DSA Vlan works for wired but not wireless

Hi,

After configuring DSA Vlan, wired is working, wireless is not. Where am I going wrong? I have reviewed many posts on the forum and reddit but cannot find the missing piece.

Netgear WAX206 with OpenWrt 23.05.2. Trying to configure a simple VLAN setup to understand how VLANs work on OpenWrt and expand later.

Here are the steps I followed using Luci:

Bridge device:

  1. Went to Network > Interfaces > Devices.
  2. Configure the bridge device br-lan.
  3. Go to bridge vlan filtering tab.
  4. Enable VLAN filter and add vlan 10.
  5. Set all the ports (4) to untagged and enabled local.

Interface

  1. Go to network > interfaces
  2. Edit lan.
  3. Set device to br-lan.10

Wireless

  1. Go to Network > Wireless
  2. Edit SSID
  3. Network already set to LAN.
  4. If I hover, I can see "Software VLAN br-lan.10".

If I save, the router automatically rolls back after x time (I love this feature btw, great to see this in OpenWrt) because my wireless device cannot reach the router. I know wired is working as I left ping running in tmux sessions on one of my wired servers.

Thanks!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I also have this issue. For some reason some devices have trouble communicating with some wired LAN device under a VLAN. Not all devices have this issue, since the majority of them are working (e.g. they can connect to my NAS, which is a member of that VLAN), but all my IP cams and ESP dev boards are no dice.

I did manage to fix it. First, go to the Devices tab and add a new device, select bridge as the device type and choose the VLAN ID you want to attach that bridge to (in your case it's br-lan.10); save the changes and apply. Now add or edit the interface you want that VLAN to get assigned to and make sure to choose the "Bridge" where VLAN 10 is attached, not the 802.1q VLAN itself; after that hit save and apply.

I also needed to go to my wireless SSID, remove the current SSID and re-add it. After that it works great; all devices can now communicate with that VLAN, including the wired devices.

Device in broken state with VLAN 10 configured:

Wired working
Wifi not working

Requested outputs:

{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Netgear WAX206",
	"board_name": "netgear,wax206",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<REDACTED>::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel 'auto'
	option band '2g'
	option htmode 'HT20'
	option country 'AU'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel 'auto'
	option band '5g'
	option htmode 'HE80'
	option country 'AU'
	option cell_density '0'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'FOOBAR5'
	option encryption 'psk2'
	option key 'REDACTED'
	option network 'lan'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'FOOBAR2'
	option encryption 'psk2'
	option key 'REDACTED'
	option network 'lan'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'FOOBAR2-Guest'
	option encryption 'psk2'
	option isolate '1'
	option key 'REDACTED'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'FOOBAR5-Guest'
	option encryption 'psk2'
	option isolate '1'
	option key 'REDACTED'
	option network 'lan'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	list server '127.0.0.1#5054'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '127.0.0.1#5054'
	list doh_backup_server '/mask.icloud.com/'
	list doh_backup_server '/mask-h2.icloud.com/'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '127.0.0.1#5053'
	list doh_server '127.0.0.1#5053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

Unless you intend to add additional VLANs, I'm not sure what you're trying to achieve by adding VLAN10. But that said, you should explicitly designate each port's status -- in this case, add :u* to indicate that it is untagged + PVID:

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

I see several SSIDs -- do any of them work? What specifically happens when you try to connect? Does your computer get an IP address?

On this one, your guest network would have access to all of the wired devices on your lan, and they may also have access to wifi devices on the lan (via the other SSIDs), too. They just won't be able to reach another network on the same SSID. Therefore, your guest network should be an entirely different subnet if your goal is to isolate guest devices from your lan.
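An added check, not posted by anyone in this thread: a POSIX shell function that reads an `/etc/config/network` dump on stdin and lists every `bridge-vlan` port that has no explicit `:u*`, `:u` or `:t` qualifier (the implicit form the reply above advises against), or that carries a qualifier it does not recognise. The function names are assumptions; the sample config is a constructed copy of the `bridge-vlan` section posted earlier in the thread, beside the same section with `:u*` added.

```shell
#!/bin/sh
# Added example. Audit the bridge-vlan sections of an OpenWrt
# /etc/config/network dump: print one line per port listed without an
# explicit qualifier (or with an unrecognised one) and return 1 if any
# were found, 0 otherwise. Ports of other section types (e.g. the plain
# "config device" bridge) are ignored. Function names are assumptions.
audit_bridge_vlan_ports() {
    awk -v q="'" '
        function strip(s) { gsub(q, "", s); return s }
        # Report the ports collected for the section that just ended.
        function flush(    i) {
            if (in_vlan && n > 0) {
                for (i = 1; i <= n; i++)
                    printf "%s vlan %s port %s: %s\n", dev, vid, bad[i], why[i]
                found = 1
            }
            n = 0
        }
        /^config / { flush(); in_vlan = ($2 == "bridge-vlan"); dev = ""; vid = "" }
        in_vlan && $1 == "option" && $2 == "device" { dev = strip($3) }
        in_vlan && $1 == "option" && $2 == "vlan"   { vid = strip($3) }
        in_vlan && $1 == "list"   && $2 == "ports"  {
            port = strip($3)
            if (index(port, ":") == 0) {
                bad[++n] = port; why[n] = "no qualifier (implicit)"
            } else {
                qual = substr(port, index(port, ":") + 1)
                # Accepted qualifiers: t, u, *, t*, u* (tagged/untagged, * = PVID)
                if (qual == "" || qual !~ /^[tu]?\*?$/) {
                    bad[++n] = port; why[n] = "unrecognised qualifier"
                }
            }
        }
        END { flush(); exit (found ? 1 : 0) }
    '
}

# Constructed copy of the bridge and bridge-vlan sections posted in the thread.
sample_broken() {
    cat <<'EOF'
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
EOF
}

# The same bridge-vlan section with every port explicitly untagged + PVID.
sample_fixed() {
    cat <<'EOF'
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
EOF
}

# Stand-alone demonstration on the constructed broken sample.
if sample_broken | audit_bridge_vlan_ports; then
    echo "every bridge-vlan port carries an explicit qualifier"
else
    echo "add :u* (untagged + PVID) or :t (tagged) to the ports listed above"
fi
```

On a live device the same function can be fed the real file with `audit_bridge_vlan_ports < /etc/config/network`; a non-zero return means at least one VLAN member port depends on the implicit default rather than a stated tagged/untagged role.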

The plan is to add a few more segments and trunk the VLANs to another switch. Are ports untagged implicitly? Typically you should not use PVID for security reasons.

I'm able to connect to the SSID but from what I can tell DHCP is failing which leads me to believe there is some plumbing missing for wireless > interface.

Guest network is non-goal at the moment, since east-west traffic is already blocked by guest mode.

Ok... I assume you have a managed switch?

It seems so, yes, but it is always best to be explicit here.

No, this is not a correct statement. PVID has nothing to do with security. It is a way of specifying the VLAN to which untagged traffic should be assigned. The ports, in this case, are already operating with untagged VLAN 10... PVID simply ensures that the ingress traffic is properly associated with that VLAN. In some implementations (such as TP-Link, Netgear, and Ubiquiti EdgeOS), PVID is actually the way that you select the VLAN that will be untagged (in general) on a port.

There is no missing plumbing, AFAIK. I'm not seeing anything specific that would cause DHCP to fail.

I would recommend removing all the extra SSIDs -- just have one on each band associated with the lan.

What do you mean "east-west traffic" being blocked by guest mode? What guest mode are you talking about here?


I will.

Ack.

Never mind, I'm confusing PVID with VLAN 1 best practices.

I don't see how this will help? I have SSID for 2.4GHz and 5GHz bands.

There is something blocking communication to the vlan interface. Any other ideas here?

I was referring to isolate=1 configuration.

You currently have 4 ssids, 2 on each band and using the same underlying network. Remove the guest ssids and see if that helps.

Nope, that is not how isolate works. It can only isolate clients from each other that are connected to the same SSID; it does not isolate wired clients, for example, from the guest devices - they will still be able to reach each other. And I suspect that the guest devices will also be able to reach the non-guest WiFi clients, too.

Also, there's nothing wrong with VLAN 1. Again, the VLAN ID is not relevant to security. VLAN 1 is totally fine -- there is no inherent security risk using it. And there is nothing from a best practices perspective that suggests that VLAN 1 is problematic. While I'm sure you may be able to find some people who prefer not to use it and have various justifications for that opinion, this is by no means a universal or common concern.

I'm observing similar symptoms with my WAX202 unit, running OpenWRT 23.05.2 too. @gp33 - did you make any progress?

Hi @gift5640 there seems to be a bug in either OpenWRT or Luci. I suspect it is not restarting the wireless interfaces/radios when re-configuring for VLAN filtering.

I was able to get this working by configuring an additional foobar SSID on each radio at the same time as configuring the VLAN filtering. Apply and save, and it should be working; then delete the additional SSID.

If I configured an additional SSID on the 2.4GHz radio only, then only the 2.4GHz SSIDs would work.

Thanks for that info!
After further playing around, I observed that if I simply rebooted the device after setting the config, it worked.
Frustrating that a reboot is required though.


Nice! So that confirms the affected services are not being restarted on the device.
