS RT-N18U is eth0.
If you now create a VLAN (e.g., VLAN1) on eth0, then that is eth0.1, and eth0.1 inherits the MAC address from eth0....
eth0 itself is not used and is not bridged.
No data can be sent to eth0, and no data can be received from eth0... because a switch is connected to eth0 and the switch is configured so that it can only receive tagged traffic...
The switch can therefore only receive data from the VLAN interfaces that were created on eth0...
The VLANs do not need their own MAC addresses...
It is completely normal for VLANs to inherit the MAC address of the physical interface...
In your example, it is of course nonsense that VLAN1 and VLAN2 are bridged.
At this point, you should configure your switch correctly, remove VLAN2, and assign the WAN port to VLAN1 as well
In your other examples, the bridges should of course not have the MAC address of the active WAN port...
This is probably some kind of error that occurred during the initial installation.
The bridges should have the MAC address of the LAN interface.
So in your examples, the MAC address of eth1!
As I said, it makes no sense to configure everything randomly and assign each interface an individual MAC address manually—it's not necessary.
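Added example, not code from any poster in this thread or from DD-WRT: a small POSIX shell script that automates the "ifconfig | grep HWaddr" check from the first post and applies the rule ho1Aetoo states above. A bridge normally inherits the MAC of one of its members (a bridge/member or VLAN/parent duplicate is expected), while a bridge that shares its MAC with an interface outside the bridge (the br0/eth0 WAN case on Box2 in the first two posts) is the condition to flag. The ifconfig text and the full MAC addresses are constructed (only the last two octets follow the Box2 listing); the bridge member list, the function names and the suggested "brctl show" usage are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# Finds interfaces that share a MAC address in busybox-style "ifconfig"
# output and flags the case described in the thread: a bridge whose MAC
# is also used by an interface that is NOT a member of that bridge
# (br0 and the WAN interface eth0 on Box2).

# Constructed sample, modelled on the Box2 "OLD" column of the first post.
# The full addresses are made up; only the last two octets follow the post.
SAMPLE_BEFORE='br0       Link encap:Ethernet  HWaddr 02:00:00:00:94:1D
          inet addr:192.168.4.1  Bcast:192.168.4.255  Mask:255.255.255.0
eth0      Link encap:Ethernet  HWaddr 02:00:00:00:94:1D
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 02:00:00:00:D7:F8
tap1      Link encap:Ethernet  HWaddr 02:00:00:00:CC:E4
lo        Link encap:Local Loopback'

# Same box after the fix the second post and ho1Aetoo agree on:
# br0 carries the MAC of its LAN member eth1 (constructed as above).
SAMPLE_AFTER='br0       Link encap:Ethernet  HWaddr 02:00:00:00:D7:F8
eth0      Link encap:Ethernet  HWaddr 02:00:00:00:94:1D
eth1      Link encap:Ethernet  HWaddr 02:00:00:00:D7:F8
tap1      Link encap:Ethernet  HWaddr 02:00:00:00:CC:E4'

# Assumed bridge membership ("br0: eth1, tap1" in the post); on a real box
# take it from "brctl show".
BR0_MEMBERS="eth1 tap1"

# hwaddr_table: stdin = ifconfig output, stdout = "iface MAC" per interface.
hwaddr_table() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "HWaddr") print $1, toupper($(i + 1)) }'
}

# duplicate_macs: stdin = ifconfig output, stdout = one line per MAC that is
# used by more than one interface: "MAC iface iface ...", sorted.
duplicate_macs() {
    hwaddr_table | sort -k1,1 |
        awk '{ ifs[$2] = ifs[$2] " " $1; n[$2]++ }
             END { for (m in n) if (n[m] > 1) print m ifs[m] }' | sort
}

# in_list WORD "w1 w2 ...": succeed if WORD is one of the words.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# check_bridge BRIDGE "MEMBERS": stdin = ifconfig output.
# Fails (and prints PROBLEM) when a non-member shares the bridge MAC.
# A bridge MAC inherited from a member is the normal case; a bridge MAC
# that matches no member at all only gets a NOTE (unusual, but harmless).
check_bridge() {
    br=$1; members=$2
    table=$(hwaddr_table)
    brmac=$(printf '%s\n' "$table" | awk -v b="$br" '$1 == b { print $2 }')
    [ -n "$brmac" ] || { echo "PROBLEM: $br not found in ifconfig output"; return 1; }
    sharers=$(printf '%s\n' "$table" | awk -v b="$br" -v m="$brmac" '$2 == m && $1 != b { print $1 }')
    rc=0; inherited=no
    for i in $sharers; do
        if in_list "$i" "$members"; then
            inherited=yes
        else
            echo "PROBLEM: $br shares MAC $brmac with non-member $i"
            rc=1
        fi
    done
    [ "$inherited" = yes ] || echo "NOTE: $br MAC $brmac is not inherited from any member ($members)"
    [ $rc -eq 0 ] && echo "OK: $br MAC $brmac is not shared with any interface outside the bridge"
    return $rc
}

# Run against the constructed samples; on a router feed real output instead,
# e.g.  ifconfig | duplicate_macs
echo "== Box2 before the fix =="
printf '%s\n' "$SAMPLE_BEFORE" | duplicate_macs
printf '%s\n' "$SAMPLE_BEFORE" | check_bridge br0 "$BR0_MEMBERS" || :
echo "== Box2 after the fix =="
printf '%s\n' "$SAMPLE_AFTER" | duplicate_macs
printf '%s\n' "$SAMPLE_AFTER" | check_bridge br0 "$BR0_MEMBERS" || :
```

On the "before" sample the script lists br0 and eth0 under one MAC and reports a PROBLEM plus a NOTE that br0's MAC belongs to no member; on the "after" sample the only duplicate is br0/eth1, which is the inherited-from-member case and passes. The Box2.1 listing from the first post would pass as well: vlan1/vlan2 share eth0's MAC, but none of them shares br0's MAC, which is exactly the "VLANs inherit the MAC of the physical interface" situation ho1Aetoo describes.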