I have three Linksys wireless routers, all flashed with OpenWrt v19.07. My main router is a WRT1900ACS v2 and my two dumb APs are EA6350s. I have several VLANs set up, and I have configured the WAN port on each switch to be the trunk port, where all the VLANs are tagged. Between the WRT1900ACS v2 and the two EA6350s I have a 5-port managed switch, which is used to bridge them together via the VLAN trunk and also to untag the WAN VLAN towards my ISP's ONT. The VLAN ID for each network matches the third octet of that VLAN's subnet, to keep everything easy to manage.
My Admin (management) VLAN uses the IP subnet 192.168.1.0/28 and my private LAN is on the subnet 192.168.5.0/24.
The following IP addresses are used for the three switches:
-
Main Router/AP1 (WRT1900ACSv2)
192.168.1.1 (Admin VLAN)
192.168.5.1 (LAN VLAN)
/etc/config/network
# /etc/config/network on the main router (WRT1900ACS v2). It routes between the
# admin (VID 1), lan (VID 5), iot (VID 7) and wan (VID 10) VLANs; as described
# above, the VID of each VLAN matches the third octet of its subnet.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdfd:1057:ecab::/48'
# Private LAN: bridge over the VID 5 sub-interface, 192.168.5.1/24.
# ip6assign '60' requests a /60 from the delegated IPv6 prefix for this bridge.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.5.1'
option ifname 'eth0.5'
option igmp_snooping '1'
# WAN: PPPoE over VID 10 on eth1. username/password are empty in this paste
# (presumably redacted).
config interface 'wan'
option ifname 'eth1.10'
option proto 'pppoe'
option password ''
option ipv6 'auto'
option username ''
# Management VLAN: bridge over VID 1, 192.168.1.1/28 (255.255.255.240);
# broadcast 192.168.1.15 is the correct broadcast for that mask.
# NOTE(review): VID 1 is the default/native VLAN on many managed switches. If
# the 5-port switch delivers untagged frames into VID 1, an untagged host would
# land on the management VLAN - confirm the trunk's native VLAN setting.
config interface 'admin'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.240'
option broadcast '192.168.1.15'
option type 'bridge'
option igmp_snooping '1'
# IoT VLAN: bridge over VID 7, 192.168.7.1/24. No ip6assign here, so this
# file gives the interface no delegated IPv6 prefix.
config interface 'iot'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.7.1'
option ifname 'eth0.7'
# Switch: reset and VLAN filtering enabled. In the port lists below, 4 is the
# physical WAN jack used as the trunk per the description; 5t/6t appear to be
# the CPU ports behind eth0/eth1 (matching the eth0.N / eth1.10 ifnames above)
# - confirm against the board's port map.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VID 1 (admin): physical port 3 is an untagged access port, so anything
# plugged into it is on the management VLAN; trunk (4) and CPU (5) tagged.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '3 4t 5t'
# VID 10 (wan): trunk only, tagged towards CPU port 6 (eth1.10).
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '10'
option ports '4t 6t'
# VID 5 (lan): physical port 0 untagged access port; trunk and CPU tagged.
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '5'
option ports '0 4t 5t'
# VID 7 (iot): no untagged access port; trunk and CPU only (ports line follows).
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '7'
option ports '4t 5t'
/etc/config/firewall
# /etc/config/firewall on the main router. Zone policy, from the stanzas below:
# lan, admin and iot accept everything within their zone; wan rejects input and
# forward and NATs outbound traffic. The defaults are stricter than stock
# (input and output DROP), but every zone overrides output to ACCEPT.
config defaults
option input 'DROP'
option forward 'REJECT'
option output 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# WAN zone: masquerade (NAT) and MSS clamping (mtu_fix) for the PPPoE link.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt inbound rules from the WAN follow (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6 input and forward); they match the default template.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock OpenWrt rules admitting IPsec ESP and ISAKMP (UDP/500) from the WAN
# into the lan zone. They only matter if a lan host terminates IPsec; if none
# does, disabling them shrinks the surface exposed towards the Internet.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Extra rules from /etc/firewall.user are loaded here (that file is not shown).
config include
option path '/etc/firewall.user'
# miniupnpd hook: UPnP lets clients in the zones it serves open inbound WAN
# ports on their own. Which zones that covers is set in miniupnpd's own
# configuration, not in this file.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# Management zone (admin VLAN). No admin -> wan forwarding is declared in this
# file, so admin-zone hosts get no Internet access through this router.
config zone
option name 'admin'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'admin'
option forward 'ACCEPT'
# IoT zone: accepts everything within the zone; forwarded to wan just below.
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'iot'
config forwarding
option dest 'wan'
option src 'iot'
# Both multicast rules below are disabled (enabled '0'). Despite its name, the
# second one matches 239.255.255.250/1900, which is SSDP (UPnP discovery),
# not mDNS (224.0.0.251/5353, the first rule).
config rule
option src '*'
option name 'allow-mDNS'
option target 'ACCEPT'
list dest_ip '224.0.0.251'
option dest_port '5353'
list proto 'udp'
option enabled '0'
config rule
option src '*'
option name 'Allow-mDNS'
option target 'ACCEPT'
list dest_ip '239.255.255.250'
option dest_port '1900'
list proto 'udp'
option enabled '0'
# NOTE(review): the iot -> lan forwarding lets IoT hosts initiate connections
# into the private LAN, which removes the isolation a separate IoT VLAN would
# otherwise provide. If only lan -> iot is intended, drop that stanza; the
# stateful firewall still passes replies to lan-initiated flows without it.
config forwarding
option dest 'iot'
option src 'lan'
config forwarding
option dest 'lan'
option src 'iot'
# Zone-wide lan <-> admin forwarding. The description above mentions access
# from specific lan hosts only; if that restriction exists, it is not in this
# file (possibly in /etc/firewall.user, included above).
config forwarding
option dest 'admin'
option src 'lan'
config forwarding
option dest 'lan'
option src 'admin'
-
AP2 (EA6350)
192.168.1.2 (Admin VLAN)
192.168.5.2 (LAN VLAN)
/etc/config/network
# /etc/config/network on AP2 (EA6350, dumb AP). Two L3 interfaces: lan on
# VID 5 (192.168.5.2) and admin on VID 1 (192.168.1.2). No routing or DHCP role
# is configured here, and the firewall on this AP is disabled (see below).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Same ULA prefix as AP3's config below; harmless on a dumb AP, but it
# suggests the two AP configs were cloned from one another.
config globals 'globals'
option ula_prefix 'fdc1:fcd5:dff7::/48'
# Private LAN bridge over VID 5. NOTE: both this interface and 'admin' below
# set a gateway, so the AP ends up with two default routes unless metrics are
# set elsewhere; which one is actually used is not determined by this file.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.5.2'
option broadcast '192.168.5.255'
option ifname 'eth0.5'
option gateway '192.168.5.1'
list dns '192.168.5.1'
# Device stanzas pin the MAC of eth0.1 (admin) and eth0.2 (not referenced by
# any interface in this file).
# NOTE(review): AP3's config below carries these exact same macaddr values. If
# that is a copied config rather than a paste/redaction artifact, both APs
# share one MAC on the admin VLAN; the switch's MAC table and STP (whose bridge
# ID is derived from the bridge MAC) cannot tell them apart, which could
# plausibly contribute to the STP symptom described. Check the real MAC on
# each AP before digging further into STP settings.
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr '60:38:e0:8d:2e:1b'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '60:38:e0:8d:2e:1a'
# Switch: 0t appears to be the CPU port and 5 the WAN jack used as the trunk
# per the description; 1 and 4 are untagged access ports - confirm against
# the board's port map.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VID 1 (admin): port 1 untagged access port; CPU and trunk tagged.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1 5t'
# Management interface: 192.168.1.2/28 on the bridge over eth0.1.
# NOTE(review): with the firewall disabled, nothing on this AP blocks routing
# between its lan and admin interfaces if kernel IP forwarding is on, which
# would bypass the main router's lan/admin policy - confirm ip_forward on the
# APs, or keep a minimal firewall enabled on them.
config interface 'admin'
option ipaddr '192.168.1.2'
option ifname 'eth0.1'
option netmask '255.255.255.240'
option proto 'static'
list dns '192.168.1.1'
option gateway '192.168.1.1'
option igmp_snooping '1'
option type 'bridge'
# VID 5 (lan): port 4 untagged access port; CPU and trunk tagged (ports line
# follows).
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '5'
option ports '0t 4 5t'
/etc/config/firewall
DISABLED
-
AP3 (EA6350)
192.168.1.3 (Admin VLAN)
192.168.5.3 (LAN VLAN)
/etc/config/network
# /etc/config/network on AP3 (EA6350, dumb AP). Two L3 interfaces: lan on
# VID 5 (192.168.5.3) and admin on VID 1 (192.168.1.3). No routing or DHCP role
# is configured here, and the firewall on this AP is disabled (see below).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Same ULA prefix as AP2's config above; harmless on a dumb AP, but it
# suggests the two AP configs were cloned from one another.
config globals 'globals'
option ula_prefix 'fdc1:fcd5:dff7::/48'
# Private LAN bridge over VID 5. NOTE: both this interface and 'admin' below
# set a gateway, so the AP ends up with two default routes unless metrics are
# set elsewhere; which one is actually used is not determined by this file.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.5.3'
option broadcast '192.168.5.255'
option ifname 'eth0.5'
option gateway '192.168.5.1'
list dns '192.168.5.1'
# Device stanzas pin the MAC of eth0.1 (admin) and eth0.2 (not referenced by
# any interface in this file).
# NOTE(review): these macaddr values are identical to the ones in AP2's config
# above. If that is a copied config rather than a paste/redaction artifact,
# both APs share one MAC on the admin VLAN; the switch's MAC table and STP
# (whose bridge ID is derived from the bridge MAC) cannot tell them apart,
# which could plausibly contribute to the STP symptom described. Check the
# real MAC on each AP before digging further into STP settings.
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr '60:38:e0:8d:2e:1b'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '60:38:e0:8d:2e:1a'
# Switch: 0t appears to be the CPU port and 5 the WAN jack used as the trunk
# per the description; 1 and 4 are untagged access ports - confirm against
# the board's port map.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VID 1 (admin): port 1 untagged access port; CPU and trunk tagged.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1 5t'
# Management interface: 192.168.1.3/28 on the bridge over eth0.1.
# NOTE(review): with the firewall disabled, nothing on this AP blocks routing
# between its lan and admin interfaces if kernel IP forwarding is on, which
# would bypass the main router's lan/admin policy - confirm ip_forward on the
# APs, or keep a minimal firewall enabled on them.
config interface 'admin'
option ipaddr '192.168.1.3'
option ifname 'eth0.1'
option netmask '255.255.255.240'
option proto 'static'
list dns '192.168.1.1'
option gateway '192.168.1.1'
option igmp_snooping '1'
option type 'bridge'
# VID 5 (lan): port 4 untagged access port; CPU and trunk tagged (ports line
# follows).
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '5'
option ports '0t 4 5t'
/etc/config/firewall
DISABLED
I have set up inter-VLAN access from a few specific hosts in my private LAN to the Admin VLAN so that I can reach the LuCI web page of each switch. With STP enabled on all interfaces of all three switches, if I shut down the LAN interface on one of my dumb APs from a device on that subnet and then try to connect to the Admin interface on that same dumb AP, I lose the connection. I can't regain access to the router until I reboot it, which of course brings back up the LAN interface that was shut down. However, if I keep the bridge enabled on the Admin interface but uncheck STP on the dumb APs, I can stay connected to the dumb AP via the Admin interface from the LAN, where an inter-VLAN connection is established.
I have tried playing around with the STP priority parameter, but it didn't make any difference, and there is no loop detection/STP enabled on my 5-port managed switch.
Any ideas?