
PPPoE traffic is classified as invalid
Closed, ResolvedPublic

Description

Hi VyOS experts,
My previous image is 1.5-rolling-202407280023, and everything worked perfectly. When I upgraded to 1.5-rolling-202411230007, there is a lot of invalid PPPoE traffic; if I keep the firewall global state-policy invalid action 'drop', my PPPoE connection will not come up. Here are the details:

vyos@vyos:~$ **monitor log**
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=01:80:c2:00:00:00:60:be:b4:10:7a:6a:00:26
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:58 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:58 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:58 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64

52:37:9c:d2:22:eb is my br0 MAC (WAN interface), and the member of br0 is eth0; eth0 is connected to my GPON ONU.
I can't find which interface has d4:c1:c8:92:76:b0. I guess it is the MAC of the ONU interface.

vyos@vyos:~$ **monitor traffic interface eth0 verbose | match d4:c1:c8:92:76:b0**
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:28:09.587210 d4:c1:c8:92:76:b0 > 52:37:9c:d2:22:eb, ethertype PPPoE S (0x8864), length 125: PPPoE  [ses 0xf602] IP (0x0021), length 105: (tos 0x90, ttl 56, id 4415, offset 0, flags [DF], proto UDP (17), length 103)
18:28:09.597515 d4:c1:c8:92:76:b0 > 52:37:9c:d2:22:eb, ethertype PPPoE S (0x8864), length 74: PPPoE  [ses 0xf602] IP (0x0021), length 54: (tos 0x90, ttl 54, id 65203, offset 0, flags [DF], proto TCP (6), length 52)
18:28:09.606693 52:37:9c:d2:22:eb > d4:c1:c8:92:76:b0, ethertype PPPoE S (0x8864), length 74: PPPoE  [ses 0xf602] IP (0x0021), length 54: (tos 0x0, ttl 64, id 21640, offset 0, flags [DF], proto TCP (6), length 52)
18:28:09.607215 52:37:9c:d2:22:eb > d4:c1:c8:92:76:b0, ethertype PPPoE S (0x8864), length 184: PPPoE  [ses 0xf602] IP (0x0021), length 164: (tos 0x0, ttl 64, id 29965, offset 0, flags [DF], proto TCP (6), length 162)
18:28:09.618476 d4:c1:c8:92:76:b0 > 52:37:9c:d2:22:eb, ethertype PPPoE S (0x8864), length 74: PPPoE  [ses 0xf602] IP (0x0021), length 54: (tos 0x90, ttl 54, id 64911, offset 0, flags [DF], proto TCP (6), length 52)
18:28:09.619073 d4:c1:c8:92:76:b0 > 52:37:9c:d2:22:eb, ethertype PPPoE S (0x8864), length 74: PPPoE  [ses 0xf602] IP (0x0021), length 54: (tos 0x90, ttl 54, id 65204, offset 0, flags [DF], proto TCP (6), length 52)
18:28:09.655779 d4:c1:c8:92:76:b0 > 52:37:9c:d2:22:eb, ethertype PPPoE S (0x8864), length 142: PPPoE  [ses 0xf602] IP (0x0021), length 122: (tos 0x90, ttl 56, id 4419, offset 0, flags [DF], proto UDP (17), length 120)
18:28:09.668675 52:37:9c:d2:22:eb > d4:c1:c8:92:76:b0, ethertype PPPoE S (0x8864), length 184: PPPoE  [ses 0xf602] IP (0x0021), length 164: (tos 0x0, ttl 64, id 29966, offset 0, flags [DF], proto TCP (6), length 162)
18:28:09.680520 d4:c1:c8:92:76:b0 > 52:37:9c:d2:22:eb, ethertype PPPoE S (0x8864), length 74: PPPoE  [ses 0xf602] IP (0x0021), length 54: (tos 0x90, ttl 54, id 65205, offset 0, flags [DF], proto TCP (6), length 52)

This is my system version:

vyos@vyos:~$ **show version**
Version:          VyOS 1.5-rolling-202411230007
Release train:    current
Release flavor:   generic

Built by:         autobuild@vyos.net
Built on:         Sat 23 Nov 2024 00:07 UTC
Build UUID:       17e0c561-6d4c-4a06-bea4-185407cdb7fb
Build commit ID:  50f8304f920335

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal
Secure Boot:      disabled

Hardware vendor:  CncTion
Hardware model:   N4100-4L
Hardware S/N:     Default string
Hardware UUID:    03000200-0400-0500-0006-000700080009

Copyright:        VyOS maintainers and contributors

I am using a zone-based firewall:

set firewall global-options all-ping 'enable'
set firewall global-options apply-to-bridged-traffic invalid-connections
set firewall global-options apply-to-bridged-traffic ipv4
set firewall global-options apply-to-bridged-traffic ipv6
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'accept'
set firewall global-options state-policy invalid log
set firewall global-options state-policy invalid log-level 'debug'
set firewall global-options state-policy related action 'accept'
set firewall group address-group OpenDns address '208.67.220.220'
set firewall group address-group OpenDns address '208.67.222.222'
set firewall group address-group OpenDns address '208.67.220.222'
set firewall group address-group OpenDns address '208.67.222.220'
set firewall group address-group OpenDns address '208.67.222.123'
set firewall group address-group OpenDns address '208.67.220.123'
set firewall group address-group OpenDns address '208.67.222.2'
set firewall group address-group OpenDns address '208.67.220.2'
set firewall group ipv6-address-group OpenDNS-IPv6 address '2620:119:35::35'
set firewall group ipv6-address-group OpenDNS-IPv6 address '2620:119:53::53'
set firewall group ipv6-address-group OpenDNS-IPv6 address '2620:119:35::123'
set firewall group ipv6-address-group OpenDNS-IPv6 address '2620:119:53::123'
set firewall group ipv6-address-group OpenDNS-IPv6 address '2620:0:ccc::2'
set firewall group ipv6-address-group OpenDNS-IPv6 address '2620:0:ccd::2'
set firewall ipv4 name BGP_to_LOCAL default-action 'accept'
set firewall ipv4 name BGP_to_WAN default-action 'accept'
set firewall ipv4 name BGP_to_WG default-action 'accept'
set firewall ipv4 name LAN_to_LOCAL default-action 'accept'
set firewall ipv4 name LAN_to_WAN default-action 'accept'
set firewall ipv4 name LAN_to_WAN rule 10 action 'drop'
set firewall ipv4 name LAN_to_WAN rule 10 destination group address-group 'OpenDns'
set firewall ipv4 name LAN_to_WAN rule 10 log
set firewall ipv4 name LAN_to_WAN rule 10 protocol 'all'
set firewall ipv4 name LAN_to_WAN rule 20 action 'return'
set firewall ipv4 name LAN_to_WAN rule 20 description 'ipv4 stateful from LAN to WAN'
set firewall ipv4 name LAN_to_WAN rule 20 state 'established'
set firewall ipv4 name LAN_to_WAN rule 20 state 'related'
set firewall ipv4 name LAN_to_WAN rule 20 state 'new'
set firewall ipv4 name LAN_to_WAN rule 20 state 'invalid'
set firewall ipv4 name LAN_to_WG default-action 'accept'
set firewall ipv4 name LOCAL_to_BGP default-action 'accept'
set firewall ipv4 name LOCAL_to_LAN default-action 'accept'
set firewall ipv4 name LOCAL_to_WAN default-action 'accept'
set firewall ipv4 name LOCAL_to_WG default-action 'accept'
set firewall ipv4 name LOCAL_to_WG description 'Allow Vyos to HK WG server'
set firewall ipv4 name WAN_to_BGP default-action 'drop'
set firewall ipv4 name WAN_to_BGP default-log
set firewall ipv4 name WAN_to_LAN default-action 'drop'
set firewall ipv4 name WAN_to_LAN default-log
set firewall ipv4 name WAN_to_LOCAL default-action 'drop'
set firewall ipv4 name WAN_to_LOCAL default-log
set firewall ipv4 name WG_to_LOCAL default-action 'accept'
set firewall ipv6 name LAN_to_LOCAL-ipv6 default-action 'accept'
set firewall ipv6 name LAN_to_WAN-ipv6 default-action 'accept'
set firewall ipv6 name LAN_to_WAN-ipv6 description 'ipv6 stateful from LAN to WAN'
set firewall ipv6 name LAN_to_WAN-ipv6 rule 10 action 'drop'
set firewall ipv6 name LAN_to_WAN-ipv6 rule 10 destination group address-group 'OpenDNS-IPv6'
set firewall ipv6 name LAN_to_WAN-ipv6 rule 10 log
set firewall ipv6 name LAN_to_WAN-ipv6 rule 10 protocol 'all'
set firewall ipv6 name LAN_to_WAN-ipv6 rule 20 action 'return'
set firewall ipv6 name LAN_to_WAN-ipv6 rule 20 state 'established'
set firewall ipv6 name LAN_to_WAN-ipv6 rule 20 state 'new'
set firewall ipv6 name LAN_to_WAN-ipv6 rule 20 state 'related'
set firewall ipv6 name LAN_to_WAN-ipv6 rule 20 state 'invalid'
set firewall ipv6 name LOCAL_to_LAN-ipv6 default-action 'accept'
set firewall ipv6 name LOCAL_to_WAN-ipv6 default-action 'accept'
set firewall ipv6 name WAN_to_LAN-ipv6 default-action 'drop'
set firewall ipv6 name WAN_to_LAN-ipv6 default-log
set firewall ipv6 name WAN_to_LOCAL-ipv6 default-action 'drop'
set firewall ipv6 name WAN_to_LOCAL-ipv6 default-log
set firewall ipv6 name WAN_to_LOCAL-ipv6 rule 10 action 'drop'
set firewall ipv6 name WAN_to_LOCAL-ipv6 rule 10 icmpv6 type-name 'echo-request'
set firewall ipv6 name WAN_to_LOCAL-ipv6 rule 10 protocol 'ipv6-icmp'
set firewall ipv6 name WAN_to_LOCAL-ipv6 rule 20 action 'accept'
set firewall ipv6 name WAN_to_LOCAL-ipv6 rule 20 protocol 'ipv6-icmp'
set firewall ipv6 name WAN_to_LOCAL-ipv6 rule 30 action 'accept'
set firewall ipv6 name WAN_to_LOCAL-ipv6 rule 30 destination port '546'
set firewall ipv6 name WAN_to_LOCAL-ipv6 rule 30 protocol 'udp'
set firewall ipv6 name WAN_to_LOCAL-ipv6 rule 30 source port '547'
set firewall zone BGP from LOCAL firewall name 'LOCAL_to_BGP'
set firewall zone BGP from WAN firewall name 'WAN_to_BGP'
set firewall zone BGP interface 'pod-bgpnetwork'
set firewall zone BGP interface 'veth0'
set firewall zone LAN default-action 'drop'
set firewall zone LAN from LOCAL firewall ipv6-name 'LOCAL_to_LAN-ipv6'
set firewall zone LAN from LOCAL firewall name 'LOCAL_to_LAN'
set firewall zone LAN from WAN firewall ipv6-name 'WAN_to_LAN-ipv6'
set firewall zone LAN from WAN firewall name 'WAN_to_LAN'
set firewall zone LAN interface 'br1'
set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from BGP firewall name 'BGP_to_LOCAL'
set firewall zone LOCAL from LAN firewall ipv6-name 'LAN_to_LOCAL-ipv6'
set firewall zone LOCAL from LAN firewall name 'LAN_to_LOCAL'
set firewall zone LOCAL from WAN firewall ipv6-name 'WAN_to_LOCAL-ipv6'
set firewall zone LOCAL from WAN firewall name 'WAN_to_LOCAL'
set firewall zone LOCAL from WG firewall name 'WG_to_LOCAL'
set firewall zone LOCAL local-zone
set firewall zone WAN default-action 'drop'
set firewall zone WAN from BGP firewall name 'BGP_to_WAN'
set firewall zone WAN from LAN firewall ipv6-name 'LAN_to_WAN-ipv6'
set firewall zone WAN from LAN firewall name 'LAN_to_WAN'
set firewall zone WAN from LOCAL firewall ipv6-name 'LOCAL_to_WAN-ipv6'
set firewall zone WAN from LOCAL firewall name 'LOCAL_to_WAN'
set firewall zone WAN interface 'br0'
set firewall zone WAN interface 'pppoe0'
set firewall zone WG default-action 'drop'
set firewall zone WG from BGP firewall name 'BGP_to_WG'
set firewall zone WG from LAN firewall name 'LAN_to_WG'
set firewall zone WG from LOCAL firewall name 'LOCAL_to_WG'
set firewall zone WG interface 'wg0'

My interface configuration for PPPoE and the WAN bridge:

set interfaces pppoe pppoe0 authentication password '***'
set interfaces pppoe pppoe0 authentication username ' ***'
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface br1 address '1'
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface br1 sla-id '0'
set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '60'
set interfaces pppoe pppoe0 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces pppoe pppoe0 ipv6 address autoconf
set interfaces pppoe pppoe0 ipv6 adjust-mss 'clamp-mss-to-pmtu'
set interfaces pppoe pppoe0 mtu '1480'
set interfaces pppoe pppoe0 source-interface 'br0'

It seems that the PPPoE traffic is being marked invalid. Please let me know if you need anything else. Thanks.

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Can you check by manually adding the following rule?

sudo nft insert rule bridge vyos_filter VYOS_OUTPUT_filter ct state invalid ether type 0x8864 counter accept

Patch similar to what was done in https://vyos.dev/T6647

Hi @n.fort,
the error messages disappeared after manually adding your command. There is still a little STP traffic with the same error.

Can you share logs for those entries?

21:35:57.958675 60:be:b4:10:7a:6a > 01:80:c2:00:00:00, 802.3, length 38: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 8000.52:37:9c:d2:22:eb.8001, length 35

This is the invalid STP traffic log:

Nov 27 21:47:20 kernel: [STATE-POLICY-INV-A]IN= OUT=eth3 MAC=01:80:c2:00:00:00:60:be:b4:10:7a:6d:00:26
Nov 27 21:47:20 kernel: [STATE-POLICY-INV-A]IN= OUT=eth2 MAC=01:80:c2:00:00:00:60:be:b4:10:7a:6c:00:26
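Added here as an editor's example (not code from this task, the PR, or VyOS itself): a small decoder for the kernel `[STATE-POLICY-INV-A]` log lines quoted above. In Linux netfilter logging the `MAC=` field is the raw 14-byte Ethernet header, printed as destination MAC, source MAC and then the 2-byte type/length slot, so `...:52:37:9c:d2:22:eb:88:64` reads as "sent by br0's MAC 52:37:9c:d2:22:eb to d4:c1:c8:92:76:b0 with EtherType 0x8864 (PPPoE session)", which matches the tcpdump capture, and `...:60:be:b4:10:7a:6a:00:26` is an 802.3 frame of length 38 (0x26) to the STP multicast address, which matches the `802.3, length 38` STP frame in the capture. The decoder also reports which of the logged frames the `ether type 0x8864` accept rule suggested in this thread would cover, and which (the STP/LLC frames) it would not. The three sample log lines are constructed to mirror the ones on this page; `parse_log`, `LoggedFrame` and `summarize` are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the kernel log lines quoted on this task
# (two PPPoE-session-related frames and two STP frames); not a live capture.
SAMPLE_LOG = """\
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=d4:c1:c8:92:76:b0:52:37:9c:d2:22:eb:88:64
Nov 27 18:17:57 kernel: [STATE-POLICY-INV-A]IN= OUT=eth0 MAC=01:80:c2:00:00:00:60:be:b4:10:7a:6a:00:26
Nov 27 21:47:20 kernel: [STATE-POLICY-INV-A]IN= OUT=eth3 MAC=01:80:c2:00:00:00:60:be:b4:10:7a:6d:00:26
Nov 27 21:47:20 kernel: [STATE-POLICY-INV-A]IN= OUT=eth2 MAC=01:80:c2:00:00:00:60:be:b4:10:7a:6c:00:26
"""

# Log prefix, IN/OUT interfaces and the colon-separated raw Ethernet header.
LOG_RE = re.compile(
    r"\[(?P<prefix>[^\]]+)\]IN=(?P<in>\S*) OUT=(?P<out>\S*) MAC=(?P<mac>[0-9a-fA-F:]+)"
)

# EtherTypes relevant to a PPPoE WAN bridge (values > 1500 are types, <= 1500 are 802.3 lengths).
ETHERTYPES = {
    0x8863: "PPPoE Discovery",
    0x8864: "PPPoE Session",
    0x0800: "IPv4",
    0x86DD: "IPv6",
    0x8100: "802.1Q",
}
STP_MULTICAST = "01:80:c2:00:00:00"  # IEEE 802.1D bridge group address
PPPOE_SESSION = 0x8864  # the EtherType matched by the accept rule proposed in this thread


@dataclass
class LoggedFrame:
    prefix: str
    out_if: str
    dst_mac: str
    src_mac: str
    type_or_len: int

    @property
    def is_8023_length(self) -> bool:
        # Per IEEE 802.3, a type/length value of 1500 or less is a payload length, not an EtherType.
        return self.type_or_len <= 1500

    def classify(self) -> str:
        if self.is_8023_length and self.dst_mac == STP_MULTICAST:
            return "STP/LLC (802.3, length %d)" % self.type_or_len
        if self.is_8023_length:
            return "802.3/LLC (length %d)" % self.type_or_len
        return ETHERTYPES.get(self.type_or_len, "EtherType 0x%04x" % self.type_or_len)

    def covered_by_pppoe_rule(self) -> bool:
        # 'ether type 0x8864' matches only PPPoE session frames, never 802.3/STP frames.
        return self.type_or_len == PPPOE_SESSION


def parse_mac_field(mac: str):
    """Split the 14-octet MAC= field into (dst, src, type_or_len)."""
    octets = mac.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets (dst, src, type) in MAC= field, got %d" % len(octets))
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    type_or_len = int(octets[12] + octets[13], 16)
    return dst, src, type_or_len


def parse_log(text: str):
    """Return one LoggedFrame per matching kernel log line; unrelated lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, src, tol = parse_mac_field(m.group("mac"))
        frames.append(LoggedFrame(m.group("prefix"), m.group("out"), dst, src, tol))
    return frames


def summarize(frames):
    """Count logged frames per (class, covered-by-rule) so the residual STP entries stand out."""
    counts = {}
    for f in frames:
        key = (f.classify(), f.covered_by_pppoe_rule())
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print("%s out=%s %s -> %s  %-28s covered_by_0x8864_rule=%s"
              % (f.prefix, f.out_if, f.src_mac, f.dst_mac, f.classify(), f.covered_by_pppoe_rule()))
    print(summarize(parse_log(SAMPLE_LOG)))
```

Run against the real `monitor log` output, this separates the PPPoE session frames (which the proposed bridge-table accept rule handles) from the STP frames, whose remaining `invalid` log entries come from 802.3 frames that carry no EtherType at all and therefore cannot be matched by `ether type 0x8864`.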

Hi @n.fort

Based on your suggestion, I submitted a PR to accept the traffic for the PPPoE session. However, I'm not sure how to accept this STP traffic, so STP was not included.

PR : https://github.com/vyos/vyos-1x/pull/4236

Thanks

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).
dmbaturin renamed this task from pppoe traffic is classified as invalid to PPPoE traffic is classified as invalid. Jul 9 2025, 1:16 PM
dmbaturin moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q2) board.
Viacheslav claimed this task.