Connect wifi interface directly to switch port

I am trying to connect a wifi interface directly to an ethernet switch port independent of and isolated from the rest of the OpenWrt hardware/functionality. The aim is to connect wifi devices into this network completely isolated from other connections and the "internet router" functionality of the OpenWrt device. The switch port is connected to a separate network with its own DHCP server, etc.

The OpenWrt device is a BT Home Hub 5A running LEDE Reboot (17.01.4, r3560-79f57e422d).

I have a bridge interface on vlan 5 (interface option ifname eth0.5) and I have attached the wifi interface (wifi-iface option network) to it. I have configured a switch_vlan entry to connect switch port 2 to the vlan 5 bridge.

Note the "CPU" port is not connected to the switch. I presume this means the firewall config doesn't apply but I created a firewall rule for the bridge network that accepts all (just in case).

The basic topology is this:

            |<--------- OpenWRT -------->|
|Client|--->|Wifi|--->|Bridge|--->|Switch|--->|Switch|--->|Server|
                                  |port 2|

When I connect a wifi device I can see it making DHCP requests and I can see the DHCP server responding to those requests with an offer. I can follow (with Wireshark) the offer right through the network to the network's switch port that is connected to switch port 2 of the OpenWRT device.

But the client never receives the offer.

When I tcpdump port 2 I can see the DHCP Discover packets but there are no DHCP offer packets. When I do similarly on the network's switch I can see both.

I also tried static configuration, just in case it was a DHCP problem. I can see ARP requests and replies on the network's switch but I can only see the requests on port 2.

I tried connecting two wifi devices with static ip addresses and they cannot see each other. Again, only outbound ARPs are visible. Both devices' outbound ARPs are visible on the network's switch.

It's like traffic is only able to flow one way, outbound.

OpenWrt shows the ethernet connection is established at 1000baseT full-duplex. I've done cable tests and tried everything else I can think of. Note that otherwise the OpenWrt has been installed for ages and works great.

If I replace the OpenWrt's connection to the network's switch with a laptop (so it's on the same port), that works fine.

Here is a config extract:

# /etc/config/wireless: AP attached to the 'testnet' network
config wifi-iface 'dmz_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'XXXX'
        option encryption 'psk2'
        option key 'XXXX'
        option isolate '1'
        option network 'testnet'

# /etc/config/network: unmanaged bridge carrying VLAN 5 only
config interface 'testnet'
        option type 'bridge'
        option ifname 'eth0.5'
        option _orig_ifname 'eth0.5'
        option _orig_bridge 'true'
        option proto 'none'

# /etc/config/network: hardware VLAN 5 with switch port 2 as its only member
config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '2'

# /etc/config/firewall: accept-all zone for 'testnet'
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'untrusted'
        option forward 'ACCEPT'
        option network 'testnet'

I've been struggling with this for days. Can anyone shed some light? Where am I going wrong?

Consider upgrading it!

Other than that, the second switch between OpenWrt and the server is simple unmanaged or has some vlan setup?

You need to tag also to CPU here; port 2 on its own gets you nowhere...

The network-side switch is managed; the port that OpenWrt is connected to is untagged but is part of a server-side VLAN, so the appropriate server-side VLAN id is applied to traffic passing the port. When I test using a laptop the same port works fine. Just wondering, why do I need to tag it on OpenWrt if the port on the network switch is untagged?

But I'm going to try tagging it anyway...

Re upgrading, it is in my plan but haven't got there yet. If there is a reason to do it now, like something is known not to work, then I will do it now. But it will be a pain...

Edit... tried tagging the OpenWrt port, and also the network switch port. Same behaviour, no difference (except the inbound frames are tagged now).

All wifi traffic passes through the CPU. So you have to attach the switch CPU port to the hardware VLAN in the switch. The CPU connections are all tagged so the kernel can tell which packet is for which VLAN.

Packets arriving at the CPU for VLAN 5 (eth0.5) then will go to a software bridge then to the WiFi AP driver. This bridge should not have an IP address (Protocol Unmanaged) so that users of that network can't possibly hack into the OS.

CLI commands brctl show and swconfig dev switch0 show are useful to check that the software bridges and hardware switch have been configured as you expect.
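As an added example (not part of this thread and not an OpenWrt tool), the following POSIX shell snippet lints a UCI-style network config extract for exactly the problem described above: a switch_vlan whose ports list does not include the switch CPU port as a tagged member, so frames for that VLAN never reach the kernel and therefore never reach the software bridge and the WiFi driver. The CPU port number is board-specific; the script assumes port 6 (CPU_PORT=6, override via the environment), and the embedded sample config is constructed from the poster's switch_vlan plus a second, correctly configured VLAN for contrast. It runs offline with busybox awk or any POSIX awk.

```shell
#!/bin/sh
# Lint OpenWrt switch_vlan stanzas: each hardware VLAN that should carry
# bridged/WiFi traffic must list the CPU port as a tagged member ("<port>t").
# Assumption: the CPU port is port 6 (board-specific; set CPU_PORT to override).
CPU_PORT="${CPU_PORT:-6}"

# Read UCI-style text on stdin; print one line per switch_vlan:
#   vlan <vid> ports="<list>" ok|MISSING-CPU
check_switch_vlans() {
    awk -v cpu="${CPU_PORT}t" -v q="'" '
        function flush() {
            if (in_vlan) {
                ok = 0
                n = split(ports, p, " ")
                for (i = 1; i <= n; i++) if (p[i] == cpu) ok = 1
                printf "vlan %s ports=\"%s\" %s\n", vid, ports, (ok ? "ok" : "MISSING-CPU")
            }
            in_vlan = 0; vid = ""; ports = ""
        }
        # a new "config ..." line closes the previous stanza
        /^config[ \t]/ { flush(); if ($2 == "switch_vlan") in_vlan = 1; next }
        in_vlan && $1 == "option" && $2 == "vlan"  { vid = $3; gsub(q, "", vid) }
        in_vlan && $1 == "option" && $2 == "ports" {
            ports = $0
            sub(/^[ \t]*option[ \t]+ports[ \t]+/, "", ports)
            gsub(q, "", ports)
        }
        END { flush() }
    '
}

# Emit a corrected switch_vlan stanza: the existing ports plus the tagged CPU port.
# $1 = VLAN id, $2 = existing ports list (space separated)
fixed_switch_vlan() {
    printf "config switch_vlan\n\toption device 'switch0'\n\toption vlan '%s'\n\toption vid '%s'\n\toption ports '%s %st'\n" \
        "$1" "$1" "$2" "$CPU_PORT"
}

# Constructed sample: VLAN 5 as posted in the thread (CPU port missing) and a
# VLAN 1 that already tags the CPU port.
SAMPLE_CONFIG="$(cat <<'EOF'
config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '2'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 3 6t'
EOF
)"

# Usage: lint the sample, then print the corrected stanza for VLAN 5.
printf '%s\n' "$SAMPLE_CONFIG" | check_switch_vlans
fixed_switch_vlan 5 2
```

To lint a live device, feed it the real file instead of the sample, e.g. `check_switch_vlans < /etc/config/network`, and compare the result with `swconfig dev switch0 show`, which reports the member ports the switch actually has programmed.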

Duh! I feel silly now :slight_smile:

I added cpu (port 6t) to the switch config and, well guess what? It works!

I don't understand why it worked one way without the CPU port though. The fact it was half working like that, and that I wanted to keep this VLAN completely separate from everything else, made me think I was on the right track...

Also, I'm unsure whether the firewall plays any part in this configuration?