Can’t create APs on VLANs using devices that don’t support the DSA

Hello,
I’m trying to set up a few devices as access points using VLANs.
However, the stations associate but they don’t get an IP. If I set up the interface as a DHCP client it gets an IP, but the clients don’t. I'm using LuCI.
What I tried:

  • checked that the CPU is tagged
  • Tried putting the VLAN (eth0.x) into a bridge. Didn’t work.

eth0.x has to be dhcp server and gateway for "vlan wifi" subnet.

Let's start with the following:

  • Is this your main router, or is this just a bridged AP?

    • If there is another device as the main router, does it already have VLANs configured?
    • And is the AP directly connected to the router, or are there any other devices (such as switches) between the main router and the AP?
  • What is the output of the following:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks everybody!

I'm trying the dumb AP configuration, with unmanaged interfaces

Yes, and I can even get an IP from the AP if I switch the interface to DHCP client

I will post the config files in another post.

Ok... so we need three bits of information, then...

  1. What are the VLAN IDs that you want to set up (ideally also with the purpose/name of the network -- like guest, iot, lan, etc.)
  2. Are all VLANs tagged, or is one untagged from the upstream?
  3. Which VLAN is used for managing the AP? And what address do you want it to use (if static), or do you want DHCP?

  • VLAN 10: LAN A
  • VLAN 11: Guests
  • VLAN 30: management interface
  • VLAN 31: LAN B
    Currently I have a DHCP client on VLAN 20 and I'd like to have an AP on VLAN 31

One is untagged, I think 10

This should have already been answered

Do you mean VLAN 30 is the DHCP client? (you mention that VLAN 30 is the management interface, but then say that you have DHCP client on VLAN 20 which isn't described in the bullets above).

Yes, sorry

Ok... thanks for the clarification. We'll figure out the rest once you post the configs.

{
	"kernel": "5.15.167",
	"hostname": "ap",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "Xiaomi Mi Router 4A (100M Edition)",
	"board_name": "xiaomi,mi-router-4a-100m",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@ap:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd9:1df3:bdc6::/48'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '0 6t'

config switch_vlan
	option device 'switch0'
	option vlan '11'
	option ports '0t 2 4 6t'

config switch_vlan
	option device 'switch0'
	option ports '0t 6t'
	option vlan '30'

config switch_vlan
	option device 'switch0'
	option ports '0t 6t'
	option vlan '31'

config interface 'lan'
	option proto 'dhcp'
	option device 'eth0.31'

config interface 'lan_b'
	option proto 'dhcp'
	option device 'eth0.30'
	option type 'bridge'

config interface 'lan_a'
	option proto 'none'
	option device 'eth0.10'

config interface 'guest'
	option proto 'none'
	option device 'eth0.11'
root@ap-rdp:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'IT'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'My SSID'
	option encryption 'psk2'
	option key ''
	option network 'lan_b'
	option macaddr 'random'
	option wmm '0'
	option disabled '1'

The radio is disabled since it is not working

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Also, note how it gets an IP:

25: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether de:ad:be:ef:ca:fe brd ff:ff:ff:ff:ff:ff
    inet 10.142.10.57/24 brd 10.142.10.255 scope global eth0.30
       valid_lft forever preferred_lft forever
    inet6 fe80::a6a9:30ff:fef4:f58/64 scope link 
       valid_lft forever preferred_lft forever

Assuming the port assignments are correct, the problem is with your definition of the bridges...

The bridge must be defined in its own device stanza.

So, add these:

config device
	option name 'br-lana'
	option type 'bridge'
	list ports 'eth0.10'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.11'

config device
	option name 'br-mgmt'
	option type 'bridge'
	list ports 'eth0.30'

config device
	option name 'br-lanb'
	option type 'bridge'
	list ports 'eth0.31'

Now, edit the network stanzas:

config interface 'lan_a'
	option proto 'none'
	option device 'br-lana'

next:

config interface 'lan_b'
	option proto 'none'
	option device 'br-lanb'

then:

config interface 'guest'
	option proto 'none'
	option device 'br-guest'

and finally:

config interface 'lan'
	option proto 'dhcp'
	option device 'br-mgmt'

Then reboot and test again.

Wait, I tried something similar from LuCI but it didn't work (I created a bridge under Devices, then I added the VLAN there, but no luck).
Nonetheless, I'll test this tomorrow.
Edit: can I try your config only for lan_b?

Sure. But you might find it easiest to make all the changes at one time.

I'll have to wait to have physical access since I have broken the configuration. I think I'll reconfigure from scratch (so no failsafe) to see if the issue is still there.

If you're going to reset to defaults (probably a good idea), please post the default /etc/config/network file so that I can review that file to make sure that the port assignment is correct for the VLANs.

I've restored the AP. Here's the default /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb1:a7b1:4302::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'a4:a9:30:f4:0f:59'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

Ok... so from this:

We are able to determine that:

  • logical port 6 is the CPU
  • logical port 0 is the wan port
  • logical ports 2 and 4 are the lan ports

Which physical port do you want to use for the uplink?

The WAN port

Ok... so you'll create new switch and bridge entries like this:

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '0t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '11'
	option ports '0t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '30'
	option ports '0t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '31'
	option ports '0t 6t'

config device
	option name 'br-lana'
	option type 'bridge'
	list ports 'eth0.10'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.11'

config device
	option name 'br-mgmt'
	option type 'bridge'
	list ports 'eth0.30'

config device
	option name 'br-lanb'
	option type 'bridge'
	list ports 'eth0.31'

Then create your network interfaces:

config interface 'lan_a'
	option proto 'none'
	option device 'br-lana'

config interface 'lan_b'
	option proto 'none'
	option device 'br-lanb'

config interface 'guest'
	option proto 'none'
	option device 'br-guest'

config interface 'mgmt'
	option proto 'dhcp'
	option device 'br-mgmt'

Add the mgmt network to the lan firewall zone:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'mgmt'

And that should do it... just make your SSIDs and connect them with the respective networks.

Note two things:

  1. I've made the assumption that all 4 VLANs are tagged. Make sure that is true on the upstream connection
  2. I've left the lan network interface intact... that's fine for now. But if your management network uses the same subnet (192.168.1.0/24), this will conflict, so be sure to change the lan subnet if there is an overlap.
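
The bridge requirement discussed in this thread, as an added example that is not part of any post above: a small check that lists every SSID whose network is not backed by a bridge declared in its own `config device` stanza, so a VLAN-to-SSID mapping can be verified before rebooting. The function names and the sample input are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Reads /etc/config/network followed by
# /etc/config/wireless on stdin and lists every SSID whose network is not
# backed by a bridge declared in its own "config device" stanza.
lint_ap_bridges() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); gsub(/"/, "", s); return s }
    function flush() {   # record the stanza that just ended
        if (kind == "device" && o["type"] == "bridge" && o["name"] != "") bridge[o["name"]] = 1
        if (kind == "interface") { seen[sect] = 1; dev[sect] = o["device"]; typ[sect] = o["type"] }
        if (kind == "wifi-iface") { n++; ssid[n] = o["ssid"]; net[n] = o["network"] }
        split("", o)     # portable way to clear the option array
    }
    $1 == "config" { flush(); kind = $2; sect = unq($3); next }
    $1 == "option" { key = $2; $1 = $2 = ""; sub(/^ +/, ""); o[key] = unq($0) }
    END {
        flush()
        for (i = 1; i <= n; i++) {
            w = net[i]
            if (!(w in seen)) msg = "network is not defined"
            else if (typ[w] == "bridge") msg = "bridge type set inside the interface stanza"
            else if (!(dev[w] in bridge)) msg = "device " dev[w] " is not a bridge"
            else continue
            print ssid[i] " -> " w ": " msg
        }
    }'
}

# Constructed sample: the lan_b stanza as first posted, plus one SSID on it.
sample_before() {
    cat <<'EOF'
config interface 'lan_b'
    option proto 'dhcp'
    option device 'eth0.30'
    option type 'bridge'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option ssid 'My SSID'
    option network 'lan_b'
EOF
}

sample_before | lint_ap_bridges
```

On the AP itself, run it as `cat /etc/config/network /etc/config/wireless | lint_ap_bridges`; no output means every SSID maps to a bridge device.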