AP with 2 SSIDs and 3 VLANs

Hi,

I just installed OpenWRT on a TP EAP245 v1 a few days ago, but ran into some trouble configuring it.
Traffic is routed on an OPNSense and my network is mainly segmented using VLANs tagged by an HP v1910 switch. The TP EAP245 is also connected to the switch and has VLANs 100, 300, 301 tagged on the port.

The goal:

  • The TP should just act as a WIFI AP
  • it is connected via its only Ethernet port to the switch
  • it offers two SSIDs, one tagged with 300, one tagged with 301
  • other traffic should be tagged with 100 (management)

What I got:

  • 2 SSIDs, but cannot reach WAN / DHCP
  • AP is accessible and I can get the default traffic working (100)

What I did:

  • I disabled DHCP+Firewall
  • Set LAN Bridge (br-lan) interface Proto = Unmanaged
  • Added VLAN devices with respective VLAN IDs (br-lan300, br-lan301, br-lan100)
  • Created interfaces: WAN300 ->br-lan300, WAN301->br-lan301, WAN->br-lan100. Each interface uses DHCP and gets a correct IP assigned
  • I can reach them using that IP from the respective subnets
  • I set up 2 WIFI SSIDs, assigned them the interfaces (one WAN300, one WAN301)
  • If I want to connect to the WIFI, it cannot reach the DHCP. If I set a static IP, it can reach the AP but not the LAN (routed by the OPNSense)
  • If I set the WIFI network=lan, it receives a (false) IP that is not part of any VLAN and cannot reach my LAN

On my Proxmox instances, I just need to set up my trunk (vmbr+vmbr.XXX) - that works without any issues. Tagged VMs are routed as expected.

My Config:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5e:5245:94ea::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option acceptlocal '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'none'

config interface 'wan'
        option proto 'dhcp'
        option device 'br-lan.100'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '301'
        option name 'br-lan.301'

config interface 'WAN300'
        option proto 'dhcp'
        option device 'br-lan.300'

config device
        option name 'wlan0'

config device
        option name 'wlan1'

config device
        option name 'wlan0-1'

config device
        option name 'wlan1-1'

config device
        option name 'eth0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '100'
        option name 'br-lan.100'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '300'
        option name 'br-lan.300'

config interface 'WAN301'
        option device 'br-lan.301'
        option proto 'dhcp'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option htmode 'VHT80'
        option channel 'auto'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'WRT'
        option encryption 'psk2'
        option key 'oiafio29IaOS09'
        option network 'WAN300'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'WRT'
        option encryption 'psk2'
        option key 'oiafio29IaOS09'
        option network 'WAN300'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'WRT-IOT'
        option encryption 'psk2'
        option key '2j98fahfsd8ahf8ASI'
        option network 'WAN301'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'WRT-IOT'
        option encryption 'psk2'
        option key '2j98fahfsd8ahf8ASI'
        option network 'WAN301'

Any ideas? Thank you


Delete the last line in the br-lan device stanza.

You probably want to delete the wan interface and put the lan on br-lan.100 with proto dhcp or static.

Delete this, it's not necessary:

Not sure why you're calling this wan300, but this should be proto none (unmanaged) since it is not your management network (typically a dumb AP will only have an address on the management network; all others just get bridged, with no local address on the AP).

Delete all references to wlan devices in the network file. They should only be specified in the wireless file.

Delete this:

And this one should also be proto none.

Then, add this:

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '300'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '301'
        list ports 'eth0:t'

Thank you for the reply.

So, I removed the WIFI devices and set the WAN300/WAN301 to Unmanaged.
If I want to add bridge-vlan, it becomes unresponsive (via SSH it completely loses the connection, via the GUI it fails over).

What I don't get about your recommendation: if I kick all the br-lan.300, br-lan.100 etc. out, how can I tag the SSIDs?

That doesn't entirely surprise me for a few reasons... let's dig into that in a moment.

I'm not sure exactly what the question is here. I'm not suggesting to 'kick out' the VLANs. But maybe you're asking why I'm suggesting removing the previous 802.1q device types (can you confirm this as the root of the question)? If so, yes, I'm suggesting deleting those, but simultaneously replacing them with the bridge-vlan device type, which will achieve the same thing (i.e. it sets up 802.1q tagging at the ethernet port, based on the option vlan line and the port tagging line).

The other part is that you'll be associating the network with the wifi SSIDs in the wireless file. Tagging is only relevant on the ethernet port, so what we want to achieve is a bridge for each VLAN, a network interface for that network (unmanaged/none, except for the management network, which will have an address), and then the ability for the SSID to connect to the bridge. That should all happen with the suggestions I provided.

Now... back to the other issue where things went unresponsive...
(disclaimer: there are still some parts of DSA that I don't totally understand, so I could have some of this wrong, but the end result that I'll suggest should still work. The good news is that if I'm wrong, there are other contributors who will chime in to set things right again, so we'll get your problem solved either way)

When you set up bridge VLANs, you usually cannot attach directly to the 'original' bridge device. In other words, when you create br-lan.300, br-lan itself (which is the device currently used by the lan interface) is no longer directly usable. Instead, you need to use a bridge-VLAN for all networks. So once you have br-lan.300, you'll need br-lan.< some_VLAN_ID > in the lan instead of just br-lan.

It just so happened that you specified that the management network is VLAN 100, so I suggested adding br-lan.100.

But, I didn't ask a critical question -- is VLAN 100 (the management network) tagged or untagged on the upstream connection (i.e. switch port or router port)?

Below assumes that you'll have VLAN 100 tagged on your trunk.

If that is an incorrect assumption and it is actually untagged, simply change the eth0:t to eth0:u* and that will fix that problem.

Note: the 802.1q standard allows untagged networks to exist on a trunk, but there are split opinions about this from a practical perspective -- some will argue that it is best practice to have only tagged networks on a trunk. And, in some cases, the physical hardware may not play nice when there is a mixed tagged+untagged situation.

Does that answer your questions?
If you've got an updated network config file, we can review that.
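For reference, here is what the complete /etc/config/network looks like once the bridge-vlan suggestions above are applied. This is an added example, not a file posted by either participant; it assumes VLAN 100 is tagged on the trunk (change eth0:t to eth0:u* on the VLAN 100 stanza if it is untagged), keeps the interface names WAN300/WAN301 so the posted /etc/config/wireless can stay unchanged, and omits the loopback and globals stanzas, which stay as posted.

```uci
# Single bridge over the only Ethernet port; no 'acceptlocal', no 8021q devices,
# and no 'config device' stanzas for wlan*/eth0 (wifi belongs in /etc/config/wireless).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# 802.1q tagging happens only on the Ethernet trunk port (eth0:t).
# Assumption: VLAN 100 is tagged upstream; use 'eth0:u*' here if it is untagged.
config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '300'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '301'
        list ports 'eth0:t'

# Management network: the only network where the AP itself holds an address.
# br-lan.100 replaces bare br-lan, which is no longer directly usable once
# bridge VLANs exist. The old 'wan' interface is dropped.
config interface 'lan'
        option device 'br-lan.100'
        option proto 'dhcp'

# Client VLANs: bridged through to the switch only, no address on the AP
# (proto none). Names kept as WAN300/WAN301 to match the posted wireless file,
# whose 'option network' lines attach each SSID to the matching bridge VLAN.
config interface 'WAN300'
        option device 'br-lan.300'
        option proto 'none'

config interface 'WAN301'
        option device 'br-lan.301'
        option proto 'none'
```

Because the management address moves from br-lan to br-lan.100 in one step, an SSH session on the old address is expected to drop; applying through LuCI's Save & Apply keeps the automatic rollback if the new address does not come up.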