DSA VLAN on Asus Lyra as AP Only

I'm setting up a pfSense firewall as the router, and VLAN master node, and want to use OpenWRT for getting VLAN out as Wifi networks around my house.

I have 3 VLANS I want to configure, and have tried every method / tutorial I can find with no luck.

I've read documentation, watched multiple videos (all of which 1. show different ways of doing this, and 2. never show the VLAN having any connection to the internet, even if successful).

I'm frustrated at this point, but really want to understand how to make this work. I just don't get any feedback on what is or isn't happening when I connect things up, beyond not getting a DHCP address passed along from pfSense, through OpenWRT to my device.

If I connect directly to the pfSense box, I get an address. If I just setup OpenWRT as a "dumb" AP with no VLANs I get an address via DHCP from pfSense, so I know it can work, but there's something I'm missing (obviously) when it comes to the VLAN tagging setup.

I have successfully done this using pfSense and DD-WRT in the past, so I feel confident in my pfSense configuration as well.

My question: How can I troubleshoot? I've tried pinging the pfSense box using the diagnostics screen in OpenWRT, and the main LAN address will work in some ways I've set it up, but still nothing from the VLAN pings...beyond that and hoping for an IP via DHCP, I am a bit stuck on what to try, or look for. Any help is greatly appreciated.

Hi

best is to reset your device to factory default and then paste here your untouched

cat /etc/config/network

then someone could guide you with the rest of setup

Ok, here's the base install /etc/config/network information:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd65:a770:2311::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

Thanks so much, I can also provide any setups I've attempted. I'll need to re-create them, but if helpful, I can do that as well.

Hi

ok, what is a vlans IDs?
and which vlan will be a management vlan ?
and which vlans will be tagged/untagged ?

Ok, I have the main LAN as 192.168.22.1 on pfSense. I then have 3 VLANs defined as 192.168.3.1, 192.168.4.1, and 192.168.5.1, being VLAN IDs of 3, 4, and 5 respectively.

I would like to keep the .22 subnet for direct access to the pfSense box, and the AP, but if it's not possible, we could add another VLAN id of 6 for that purpose, and use 192.168.6.1 on pfSense, and some other ip on the AP in the same subnet.

Does that answer the questions?

ipq40xx has been moved from swconfig (and a very temperamental/ broken driver) to DSA with master and 23.05~, don't spend your time chasing the particular quirks of that driver, upgrade to 23.05.0-rc2 and start fresh with the DSA driver.

Ok, I'll give it a try for sure. I didn't think moving to an RC would be a good option, but willing to try it for sure.

It is a better option than trying to wrap your head around VLAN tagging with the ipq40xx/ essedma swconfig driver (I would (and did) even say this before -rc1, using random daily master snapshots, the difference is that huge, at least as soon as custom VLANs configurations enter the picture).

Hi

as @slh wrote, it is better to switch to RC
i was using Mikrotik HAP AC2 with same problematic essedma driver, and i was happy when platform finally switched to DSA driver in 23.05 branch

so, yes, please, update FW on your device