AP with OpenWRT (Zyxel AWX50AX) directly connected into OPNSense custom box VLANs configuration

Hey Forum.

Trying to configure my first network build, but I keep getting stuck without really understanding why (98% confident I'm misunderstanding how VLANs should actually work).

Looked at documentation, bunch of videos and posts on this forum, but nothing seems to be working for me.

What I want to achieve is: having the AP transmit two SSIDs, one for LAN (for "trusted" devices) and another for a VLAN (for "untrusted" devices).

I have an OPNsense box as a router with 2 interfaces configured, LAN and VLAN (tag: 10), the latter based on this LAN interface.

The AP is connected directly into this LAN port (configured as a "dumb" AP following the OpenWrt documentation).

The AP config is almost default, because sometimes I have to reset the AP as it gets stuck trying to revert changes.

cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[redacted]'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

Trying to add Bridge VLAN filtering to the br-lan device, as lots of comments suggest, doesn't work: OpenWrt reverts the changes (it doesn't matter whether I add the VLAN as Tagged or Not Tagged, but, from my understanding, the VLAN should be Not Tagged, as devices connected to the AP (like smartphones etc.) don't know about the VLAN?).

What seems to kind of work is adding the VLAN as an 802.1q device and creating an interface based on this device. In that case the interface gets an IP address from the router.

Config:

cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[redacted]'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '110'
	option name 'br-lan.110'
	option mtu '1500'
	option macaddr '[redacted]'

config interface 'UNTRUSTED'
	option proto 'dhcp'
	option device 'br-lan.110'

cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path '[don't understand what is it so redacted]'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '[don't understand what is it so redacted]'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'UNTRUSTED'
	option mode 'ap'
	option ssid 'OpenWrt.Test'
	option encryption 'sae'
	option key '[:)]'

But then the problem is that wirelessly connected devices cannot get an IP address from the router. I can see my phone connecting to the AP in LuCI, but it fails to get an IP address (it disconnects after the phone shows "Obtaining IP address" (Android)).

When using the lan interface for wireless, everything works fine.

The configuration for LAN and VLAN 10 on the OPNsense side is basically the same, just different subnets: 192.168.100.x vs 192.168.110.x.

Sorry for posting yet another question on this topic, but this is my last resort as I'm stuck on this for some time now without really understanding the problem.

You need to use bridge vlan filtering, so start again from the default network configuration.

Go to the Bridge VLAN filtering menu and create the VLANs:
VLAN 1 - untagged
VLAN 110 - tagged

In the Devices tab, use the Save button, NOT the Save & Apply button.

Then go to the Interfaces tab and edit the LAN interface by changing the device from br-lan to br-lan.1. Now use the Save & Apply button and the changes should not be reverted.

Create the UNTRUSTED interface using device br-lan.110.
If you are going to use DHCP, set a metric for the interface.

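For reference, here is the complete /etc/config/network and /etc/config/wireless that the steps above produce. This is an added example, not the original reply's text or the poster's final config: SSID names, the 'CHANGE-ME' passphrases, the metric value, the client isolation setting and the alternative proto 'none' are assumptions. It uses VLAN ID 110 as the reply does, so the OPNsense VLAN interface has to carry the same tag on the port the AP is plugged into (the question mentions "tag: 10", so check that both ends agree before testing).

```uci
# /etc/config/network (assumed final state after the steps in the reply above)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[redacted]'
	option packet_steering '1'

# Single bridge; VLAN filtering is enabled by the bridge-vlan sections below.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

# VLAN 1: untagged on the wired port, and PVID ('*') so untagged frames
# from the router land here.  This is the "trusted" network.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan:u*'

# VLAN 110: tagged on the wired port.  The wifi-iface bridged into
# br-lan.110 adds and strips the tag, so wireless clients never see it.
config bridge-vlan
	option device 'br-lan'
	option vlan '110'
	list ports 'lan:t'

# Management interface moved from br-lan to br-lan.1 (the Save-then-Save&Apply
# ordering in the reply exists so this edit lands in the same commit).
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

# Untrusted VLAN.  With two DHCP clients the AP would get two default routes,
# hence the metric.  Assumed alternative: proto 'none' leaves the AP without an
# address on this VLAN, so untrusted clients cannot reach its management plane.
config interface 'UNTRUSTED'
	option device 'br-lan.110'
	option proto 'dhcp'
	option metric '10'

# /etc/config/wireless (radio sections unchanged; two SSIDs on the 5 GHz radio)

# Trusted SSID: bridged into 'lan' (VLAN 1).  Assumed: WPA3-SAE rather than
# 'encryption none', since an open SSID on the trusted side defeats the split.
config wifi-iface 'trusted'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Home'
	option encryption 'sae'
	option key 'CHANGE-ME'

# Untrusted SSID: bridged into 'UNTRUSTED' (VLAN 110).  Assumed: client
# isolation so untrusted devices cannot talk to each other over the AP.
config wifi-iface 'untrusted'
	option device 'radio1'
	option network 'UNTRUSTED'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'sae'
	option key 'CHANGE-ME'
	option isolate '1'
```

The dumb-AP steps the poster already followed (dnsmasq, odhcpd and firewall disabled on the AP) are assumed to still be in place; DHCP for both SSIDs is served by OPNsense. To confirm the filtering is active after applying, `bridge vlan show` on the AP should list port lan with VLAN 1 as PVID/untagged and VLAN 110 tagged, and a client on the Guest SSID should receive a 192.168.110.x lease while a client on Home receives 192.168.100.x.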

Yep, it's working now, thank you!

If I may ask, was my problem that I tried to use the VLAN and, like, the "physical" lan port at the same time, and that is just wrong?

I've read that VLAN 1 is reserved (at least on some routers) for internal use, so I assume using VLAN 1 is the same as using just a normal LAN device?

Or am I missing something?

Also, I don't quite understand why I cannot apply changes right after creating new VLANs without using them, but that's something I can find out by myself.

Your goal was to bridge the "untrusted" wlan interface and the tagged lan interface.

Without using bridge VLAN filtering, the other option would be to create a second bridge device and set VLAN tagging using the [dev].[vid] notation:

config device
	option name 'br-untr'
	option type 'bridge'
	list ports 'lan.110'

config interface 'UNTRUSTED'
	option proto 'dhcp'
	option device 'br-untr'
	option metric '10'

Unfortunately, this option does not always work as expected, and some devices do not even allow the creation of a second bridge.

Well, some devices are reported to be problematic when the default VID (1) is used for custom VLAN settings. IMO, not using VLAN 1 is more of a good-practice recommendation. On a one-port device, the PVID value shouldn't really matter, but you can always change it to something else if that makes you feel more comfortable.

When you add a VLAN to br-lan, you change the rules. If you do not modify the interface used for management (before applying the settings), you will lose access to the device, because the traffic will be dropped as it enters or leaves the AP on the wrong VLAN interface.

The auto rollback feature is something that keeps you out of trouble.

