APs not routing to configured network

I'm a networking novice. I have a BPI-R4 running 24.10.5.

I have an interface called "management" with a static address configured for the lan1 port, and I've removed the lan1 port from all bridge devices. DHCP is ignored for the management interface. I have an AP pointed solely at the management network, and "isolate clients" is not checked. I have a firewall zone called "management" that controls the management interface configured to accept incoming, outgoing, and intra-zone traffic.

I can access LuCI by plugging my computer into the lan1 port and navigating to the static address. I cannot access LuCI by connecting to the AP and navigating to the static address.

Where do I start troubleshooting this issue? I'm having similar issues with every AP that I configure that isn't pointed at my "lan" interface, but this is the simplest case.

It would be best if you could share a topology diagram showing the upstream router (I assume that this is an AP only) and the connection on your BPI-R4 (indicating the ports in use). Also, does your upstream router have VLANs?

Finally, we need to see your configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

The topology is that I have this single BPI-R4 operating as a router and AP (with nowhere to route except to itself at the moment), and a laptop that can connect either via 2.4 GHz WiFi or via a CAT6 cable. I reached this configuration after trying some more traditional and complex topologies and having similar issues.

root@boss-pi:~# ubus call system board
{
        "kernel": "6.6.119",
        "hostname": "boss-pi",
        "system": "ARMv8 Processor rev 0",
        "model": "Bananapi BPI-R4 2.5GE PoE",
        "board_name": "bananapi,bpi-r4-poe",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}
root@boss-pi:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3e:8363:53c8::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.0.0.0'
        option ip6assign '60'
        option ip6ifaceid 'eui64'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'wan'
        list ports 'eth2'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '60'
        option extendprefix '1'
        option norelease '1'
        option ip6ifaceid 'eui64'

config interface 'management'
        option proto 'static'
        option device 'lan1'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config device
        option type '8021ad'
        option ifname 'br-lan'
        option vid '8'
        option name 'trusted.8'

config device
        option type 'bridge'
        option name 'br-trusted'
        list ports 'trusted.8'
        option macaddr 'f5:de:6d:3d:e7:d6'

config interface 'trusted'
        option proto 'dhcp'
        option device 'br-trusted'
        option hostname '*'

root@boss-pi:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '0'
        option band '2g'
        option channel '6'
        option htmode 'EHT20'
        option cell_density '0'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'management'
        option mode 'ap'
        option ssid 'Blaze-dev'
        option encryption 'sae'
        option key 'redacted'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '1'
        option band '5g'
        option channel '36'
        option htmode 'EHT80'
        option disabled '1'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option radio '2'
        option htmode 'EHT80'
        option disabled '1'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Blaze'
        option encryption 'sae'
        option key 'redacted'
        option ocv '0'
        option network 'lan'

root@boss-pi:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/home/'
        option domain 'home'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'
        list interface 'trusted'
        list interface 'trusted6'

config dhcp 'lan'
        option interface 'lan'
        option start '128'
        option limit '127'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option dhcpv6_pd_min_len '62'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

root@boss-pi:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'management'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'management'

config zone
        option name 'trusted'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'trusted'

config forwarding
        option src 'trusted'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'trusted'

config forwarding
        option src 'trusted'
        option dest 'wan'

Do you have an active wan? or is this an "air gapped" network?

Why are you using the entire /8? This is generally bad practice. Typically /24's are used for a number of good reasons.

Remove the bridge line below:

delete all of this (it's not doing anything):

Your management network is connected to ethernet (lan1), but it cannot also connect to a wireless SSID because it isn't part of a bridge... (bridges are defined outside the interface stanza, and given the fact that your device is DSA, this uses bridge-vlans).

Since the trusted network isn't doing anything, you can also delete all of this:

This is an air-gapped network that I'm using as a learning platform, so I can work out some problems I'm having in my main network.

I went ahead and did as you said, and I deleted the lines you told me to including the wifi-iface for the AP that I was trying to fix. I also deleted the two disabled wifi-iface sections for the disabled APs.

Is there a correct way to configure the AP to use the management interface? You said I need to use a bridge; do I make a bridge device encompassing the lan1 device and assign the interface to the bridge?

For what connection method? wifi only? ethernet only? wifi + ethernet?

no, you use bridge-vlans if you want to have both ethernet and wifi.

Ultimately, I want to be able to reach LuCI on this BPI-R4 via a specific RJ-45 port and a specific WiFi network, and I want that port and WiFi network to be separate from the rest of my network so that I can make changes and still have a safe way to connect to LuCI in case I make any mistakes that would otherwise lock me out.

Forgive my ignorance, but I don't know what a bridge-vlan is. If I try to configure a new device, I have the options of:

  • Network device
  • Bridge device
  • VLAN (802.1q)
  • VLAN (802.1ad)
  • MAC VLAN
  • Virtual Ethernet

I’ve tried a few combinations of bridge devices and 802.1ad VLANs, but nothing seems to work (LuCI is inaccessible and pings to the management interface IP address fail), so I think I need more specific advice.

Ok... so you need to make bridge VLANs. We'll make VLAN 1 for the lan, and VLAN 2 for your management network.

Add the following to the network config:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:u*'

Now edit the lan interface to use the new bridge-VLAN (`br-lan.1`). I'd also recommend making it a /24:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ip6ifaceid 'eui64'

And same with the management -- that will use br-lan.2:

config interface 'management'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

Now both the lan and the management network are able to be used from ethernet and wifi. They're separate networks and inter-VLAN routing is governed by the rules in the firewall.
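As an added example, not code from the thread and not an OpenWrt tool: a small Python linter that encodes the two points made in the replies above, so you can run the same check against your own /etc/config files before rebooting. It assumes what the replies state: netifd lets a wifi-iface join a network only when that network's device is a bridge or a bridge-VLAN sub-device named `<bridge>.<vlan>` (br-lan.2), and fw4 allows forwarding between two different zones only through a `config forwarding` section, with a zone's own `forward` option covering traffic between interfaces inside that zone and `input` covering access to the router itself (LuCI, ssh). The parser, the helper names and the sample configs are constructed here; per-`config rule` exceptions are deliberately ignored.

```python
"""Added example (not from the thread or OpenWrt): lint a UCI config for what this
thread turns on.  A wifi-iface needs a network whose device is a bridge or a
bridge-VLAN (br-lan.2); fw4 forwards between zones only via 'config forwarding'."""
import re

def parse_uci(text):
    """Minimal UCI reader: one dict per 'config' section ('.type', '.name', options, lists)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = [q or u for q, u in re.findall(r"'([^']*)'|(\S+)", line)]
        if words[0] == "config":
            sections.append({".type": words[1], ".name": words[2] if len(words) > 2 else None})
        elif words[0] == "option":
            sections[-1][words[1]] = words[2]
        elif words[0] == "list":
            sections[-1].setdefault(words[1], []).append(words[2])
    return sections

def bridge_devices(net):
    """Device names a wifi-iface may attach to: bridges plus their bridge-VLAN sub-devices."""
    names = {s["name"] for s in net if s[".type"] == "device" and s.get("type") == "bridge"}
    names |= {f"{s['device']}.{s['vlan']}" for s in net
              if s[".type"] == "bridge-vlan" and s.get("device") in names}
    return names

def wifi_attachment_problems(net, wifi):
    """(ssid, reason) for each enabled wifi-iface whose network is undefined or not on a bridge."""
    ifaces = {s[".name"]: s for s in net if s[".type"] == "interface"}
    bridges = bridge_devices(net)
    problems = []
    for s in wifi:
        if s[".type"] != "wifi-iface" or s.get("disabled") == "1":
            continue
        iface = ifaces.get(s.get("network"))
        if iface is None:
            problems.append((s["ssid"], f"network {s.get('network')!r} is not defined"))
        elif iface.get("device") not in bridges:
            problems.append((s["ssid"], f"device {iface.get('device')!r} is not a bridge"))
    return problems

def zone_of(fw, network):
    return next((s for s in fw if s[".type"] == "zone" and network in s.get("network", [])), None)

def forward_allowed(fw, src_net, dst_net):
    """Zone-policy view of forwarding src_net -> dst_net: inside one zone the zone's
    'forward' option applies; between zones a forwarding section is required."""
    src, dst = zone_of(fw, src_net), zone_of(fw, dst_net)
    if src is None or dst is None:
        return False
    if src is dst:
        return src.get("forward", "REJECT") == "ACCEPT"
    return any(s[".type"] == "forwarding" and s.get("src") == src["name"]
               and s.get("dest") == dst["name"] for s in fw)

def router_reachable(fw, network):
    """Can a client on `network` reach the router's own services (LuCI, ssh)?"""
    z = zone_of(fw, network)
    return z is not None and z.get("input", "REJECT") == "ACCEPT"

# Constructed samples: management on a bare port (the original shape) versus the bridge-VLAN shape.
NET_BEFORE = """config interface 'management'
  option device 'lan1'
"""
NET_AFTER = """config device
  option name 'br-lan'
  option type 'bridge'
  list ports 'lan1'
config bridge-vlan
  option device 'br-lan'
  option vlan '1'
  list ports 'lan2:u*'
config bridge-vlan
  option device 'br-lan'
  option vlan '2'
  list ports 'lan1:u*'
config interface 'lan'
  option device 'br-lan.1'
config interface 'management'
  option device 'br-lan.2'
"""
WIFI = """config wifi-iface 'default_radio0'
  option network 'management'
  option ssid 'Blaze-dev'
"""
FW = """config zone
  option name 'lan'
  list network 'lan'
config zone
  option name 'management'
  option input 'ACCEPT'
  option forward 'ACCEPT'
  list network 'management'
config forwarding
  option src 'management'
  option dest 'lan'
"""
```

On the live box, feed it the real files, e.g. `wifi_attachment_problems(parse_uci(open('/etc/config/network').read()), parse_uci(open('/etc/config/wireless').read()))`. Against the sample above it flags `Blaze-dev` on the "before" config (device 'lan1' is not a bridge) and passes the bridge-VLAN config; `forward_allowed` then shows management can reach lan but not the reverse, which is the zone-level behaviour you want for a recovery network. It is a sanity check, not a model of everything fw4 does.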

Joy! This works exactly as intended, and you’ve given me a new subject to learn. Thanks a lot!

I’ll probably need to use a /16 for my production network because I have a few subnets in mind. Why are /24 networks so strongly recommended? I suppose I could get by with a /20, but things might get a little weird.

You're welcome!

Even a /16 is usually larger than necessary and not advisable.

The size of the subnet is important for network optimization, but there is no hard and fast rule. The reason that a /24 is considered the 'recommended' option is that it strikes a good balance between all of the factors. For example, at 254 total host addresses, this is sufficiently large for most normal home and small business networks. And critically, it limits the size of the broadcast domain which allows for improved efficiency. As the number of hosts increases, the network becomes very 'chatty' with broadcast messages between hosts. You can think of this like the difference in volume between a small gathering of say 4-6 people vs a largish party of 100 or more... things tend to get exponentially louder (and chattier) as the number of participants increases. If you have more than 254 devices, try a /23 (for ~500 hosts) or a /22 (~1k hosts).... beyond that, consider that the network will start to get bogged down unless you are controlling multicast and broadcast messages.

Another benefit of /24 is that it is really easily readable -- the last octet is the host address, everything to the left of that is the subnet -- the third octet in particular becomes the most relevant so it's very easy to visually tell the network to which a device belongs (i.e. 10.1.2.0/24 vs 10.1.3.0/24 -- the 2 vs 3 is all you need to look at to know which subnet). Yes, you can do this on larger subnets, but this is just a very human readable approach.

The other two reasons a /24 is recommended are that you have more room for additional subnets (the larger your subnets are, the fewer of those can be created), and it is also useful to have a smaller subnet so that you can avoid overlapping with upstream (only relevant if the network is 'connected' -- right now you said that there is nothing upstream) and/or remote (in the case of an upstream + VPN) networks. All subnets in the equation must be unique and non-overlapping. The chance of a conflict rapidly increases when you have huge subnets.

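As an added example, not part of the thread: a short Python planner that carves per-VLAN /24s out of one aggregate while skipping anything that overlaps an upstream or remote (VPN) prefix, which is the "unique and non-overlapping" requirement from the reply above, and that reports the usable host counts quoted there (254, 510, 1022). The aggregate, the VLAN names and the foreign prefixes are constructed for illustration and are not from the poster's network.

```python
"""Added example (not from the thread): carve per-VLAN /24s from one aggregate while
skipping anything that overlaps an upstream or remote (VPN) prefix, since every
subnet in the path has to be unique and non-overlapping.  All inputs are constructed."""
import ipaddress

def usable_hosts(prefix):
    """Host addresses after network and broadcast: the 254 / 510 / 1022 figures above."""
    return ipaddress.ip_network(str(prefix)).num_addresses - 2

def plan_subnets(aggregate, vlans, foreign=(), prefixlen=24):
    """Give each VLAN the next /prefixlen in `aggregate` that overlaps no foreign prefix."""
    agg = ipaddress.ip_network(aggregate)
    taken = [ipaddress.ip_network(p) for p in foreign]
    free = (s for s in agg.subnets(new_prefix=prefixlen)
            if not any(s.overlaps(t) for t in taken))
    plan = {}
    for name in vlans:
        try:
            plan[name] = next(free)
        except StopIteration:
            raise ValueError(f"{agg} exhausted before {name!r}") from None
    return plan

def conflicts(plan, foreign):
    """(vlan, foreign prefix) pairs whose ranges intersect, for checking a hand-made
    plan or an oversized LAN such as 10.0.0.0/8."""
    return [(name, p) for name, net in plan.items() for p in foreign
            if ipaddress.ip_network(str(net)).overlaps(ipaddress.ip_network(p))]

# Constructed inputs: one /16 for the site, an upstream that already uses
# 10.1.1.0/24, and a remote site reached over VPN that owns 10.1.4.0/22.
VLANS = ["management", "lan", "iot_isolated", "iot_peer", "internet_only"]
FOREIGN = ["10.1.1.0/24", "10.1.4.0/22"]

if __name__ == "__main__":
    for name, net in plan_subnets("10.1.0.0/16", VLANS, FOREIGN).items():
        print(f"{name:14} {net}  ({usable_hosts(net)} usable hosts)")
    print("a /8 LAN collides with:", conflicts({"lan": "10.0.0.0/8"}, FOREIGN))
```

The point of the foreign-prefix check is the one made above: a /8 or /16 LAN overlaps almost anything an upstream or a VPN peer is likely to use, while a handful of /24s inside a reserved range can be moved around the conflicts. `plan_subnets` raises if the aggregate cannot hold all the VLANs after the exclusions, which is the signal to pick a different block rather than a bigger mask.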

There is another reason. Quite a few proprietary devices (particularly printers, surveillance cameras, IoT- and smarthome devices) do not like anything but /24 at all. Yes, that is a bug in those devices, but that's not going to get it fixed for you - even many name brand vendors won't really care.


All but a small handful of devices are going to end up in one of a few /24 subnets. This should be one of those acceptable use cases for a /16 network, right? I prefer /16 over the /20 that I could get away with because I know there are tools (even if I’m not using them) that will only work with /8, /16, /24, and /32 addresses. My production network will probably have fewer than 200 devices, but I want a larger network for organization purposes.

I'm not sure I understand the premise here... you can fit your devices into a /24 but you want to move to a /16? That seems like serious overkill.

What tools are you talking about? Any properly designed networking tools should work with whatever size subnet you assign. But as @slh points out, some IoT and other gear that is cheaply engineered will be unhappy with anything other than a /24.

What is your "organizational" plan? Can you give a rough idea of how you plan to layout your address space? For example:

  • Network infrastructure (23 devices + buffer): aaa.bbb.ccc.1 - aaa.bbb.ccc.29
  • Media players (10 + buffer): ...
  • etc ...

I’m planning on putting some IoT devices on a VLAN that has its own subnet where every device can’t reach out to any other device or the Internet. Similarly, I have some other IoT devices that I want to put on another VLAN with its own subnet where devices can communicate with each other within the VLAN but not outside the VLAN. I also want some devices to go on a VLAN that has its own subnet where devices can only reach the Internet but not each other. Then, I have some devices that I want to be able to reach all other devices and the Internet. Finally, and this is more of a bonus goal, I have two remote networks that I want to use the same VLANs.
