DHCP issue with guest VLAN depends on HW

Hi,
I have an issue with DHCP running with VLANs depending on the HW config of the network.

Network structure 1 is: router WRT32X (21.02.3) with 2 dumb APs, RT3200 (22.03.3) and X5000R (22.02.3). A guest network made of a set of VLANs bridged together so as to fully isolate guest clients from each other (regardless of wired or wireless). Each AP is connected to the router via a trunk.
This configuration works.

Network structure 2 is: router RT3200 (22.03.3) with 2 dumb APs, RT3200 (22.03.3) and X5000R (22.02.3). A guest network with the same network topology as above.
In this case the guest DHCP process does not complete from the RT3200 AP while it does from the X5000R one. The 802.11 connection to the AP works but the DHCP process never completes.

Looking at the DHCP process using tcpdump at both ends, the client never receives the DHCP reply from the router while the router does send the message. It looks like DHCP messages evaporate somewhere in between.
I realized that the DHCP UDP frames had a bad checksum and applied the solution proposed in [solved] DHCP on VLAN interfaces - #5 by oofnik, unfortunately with no effect.

What I do not understand (because of the inconsistency in the results) is:
WRT32X (router) + RT3200 (AP) works (wifi clients connect to both router and AP and receive DHCP)
WRT32X (router) + X5000R (AP) works (wifi clients connect to both router and AP and receive DHCP)
RT3200 (router) + RT3200 (AP) fails (wifi clients connect to router and AP but do not receive DHCP through the AP)
RT3200 (router) + X5000R (AP) works (wifi clients connect to both router and AP and receive DHCP)

Any guidance on finding where the mistake sits?
THX

Let’s start with two things:

  1. a diagram of your network topology (a photo of a sketch on paper is sufficient).

  2. Let’s see your main router config (then we’ll move on to the dumb APs)

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Sorry for the late reply, no internet for a while in my living place due to my ISP.

Quick overview:
Lan network is segmented into three parts:
admin (Lan): 192.168.66.0/24 single user, used only for network config
users (LanUtil): 192.168.6.0/24 only wired home users
guest (Invite): 172.16.19.0/24 wired/wireless guest isolated from each others

I tried replacing the CPL connection with a long Ethernet cable, without any change.

CONFIG/NETWORK

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'GivenByRouter'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.66'
	option ipaddr '192.168.66.56'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '66'
	list ports 'lan1'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'LanUtil'
	option proto 'static'
	option device 'br-lan.6'
	option ipaddr '192.168.6.56'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'lan2'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config interface 'Invite'
	option proto 'static'
	option device 'br-invite'
	option ipaddr '172.16.19.56'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-invite'
	list ports 'br-lan.10'
	list ports 'br-lan.19'
	list ports 'br-lan.20'
	list ports 'br-lan.21'
	list ports 'br-lan.22'
	list ports 'br-lan.23'
	list ports 'br-lan.24'
	list ports 'br-lan.29'
	list ports 'br-lan.30'
	list ports 'br-lan.31'
	list ports 'br-lan.32'
	list ports 'br-lan.33'
	list ports 'br-lan.34'
	list ports 'br-lan.39'
	list ports 'br-lan.301'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'

config bridge-vlan
	option device 'br-lan'
	option vlan '19'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '22'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '23'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '24'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '29'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '31'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '32'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '33'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '34'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '39'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '301'
	list ports 'lan3:t'
	list ports 'lan4:t'

config interface 'WLan0VLan10'
	option proto 'none'
	option device 'br-lan.10'

config interface 'WLan1VLan19'
	option proto 'none'
	option device 'br-lan.19'

CONFIG/WIRELESS

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT40'
	option country 'FR'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'MySSID'
	option isolate '1'
	option dtim_period '3'
	option encryption 'psk2+ccmp'
	option key 'MyWirelessKey'
	option ieee80211r '1'
	option mobility_domain 'MyDomain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'WLan0VLan10'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option htmode 'HE40'
	option channel '108'
	option country 'FR'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'MySSID'
	option isolate '1'
	option dtim_period '3'
	option encryption 'psk2+ccmp'
	option key 'MyWirelessKey'
	option ieee80211r '1'
	option mobility_domain 'MyDomain'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'WLan1VLan19'

CONFIG/DHCP

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option limit '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'LanUtil'
	option interface 'LanUtil'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Invite'
	option interface 'Invite'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'Hulk'
	option dns '1'
	option mac 'DumbAPX5000R'
	option ip '192.168.66.26'

config host
	option name 'Arachne'
	option dns '1'
	option mac 'DumbAPRT3200'
	option ip '192.168.66.96'

CONFIG/FIREWALL

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'LanUtil'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LanUtil'

config forwarding
	option src 'LanUtil'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'LanUtil'

config zone
	option name 'Invite'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Invite'

config forwarding
	option src 'Invite'
	option dest 'wan'

config rule
	option name 'LanUtil_DHCP_DNS'
	option src 'LanUtil'
	option dest_port '53 67-68'
	option target 'ACCEPT'

config rule
	option name 'LanUtil_BoxIP_protect'
	option family 'ipv4'
	list proto 'tcp'
	option src 'LanUtil'
	option dest 'wan'
	list dest_ip '192.168.0.254'
	option target 'REJECT'

config rule
	option name 'LanUtil_mafreebox_protect'
	option family 'ipv4'
	list proto 'tcp'
	option src 'LanUtil'
	option dest 'wan'
	list dest_ip '212.27.38.253'
	option target 'REJECT'

config rule
	option name 'LanUtil_VLC554'
	option family 'ipv4'
	list proto 'tcp'
	option src 'LanUtil'
	option dest 'wan'
	list dest_ip '212.27.38.253'
	option dest_port '554'
	option target 'ACCEPT'

config rule
	option name 'Invite_DHCP_DNS'
	option src 'Invite'
	option dest_port '53 67-68'
	option target 'ACCEPT'

config rule
	option name 'Invite_BoxIP_protect'
	list proto 'tcp'
	option src 'Invite'
	option dest 'wan'
	list dest_ip '192.168.0.254'
	option target 'REJECT'
	option family 'ipv4'

config rule
	option name 'Invite_mafreebox_protect'
	option family 'ipv4'
	list proto 'tcp'
	option src 'Invite'
	option dest 'wan'
	list dest_ip '212.27.38.253'
	option target 'REJECT'
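
As an added example (not code from the thread or from OpenWrt), a small parser for the UCI format posted above, used to check the one thing the guest design depends on: every `br-lan.N` member of `br-invite` must have a matching `bridge-vlan` section, and each such VLAN is either tagged on a trunk port towards the APs or is wireless-only (as VLANs 10 and 19 are in the posted config). The sample text is a constructed excerpt of the posted config in which VLAN 21 is deliberately left without a `bridge-vlan` section so the check fires.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the posted /etc/config/network.
# VLAN 21 deliberately has no bridge-vlan section so the check reports it.
SAMPLE_NETWORK = """\
config bridge-vlan
	option device 'br-lan'
	option vlan '10'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan3:t'
	list ports 'lan4:t'

config device
	option type 'bridge'
	option name 'br-invite'
	list ports 'br-lan.10'
	list ports 'br-lan.20'
	list ports 'br-lan.21'
"""


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, options);
    options maps each key to the list of values it was given."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)
        if parts[0] == 'config':
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            sections.append((parts[1], name, defaultdict(list)))
        elif parts[0] in ('option', 'list') and sections and len(parts) == 3:
            sections[-1][2][parts[1]].append(parts[2].strip("'\""))
    return sections


def check_guest_bridge(text, bridge='br-invite'):
    """Classify every br-lan.N member of the guest bridge: 'missing' when no
    bridge-vlan section defines it, 'trunked' when that VLAN is tagged on at
    least one port, 'wireless_only' when it is defined but carried on no port."""
    sections = parse_uci(text)
    vlan_ports = {}
    for stype, _, opts in sections:
        if stype == 'bridge-vlan' and opts['device'] and opts['vlan']:
            vlan_ports[(opts['device'][0], opts['vlan'][0])] = opts['ports']
    report = {'missing': [], 'wireless_only': [], 'trunked': []}
    for stype, _, opts in sections:
        if stype != 'device' or opts['name'] != [bridge]:
            continue
        for member in opts['ports']:
            m = re.fullmatch(r'(br-\w+)\.(\d+)', member)
            key = (m.group(1), m.group(2)) if m else None
            if key not in vlan_ports:
                report['missing'].append(member)
            elif any(p.endswith(':t') for p in vlan_ports[key]):
                report['trunked'].append(member)
            else:
                report['wireless_only'].append(member)
    return report
```

Run it against the real file with `check_guest_bridge(open('/etc/config/network').read())`; a member in `missing` is a VLAN the bridge references but the switch never creates, which is exactly the kind of gap that shows up as DHCP replies that never reach a client.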

What is the intent with br-invite? I’m not entirely certain that this is a valid method of configuration, but it also defeats the purpose of creating VLANs in the first place if you then bridge them together like this.

The background idea was to have every guest isolated from each other while belonging to the same IP segment (single DHCP server).

For any guest the LAN network looks like a single wire straight to the internet.
Therefore a wired smart TV, DVD reader, ISP TV adapter, but also a wireless iPad, smartphones, etc. have access to the internet but cannot see each other.

If I had a single VLAN for the guest network they could see each other.
If I do not bridge the VLANs for each guest I have one DHCP server per VLAN.

It doesn’t work like this for many reasons.

There is a solution that works for a single ap - WiFi client isolation will prevent all WiFi clients on a given network from seeing each other. However, they can see wired devices on the same network, so if you have a second ap, the clients on one ap will appear as if they are wired clients from the perspective of the ones connected to the other.

Would this be a reasonable approach for your situation?

it doesn't work like this for many reasons

Sorry to say, but it works. See above one of my configs:
Router WRT32X (21.02.3) + AP RT3200 (22.03.3) + AP X5000R (22.03.3)
There is only one thing that I didn't detail, which is the need to block the default bridge forward mode and manage bridge forwarding using the firewall (forward mode is enabled by default).
Nevertheless, with or without bridge forwarding, using the RT3200 (22.03.3) as router does not work with the AP RT3200 (22.03.3) while it does with the AP X5000R (22.03.3). Why do the two APs behave differently?

This is the inconsistency that I do not understand.
I have to admit that I didn't try to update the WRT32X to 22.03.3.

There is a solution that works for a single ap - WiFi client isolation will prevent all WiFi clients on a given network from seeing each other. However, they can see wired devices on the same network, so if you have a second ap, the clients on one ap will appear as if they are wired clients from the perspective of the ones connected to the other.

As you write above, it doesn't meet my requirement of isolation between guests of the same network. Meaning I'll have to set up as many networks as ports, with separate address segments. Ugly!

Normally, a bridge acts as a software defined unmanaged switch. So bridging a bunch of vlans (especially bridge vlans) would typically defeat the purpose of creating the VLANs. I’m not really sure how the VLANs remain separate (especially with respect to things like DHCP servers) and how the client devices get assigned to the correct network when you bridge them all together.

But, beyond what I would normally advise and expect from this type of situation, I honestly don’t have knowledge about why your setup works at all. Therefore, since I may not really be able to help you solve the issue, I’m going to step away from this thread (I’ll keep reading, though — I’m interested in learning). Hopefully someone else will be able to assist, though!


THX for your time.
Could you please forward this thread to somebody else known to have the appropriate knowledge?

I’m not sure who has this particular knowledge/experience. Hopefully someone who does will read this thread.

Hi,
I hope that some bridge or VLAN guru will spend the time to read this.

I made some more extensive tests, still with exactly the same config (see details above). As a summary, the guest network (Invite) is a bridge of VLANs (Ethernet ports and Wi-Fi interfaces).

Router WRT32X running 21.02 => 3 different dumb APs (X5000R, RT3200, WT3020) work fine over either wired or CPL link (reachable, Ethernet OK, wireless OK)

Router WRT32X running 22.03 => X5000R running 22.03 works over wired link (reachable, Ethernet OK, wireless OK)
Router WRT32X running 22.03 => X5000R running 22.03 has problems over CPL link (reachable, Ethernet OK, wireless no DHCP)
Router WRT32X running 22.03 => RT3200 running 22.03 works over wired link (reachable, Ethernet OK, wireless OK)
Router WRT32X running 22.03 => RT3200 running 22.03 has problems over CPL link (reachable, Ethernet OK, wireless no DHCP)
Router WRT32X running 22.03 => WT3020 running 22.03 has problems over either wired or CPL link (not reachable)
Router RT3200 running 22.03 has the same behaviour as WRT32X running 22.03

The concern is not coming from the router.
The concern depends on the OpenWrt release, 21 or 22.
The concern depends on the AP; I suspect something different between true DSA devices (X5000R and RT3200) and a DSA-like device (WT3020).

While I can understand that CPL is not ideal, I do not understand why 21.02 works fine under any wiring conditions with any AP while 22.03 has problems with the CPL link.

The other problem is related to the WT3020: why does the 21.02 router connect without problem while 22.03 does not see the AP (DHCP process not completed), even when connected straight to the router?

Most probably some changes happened either in the bridge management or the VLAN management (or both?) between 21.02 and 22.03, while DSA was there since 21.02 and therefore normally no change.

Does this ring a bell with somebody in the OpenWrt community?

Some more tests:

  • a change of powerline adapters does not improve things
  • wireless on a single VLAN (not part of the bridge) works well over powerline (CPL) with 22.03

Why doesn't it work when the VLAN is part of a bridge using 22.03, while it works well using 21.02?

Maybe it's some edge case regarding loops. But I agree with @psherman. Bridging a bunch of vlan will not accomplish anything. Vlans are just a way to transfer network packets through virtual links. At their source or destinations there is no "vlan".

Back to the motivation:
a) have a guest network spread across router and dumb APs
b) any wired/wireless client of the guest network is separated from any other (no client-to-client communication)
c) single DHCP server

I am open to considering any suggested config meeting these requirements.
THX for your proposals

This is normally accomplished by normal (not bridged-together) VLANs.

This is tricky when dealing with multiple APs in general. You can easily set wifi client isolation which will prevent any two wifi clients on the same AP from talking to each other. The problem is that when you have multiple APs, the clients on one AP will appear as if they are wired relative to the clients connected to another AP. This means they will be able to talk to each other.

One way to fix this is to use a managed switch (usually mid-range and up, low end ones don't have this feature) that has "port isolation" to prevent the two APs from talking to each other.

Again, normally handled with typical VLANs.

It seems to me that your approach of bridging all the VLANs is exactly counter to what you want to achieve.

Use dynamic vlan with wpa enterprise/radius service.

For wired you have a few options. Switches with port isolation that @psherman mentioned, or switches with similar dynamic vlan/radius service.

Maybe you can use batman-adv as wired backhaul with OpenWrt. Batman-adv has extended isolation.

Combine with a managed switch if you have more clients that need to be isolated, but you’d need to set up VLANs for each device. («VLANs» in this particular context meaning an interface or interface/bridge that is connected via VLAN to their respective clients)

Lots of possibilities. Good luck!

This is tricky when dealing with multiple APs in general. You can easily set wifi client isolation which will prevent any two wifi clients on the same AP from talking to each other. The problem is that when you have multiple APs, the clients on one AP will appear as if they are wired relative to the clients connected to another AP. This means they will be able to talk to each other.

One way to fix this is to use a managed switch (usually mid-range and up, low end ones don't have this feature) that has "port isolation" to prevent the two APs from talking to each other.

No! This is precisely the motivation of this config based on bridged VLANs. No need for an extra managed switch. THX to OpenWrt for being versatile and having great flexibility. With the bridged VLANs config and bridge forward control enabled (disabled by default) using the firewall (kmod-br-netfilter), you can obtain exactly what I describe, with or without APs.

I moved the failing AP to a wired connection that I was able to set up in place of the CPL and it works fine (except the WT3020).
Don't understand why it fails on CPL (two different types, with ping and jitter comparable to cable); I'll have to live with it...

THX for the suggestions.
802.1X is very interesting (dynamic VLANs), at the cost of a RADIUS server and mainly the full authentication process, meaning clients must be declared in the RADIUS database. This is not very flexible for friends coming over.
Will have to look in more detail at Batman, which I don't know yet.

I am aware of the bridge firewall features, but I've honestly never used them and I know they have some quirks. (traditionally L2 networks cannot be filtered, but I know it is possible with this method). Maybe it's a bit different in the new realm of DSA -- this is something I'd most certainly like to learn about.

If you have the opportunity when your full system is working, please share your final config and explain any quirks or special bits of the config pertaining to the bridge filtering. This will be useful for me to learn and probably many others on this forum.

No problem.
However, I was a bit optimistic after being able to communicate with the remote AP. Presently the forward control of the bridge doesn't work on 22.03 as it perfectly does on 21.02.
I'll open a new thread and come back when it is solved.