22.03 "Dumb" access point - Vlan help

I have read through many previous posts related to this subject, but with version changes over the months I'm just not getting there with my config. I have tried researching before posting here.

I am attempting to replace the Unifi access point in my working home network with OpenWRT 22.03 configured as a “dumb” access point running on a Belkin RT3200.

I flashed the RT3200 and followed the OpenWRT “dumb” AP setup in the OpenWRT documentation.

Lan access for clients utilizing SSID “Tilted Towers” and “Tilted Towers 5” work well and are assigned an IP correctly in the 10.0.0.0/24 subnet.

Firewall, dnsmasq and odhcpd are disabled.

I then attempted to add vlan 7 and an associated IoT SSID to mimic what was working previously with the Unifi access point. Clients connecting to this new IoT SSID are not assigned an IP address and have no internet connectivity as a result.

As a side note, in the configuration below, the IoT interface is set to a static IP of 10.7.0.2, but if I set it to “DHCP Client” it is assigned the IP of 10.7.0.10 from the OpnSense router.

I feel I am close, but I must have some vlan configuration error that I hope will be obvious to folks here.

Thanks for any advice.

{
	"kernel": "5.10.161",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
package network

# /etc/config/network as first posted: an OpenWrt 22.03 "dumb AP". The AP
# itself holds a static address on the LAN (10.0.0.2) and on the IoT VLAN
# (10.7.0.2); DHCP and DNS for both networks come from the router at 10.0.0.1.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb5:ee00:8eab::/48'

# One bridge over every copper port, including 'wan' (repurposed as a plain
# LAN port on an AP; see the poster's follow-up). There are no bridge-vlan
# sections, so the bridge runs without VLAN filtering.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# No 'option gateway': the AP reaches 10.0.0.0/24 only (the route dump below
# shows no default route), which is fine for a pure AP.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.2'
	list dns '10.0.0.1'

# 802.1q sub-interface stacked on the bridge. This gives the AP itself a VLAN 7
# leg (which is why 'DHCP client' on it obtains a lease, as the post notes),
# but br-lan.7 is not a bridge, so a wifi-iface bound to network 'IoT' has
# nothing to be bridged into.
# NOTE(review): a plausible cause of the IoT clients getting no lease --
# inferred from the symptoms, confirm against the netifd log.
config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '7'
	option name 'br-lan.7'

config interface 'IoT'
	option device 'br-lan.7'
	option proto 'static'
	option ipaddr '10.7.0.2'
	option netmask '255.255.255.0'

package wireless

# Two radios, three SSIDs. All SSIDs use WPA2-PSK ('psk2'); the keys are
# redacted by the poster.

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

# 5 GHz LAN SSID, bridged into network 'lan'.
# The key line below lost its closing quote in redaction; the posted value is
# not the real one anyway.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Tilted Towers 5'
	option encryption 'psk2'
	option key '**********

# 2.4 GHz LAN SSID, bridged into network 'lan'.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Tilted Towers'
	option encryption 'psk2'
	option key '**********'
	option network 'lan'

# 2.4 GHz IoT SSID bound to network 'IoT', whose device is the 802.1q
# sub-interface br-lan.7 (see the network file): the SSID that gets no leases.
config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Tilted Towers IoT'
	option encryption 'psk2'
	option key '**********'
	option network 'IoT'

package dhcp

# The AP serves no DHCP or DNS itself: the post says the dnsmasq and odhcpd
# services are disabled, and the lan pool below is switched off as well. The
# dnsmasq section appears to be the stock 22.03 default.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# 'ignore 1' disables the DHCPv4 pool for 'lan' even if dnsmasq were started;
# leases come from the router at 10.0.0.1.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

# 'maindhcp 0': odhcpd does not take over DHCPv4 from dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

# Only the defaults section is left and the firewall service is disabled on
# this AP (first post). The missing /etc/firewall.user and iptables-save in the
# diagnostics below are expected on 22.03, which uses the nftables-based fw4.
# These values would take effect only if fw4 were re-enabled.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.0.2/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
17: br-lan.7@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.7.0.2/24 brd 10.7.0.255 scope global br-lan.7
       valid_lft forever preferred_lft forever
10.0.0.0/24 dev br-lan scope link  src 10.0.0.2 
10.7.0.0/24 dev br-lan.7 scope link  src 10.7.0.2 
broadcast 10.0.0.0 dev br-lan table local scope link  src 10.0.0.2 
local 10.0.0.2 dev br-lan table local scope host  src 10.0.0.2 
broadcast 10.0.0.255 dev br-lan table local scope link  src 10.0.0.2 
broadcast 10.7.0.0 dev br-lan.7 table local scope link  src 10.7.0.2 
local 10.7.0.2 dev br-lan.7 table local scope host  src 10.7.0.2 
broadcast 10.7.0.255 dev br-lan.7 table local scope link  src 10.7.0.2 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Jan  3  2023 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            35 Oct  6 16:40 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            36 Oct  6 14:56 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            36 Oct  6 14:56 resolv.conf.auto
==> /etc/resolv.conf <==
# Interface lan
nameserver 10.0.0.1

==> /tmp/resolv.conf <==
# Interface lan
nameserver 10.0.0.1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 10.0.0.1

Change:

# The OP's 802.1q sub-interface on top of br-lan, quoted here to be replaced.
config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '7'
	option name 'br-lan.7'

to

# Bridge VLAN filtering instead of a stacked sub-interface: VLAN 7 is carried
# tagged (':t') on the trunk port, and netifd exposes it as br-lan.7, a bridged
# VLAN device that wifi-ifaces can join.
# NOTE(review): once any bridge-vlan exists the bridge filters VLANs, so the
# untagged LAN needs its own bridge-vlan entry as well -- added in a later
# reply in this thread.
config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'wan:t'  # or other port used as trunk in dumb AP

Other changes to consider:

  1. Adding option gateway '10.0.0.1' to the lan interface if you want to access Internet on this network.
  2. Adding tagging for LAN network on the link from the router to the AP (but this requires changes in the router configuration)
  3. Does your AP need an address in the IoT network? If not, you can change the IoT interface to:
# 'proto none': the VLAN is bridged through, but the AP takes no address on it.
config interface 'IoT'
	option device 'br-lan.7'
	option proto 'none'

Hey @m80, thanks for jumping in here. I greatly appreciate the help.

Starting slowly, I replaced:

# Removed: the 802.1q sub-interface from the original config.
config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '7'
	option name 'br-lan.7'

with

# Added: VLAN 7 tagged on 'wan', as suggested. With this the only bridge-vlan,
# the untagged LAN has no VLAN entry -- consistent with both LAN SSIDs losing
# connectivity after the reboot described below.
config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'wan:t'

And made no other changes, saved and then rebooted.

Upon coming back up, I was no longer able to connect to the AP over either previously working LAN WiFi SSID (Tilted Towers and Tilted Towers 5). Neither provided an IP from the router any longer.

But it's all good. I learned how to perform a failsafe recovery on the RT3200. I had not done that before, and I'm sure I will need to do it again at some point as I'm ordering a couple more of these.

Back to square one. I wish I understood this better, so I could ask more intelligent questions. Is there a reason the configuration that Luci generated for the "802.1q" device is not valid? Did I choose the wrong options from the Luci device screen for a vlan?

Also, you probably noticed that I had previously added the WAN port as well to the br-lan device. Since this is just an AP, I thought it would make sense to have it as another port there since there will be no need for WAN connection in this AP.

Lastly, I only have one physical cable from my OpnSense router, currently going into the LAN1 port of this OpenWRT AP. If you have time, please help me understand if I need to wire these differently with these tagging changes.

Thanks again!

The advice from @m80 was generally correct, but you need to also add the following:

# VLAN 1 as the untagged LAN: 'u*' marks each port untagged with VLAN 1 as its
# PVID, so untagged frames keep flowing once filtering is on.
# NOTE(review): bridge-vlan sections name their bridge with 'option device'
# (compare the VLAN 7 section in the reply above); 'option name' is not that
# option, so this entry likely never takes effect and br-lan.1 never appears --
# which would explain the LAN breaking in the next post.
config bridge-vlan
	option name 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'wan:u*'

and then edit your lan interface to use br-lan.1 like this:

# The lan interface moves from the bare bridge to the VLAN 1 device br-lan.1;
# address and DNS are unchanged from the original post.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.2'
	list dns '10.0.0.1'

Try that and let us know if that fixes things... if not, please post your current complete config so we can see what is happening.


Thanks @psherman @m80. I've attempted to make the edits correctly but I'm not confident I did. My complete vlan 7 config is below. I am getting good at recovering so that's something at least :slight_smile:

As a reminder, my downstream router is expecting untagged lan traffic for 10.0.0.0/24, and vlan 7 tagged traffic for 10.7.0.0/24, as this is how it was working with the previous Unifi AP that I am trying to replace with OpenWRT.

In the configuration below, I haven't set up a wifi for the IoT network because this config breaks the lan side. I want to get that working first. I don't get a dhcp assignment on the lan interface with this config currently.

Thanks guys. What do you see I got wrong here?

---- network ----

# Network section of the attempt that broke the LAN side (no lease on 'lan').
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# VLAN 7 tagged on 'wan' -- but the router cable is on lan1 (see the earlier
# post), so tagged IoT traffic never reaches this port.
config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'wan:t'

# NOTE(review): this section uses 'option name' where the VLAN 7 section above
# uses 'option device'. bridge-vlan identifies its bridge with 'device', so the
# VLAN 1 entry likely is not applied, br-lan.1 does not exist, and the 'lan'
# interface below has no device -- matching the missing DHCP lease.
config bridge-vlan
	option name 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'wan:u*'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.2'
	option gateway '10.0.0.1' 
	list dns '10.0.0.1'

# Both 'lan' and 'IoT' set a default gateway with no 'option metric'; only one
# default route can be effective and which one wins depends on bring-up order.
# Moot once IoT is 'proto none', as suggested further down.
config interface 'IoT'
	option device 'br-lan.7'
	option proto 'static'
	option ipaddr '10.7.0.2'
	option gateway '10.7.0.1' 
	option netmask '255.255.255.0'


---- wireless ----

# Wireless for this attempt: only the two LAN SSIDs, both bound to network
# 'lan'; the IoT SSID is deliberately left out until the LAN side works.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option ssid 'Tilted Towers'
	option key '**********'

# 5 GHz radio now at HE20 (HE80 in the first post).
config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option cell_density '0'
	option htmode 'HE20'

# NOTE(review): the SSID reads 'Tilted Tower 5' here but 'Tilted Towers 5' in
# the first post; clients saved against the original name will not auto-join.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option ssid 'Tilted Tower 5'
	option key '**********'


You can (and likely should) simply make the IoT interface unmanaged...

# 'proto none': the AP bridges VLAN 7 but holds no address on it. Besides being
# unnecessary for bridging, this means the AP -- which runs with its firewall
# service disabled -- has no IP presence in the IoT network that could be
# reached from that side.
config interface 'IoT'
	option device 'br-lan.7'
	option proto 'none'

It should work at this point... attach a new SSID to the network IoT.


Hi Peter, again I appreciate your assistance.

I need to start over. I've tried many times to get this configuration right, but no matter what I try it keeps breaking my Lan interface, forcing me to recover the device and start over.

Below is a configuration that is working for my Lan interface. I connect fine via the wifi associated with this interface.

My downstream router is plugged into lan1 on this OpenWRT AP, of course. So, starting over, what do I need to add/change in the working configuration below to also enable vlan 7 without it breaking the Lan interface? (My router is expecting Lan on 10.0.0.0/27, and vlan 7 is 10.7.0.0/24.)

# Minimal working LAN-only config: a single bridged port (lan1, where the
# router is cabled) with the AP on 10.0.0.2 and a default gateway; no VLANs.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0d:37b4:c766::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.0.0.1'
	option ipaddr '10.0.0.2'

I'm not quite sure why this isn't working for you... but it is always possible that this is related to a hardware quirk... there are some switch chips that actually don't like having untagged + tagged networks on the same trunk port. The 802.1q standard allows for this, but some chips just don't work that way, and there are also some personal/professional opinions out there that say "don't mix untagged + tagged; go tagged only."

Let's try once more, though... All of this needs to be completed in one step, so you can do this by editing the config file directly and then rebooting when this is complete.

I see that you're now using br-lan on only port lan1... so make sure that is the port that is physically connected to the main router. This is what it should look like for your br-lan, bridge-vlan, and network interface statements (I've omitted the loopback and globals sections; it also seems highly likely that you've also omitted a bunch from this latest config file, but that's fine as long as it doesn't conflict with the below):

# Proposed layout: VLAN 1 untagged + PVID ('u*') and VLAN 7 tagged ('t') on
# the same trunk port lan1 -- the mixed trunk that the paragraph above warns
# some switch chips handle poorly.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'lan1:t'

# NOTE(review): the ipaddr line below is missing its closing quote as posted;
# an unterminated quoted value is a UCI parse error, so add the quote before
# pasting this into /etc/config/network.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.0.0.1'
	option ipaddr '10.0.0.2

# VLAN 7 is bridged through only; the AP takes no address on it.
config interface 'vlan7'
	option device 'br-lan.7'
	option proto 'none'

Thanks for not giving up on this, Peter. There is some progress to report.

First though, just to clarify, the small config I posted in my immediately prior post to this was the entire network config file. Nothing was omitted.

This time, here is the entire network config file that I used, with the ethernet cable plugged into lan1. I made this change and rebooted.

# Complete network file for the attempt where LAN clients worked but the AP's
# own address 10.0.0.2 was unreachable (see the post below).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0d:37b4:c766::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

# VLAN 1 untagged with PVID on the trunk port, VLAN 7 tagged on the same port.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'lan1:t'

# NOTE(review): the ipaddr line below is missing its closing quote exactly as
# in the suggestion it was copied from. If the file on the device really reads
# this way it is a UCI parse error; check the live file (uci show network).
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.0.0.1'
	option ipaddr '10.0.0.2

config interface 'vlan7'
	option device 'br-lan.7'
	option proto 'none'

Upon rebooting, wifi connected successfully and I was assigned an appropriate IP address for the lan subnet (10.0.0.133). I had internet access. I could log in to my main router at 10.0.0.1. I could ping and connect to other lan wifi clients that automatically connect to this wifi SSID when it lights up.

But...the OpenWRT access point itself at 10.0.0.2 was not reachable. ???

I ssh'd into the main router at 10.0.0.1 to see if it could ping back to the ap from that side. It could not.

So the lan network is working, but the OpenWRT box is not reachable at its static IP.

I made sure the firewall was disabled on OpenWRT. And there is nothing in my main router firewall rules to prevent lan clients from seeing each other.

Lastly, I wasn't able to test vlan7 yet because I couldn't get in to add the wifi association.

Create an admin network that has a wifi AP and a DHCP server. Then you can always log into the 3200 by wifi if LAN connectivity breaks.

I agree with @psherman you should tag both networks on the trunk cable as mixing tagged and untagged on the same port doesn't work with all hardware. This of course will require reconfiguring the OpnSense main router to use tagged packets on both networks.


I'll get on this later today. Thanks for the great suggestions Mike.

Anyone reading this thread can pretty much disregard everything I posted previously and chalk it up to a terribly confused madman. But I did finally get this working. Wooo Hooo!

I changed up my design a bit so I have a new diagram.

I want to first thank @mk24, @psherman and @m80 for their assistance.

Network Config:

# Final working config: the AP is a pure layer-2 device. All three VLANs ride
# tagged on the single trunk port lan1 (no untagged/tagged mix), and the AP
# holds no address on any of them; it is administered only through the
# dedicated ADMINWIFI network below (see the last replies for the trade-off
# against giving it a LAN address).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd61:a885:daea::/48'

###########################################
# admin wifi interface in case I screw up #
###########################################
# Management network on a wireless interface with a static address. Because
# the firewall service is disabled on this AP, its ssh/LuCI are reachable from
# every network it has an address on -- in this layout, only this one.
# NOTE(review): the wireless and dhcp sections are not posted. Presumably a
# wifi-iface is bound to this network and a dhcp pool serves it (as suggested
# earlier in the thread); otherwise admin clients need a static 10.10.10.0/24
# address. Also confirm that the admin SSID is the wifi-iface netifd names
# 'wlan0' (typically the first wifi-iface on radio0).
config interface 'ADMINWIFI'
	option proto 'static'
	option device 'wlan0'
	option netmask '255.255.255.0'
	option ipaddr '10.10.10.10'


#######################
# vlan1 - lan         #
#######################
# Only the trunk port is in the bridge. Every bridge-vlan below carries its
# VLAN tagged on lan1 and no port is marked 'u*', so lan1 has no PVID and
# untagged frames arriving on it are dropped rather than landing in a VLAN.
config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'lan1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'

# 'proto none': bridged only, no IP for the AP in this VLAN.
config interface 'lan'
	option proto 'none'
	option device 'br-lan.1'   


#######################
# vlan2 - Guest       #
#######################
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:t'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.2'  


#######################
# vlan3 - IoT         #
#######################
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'

config interface 'iot'
	option proto 'none'
	option device 'br-lan.3' 
	

A couple other things that helped. Picking up a second Belkin RT3200 made testing more convenient. And surprisingly, ChatGPT4 was helpful. It often gave incorrect information, but it was right some times.

I hope this will be helpful to others.


In the long term, you may want to give this device an address on the trusted lan so you can administer it without needing to connect to a separate wifi network. But that's a matter of preference.

Great info for a vlan and guest wifi wannabe!

Minor advice - consider using the same name for the 5 GHz network; OpenWrt can handle it (depending on hardware, probably) and it simplifies client setup.
