I am new to networking and OpenWrt, and I've been having trouble setting up VLANs on a managed switch and access point both running OpenWrt 22.03.0 r19685-512e76967f.
Network hardware:
OPNsense x86 PC (192.168.1.1) <-> OpenWrt managed switch Netgear gs308t (192.168.1.2) <-> OpenWrt access point tp-link eap615 (192.168.1.3)
Ultimately I want to have multiple VLANs for different wireless SSIDs and for LAN ports on my switch. My immediate goal is to setup VLAN 10 for my wireless pi-hole, which I plan to use as a DNS server for all of my devices. Currently all of my devices are connected to the internet and can ping each other. So far this is what I've done.
In OPNSense:
created a VLAN interface with tag 10.
set the interface static IP to 192.168.10.1.
enabled DHCPv4 for this interface and arbitrarily set the IPv4 range to 192.168.10.10 - 192.168.10.200.
created a firewall rule to "pass" traffic going "in" to this OPNsense interface.
Thanks. I read the article and also watched the video. The video has some great content explaining the theory of VLANs, but I found some configuration explanations confusing while jumping between the different versions of OpenWrt. Version 22.03.0 is the only version I have flashed and I am still new to it.
I'm a bit unclear when it comes to setting up the wireless portion. On the AP, do I need to add a wireless device to the bridge device br-lan?
I'm not sure where to start since my hardware differs slightly from the examples. Would you recommend starting configuring at the switch or AP?
You prepare the bridges with its connected VLANs in /etc/config/network (proto=none, if you don't want the AP to be visible on non-management VLANs) and then use /etc/config/wireless to make your different SSIDs hop onto the individual bridges. swconfig and dsa have different semantics, but both would get the job done - good that all of your devices appear to use one (dsa) instead of a wild mixture between both concepts.
Thanks. Yes I would like to start learning DSA rather than swconfig. I've decided to start configuring the AP in LUCI since it seems more forgiving with the revert changes safety net. But I will also be reading /etc/config/network to see how it appears in the config file.
AP
First I will need to make a new bridge device (I will name it "br-test"). Then I will need to create an interface "TEST", select "br-test" as the device, and set the protocol to unmanaged.
I am unsure which bridge ports to select for br-test. My AP has 4 ports.
I've got the EAP615-Wall as well and just set up a guest network. Find my annotated /etc/config/network below. I have shared a script that does some basic VLAN setup that should get you going (should have popped up in your forum search...):
Network configuration
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
# Default bridge device which includes normally all ports.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
# Your LAN needs to point to the VLAN 1 bridge explicitly: br-lan.1, once you start setting
# VLANs explicitly.
config interface 'lan'
option proto 'static'
option ip6assign '60'
option ipaddr '10.0.0.12/24'
option dns '10.0.0.1'
option gateway '10.0.0.1'
option device 'br-lan.1'
config interface 'lan6'
option proto 'dhcpv6'
option reqprefix 'no'
option device '@lan'
option ifname '@lan'
# Guest network interface using the fancy 'guest' name instead of br-lan.20.
config interface 'guest'
option proto 'static'
option ipaddr '10.0.20.12/24'
option device 'guest'
# VLAN bridge with VLAN 1, untagged. Lan0 is shared between VLANs,
# hence the PVID is set since VID 1 is the default VLAN.
config bridge-vlan 'lan_vlan'
option device 'br-lan'
option vlan '1'
list ports 'lan0:u*'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
# VLAN bridge with VLAN 10, tagged. Lan0 is shared between VLANs, so it
# needs to be tagged.
config bridge-vlan 'lan_vlan'
option device 'br-lan'
option vlan '10'
list ports 'lan0:t'
@a1ftp I'm afraid I should add this is how it's supposed to be, especially the second bridge VLAN, since you'll be bridging the wireless to it AFAIK, but that's not what's working for me for the guest network, in fact was is working is ugly. I have an OpenWrt switch between the EAP615 and my OpenWrt router, and only setting lan0:u* at the config device level makes the guest network function .
Thanks for the script and notes. Sorry, I missed your script in my searching. I was filtering my searches to the "Installing and Using OpenWrt" topic only.
I ran your script and attempted to setup a test vlan. However, I am not getting connectivity when I connect to my wireless test network. I am trying to wrap my head around the concepts. Is my understanding of DSA correct?
br-lan is a device that bridges the physical ports of the device (in this case the 4 physical ports of the eap615).
br-lan.1 is a child of br-lan with VID 1. This is a [virtual] VLAN device.
We defined br-lan.1 as the device for the LAN interface.
The LAN interface is a virtual connector that connects devices to br-lan.1.
Additional br-lan.x devices can be created for additional VLANs, such as the test VLAN I created (br-lan.10).
Additional interfaces can be created for these br-lan.x devices, so that wireless networks can connect to the br-lan.x devices.
I created an interface test, defined device br-lan.10, and connected it to my wireless network test.
All VLAN devices that are a child of br-lan can be managed under br-lan (in Luci: Bridge VLAN filtering).
There is probably something wrong with my configuration. I apologize if I missed something basic, I'm still learning. This is what I have so far.
AP:
VID 10: egress tagged on lan0 (lan0 is connected to switch port 3).
The intent here is to bridge your lan0 port to the wireless, right? I believe this should be correct then, as per the DSA mini tutorial.
You shouldn't be specifying a device in this case AFAIK. A 802.1q type device should only be specified when that port is used standalone. You won't be doing that here; you'd be bridging it to the wireless network.
The intent here is to bridge your lan0 port to the wireless, right?
Yes, that's correct.
Thanks for your insight and help. I ssh'd into my AP and tried editing my network config to be similar to yours. I also removed the lines you specified.
Unfortunately now I'm unable to reach my AP. This is entirely my fault. I will do a factory reset and try again tomorrow. I will run the script and resume configuring in luci so that if I make a mistake the changes will auto-revert. I spent a lot hours last weekend and yesterday trying to cram all the info into my head and troubleshoot. I'm a little burnt out. Will try again tomorrow.
@a1ftp What used to work for me - but which is far from orthodox - is the following. The default (untagged) VLAN is set a the device level (where documentation says it should be at the bridge-vlan level, which isn't working for me either though).
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan0:u*'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option proto 'static'
option ip6assign '60'
option ipaddr '10.0.0.12/24'
option dns '10.0.0.1'
option gateway '10.0.0.1'
option device 'br-lan.1'
config interface 'guest'
option proto 'static'
option ipaddr '10.0.20.12/24'
option device 'br-lan.20'
config bridge-vlan 'lan_vlan'
option device 'br-lan'
option vlan '1'
list ports 'lan0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config bridge-vlan 'guest_vlan'
option device 'br-lan'
option vlan '20'
list ports 'lan0:t'
Comparing my config to yours, I think this is setup correctly. This is my network config on the AP now:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
option ipv6 '0'
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.3'
option gateway '192.168.1.1'
option device 'br-lan.1'
list dns '192.168.1.1'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan0:u*'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan0:t'
config interface 'test'
option proto 'static'
option device 'br-lan.10'
option ipaddr '192.168.10.3'
option netmask '255.255.255.0'
option gateway '192.168.10.1
From the AP (192.168.10.3), I am able to ping my switch (192.168.10.2), however I am not able to ping the gateway (192.168.10.1). Any wireless device I connect to SSID test does not get assigned an IP and cannot ping the gateway. From my router, I am not able to ping my switch or AP either.
Do you have any suggestions for troubleshooting this?
Is there a specific reason that you have an address on VLAN 10 and VLAN 1? Typically, an AP will only have an address on one network (the one that will be used to manage the device), and then the additional VLANs will be unmanaged (proto none), simply forming a bridge between the wired and wireless physical interfaces. This is what I would recommend, but it doesn't address your specific issue.
Does the uplink between your switch and the main gateway (192.168.10.1) have the correct VLAN assignments (presumably a trunk port)? It is entirely likely that your issue is between the gateway and the switch, and not the OpenWrt device to the switch. Your switch clearly has an address, but it may be disconnected from the gateway if the VLANs aren't set correctly. The way you can verify this is to try pinging the switch from the main gateway. And then ping the OpenWrt device from the gateway... chances are that neither will work from the main gateway (based on your description).
Is there a specific reason that you have an address on VLAN 10 and VLAN 1?
No, there is not sorry. I'm still learning about these concepts. Thank you for clarifying. I changed the protocol in my switch and AP configs.
chances are that neither will work from the main gateway (based on your description).
This is true. When I tried pinging both neither worked.
Does the uplink between your switch and the main gateway (192.168.10.1) have the correct VLAN assignments (presumably a trunk port)?
This question helped me so much. Thank you! My switch was not configured correctly. I needed to setup the trunk port. Now I am able to ping my switch from the main gateway and ping the OpenWrt device from the gateway. And my wireless devices are being assigned IP addresses.
I’m glad it helped. It is so easy to overlook the other parts of the equation when you are absorbed in a particular aspect. That is why these forums can be so useful!
Touché
But the same thing could have been determined based on the lack of DHCP functionality. My next suggested step would have been to verify that a wired computer (not necessarily the router/AP) could get DHCP via an access port for the affected VLAN on the upstream switch. It just so happened that the OP offered some details that got us there slightly faster in this case.
Edit: I just want to make sure I'm understanding this correctly. Am I setting PVID on lan3 so that the switch can receive (ingress) untagged packets from any devices connected through lan3?