Can't get tagged connection working between two OpenWRT 22s

I have two routers A & B with OpenWRT 22 between which I'm trying to create a tagged connection with two vLANs on a single ethernet cable. I want B to be smart (DHCP, routing, firewall, dns), and A to be dumb, meaning I want A to behave like a switch supporting vLANs. I can't quite get it to work, as described below. If anybody knows what I'm doing wrong, help would be appreciated.

Both routers run OpenWRT 22.03.5, but present slightly different LuCI web interfaces for the configuration of vLANs, I presume because of different hardware:
A has a "Network -> Switch" menu item, but B doesn't.

A = Asus RT-N16
B = Asus RT-AC56U

Both mention firmware version "OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a" on the overview page.

B (the intended smart router) is configured as follows:

FWZone IoT <- Interface IoT{Static address 192.168.22.1/24+DHCP} <- Device br-lan.3
FWZone lan <- Interface lan{Static address 192.168.23.1/24+DHCP} <- Device br-lan.99

Device br-lan{Bridge device} -> "Bridge VLAN filtering" tab has:

(port 1, vlan3) : T
(port 1, vlan99) : T*
(port 2, vlan99) : U
(port 3, vlan99) : U
(port 4, vlan3) : U

The firewall will forward zone lan to IoT, but not vice versa.

Router B works as I want it to: If I connect a device dIoT on port 4 = vlan3 = Zone IoT,
and device dlan on port 3 = vlan99 = Zone lan, then both devices get an IP address, dlan can ping dIoT, and dIoT cannot ping dlan, so far so good.

Now I want router B to be in another room, but devices dIoT and dlan to stay where they are. There is one cable going to the other room. I want that one cable to be a trunk for vlans 3 & 99, and have a dumb vlan-aware switch close to the devices, which will be router A with OpenWRT. I have configured it as follows:

As opposed to router B, router A has a "Networks -> Switch" menu entry, which looks as follows:

(port 1, vlan 3,99): tagged
(port 2, vlan 99): untagged
(port 3, vlan 99): untagged
(port 4, vlan 3) : untagged

I have an ethernet cable between router A port 1 and router B port 1.

I was hoping to be able to connect device dIoT to router A port 4, device dlan to router A port 3 and get the same behaviour as before, however I don't. With the above configuration, I get that the lan (=99) connection works, but device dIoT doesn't get an IP address served. If I change router B's configuration to

(port 1, vlan3) : T*
(port 1, vlan99) : T,

then it's the other way around, i.e. the dlan device doesn't get DHCP-served, and the dIoT device does.

It looks as if router A doesn't actually put tags on packets going over the trunk cable between A & B, and then router B dumps all packets to the port's primary vlan determined by the * in the configuration table. Even though I expected router A to publish tags because its switch table says

(port 1, vlan 3,99): tagged

Does anybody have an idea what could be the problem?

Thanks in advance!

I assume you're talking about 22.03.5? (23.x hasn't been released yet).

Let's take a look at the network config files from both routers. Please make it clear which is which, as well as the physical port on each that is the link between the two.

Yes 22, sorry for that, getting old. Corrected the post.

On router A (intended dumb switch):
(edited out ula_prefix & mac_address)


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'wan'
	option device 'eth0.1'
	option proto 'dhcp'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.99'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.1'
	option ipaddr '192.168.23.2'
	option gateway '192.168.23.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '8t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '1 4t 8t'

config interface 'test_unman'
	option proto 'none'
	option device 'eth0.3'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option name 'eth0.3'

config switch_vlan
	option device 'switch0'
	option vlan '99'
	option ports '2 3 4t 8t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'eth0.99:t*'

root@asuswhite1:/etc/config# 

On router B (intended smart router):


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.23.1'
	option device 'br-lan.99'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

The intended trunk cable is between ports which on the LuCI interface are called:
Router A: "LAN 1" in the Network -> Switch menu item page
Router B: "lan1" in the "Bridge VLAN filtering" tab of device:br-lan
Looks like the numbering in the /etc/config/network file is different since I see "4t" mentioned there. In the LuCI gui "LAN 4" doesn't have tagged vlans.

On the dumb ap, vlan 3 must be used with a bridge if you want it to connect to a WiFi ssid. So make it look like this:

config device
	option name 'br-testunman'
	option type 'bridge'
	list ports 'eth0.3'

config interface 'test_unman'
	option proto 'none'
	option device 'br-testunman'

Delete this:

And this is not valid syntax - delete it, too:

Then, on the main router, you don’t have a vlan 99 definition, and then vlan 3 is missing entirely. Add the bridge vlan shown below for vlan 99 (I’ve made it tagged in port 1, untagged on 2 and 3). Then you’ll want to add vlan 3 - I’ve just done it as an example below.

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan4:u*'

config interface 'unman'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.3.1'
	option device 'br-lan.3'

Don’t forget to add a dhcp server to vlan 3 and include the network in a firewall zone (put it in lan for the initial testing, adjust later if you want)

Thanks for your fast reply!

Something went wrong with my cut-n-paste that caused the total absence that you noticed, trying again:

router A (dumb switch):

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'wan'
	option device 'eth0.1'
	option proto 'dhcp'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.99'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.1'
	option ipaddr '192.168.23.2'
	option gateway '192.168.23.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '8t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '1 4t 8t'

config interface 'test_unman'
	option proto 'none'
	option device 'eth0.3'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option name 'eth0.3'

config switch_vlan
	option device 'switch0'
	option vlan '99'
	option ports '2 3 4t 8t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'eth0.99:t*'

router B (smart router):

root@asusblack1:/etc/config# cat network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.23.1'
	option device 'br-lan.99'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:t*'
	list ports 'lan2'
	list ports 'lan3'

config interface 'IoT'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'

Right now I don't intend to add a wifi device, do I need a bridge on the dumb ap in that case? I.e. a switch is good enough for me.

On the dumb ap (A) I deleted the two sections as you suggested. No apparent loss of functionality. Note that I do all configuration using the LuCI interface, so if those sections were syntactically invalid, then that's maybe a LuCI issue.

On the smart (B) router, comparing your suggestion with the /etc/config/network file - second try - that I pasted above, it looks like you're saying I should move all stars * away from the tagged connections to the untagged ones. I did that, lost my admin connection (which runs over the trunk 99 vlan), so I waited 90 seconds and reverted, and then my connection was back. Note that on the dumb ap (A) LuCI doesn't give a * option. If on the smart router (B) I add *s to all u's then I retain connectivity. It's the removing from t's that breaks it, see also summary below.

Actually, I don't understand why default vlan IDs should be associated with untagged ports. As I understand it, a star * is meant to tell the system how to interpret an untagged message coming over a trunk. It seems to me there is no ambiguity to be resolved on an untagged port, 'cause the LuCI gui prevents the user from associating two untagged vlans with one single port. Or did I misunderstand that?

I also deleted the dns reference to 192.168.1.1 in router A interface 'lan'.

The changes seem to leave me in the same original situation:
Devices connected to

dumb router A:LuCIport(LAN 4) = fileport 1 = vlan3

get DHCP-served if and only if

smart RouterB:LuCIport(lan1) = fileport lan1

has vlan3 starred "*" aka primary vlan.

Devices connected to

dumb router A:LuCIport(LAN 3) = fileport 2 = vlan99

get DHCP-served if and only if

smart RouterB:LuCIport(lan1) = fileport lan1

has vlan99 starred *.

I can't get devices to be DHCP served on both, because the smart router B LuCI gui doesn't allow me to have both vlans 3 and 99 to be primary, which in my understanding would be nonsense anyway.

In fact the way I understand it, the trunk should work without having stars at all, since I don't plan to send untagged packets over the trunk. The fact that those stars deliver partial functionality makes me suspect that the dumb ap (A) doesn't actually put tags on the trunk as I wish it to.

The switch in the dumb ap (A = Asus RT-N16) is a broadcom BCM53115. Looking at the specs, it says it has Q-in-Q double tagging:

https://docs.broadcom.com/doc/12381552

Could it be that one of the routers reads/writes the inner tag field when it should be outer tag field or vice versa?

Let's see the latest config from both devices.

Hi @psherman, thanks again for your time, my current configs read:

Router A, dumb:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'yyyy:yyyy:yyyy::/48'

config interface 'wan'
	option device 'eth0.1'
	option proto 'dhcp'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.99'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.23.2'
	option gateway '192.168.23.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '8t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '1 4t 8t'

config interface 'test_unman'
	option proto 'none'
	option device 'eth0.3'

config switch_vlan
	option device 'switch0'
	option vlan '99'
	option ports '2 3 4t 8t'

Router B, smart:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.23.1'
	option device 'br-lan.99'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:t*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config interface 'IoT'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1'

vlan99 over trunk works with its line

list ports 'lan1:t*'

If I remove that * then it breaks. vlan3 over trunk doesn't work. If I add the star to its line

list ports 'lan1:t'

then vlan3 works (but 99 doesn't).

That suggests the packets on the cable aren't being tagged by the swconfig device A. It is a Broadcom chip so there may be some strangeness. On Router A, run swconfig help to confirm it is 4096 VLAN compatible. If the switch only supports 16 VLANs the best thing to do is refactor your network so all the VLAN numbers are under 16. Also there is swconfig show which will show the configuration actually loaded into the switch.
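The reasoning in the post above (only the VLAN starred on router B's lan1 works, so frames from A must be arriving untagged), worked through as an added example that is not part of the original thread. It is a simplified model of 802.1Q ingress classification, not OpenWrt's code: the function names and sample frames are constructed, and only explicit `t`/`u`/`*` flags from router B's `bridge-vlan` sections are modelled.

```python
import struct

TPID_CTAG = 0x8100  # 802.1Q tag
TPID_STAG = 0x88A8  # 802.1ad outer tag used for Q-in-Q

def parse_vlan_tags(frame):
    """Return ([vid, ...] outer tag first, ethertype) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    offset, vids = 12, []            # skip destination and source MAC
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_CTAG, TPID_STAG):
            return vids, etype
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)    # low 12 bits of the TCI are the VLAN ID
        offset += 4

def parse_bridge_vlans(sections):
    """{vid: ['lan1:t', 'lan4:u*', ...]} -> {port: {'pvid', 'member'}}.
    Only explicit flags are modelled; '*' marks the port's PVID."""
    ports = {}
    for vid, entries in sections.items():
        for entry in entries:
            name, _, flags = entry.partition(":")
            port = ports.setdefault(name, {"pvid": None, "member": set()})
            port["member"].add(vid)
            if "*" in flags:
                port["pvid"] = vid
    return ports

def ingress_vlan(port, frame):
    """VLAN a frame is classified into on ingress, or None if it is dropped."""
    vids, _ = parse_vlan_tags(frame)
    # Untagged and priority-tagged (VID 0) frames take the port's PVID.
    vid = vids[0] if vids and vids[0] != 0 else port["pvid"]
    return vid if vid in port["member"] else None

def build_frame(vids=()):
    """Constructed sample: broadcast IPv4 frame with optional VLAN tags."""
    frame = b"\xff" * 6 + bytes.fromhex("020000000001")
    for i, vid in enumerate(vids):
        tpid = TPID_STAG if len(vids) > 1 and i == 0 else TPID_CTAG
        frame += struct.pack("!HH", tpid, vid)
    return frame + struct.pack("!H", 0x0800) + b"\x00" * 46

# Router B's latest bridge-vlan sections for VLANs 3 and 99, from the thread.
ROUTER_B = {3: ["lan1:t", "lan4:u*"], 99: ["lan1:t*", "lan2:u*", "lan3:u*"]}
# Same, with the star moved to VLAN 3 on lan1, as tried in the thread.
ROUTER_B_STAR3 = {3: ["lan1:t*", "lan4:u*"], 99: ["lan1:t", "lan2:u*", "lan3:u*"]}

if __name__ == "__main__":
    for label, cfg in (("star on 99", ROUTER_B), ("star on 3", ROUTER_B_STAR3)):
        lan1 = parse_bridge_vlans(cfg)["lan1"]
        for vids in ((), (3,), (99,)):
            print(label, "tags", list(vids), "->", ingress_vlan(lan1, build_frame(vids)))
```

In this model, correctly tagged frames reach VLAN 3 and VLAN 99 wherever the star sits; only untagged frames follow the star, which is the symptom reported in the thread.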

# swconfig dev switch0 help
switch0: eth0(BCM53115), ports: 9 (cpu @ 8), vlans: 4096
     --switch
	Attribute 1 (int): enable_vlan (Enable VLAN mode)
	Attribute 2 (string): ports (Available Ports (as bitmask))
	Attribute 3 (int): reset_mib (Reset MIB counters)
	Attribute 4 (int): enable_jumbo (Enable Jumbo Frames)
	Attribute 5 (int): allow_vid_4095 (Allow VID 4095)
	Attribute 6 (none): apply (Activate changes in the hardware)
	Attribute 7 (none): reset (Reset the switch)
     --vlan
	Attribute 1 (ports): ports (VLAN port mapping)
     --port
	Attribute 1 (string): mib (Get port's MIB counters)
	Attribute 2 (int): pvid (Primary VLAN ID)
	Attribute 3 (unknown): link (Get port link information)
# swconfig dev switch0 show
Global attributes:
	enable_vlan: 1
	ports: 0x011f
	reset_mib: ???
	enable_jumbo: 0
	allow_vid_4095: 0
Port 0:
	pvid: 1
	link: port:0 link:up speed:1000baseT full-duplex auto
Port 1:
	pvid: 3
	link: port:1 link:down
Port 2:
	pvid: 99
	link: port:2 link:down
Port 3:
	pvid: 99
	link: port:3 link:down
Port 4:
	pvid: 0
	link: port:4 link:up speed:1000baseT full-duplex auto
Port 5:
	mib: ???
	pvid: 0
	link: port:5 link:down
Port 6:
	mib: ???
	pvid: 0
	link: port:6 link:down
Port 7:
	mib: ???
	pvid: 0
	link: port:7 link:down
Port 8:
	pvid: 0
	link: port:8 link:up speed:1000baseT full-duplex 
VLAN 1:
	ports: 0 8t 
VLAN 2:
	ports: 8t 
VLAN 3:
	ports: 1 4t 8t 
VLAN 99:
	ports: 2 3 4t 8t 

I managed to make the trunk connection work on other hardware (and OpenWRT 22). To be specific with the Asus-RT-AC56U as the dumb switch and a TP-LINK Archer C7 v1 as the smart router. I haven't figured out if there is something wrong with my RT-N16, or with OpenWRT22 on RT-N16, or whether I'm just a dodgy configurator. I won't be trying to find out in the foreseeable future, but if I get trunks to work on/between RT-N16s, I'll post the config here for posterity.

Thanks for your time!