Hi all, I installed ver 24.10.5 without any issues and set about configuring vlans…without any success. The issue is that although I can enable vlan filtering and then create vlans as well as set tags etc, when I save and commit the changes, the network hangs and I have to power cycle or even do a hard reset. The situation is the same if I configure a new device as an 802.1q device and then alter /etc/config/network to add the tag information, restarting network service just hangs. Restarting loses the added configuration. Researching this provides conflicting information as to whether the mt7621 supports vlan or that earlier versions of openwrt were more reliable and that 24.10.5 is broken in respect of vlan. Other information suggests that there are two modules that need to be installed, that is ‘dsa’ and ‘mt7621’ modules (I assume kernel modules), these are not listed in lsmod and nor in the *.ko directories. Any help and guidance you can give to enable me to configure this AP will be appreciated. Snippet from dmesg below.
[ 0.451556] mt7621-pinctrl pinctrl: there is not valid maps for state default
[ 0.615851] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 0.621848] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 0.627828] mt7621_gpio 1e000600.gpio: registering 32 gpios
[ 0.634049] mt7621-pci 1e140000.pcie: host bridge /pcie@1e140000 ranges:
[ 0.640694] mt7621-pci 1e140000.pcie: No bus range found for /pcie@1e140000, using [bus 00-ff]
[ 0.649474] mt7621-pci 1e140000.pcie: MEM 0x0060000000..0x006fffffff -> 0x0060000000
[ 0.657580] mt7621-pci 1e140000.pcie: IO 0x001e160000..0x001e16ffff -> 0x0000000000
[ 1.023606] mt7621-pci 1e140000.pcie: PCIE0 enabled
[ 1.028424] mt7621-pci 1e140000.pcie: PCIE1 enabled
[ 1.040616] mt7621-pci 1e140000.pcie: PCI host bridge to bus 0000:00
[ 1.490675] spi-mt7621 1e000b00.spi: sys_freq: 220000000
In some cases, there can be some bugs with respect to VLANs. But more often than not, it's a config issue, particularly in sequencing the changes on the VLANs.
Specifically, after adding bridge-VLANs, you need to also update the lan interface to use the newly created bridge vlan itself. So for example, you need to create a bridge-VLAN (i.e. VLAN 1) with the desired port assignments, and then you need to change the lan's device from br-lan to br-lan.1. Do this out of order and your networking breaks. For me, this is the reason I really like to work directly on the text files themselves (direct editing).
Let's take a look at your config.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
Usually this happens when you lock yourself out. Wifi is kind of good at this point, or save after enabling filtering, or type 20 uci lines and reboot.
Thank you Peter for your quick response. I did reconfigure the AP in the sequence of:
enable vlan filtering and created vlans, clicked save
create interfaces and allocated 'br-lan.X' as network, selected unmanaged clicked save
created wireless SSID's and allocated new interface clicked save
I did not select save and apply as I wanted to copy the configuration before applying, see below
Rather large, but I knew that all configurations would be lost if not successfully applied.
Notes:
mt7621_comfast_cf_ew72-v2.dts file not found
Can I use the wan port as my untagged default and use the lan1 as virtual interfaces configured as unmanaged, firewall zones?
I did have wifi setup to 'manage' if wired interface or vlans have no connection but this failed to connect although the 'manage' SSID was visible and requested a password to logon, but no connectivity
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.119",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "COMFAST CF-EW72 V2",
"board_name": "comfast,cf-ew72-v2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.5",
"revision": "r29087-d9c5716d1d",
"target": "ramips/mt7621",
"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
"builddate": "1766005702"
}
}
# /etc/config/firewall
uci del firewall.cfg03dc81.network
uci add_list firewall.cfg03dc81.network='wan'
uci add_list firewall.cfg03dc81.network='wan6'
uci add_list firewall.cfg03dc81.network='Guest'
uci del firewall.cfg03dc81.network
uci add_list firewall.cfg03dc81.network='wan'
uci add_list firewall.cfg03dc81.network='wan6'
uci add_list firewall.cfg03dc81.network='Guest'
uci add_list firewall.cfg03dc81.network='Media'
uci del firewall.cfg03dc81.network
uci add_list firewall.cfg03dc81.network='wan'
uci add_list firewall.cfg03dc81.network='wan6'
uci add_list firewall.cfg03dc81.network='Guest'
uci add_list firewall.cfg03dc81.network='Media'
uci add_list firewall.cfg03dc81.network='SecLan'
uci add firewall zone # =cfg0edc81
uci set firewall.@zone[-1].name='Guest'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci add_list firewall.@zone[-1].network='Guest'
uci add_list firewall.@zone[-1].network='wan'
uci add firewall forwarding # =cfg0fad58
uci set firewall.@forwarding[-1].src='Guest'
uci set firewall.@forwarding[-1].dest='lan'
uci add firewall forwarding # =cfg10ad58
uci set firewall.@forwarding[-1].src='Guest'
uci set firewall.@forwarding[-1].dest='wan'
uci del firewall.cfg0fad58
uci set firewall.cfg03dc81.input='ACCEPT'
uci set firewall.cfg03dc81.forward='ACCEPT'
uci del firewall.cfg03dc81.network
uci add_list firewall.cfg03dc81.network='Guest'
uci add_list firewall.cfg03dc81.network='wan'
uci add_list firewall.cfg03dc81.network='wan6'
uci del firewall.cfg03dc81.network
uci add_list firewall.cfg03dc81.network='Guest'
uci add_list firewall.cfg03dc81.network='Media'
uci add_list firewall.cfg03dc81.network='SecLan'
uci del firewall.cfg02dc81.network
uci add_list firewall.cfg02dc81.network='Guest'
uci add_list firewall.cfg02dc81.network='Media'
uci add_list firewall.cfg02dc81.network='SecLan'
uci add_list firewall.cfg02dc81.network='lan'
# /etc/config/network
uci add network bridge-vlan # =cfg07a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='4'
uci add_list network.@bridge-vlan[-1].ports='lan'
uci add network bridge-vlan # =cfg08a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='6'
uci add_list network.@bridge-vlan[-1].ports='lan'
uci add network bridge-vlan # =cfg09a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='99'
uci add_list network.@bridge-vlan[-1].ports='lan:t'
uci add_list network.@bridge-vlan[-1].ports='wan:u*'
uci del network.cfg030f15.ports
uci add_list network.cfg030f15.ports='lan'
uci add_list network.cfg030f15.ports='wan'
uci del network.cfg07a1b0.ports
uci add_list network.cfg07a1b0.ports='lan:t'
uci del network.cfg08a1b0.ports
uci add_list network.cfg08a1b0.ports='lan:t'
uci set network.Guest=interface
uci set network.Guest.proto='none'
uci set network.Guest.device='br-lan.4'
uci set network.Media=interface
uci set network.Media.proto='none'
uci set network.Media.device='br-lan.6'
uci set network.SecLan=interface
uci set network.SecLan.proto='none'
uci set network.SecLan.device='br-lan.99'
uci set network.Guest.type='bridge'
uci set network.Media.type='bridge'
uci set network.SecLan.type='bridge'
# /etc/config/wireless
uci set wireless.wifinet2=wifi-iface
uci set wireless.wifinet2.device='radio0'
uci set wireless.wifinet2.mode='ap'
uci set wireless.wifinet2.ssid='OpenWrtGuest'
uci set wireless.wifinet2.encryption='sae'
uci set wireless.wifinet2.ocv='0'
uci set wireless.wifinet2.network='Guest'
uci set wireless.wifinet2.key=''
uci set wireless.wifinet3=wifi-iface
uci set wireless.wifinet3.device='radio0'
uci set wireless.wifinet3.mode='ap'
uci set wireless.wifinet3.ssid='OpenWrtMedia'
uci set wireless.wifinet3.encryption='none'
uci set wireless.wifinet3.network='Media'
uci set wireless.wifinet3.encryption='sae'
uci set wireless.wifinet3.key=''
uci set wireless.wifinet3.ocv='0'
uci set wireless.wifinet4=wifi-iface
uci set wireless.wifinet4.device='radio0'
uci set wireless.wifinet4.mode='ap'
uci set wireless.wifinet4.ssid='OpenWrtSecLan'
uci set wireless.wifinet4.encryption='sae'
uci set wireless.wifinet4.key=''
uci set wireless.wifinet4.ocv='0'
uci set wireless.wifinet4.network='SecLan'
uci del wireless.radio1.disabled
uci set wireless.wifinet5=wifi-iface
uci set wireless.wifinet5.device='radio1'
uci set wireless.wifinet5.mode='ap'
uci set wireless.wifinet5.ssid='OpenWrtMedia'
uci set wireless.wifinet5.encryption='sae'
uci set wireless.wifinet5.key=''
uci set wireless.wifinet5.ocv='0'
uci set wireless.wifinet5.network='Media'
uci set wireless.radio1.country='ES'
uci set wireless.radio1.cell_density='0'
uci set wireless.wifinet6=wifi-iface
uci set wireless.wifinet6.device='radio1'
uci set wireless.wifinet6.mode='ap'
uci set wireless.wifinet6.ssid='OpenWrtSecLan'
uci set wireless.wifinet6.encryption='sae'
uci set wireless.wifinet6.key=''
uci set wireless.wifinet6.ocv='0'
uci set wireless.wifinet6.network='SecLan'
No they refer to luci uci commands before they are committed. Once committed, network fails and so a hard reset is required and so I lose the /etc/config files. The above shows what was committed beforehand. BTW the error above occurs once I tag the vlans. I can configure interfaces and devices that is 802.1q devices and the network interface stays up. It is only when I configure tagging that it all goes wrong
Config files below and some clarification:
The CE-72V2 has one lan port and one wan port. As my plan of using a 'manage' SSID in case of network interface failure, did not work, I have now used the wan port as an additional lan port and configured it with a static IP. This port will act as the trunk to an upstream switch. The three interfaces Guest, Media and Lan are all unmanaged at present. All the files are from a running AP apart from the network file. I have edited that, hopefully with the correct parameters but I would rather it be checked and corrected before I commit it to the AP. As this is intended to be a dumb AP, I have disabled the firewall. Also something I do not understand is that there is an entry for DHCP on the lan interface when this interface is unmanaged
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd50:7axxxxxxc::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan'
list ports 'wan'
# vlan 4: Untagged on lan, tagged on wan
config bridge-vlan
option device 'br-lan'
option vlan '4'
list ports 'lan:u'
list ports 'wan:t'
# vlan 6: Untagged on lan, tagged on wan
config bridge-vlan
option device 'br-lan'
option vlan '6'
list ports 'lan:u'
list ports 'wan:t'
# vlan 99: Untagged on lan, untagged and default on wan
config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'lan:u'
list ports 'wan:u*'
config interface 'lan'
option device 'br-lan.99'
option proto 'none'
config interface 'Trunk'
option proto 'static'
option device 'br-lan'
option ipaddr '192.168.1.3'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
config device
option type '8021q'
option ifname 'br-lan'
option vid '4'
option name 'br-lan.4'
config device
option type '8021q'
option ifname 'br-lan'
option vid '6'
option name 'br-lan.6'
config device
option type '8021q'
option ifname 'br-lan'
option vid '99'
option name 'br-lan.99'
config interface 'Guest'
option proto 'none'
option device 'br-lan.4'
config interface 'Media'
option proto 'none'
option device 'br-lan.6'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option band '2g'
option channel '1'
option htmode 'HT20'
option country 'ES'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'Guest'
option mode 'ap'
option ssid 'AP_Guest'
option encryption 'none'
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option band '5g'
option channel '36'
option htmode 'VHT80'
option country 'ES'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'Guest'
option mode 'ap'
option ssid 'AP_Guest'
option encryption 'none'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'AP_Media'
option encryption 'none'
option network 'Media'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'AP_Lan'
option encryption 'none'
option network 'lan'
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'AP_Lan'
option encryption 'none'
option network 'lan'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'hybrid'
option ra 'hybrid'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piofolder '/tmp/odhcpd-piofolder'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
You have multiple VLANs set as untagged on the lan port -- only one network may be untagged on a given port.
What is the lan port connected to and what is the VLAN configuration of the device on the other end?
You said that the wan port is the upstream connection. What does it connect to (a router or a switch or something else)? Is that one properly configured? Is it running OpenWrt or something else (like vendor firmware)?
The wan port has VLANs 4 and 6 tagged and VLAN 99 untagged. Does this match the upstream network configuration?
You need to be using the bridge VLANs on the Trunk interface. Which VLAN should that attach to?
And the 802.1q stanzas do not belong and should be deleted.
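The three problems called out in the reply above (more than one untagged VLAN on a port, an interface attached to the bare bridge, and leftover 802.1q device stanzas) can be checked before a config is committed. This is an added example, not part of the original thread; `lint_network` and `sample_config` are hypothetical names, and the sample input is constructed from the file posted earlier.

```shell
# Added example: lint a UCI network file for the bridge-VLAN mistakes named in
# this thread. Prints one finding per line and returns 1 if there are any.
# Simplification: only an explicit ":u" flag counts as untagged.
lint_network() {
    awk '
    function unq(s) { gsub(/\047|"/, "", s); return s }   # strip UCI quotes
    function report(msg) { bad++; print msg }
    function flush(   n, i, p, k) {                       # close current section
        if (stype == "bridge-vlan") {
            filtered[opt["device"]] = 1
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) {
                if (p[i] !~ /:.*u/) continue              # tagged or unflagged
                sub(/:.*/, "", p[i])
                k = opt["device"] " port " p[i]
                if (!cnt[k]++) order[++nk] = k            # keep first-seen order
                vids[k] = vids[k] (vids[k] == "" ? "" : ",") opt["vlan"]
            }
        } else if (stype == "device" && opt["type"] == "8021q") {
            qname[++nq] = opt["name"]; qbase[nq] = opt["ifname"]
        } else if (stype == "interface") {
            iname[++ni] = sname; idev[ni] = opt["device"]
        }
        split("", opt); ports = ""                        # reset for next section
    }
    $1 == "config" { flush(); stype = $2; sname = unq($3); next }
    $1 == "option" { opt[$2] = unq($3); next }
    $1 == "list" && $2 == "ports" { ports = ports " " unq($3) }
    END {
        flush()
        for (i = 1; i <= nk; i++) if (cnt[k = order[i]] > 1)
            report("untagged-conflict: " k " untagged in VLANs " vids[k])
        for (i = 1; i <= nq; i++) if (qbase[i] in filtered)
            report("8021q-stanza: " qname[i] " on VLAN-filtered " qbase[i])
        for (i = 1; i <= ni; i++) if (idev[i] in filtered)
            report("bare-bridge: interface " iname[i] " uses " idev[i])
        exit (bad > 0)
    }' "$@"
}
# Constructed sample, condensed from the network file posted earlier.
sample_config() { cat <<'EOF'
config bridge-vlan
    option device 'br-lan'
    option vlan '4'
    list ports 'lan:u'
    list ports 'wan:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '99'
    list ports 'lan:u'
    list ports 'wan:u*'
config interface 'Trunk'
    option device 'br-lan'
config device
    option type '8021q'
    option ifname 'br-lan'
    option name 'br-lan.4'
EOF
}
sample_config | lint_network || true
```

On the device, `lint_network /etc/config/network` checks the live file; with no argument the function reads standard input.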
Yes I realised that was a mistake when I re-read it this morning. I have submitted another network configuration below
This is intended as an external dumb AP supporting three vlans that then are connected to a layer two managed switch. That switch is then routed to the main AP supplying DHCP/DNS and also configured with the required vlans on openwrt 24.10. The intermediate switch is running proprietary firmware.
Yes this is an error, the wan port was intended as a failsafe in case I lost connectivity with the lan port. The lan port is intended to be the production connected port while the wan port is the failsafe port while I am configuring the AP at my desk.
Yes please see updated config file below
Still new to openwrt, very much in the learning phase. The lines commented out are those that break the network interfaces when enabled, as is with comments in, the networks works as expected. I look forward to your comments
When you are using bridge-vlans, all networks inside the bridge must be tagged. This means you need to choose a VLAN number for the Failsafe network and use br-lan.N for it.
Don't comment out the bridge-vlan definitions. Those are necessary for br-lan.4 etc to exist.
So this should be br-lan.99. This is also the default vlan for interface wan. These lines are only commented out until I feel confident that the config file is correct before I commit.
Put this backup network in the lan firewall zone. You may also (optionally) want to add a DHCP server to this network.
Delete the failsafe interface.
Now, I'm guessing that your failsafe address was related to the upstream trusted lan that you will use to manage the device. So, let's change the lan interface to match that (assuming 192.168.1.3 is the desired management address and doesn't conflict with anything upstream).
At this point, it is assumed that the upstream network switch (and router) has been properly configured (including verification of all the functionality via wired connections), and that the port to which this device connects is set up with VLANs 4, 6, and 99 -- all tagged.
All good information here! Particularly a different network for 'backup' that makes it less complicated. As this is to be a dumb AP the firewall has been disabled and DHCP will be provided by the main AP. It is late here and so I will dive into this in the morning. Many thanks all
I changed the above to 'wan', carried out all the other mods, rebooted and... everything worked. The 'backup' I/F plugged into the 'wan' port worked, and all SSIDs worked, picking up DHCP/DNS from the main AP. All I have to do now is to find out why a local switch is not talking to the main switch, although the dumb AP is talking to this main switch and the main AP is talking to this main switch as well, but that is another topic. Thanks Peter. Just an aside: I will agree with brada4 that these so-called AI chats can be a waste of time, as I found out. I do use them a lot for IT problem solving, but they failed big time with OpenWrt; so much stale information out there.