Can't get VLAN traffic to flow from AP to Router

Hey all - I swear that I have read every guide, and watched every tutorial available, but I just cannot get this to work. My main router is an Asus AC-88U (DSA) that is using the default br-lan bridge to support a legacy network, while I build out the new environment. I have a single Ethernet cable connecting the access point -- Ubiquiti AP AC-Pro (swconfig).

The main router VLAN setup works, and I am able to connect to each interface and get assigned an address from that VLAN's subnet. The AP, however, I cannot get working. I have not configured the wifi at all on the AP just yet, as my initial test consists of getting a DHCP address for each of the AP interfaces from the main router... and that is not working, so I haven't moved on to adding the wifi.

Even though I have looked over these configs until I was cross-eyed, I'm sure the mistake(s) are glaring, and someone here will notice them right away and be willing to help!

Main router (connected to AP via Lan4 port):

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd47:421e:0aed::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'br-Test'
	option type 'bridge'
	option ipv6 '0'
	list ports 'extsw'	

config device
	option name 'br-AccessPoints'
	option type 'bridge'	
	option ipv6 '0'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.88.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'backupConnect'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option device 'br-Test'

config interface 'intFamily'
	option proto 'static'
	option ipaddr '10.10.88.1'
	option netmask '255.255.255.0'
	option device 'br-AccessPoints.88'

config interface 'intGuest'
	option proto 'static'
	option ipaddr '10.10.100.1'
	option netmask '255.255.255.0'
	option device 'br-AccessPoints.10'

config interface 'intHouse'
	option proto 'static'
	option ipaddr '10.10.99.1'
	option netmask '255.255.255.0'
	option device 'br-AccessPoints.99'

config bridge-vlan
	option device 'br-AccessPoints'
	option vlan '10'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-AccessPoints'
	option vlan '88'
	list ports 'lan4:t*'

config bridge-vlan
	option device 'br-AccessPoints'
	option vlan '99'
	list ports 'lan4:t'

I have the firewall disabled on the AP, but in case this is a firewall config issue on the main router, here is that config, which is almost all default:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'backupConnect'
	list network 'intFamily'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'intGuest'

config zone
	option name 'House'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'intHouse'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'Guest'
	option dest 'wan'

config rule
	option name 'Guest-Allow_DHCP'
	option src 'Guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'Guest'

config forwarding
	option src 'lan'
	option dest 'House'

AP (connected to main router via "main" ethernet switchport [port2]):

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdac:b805:9a92::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 3'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '10'
	option ports '0t 2t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '88'
	option ports '0t 2t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 2t'
	option vid '99'

config device
	option type 'bridge'
	option name 'br-Guest'
	list ports 'eth0.10'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-House'
	list ports 'eth0.99'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-Family'
	list ports 'eth0.88'
	option ipv6 '0'

config interface 'intFamily'
	option proto 'dhcp'
	option device 'br-Family'
	option hostname 'apWest-88'

config interface 'intHouse'
	option proto 'dhcp'
	option device 'br-House'
	option hostname 'apWest-99'

config interface 'intGuest'
	option proto 'dhcp'
	option device 'br-Guest'
	option hostname 'apWest-10'

When checking the system log on the AP, I see that all 3 networks send out a DHCP discover that just goes unanswered -- with no information in the system logs on the main router.

Start by putting port lan4 back into br-lan (and obviously remove br-AccessPoints). Then create vlans 10, 88, and 99 using bridge-vlans against the br-lan device, update the respective network interfaces to use br-lan.10 (and 88, 99).

Then test again... I think that's the real issue, but if not, we'll keep looking deeper.

Thank you for the reply. I will have to test that out later, as I don't want to bring the legacy bridge down to test. I am curious, though, why having more than one bridge would cause an issue here. In its current setup all the VLANs behave as expected on the main router, and as lan4 is tagged for all 3 VLANs on the 2nd bridge, I just assumed that the AP would be plug and play.

I don't really know the technical reason behind this, but what I have observed is that a device with a hardware switch (in your case, lan1-lan4 are all on the HW switch) must have all ports on the main bridge (br-lan, typically) in this type of configuration. If lan4 was carrying exactly 1 network (i.e. no trunking), I think it would be acceptable to pull it out of the bridge and then use lan4 as the device in a network interface stanza. However, it doesn't seem that you can have a single switch chip handling multiple bridges. I know it's a bit odd, and hopefully I've communicated clearly (because it can also be confusing)... but basically stick with a single bridge (and of course the bridge-vlans) and it should work.

Did you, in fact, test that the 2nd bridge is indeed working properly.... for example, using a managed switch instead of the AP to test each VLAN?

Per my description above, the issue is, in fact, the main router, not the AP. The AP should be plug and play based on a cursory look at your config there. But I think that the VLANs are not working on the 2nd bridge using port lan4 from the main router.

You communicated that perfectly, in all its oddness :) I will test by creating the VLANs on the main bridge and test again.
I wonder if the 'extsw' grouping in the 88U counts as its own switch and I could create a new bridge there, while leaving the main bridge alone -- might be worth testing as well.
Thank you for your insight!

@psherman thank you for your help with this, I have marked your solution as such.
A couple of things to note, in case anyone else runs across this:

I needed to add the extsw switch to br-lan as well for the VLANs to start working.

I'm also having a wifi issue on the main router since configuring br-lan -- clients just cannot connect anymore. Fortunately, while I figure this out, I have added the same wifi networks to the AP and it is providing access just fine!
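Putting the solution post (lan4 back into br-lan, VLANs as bridge-vlans, interfaces on br-lan.N) together with the extsw note from the final reply, here is the router's /etc/config/network laid out that way, as an added example that is not from the thread. VLAN id 100 for the extsw port, and giving the AP trunk no PVID, are my own assumptions rather than anything the thread states.

```uci
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'extsw'

# Legacy network: untagged with PVID on lan1-lan3 only, never on the AP trunk.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

# Assumed VLAN id 100 for the backup switch port; backupConnect then uses 'br-lan.100'.
config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'extsw:u*'

# AP trunk on lan4: tagged only, no PVID, so untagged frames arriving from the
# AP are dropped rather than landing on the family VLAN (the thread had 'lan4:t*').
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '88'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan4:t'

# Once VLAN filtering is on, 'lan' must move to the VLAN 1 sub-device;
# intGuest, intFamily and intHouse follow the same pattern with br-lan.10, .88 and .99.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.88.1'
	option netmask '255.255.255.0'
```

After a network restart, `bridge vlan show` (from the ip-bridge package) should list lan4 in 10, 88 and 99 only and lan1-lan3 in 1 only; the firewall zones in the thread keep applying unchanged because they reference the interface names, not the bridge.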
