Last I decide to take care of my upgrade backlog. So I flash 22.3. Didn't come out quite right:
My guest network is gone.
The Switch page is gone. And all the ports were bridged together...
I start fiddling around. There are some device pages that a reminiscent of the switch page. I ended up making the router inaccessible. Reset, back to 21.2, restored settings - all good.
Now I understand there's this new (to me) DSA thing going around. And my router was migrated to it. So my guess is something with the DSA went sideways. I have another router (Acer Archer C7), and that one went through the upgrades without a problem.
(1) Should I expect the upgrade to seamlessly migrate to DSA?
(2) Should I do some prep work before upgrading to 22.3? My /etc/config/network is posted below. I really never looked at it before - did all through the UI. Is there something sub-optimal that could mess up the DSA conversion? Like why there's a br-lan device with a single port, and it's not referenced anywhere?
No. The migration from swconfig to DSA requires a reset-to-defaults as part of the process (i.e. do not keep settings, it will reset to defaults when it does the flash)
You must configure from scratch after this has been completed -- restoring a backup will soft-brick your device. Some (limited) things may be able to be manually copied into place, depending on the specifics (tell us what you want to preserve and we can advise accordingly).
The prep-work is really about making a backup of your previous configuration and understanding what your end-goal is for the functional aspects of your config (since you'll need to recreate the config).
Also, read up on DSA if you are implementing VLANs (or ask here in the forums for guidance).
Understood. Although I haven't come across a document that says reset-to-defaults is required. I am sure I've missed it. I did read that I can't upgrade from version 21 to 23 - have to go through 22 first. This also implies that the OpenWRT on my Archer (which I upgraded with settings through 19 -> 21 -> 22 -> 23) could very well be messed up somehow. Although it works as expected.
I do have VLAN and firewall setup. Fairly straightforward - should be easy to re-apply on a default install.
In the case of n-1 > n upgrades, it is usually compatible unless there has been a major backend change cuch as swconfig > DSA (or ar71xx > ath79 that happened several years ago for that specific set of target devices).
Every recent release has stated that n-2 > n upgrades (as a single step) are not supported. This doesn't necessarily mean that it won't work, but it isn't tested and there isn't logic in the code to migrate config items where syntax may have changed, potentially leading to a soft-brick situation. Upgrading from n-3 and further back is increasingly more likely to cause major problems.
If you went through each n-1 > n upgrade along the way working up to the pressent version and didn't need to reset, you should probably be okay, espeically if everything is working as expected. If you run into issues, though, the syntax changes may be relevant and need verification.
If a device has transitioned to DSA, there will be a big warning when you attempt to run the upgrade saying that you cannot keep settings and that it is required to allow the upgrade process to reset to defaults.
If you've actually run the upgrades and haven't seen the warning, it means your device has not gone through the swconfig > dsa transition. (I didn't check to see if your device is on DSA or swconfig as of the latest).
@psherman,
Thank you for the pointers. I flashed the ASUS without restoring setting. Recovered my configs easily. Works. Mostly. I really was hoping I wouldn't need to bother you (or anyone)... The AC68U is the main router+firewall. It is also connected to an Archer C7 AP only. Ethernet port 1 on both is setup to be a vlan "trunk". Both vlan 1 and 3 should go over that cable. The C7 was already running v23. But now that trunk doesn't work. Nothing connected on the C7 can reach the AC68U. I am troubleshooting with wired connections - forget the wifi. I am fairly certain something on the AC68U isn't right. Used to work fine on v21 via switch based vlans, that were setup the same way.
The config doesn't look that complicated to me. Can you spot the error. Config follows (without the wan parts)
tjk
# Asus RT-AC68U
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd8d:7074:7a33::/48'
option packet_steering '1'
# Bridge over the four ethernet ports
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option ipv6 '0'
# With couple of VLANs.
# lan1 is "trunk", tagged 1 and 3,
# connected to another OpenWRT AP Archer C7
# private vlan
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:t'
list ports 'lan2'
# guest glan
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan1:t'
list ports 'lan3'
list ports 'lan4'
# The interfaces
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.111.1'
option netmask '255.255.255.0'
config interface 'glan'
option proto 'static'
option device 'br-lan.3'
option ipaddr '192.168.222.1'
option netmask '255.255.255.0'
# Wan stuff follows
However - something I didn't test before. I am able to reach the Archer C7 from a device (laptop) on the AC68U guest interface (vlan 3). But still can't "get out" of the Archer C7.
(I also went and check to made sure that "lan1" does indeed corresponds to its label on the ethernet jack.)
Let's review the complete configuration of your main router (the AC68U):
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Is there a copy/paste error, or is the netmask really truncated? It should look like this:
option netmask '255.255.255.0'
What is this for?
Please try connecting a computer to port 2 to make sure it gets a DHCP lease in the main lan (192.168.111.0/24). Then test connectivity by testing pings to:
Sorry, copy/paste error. That was the last line, and I obviously didn't "grab" part of it. That won't work at all - missing closing tick. Here's the ending of config/network:
"devicepass" is a rule for some devices, that I let go out to the internet. Mostly because they had some issues with my local DNS (192.168.222.12 - AdBlocker), and didn't bother to investigate.
Here's the test info. Works as expected:
Testing laptop connected to AC68U with solid wires
lan2:
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.111.222 netmask 255.255.255.0 broadcast 192.168.111.255
~$ ping 139.59.210.197
PING 139.59.210.197 (139.59.210.197) 56(84) bytes of data.
64 bytes from 139.59.210.197: icmp_seq=1 ttl=49 time=121 ms
64 bytes from 139.59.210.197: icmp_seq=2 ttl=49 time=118 ms
64 bytes from 139.59.210.197: icmp_seq=3 ttl=49 time=121 ms
lan3:
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.222.222 netmask 255.255.255.0 broadcast 192.168.222.255
~$ ping 139.59.210.197
PING 139.59.210.197 (139.59.210.197) 56(84) bytes of data.
64 bytes from 139.59.210.197: icmp_seq=1 ttl=49 time=120 ms
64 bytes from 139.59.210.197: icmp_seq=2 ttl=49 time=119 ms
64 bytes from 139.59.210.197: icmp_seq=3 ttl=49 time=120 ms
# Acer C7 /et/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option forward 'REJECT'
option name 'glan'
option output 'ACCEPT'
list network 'glan'
config forwarding
option dest 'glan'
option src 'lan'
The Archer C7 ended up having both a switch page/setup and device/dsa one as well. I expected either one or the other. But this was the device that I've been upgrading from before v18 keeping settings along the way, and this is where it ended. And it was working fine with v21 on the AC68U.
Generally, it’s best to only have one address on the dumb ap - that is usually the address of either the trusted lan or a management network. Which one would that be in your situation?
We want to repeat the test with the wired computer. Logical port 2 is your trunk. We would expect that when connecting a computer to logical port 3, your computer will get an address in the 111 network.
Likewise, logical ports 4 and 5 should result in an address in the 222 network.
No connectivity on either port to any network. Can't get an IP from the AC68U.
Here's how the sockets on the router match with the numbers in the config:
One address on the AP? I don't have a management network, so then it would be the trusted lan. But I have two interfaces. So I make the guest lan without IP? Is that the idea?
The strange thing is that I can reach the Archer on either 111.21 or 222.21 when connected through the AC68U - either cable or wifi. Funny stuff.
At some point I also tried to do away with the br-lan an br-glan devices, and use eth0.3 and eth1.1 on the interfaces. Didn't work.
Yup. This protects the AP against users on the guest network.
Let's try this:
Reset your C7 to defaults and then post the network config from the default state. Be sure to unplug this from your main network and connect a computer directly to one of the lan ports to login to the router (192.168.1.1 is the default address).
Same situation. I can't even ping the RT-AC68U (192.168.111.1), when connected on the C7. I still can reach the C7 when connected to the AC68U.
Peter,
I am very thankful you are helping me real time. But I feel I am starting to abuse your time. It's Sunday evening. I'll happily try any ideas you might have, but I suggest we... you(!) take a break. Nothing about the AP is urgent. I can downgrade it to v19 (no DSA), see if it works, and then check at what version it breaks. But I can do that on my own.
Have a great rest of the day - whatever is left of it for you.
