Can I have a hand with my Velop setup?

Hi! Could I have a hand setting up OpenWrt on my Velop? I'm quite new to the world of real networks, and I'm having trouble achieving what I want. I have RTFM'd and followed examples, but I can't quite get it working.

System is a Velop WHW03v2, running the latest available v24.10.4. Upstream is a Netgear GS108E feeding to OpnSense.

So... the Velop has 3 radios, and I'd like one radio to be untagged, and each of the other radios on a different VLAN, like so :

phy1-ap0 -> VLAN.20 ------+
                          v
phy0-ap0 -----------------> bridge -> lan -> switch -> opnsense
                          ^
phy2-ap0 -v               |
          VLAN.30 --------+
wan ------^

with all DNS/DHCP/firewalling done by OpnSense (this part I've done. Yay me!)

Here's /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd17:919a:e01c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.1'
        option gateway '192.168.1.1'

and /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel 'auto'
        option htmode 'VHT40'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'sae-mixed'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option band '2g'
        option channel 'auto'
        option htmode 'HT40'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'sae-mixed'
        option ocv '0'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option channel '36'
        option htmode 'VHT40'
        option cell_density '0'
        option country 'GB'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option encryption 'sae-mixed'
        option ocv '0'

At this stage, I'd be happy to get the top two paths (phy1-ap0 on the VLAN, and phy0-ap0 untagged) working. phy2-ap0 and wan I can leave till later and figure out from example.

LuCI preferred since that removes most footguns, but I'm not afraid of the shell.

Many thanks for any assistance!

First create VLANs and interfaces.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config bridge-vlan
        option vlan '1'
        option device 'br-lan'
        list ports 'lan' # <-- VLAN 1 untagged

config bridge-vlan
        option vlan '20'
        option device 'br-lan'
        list ports 'lan:t'

config bridge-vlan
        option vlan '30'
        option device 'br-lan'
        list ports 'lan:t'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        ...

config interface 'vlan20'
        option device 'br-lan.20'
        option proto 'none'

config interface 'vlan30'
        option device 'br-lan.30'
        option proto 'none'

Then attach each wireless interface to a network (logical interface) of your choice.

You can initially assign IP addresses to interfaces vlan20/30 to make sure that the vlan settings on the other network devices are correct.
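As an added example (not code from this thread or from the OpenWrt project), here is a small checker that parses a UCI network file and cross-checks the device, bridge-vlan and interface sections against each other the way the reply above wires them up. The first config text inside it is constructed from that reply; the second is a constructed variant with deliberate mistakes so the findings are visible.

```python
"""Cross-check bridge-VLAN wiring in an OpenWrt /etc/config/network.

Added example, not code from this thread or from OpenWrt. It parses the UCI
text format just far enough to relate 'device', 'bridge-vlan' and 'interface'
sections and report mismatches that stop a VLAN from working at all.
"""
import re
import shlex

# Constructed from the reply above; not a file copied from a real device.
SAMPLE_NETWORK = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config bridge-vlan
        option vlan '1'
        option device 'br-lan'
        list ports 'lan' # <-- VLAN 1 untagged

config bridge-vlan
        option vlan '20'
        option device 'br-lan'
        list ports 'lan:t'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'

config interface 'vlan20'
        option device 'br-lan.20'
        option proto 'none'
"""

# Constructed variant with three deliberate mistakes for the checker to find.
SAMPLE_BROKEN = SAMPLE_NETWORK + """
config bridge-vlan
        option vlan '40'
        option device 'br-lan'
        list ports 'wan:t'
        list ports 'lan'

config interface 'guest'
        option device 'br-lan.50'
        option proto 'none'
"""

def parse_uci(text):
    """Return UCI sections as dicts: type, name, options{k: v}, lists{k: [v, ...]}."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # values are quoted; '#' starts a comment
        if not words:
            continue
        if words[0] == "config":
            sections.append({"type": words[1], "name": words[2] if len(words) > 2 else None,
                             "options": {}, "lists": {}})
        elif words[0] == "option" and sections:
            sections[-1]["options"][words[1]] = words[2]
        elif words[0] == "list" and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
    return sections

def check_bridge_vlans(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    secs = parse_uci(text)
    findings = []
    bridges = {s["options"]["name"]: s["lists"].get("ports", [])
               for s in secs if s["type"] == "device" and s["options"].get("type") == "bridge"}
    vlans = set()      # (bridge, vid) pairs that have a bridge-vlan section
    untagged = {}      # (bridge, port) -> vids carried untagged on that port
    for s in secs:
        if s["type"] != "bridge-vlan":
            continue
        br, vid = s["options"].get("device"), s["options"].get("vlan")
        if br not in bridges:
            findings.append(f"bridge-vlan {vid}: device {br!r} is not a configured bridge")
            continue
        vlans.add((br, vid))
        for spec in s["lists"].get("ports", []):
            port, _, flags = spec.partition(":")   # 'lan' / 'lan:t' / 'lan:u*'
            if port not in bridges[br]:
                findings.append(f"bridge-vlan {vid} on {br}: port {port!r} is not a member of the bridge")
            if "t" not in flags:                    # no ':t' means untagged on this port
                untagged.setdefault((br, port), []).append(vid)
    for (br, port), vids in untagged.items():
        if len(vids) > 1:
            findings.append(f"{br} port {port}: untagged in more than one VLAN ({', '.join(vids)})")
    for s in secs:
        if s["type"] != "interface":
            continue
        m = re.fullmatch(r"(.+)\.(\d+)", s["options"].get("device", ""))
        if m and m.group(1) in bridges and (m.group(1), m.group(2)) not in vlans:
            findings.append(f"interface {s['name']}: device {m.group(0)} has no bridge-vlan "
                            f"{m.group(2)} on {m.group(1)}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("reply config", SAMPLE_NETWORK), ("broken config", SAMPLE_BROKEN)):
        print(f"{label}: {check_bridge_vlans(cfg) or ['no problems found']}")
```

Run it against a copy of your own /etc/config/network (read the file into `check_bridge_vlans`) before looking upstream: a port that is untagged in two VLANs, a VLAN sub-device with no matching bridge-vlan, or a port that is not actually in the bridge all produce silent failures that look like the upstream switch is at fault.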

Fantastic! Thank you!

I don't think I would've figured this out on my own, so you saved me many stressful hours.

Ah. Uh... I spoke too soon. While the radios are now attaching to their correct VLANs, I can't seem to connect out from within a VLAN. When testing the WiFi, my laptop was never able to successfully connect to the network.

If I could beg a few more moments of your experience, I'm all ears.

Briefly :
192.168.1.1 = OpnSense (I believe the VLAN setup is correct here)
192.168.1.2 = OpenWrt/Velop
192.168.1.3 = managed switch
192.168.20.1 = OpnSense VLAN.20 gateway

The problem is the packets don't seem to be leaving OpenWrt. All tests are from a wired ssh session on the Velop itself.

These all work, from the lan interface :

# ping 192.168.1.1
# ping 192.168.1.2
# ping 192.168.1.3
# ping 192.168.20.1

Just for rigor, specifying the VLAN.1, these all work too :

# ping -I br-lan.1 192.168.1.1
# ping -I br-lan.1 192.168.1.2
# ping -I br-lan.1 192.168.1.3
# ping -I br-lan.1 192.168.20.1

But none of these work, specifying the VLAN.20

# ping -I br-lan.20 192.168.1.1
# ping -I br-lan.20 192.168.1.2
# ping -I br-lan.20 192.168.1.3
# ping -I br-lan.20 192.168.20.1

and all report 100% loss. However, on the Network > Interface tab, I can see the TX count tick upwards, but RX remains 0.

I've given br-lan.20 a static IP of 192.168.20.222, and this is the only ping that works.
# ping -I br-lan.20 192.168.20.222

All non-trivial traceroutes fail with 'host, network or protocol unreachable' :

# traceroute -i br-lan.20 192.168.20.1
traceroute to 192.168.20.1 (192.168.20.1), 30 hops max, 46 byte packets
 1  192.168.20.222 (192.168.20.222)  3100.980 ms !H  3118.914 ms !H  3119.595 ms !H
# traceroute -i br-lan.20 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 46 byte packets
 1  192.168.20.222 (192.168.20.222)  3099.034 ms !H  3118.380 ms !H  3119.554 ms !H

I've tried disabling the firewall, and re-enabling it, and moving all interfaces into the same zone. At this stage, I'm just twiddling buttons and sacrificing chickens.

More data :

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf7:5099:e4e7::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'
        list ports 'wan'
        list ports 'wan6'
        option acceptlocal '1'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config bridge-vlan
        option vlan '1'
        option device 'br-lan'
        list ports 'lan'

config bridge-vlan
        option vlan '20'
        option device 'br-lan'
        list ports 'lan:t'

config bridge-vlan
        option vlan '30'
        option device 'br-lan'
        list ports 'lan:t'

config interface 'vlan20'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.222'
        option netmask '255.255.255.0'

config interface 'vlan30'
        option device 'br-lan.30'
        option proto 'none'

[Screenshot: br-lan filtering]

GS108E VLAN setup. I think this is right - both pipes are trunks, and should be tagged, right? Regardless, I've tried every combination of U/T/E, and none permit vlan.20 traffic (vlan.1 is fine, though). PVID for port 6 is 1.
Apparently, I can't embed two images, but both ports (Velop-switch and switch-OpnSense) are T.

Man, networks are haaaaard.

This should be unmanaged.

But more importantly, start debugging upstream. Look at your router and your switch.

Pro-tip: setup an access port on your managed switch for the additional networks (one port per network for testing) - then connect via Ethernet directly to ensure that the switch and the router are working as expected.

It was, but I switched to static to try and debug it by connecting to anywhere.

With the exception of the AP, my network is working. But this is my first experience with trunking, so it's likely I've made a mistake.

If you can't see anything egregious in my config, I'll look at the switch and the router.

When you set a static IP to interface vlan20, you should be able to ping 192.168.20.1 from br-lan.20.

If the ping fails, there is a problem with the vlan settings on the Netgear, OPNsense, or both.
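The check described in this reply, turned into a script as an added example that is not part of the thread or of OpenWrt: it pings the gateway from each VLAN sub-interface and reads the interface's packet counters before and after, so that "TX rising, RX stuck at zero" (the symptom reported earlier in the thread) is classified as an upstream problem rather than a bridge-vlan one. It assumes python3 is installed on the router (OpenWrt's python3-light package) and that the interface names and gateway addresses are the ones used in this thread.

```python
"""Per-VLAN reachability probe for an OpenWrt bridge.

Added example, not from this thread or from OpenWrt. Assumes python3 on the
router and busybox ping (which accepts -I, -c and -W). Interface names and
gateways are the ones from this thread; adjust them for your network.
"""
import subprocess
import time

# Constructed from the addresses in this thread: VLAN sub-device -> gateway.
PROBES = {
    "br-lan.1": "192.168.1.1",
    "br-lan.20": "192.168.20.1",
}

def read_counters(iface):
    """Return (rx_packets, tx_packets) for iface from sysfs."""
    base = f"/sys/class/net/{iface}/statistics/"
    with open(base + "rx_packets") as f:
        rx = int(f.read())
    with open(base + "tx_packets") as f:
        tx = int(f.read())
    return rx, tx

def classify(ping_ok, tx_delta, rx_delta):
    """Turn a ping result plus counter movement into a verdict string."""
    if ping_ok:
        return "OK: the gateway answers on this VLAN"
    if tx_delta == 0:
        return ("LOCAL: nothing was transmitted; check that the sub-interface is up "
                "and has an address in the gateway's subnet")
    if rx_delta == 0:
        # Frames leave the router tagged but nothing ever comes back: the VLAN is
        # not being carried or answered upstream (switch port tagging, the
        # OPNsense VLAN interface, or the OPNsense firewall rules for that VLAN).
        return ("UPSTREAM: frames leave but nothing returns; check the switch port "
                "tagging for this VLAN and the OPNsense VLAN interface and firewall")
    # Something arrived, but it may be unrelated broadcast/ARP traffic.
    return ("INCONCLUSIVE: packets were received but ping failed; capture on the "
            "sub-interface (tcpdump, if installed) to see what actually arrived")

def probe(iface, target, count=3):
    """Ping target via iface while watching the interface counters."""
    rx0, tx0 = read_counters(iface)
    rc = subprocess.run(["ping", "-I", iface, "-c", str(count), "-W", "2", target],
                        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    time.sleep(0.5)                     # let late replies land before re-reading
    rx1, tx1 = read_counters(iface)
    return classify(rc == 0, tx1 - tx0, rx1 - rx0)

if __name__ == "__main__":
    for iface, gw in PROBES.items():
        print(f"{iface} -> {gw}: {probe(iface, gw)}")
```

The sub-interface needs a static address in the VLAN's subnet for the ping to be sourced correctly, which is exactly why the reply suggests setting one temporarily; remove it again once the VLAN is confirmed working.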

I agree that there is a reasonable chance the issue is upstream. However, let’s see the wireless file as well.

It was OPNsense's firewall. Of course it was the firewall. I'd neglected to open it up before testing OpenWrt.

sigh Firewalls and SELinux will be the death of me.

Thanks to you both!
