Can't access 'management' address from 'lan'

Hi!

I have two TP-Link Archer C7 routers: one works as the router and the other as a dumb AP (no DNS, no firewall, no wan). They are connected by cable. The router has wan, lan and management interfaces, each in its own firewall zone. lan can forward to management and wan; management can only forward to wan. On the AP, lan has the address 192.168.1.2 and management 192.168.2.2.

I can reach the AP portal on both addresses while lan is configured with a static IP address. But if I change lan to Unmanaged, I can no longer reach it on the management address while connected to the lan network. I still have internet access, but to reach the AP portal I have to move my PC to the management network. Is there a way to stay on lan and use the management address to reach the AP portal in this scenario?

I know it might make no sense why I would want to do this, but this is actually a simplification of my network setup to show only where the issue is.

A dumb AP should have only one IP-addressed interface, used for management. Decide which one you want to keep and delete the other, or make it unmanaged (proto 'none'). The remaining interface needs a default gateway set; otherwise replies to hosts on other networks cannot be routed back.

That's what I'm trying to do, but I can't access the dumb AP while connected to lan if I set lan to unmanaged. Does the request have to come from the same network that the management interface is on? Is there any way to allow other networks to access it?

It is the (primary) router's job to route between networks, so make sure the firewall on the main router allows the inter-VLAN forwarding (lan → management), and that the AP's management interface has a default gateway pointing at the router so its replies to the lan subnet can get back.

Are both the devices running OpenWrt? If so, please post the network and firewall configs from each.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

router ubus call system board

{
        "kernel": "5.15.137",
        "hostname": "router",
        "system": "Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz",
        "model": "QEMU Standard PC (Q35 + ICH9, 2009)",
        "board_name": "qemu-standard-pc-q35-ich9-2009",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

(I know I said it was another TP-Link Archer C7, but I don't think that's relevant since I have the same problem with two C7 as well)

dumb ap ubus call system board

{
        "kernel": "5.15.137",
        "hostname": "dumbap",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

router network config

# Main router /etc/config/network (the wan interface is not in this excerpt).
# A single VLAN-filtered bridge over eth0; both VLANs leave eth0 tagged
# (':t'), so the cable to the AP is a trunk carrying VLAN 10 and VLAN 20.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# VLAN 10 = lan (192.168.1.0/24), tagged on the trunk
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:t'

# VLAN 20 = management (192.168.2.0/24), tagged on the trunk
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth0:t'

# lan rides VLAN 10 of the bridge; member of the 'lan' firewall zone
config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

# management rides VLAN 20; the firewall 'management' zone is keyed on
# this interface name, so renaming it requires updating the zone too
config interface 'management'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

router firewall config

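# Main router /etc/config/firewall.
# Zone policies do most of the work; the per-service rules at the bottom
# only need to cover zones whose input policy is not already ACCEPT.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# lan: fully trusted -- may reach every router service and is allowed to
# forward (subject to the 'config forwarding' entries below)
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# wan: untrusted -- nothing reaches the router or is forwarded unless a
# rule below explicitly allows it; masq/mtu_fix give IPv4 NAT
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# management: router services are NOT reachable from this zone except via
# the explicit Allow-* rules at the bottom; it may only be forwarded to wan
config zone
        option name 'management'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'management'

# Every lan host may reach every management host. This is what lets a lan
# PC open the APs' admin UI on 192.168.2.x, but it also means a compromised
# lan client can reach the APs' SSH/HTTP. To narrow it, replace this
# forwarding with a 'config rule' carrying src 'lan', dest 'management',
# src_ip <admin PC> and dest_port '22 80 443'.
config forwarding
        option src 'lan'
        option dest 'management'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'management'
        option dest 'wan'

# --- stock OpenWrt wan rules, unchanged ---
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# --- local-service rules ---
# These three rules previously used "option src '*'", which matches EVERY
# zone including wan, i.e. they opened ports 5353, 67/68 and 53 on the
# router's public address (whether dnsmasq then answers an outside DNS
# query depends on the dhcp config, which is not shown here -- don't rely
# on it). lan already has input ACCEPT, so the only zone that actually
# needs these rules is management; they are now scoped to it.
config rule
        list proto 'udp'
        option src 'management'
        option src_port '5353'
        list dest_ip '224.0.0.251'
        list dest_ip 'ff02::fb'
        option dest_port '5353'
        option target 'ACCEPT'
        option name 'Allow-mDNS'

config rule
        option name 'Allow-DHCP'
        list proto 'udp'
        option src 'management'
        option dest_port '67 68'
        option target 'ACCEPT'

# no 'proto' given, so this matches both TCP and UDP 53
config rule
        option name 'Allow-DNS'
        option src 'management'
        option dest_port '53'
        option target 'ACCEPT'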

dumb ap network config

# Wired dumb AP (Archer C7 v5) /etc/config/network.
# Two bridges, one per VLAN subdevice of the CPU port (eth0). The firewall
# on this box is stopped (see below), so whatever can route to an address
# on it reaches SSH/LuCI directly; the main router's lan->management
# forwarding is what controls that.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.10'
        option ipv6 '1'

config device
        option type 'bridge'
        option name 'br-management'
        list ports 'eth0.20'
        option ipv6 '1'

# swconfig switch: VLAN-aware
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 10 (lan): tagged on CPU port 0 and port 1, untagged on 2-4.
# Port 1 is tagged on both VLANs so is presumably the trunk to the router
# -- confirm against the physical cabling.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1t 2 3 4'
        option vid '10'
        option description 'lan'

# VLAN 20 (management): tagged only (ports 0, 1, 5); there is no untagged
# access port, so a client plugged into 2-4 cannot land on the management
# VLAN by accident.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1t 5t'
        option vid '20'
        option description 'management'

# lan currently carries a second IP (192.168.1.2). Once proto is 'none'
# this bridge still switches VLAN 10 traffic, it just has no address, and
# the AP is reachable only via the management address below.
config interface 'lan'
        option device 'br-lan'
        option proto 'static' # this is the one I want to change to unmanaged (proto 'none')
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '64'

# The single management address of the AP. The gateway is required so that
# replies to hosts on other subnets (e.g. 192.168.1.x) can be routed back
# via the main router.
config interface 'management'
        option proto 'static'
        option device 'br-management'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option gateway '192.168.2.1'
        list dns '192.168.2.1'

dumb ap firewall is disabled

When I switch the dumb AP's lan interface to unmanaged I lose access to the portal and can't ping the router any more (using the management IP address).

Is the management network also used to broadcast an SSID, or only used on ethernet?

On your main router, does this device have wifi and is it in use to broadcast any SSIDs? I'll recommend some changes, but the answer here will affect the details.

The short answer is yes

The more accurate answer is that I actually have 2 dumb APs. The second AP is connected wirelessly to the first using WDS; the management SSID is only used to make the 2nd dumb AP aware of that network, and it's not accepting any other client (the 2nd dumb AP is MAC whitelisted on the first — though note that a MAC allow-list only stops accidental association, not a deliberate one, since MAC addresses are trivially spoofed; the SAE passphrase is the real control). If the full network configuration is required I can provide it, not an issue. I didn't do it so far because it's a bit large and I thought it might obscure what I'm actually trying to fix.

Sounds like the setup is more complex than originally described. How about a topology diagram so that we can get a better idea of how things are setup -- what's wired, what's wireless, what networks/addresses on each device and so on.

Does this help?

The dumb aps are two because of coverage reason

The only wireless part is the connection between the APs

Ok... which AP are we working with? The one that is wired or the wireless one?

Both, but we can get rid of the second AP to simplify things and the problem still persists.

If I switch lan to unmanaged I can't access the AP portal anymore. I need to switch the connection on my PC to actually be in the management network. What I want is to be able to access the AP portal from lan, even though the portal address is the one on the management network.

Let's start here with the main router...

Delete these:

Create bridges using dotted notation like this:

# Suggested replacement for br-lan + the two bridge-vlan stanzas on the main
# router: one bridge per VLAN subdevice instead of a single VLAN-filtered
# bridge. Same two tagged VLANs on eth0, just expressed differently.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.10'

# Note the new bridge name ('br-mgmnt'); the management interface must be
# pointed at it (next snippet) or it will have no device.
config device
        option name 'br-mgmnt'
        option type 'bridge'
        list ports 'eth0.20'

Then adjust the management interface to use the new bridge:

# Main router management interface re-pointed at the new 'br-mgmnt' bridge;
# address and the 'management' firewall zone membership stay as before.
config interface 'management'
        option proto 'static'
        option device 'br-mgmnt'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

Next: a management network is usually highly trusted, so I'd recommend setting the zone's input policy to ACCEPT like this. Be aware that this exposes every service the router listens on (SSH, the web UI, DNS, ...) to any host that gets onto the management VLAN, so keep that VLAN's membership limited to the APs and your admin hosts:

# management zone with input ACCEPT: hosts on 192.168.2.0/24 may reach all
# router services (which is why the separate Allow-DNS/DHCP/mDNS rules
# become unnecessary). Forwarding stays REJECT, so management hosts can
# only leave the zone via an explicit 'config forwarding' (here: to wan).
# Only appropriate if everything on this VLAN is trusted.
config zone
        option name 'management'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'management'

That also means you can remove these rules:

Next, moving to the AP...

remove the IPv6 lines below:

And remove the IPv6 from here, too:

And now make your lan interface unmanaged on the wired dumb AP:

# Wired dumb AP: lan becomes an unmanaged (address-less) bridge. VLAN 10 is
# still switched between the trunk, the access ports and the LAN SSID; the
# AP itself is then reachable only on its management address.
config interface 'lan'
        option device 'br-lan'
        option proto 'none'

Restart both devices and test again.
If it doesn't work, please post the firewall file from the dumb AP.


Thank you for the answer; sadly it didn't work. The dumb AP's firewall is disabled:

# Dumb AP /etc/config/firewall after the OP removed every zone and rule.
# Only the defaults stanza is left and the firewall service is stopped
# ('service firewall status' -> inactive), so these policies are not
# enforced at all; nothing on this box filters traffic.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

service firewall status

inactive

Let’s see the complete firewall file. And while you are at it, also the dhcp file.

That's the complete firewall file, I deleted all rules, zones and disabled the firewall service on the dumb ap. I disabled DHCP as well by disabling dnsmasq service.

This is not the recommended approach.

And neither is this... that particular service (dnsmasq) will be re-enabled (silently) when you run an upgrade on your OpenWrt installation. The preferred way to disable DHCP is to explicitly disable it (option ignore '1') in the config file and leave the service running.

I'd recommend the following:

  1. Make a backup of your current dumb AP configuration
  2. reset the dumb AP device to defaults.
  3. Once in the default state, manually restore the /etc/config/network and /etc/config/wireless files from the backup you took in step 1 (this means decompress the backup file and scp those two files into place in your dumb AP).
  4. edit the /etc/config/dhcp file to add option ignore '1' to the lan DHCP server stanza.
  5. add the management network to the lan firewall zone on the dumb AP (the default lan zone has input ACCEPT, so SSH and the web UI stay reachable on the management address; who can reach that address is then governed by the main router's lan → management forwarding rule).
  6. reboot the dumb AP.

Then test again.

This is not the recommended approach.

I saw https://openwrt.org/docs/guide-user/network/wifi/dumbap; its 5th item says the dumb AP doesn't provide DNS, DHCP or a firewall, and it then goes on to disable the firewall, dnsmasq and odhcpd services.

That aside, I re-did what you mentioned, hoping that I had messed up somewhere — and it looks like I had! :joy: I was able to get this working for the wired AP. But now when I try to do it for the second one (which is connected wirelessly to the wired one) I get the same issue.

this is the wireless configuration for the first AP

# Wired dumb AP /etc/config/wireless. Keys below are placeholders as posted.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '48'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'AR'

# Client SSID on the lan network: WPA2-PSK/CCMP. wds '1' is what lets the
# second AP's station join this SSID as a bridge link. ieee80211r/ft_* give
# 802.11r fast roaming between the two APs (same mobility_domain on both).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'LAN'
        option encryption 'psk2+ccmp'
        option key 'supersecurepassword'
        option wds '1'
        option ieee80211r '1'
        option mobility_domain '1234'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

# Management SSID, only meant for the second AP's WDS station.
# SAE (WPA3) is the actual access control here. NOTE(review): 'hidden' and
# 'macfilter' are not security controls -- a hidden SSID is still sent in
# probe/association frames and MAC addresses are trivially spoofed; they
# only prevent accidental association. The OP later reported that the
# second AP's station only associated once 'hidden' was turned off.
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MANAGEMENT'
        option encryption 'sae'
        option wds '1'
        option key 'supersecurekey'
        option hidden '1'
        option network 'management'
        option macfilter 'allow'
        list maclist '01:23:45:67:89:AB'

this is the wireless configuration for the second AP

# Second (wireless-uplinked) dumb AP /etc/config/wireless. Same radio
# settings as the first AP; all three interfaces share this one radio.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '48'
        option band '5g'
        option htmode 'VHT80'
        option country 'AR'
        option cell_density '0'

# Uplink: WDS station towards the first AP's 'LAN' SSID, bridged into lan
config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'sta'
        option network 'lan'
        option ssid 'LAN'
        option encryption 'psk2+ccmp'
        option key 'supersecurepassword'
        option wds '1'

# Re-broadcast of the same 'LAN' SSID for clients near this AP, with the
# same 802.11r mobility_domain so clients can roam between the two APs
config wifi-iface 'wifinet5'
        option device 'radio0'
        option mode 'ap'
        option ssid 'LAN'
        option encryption 'psk2+ccmp'
        option wds '1'
        option key 'supersecurepassword'
        option ieee80211r '1'
        option mobility_domain '1234'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'

# Management uplink: SAE station on the first AP's hidden 'MANAGEMENT'
# SSID; this is the only path by which this AP's management address is
# reachable, so if this station does not associate the AP is unmanageable
config wifi-iface 'wifinet6'
        option device 'radio0'
        option mode 'sta'
        option ssid 'MANAGEMENT'
        option encryption 'sae'
        option wds '1'
        option key 'supersecurekey'
        option network 'management'

this is the network configuration for the second ap

# Second dumb AP /etc/config/network. Same layout as the wired AP, plus
# stp '1' on both bridges (the thread suggests trying without it).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.10'
        option stp '1'

config device
        option type 'bridge'
        option name 'br-management'
        list ports 'eth0.20'
        option stp '1'

# lan still carries an address (192.168.1.3) here; the goal is proto 'none'
config interface 'lan'
        option device 'br-lan'
        option proto 'static' # this is the one I want unmanaged
        option ipaddr '192.168.1.3'
        option netmask '255.255.255.0'

# Only intended management address of this AP; gateway needed so replies
# to other subnets can be routed back via the main router
config interface 'management'
        option proto 'static'
        option device 'br-management'
        option ipaddr '192.168.2.3'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        list dns '192.168.2.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 10 (lan): tagged on CPU port 0 and port 1, untagged on 2-4
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1t 2 3 4'
        option vid '10'
        option description 'lan'

# VLAN 20 (management): tagged only, no untagged access port
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1t 5t'
        option vid '20'
        option description 'management'

Do you see any misconfiguration here?

Try removing STP from these:

Are you able to ping the management address on the 2nd AP from the management network in general?

Let's see the dhcp and firewall files from that one, as well.

I fixed it by NOT hiding the management SSID. Keeping it hidden would have been nice, but I can live without it — and nothing is really lost: a hidden SSID is not a security control (the name is still sent in probe/association frames), the SAE passphrase is what protects the management WDS link.

Thanks for all your help, I will mark your previous explanation as the solution.

