Adding Bridge to connect VLAN and Wifi

Hello,

I have been using OpenWrt for a couple of days now and I am quite happy with it. My primary use was simply to have a router that could segment my port-forwarded hosts into their own VLAN and also support NAT loopback, unlike my default AT&T router. All of those things seem to be working great, but for some reason I cannot figure out how to add an SSID to the same VLAN as my servers. The goal is to be able to SSH into the servers or scp files back and forth as needed.

The interface that they're on is called 'host'; the VLAN has an ID of 3 and the Ethernet port used by that VLAN is port 1. I have been using LuCI for configuration since it reminds me of DD-WRT, which I had used in the past.

I tried to mimic the existing lan interface by creating a bridge with what I believe to be the default settings. I also used the same MAC address as the lan bridge, which might be problematic? Whenever I add the Ethernet port 'eth0.3 (host)' to the bridge, the bridge shows 'connected: no'. If I instead change the host interface so that its device is the bridge 'br-host' rather than 'eth0.3', the interface shows 'Error: Network device is not present'.

The wireless device is attached to the interface through the network drop down inside of the wireless settings for that SSID. In any of the above cases, devices connected to this SSID have no access to anything on the network or the internet.

I feel that I'm probably missing something super simple but I would appreciate any guidance you all may have.
Thank you!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Sorry about that. Here's the requested output.

ubus call system board:

{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd64:fef2:d85e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '84:d8:1b:7f:f1:7b'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 3 4 5'
	option vid '1'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'
	option description 'WAN'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2'
	option vid '3'
	option description 'Host'

config interface 'host'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-host'
	option defaultroute '0'

config device
	option type 'bridge'
	option name 'br-host'
	list ports 'eth0.3'
	option mtu '1500'
	option txqueuelen '1000'
	option mtu6 '1500'
	option macaddr '84:D8:1B:7F:F1:7A'

/etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel 'auto'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID5GHz'
	option encryption 'sae-mixed'
	option key 'password'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel 'auto'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID2GHz'
	option encryption 'sae-mixed'
	option key 'password'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Dev'
	option encryption 'sae-mixed'
	option key 'password'
	option network 'host'

/etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '1.1.1.1'
	list server '8.8.8.8'
	list server '8.8.4.4'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'domain.name'
	option ip '192.168.2.1'

config dhcp 'host'
	option interface 'host'
	option start '100'
	option limit '150'
	option leasetime '12h'

config domain
	option name 'other.domain.name'
	option ip '192.168.1.254'

config host
	option name 'web-server'
	option ip '192.168.3.130'
	option mac '54:04:A6:4D:1B:B0'

/etc/config/firewall:

config defaults
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'host'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'host'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Drop-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'DROP'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'host'
	option dest 'wan'

config redirect
	option dest 'host'
	option target 'DNAT'
	option name 'Reverse Proxy HTTP'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.3.130'
	option dest_port '80'

config redirect
	option dest 'host'
	option target 'DNAT'
	option name 'Reverse Proxy HTTPS'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.3.130'
	option dest_port '443'

Thank you for your help!

EDIT: I just noticed that when the wireless interface is attached to the 'host' interface, the interface does come up, but without the Ethernet port. The bridge configuration page still shows the bridge as grey/down.

Remove the `option type 'bridge'` and `option defaultroute '0'` lines from the `config interface 'host'` section of /etc/config/network:

Remove the last 4 lines (mtu, txqueuelen, mtu6 and macaddr) of the `config device` section for 'br-host':

Using sae-mixed encryption doesn't work all that well with many devices. You should consider using WPA2 or WPA3 only, not mixed mode.

Instead of DROP, you should usually use REJECT for the input and forward policies, so that blocked clients get an immediate error instead of a timeout (but this is unrelated to your issue):

That solved it. Thank you so much! Guess it's time to ditch the GUI. Now I'm off to figure out how to enable NAT loopback into the host VLAN from the lan interface.
