Dumb AP clients cannot reach internet through VLAN

Router : Dlink Dir-885L

OpenWRT Version : OpenWrt SNAPSHOT, r18684-0c635cf830

Hey I am having a hell of a time configuring my AP.

I set up a VLAN in pfsense as well as created a DHCP server in pfsense.

vlan IP subnet : 192.168.100.0/24
router IP : 192.168.100.100
gateway : 192.168.100.1
firewall IP : 192.168.1.1

I've connected my router to the VLAN port as a DHCP client and have assigned a static MAC address for the LAN connection so that the router gets the same address each time it restarts (because the port MAC is randomized on each reset and static IP assignment does not work with the VLAN). The router can update opkg and ping other subnets and is fully internet accessible.

Here's where the problems start. After I create a wifi network and try to connect a client to it, I cannot get assigned an IP address. My DHCP requests do not get received by my firewall. The router gets one when I plug it in but none of my wireless clients will.
I have found a workaround by adding this line to dnsmasq.conf:

dhcp-relay=192.168.100.100,192.168.1.1

This allows me to get an IP address from my firewall.

When my wireless client gets on the wireless network with an IP, for example 192.168.100.8, it does not have an internet connection. Capturing packets at the firewall shows no traffic or requests coming from 192.168.100.8. On my client I cannot ping the gateway 192.168.100.1 or 192.168.1.1. I can only ping the router 192.168.100.100.

So basically the way I see it right now, the wifi clients can only get to the router but no farther; that's why they cannot receive IP addresses in the first place. I've got rules set on the firewall to allow any and all traffic on the wifi VLAN.

I've tried all types of configurations over the past 3 days and I cannot get anywhere. I've disabled the DHCP and firewall on the router and tried everything in the dumb AP tutorial. I've also tried all different types of wifi networks. The only thing I am not doing normally is using DHCP for the router IP, because static addresses do not work over the VLAN. If anyone has any help they could lend me I would really appreciate it.

Here are copies of my network settings.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option macaddr '86:19:ed:97:34:1a'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'
	option dns '192.168.100.1'

/etc/config/dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "5.10.92",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "D-Link DIR-885L",
	"board_name": "dlink,dir-885l",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r18684-0c635cf830",
		"target": "bcm53xx/generic",
		"description": "OpenWrt SNAPSHOT r18684-0c635cf830"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option macaddr '86:19:ed:97:34:1a'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'
	option dns '192.168.100.1'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2+ccmp'
	option key '1234567890'
	option network 'lan'

package dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.100.100/24 brd 192.168.100.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.100.1 dev br-lan  src 192.168.100.100 
192.168.100.0/24 dev br-lan scope link  src 192.168.100.100 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.100.0 dev br-lan table local scope link  src 192.168.100.100 
local 192.168.100.100 dev br-lan table local scope host  src 192.168.100.100 
broadcast 192.168.100.255 dev br-lan table local scope link  src 192.168.100.100 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Jan 31 11:59 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Feb  4 08:51 /tmp/resolv.conf
-rw-r--r--    1 root     root            81 Feb  4 08:51 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            81 Feb  4 08:51 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 192.168.100.1
nameserver 192.168.100.1
search private

There is no VLAN here. The basic dumb AP which you are trying to set up has only one network, lan. Wifi or wired users are bridged back to the main router on an untagged Ethernet interface. This will be one of the LAN ports. The WAN network and port are unused in a dumb AP. As an optional step, you can delete the wan and wan6 networks and move the wan physical port into br-lan so it works the same as the other 4 lan ports.

The dumb AP needs to have an IP address in order to log into it. This should be within the same subnet that the main router is using, but of course not the same IP as anything else in the network. The clients are bridged (or hardware switched) at layer 2, so it does not matter what the dumb AP's IP is. They will interact directly with the main router.

I don't understand the "firewall IP" being different from everything else. The main router should support plugging a laptop into the port you are going to use for the dumb AP, and grant that laptop a DHCP IP and Internet access. If not, you need to fix the configuration of the main router.

Ethernet MAC should be the same on every bootup, and within a few numbers of the factory determined MAC on the nameplate sticker. If not there is a bug. Some models do use a firstboot script to create a device definition with the factory MAC within /etc/config/network. This generally should not be altered or deleted.

2 Likes

Sorry my original post is confusing I will give a better explanation.

I have a pfsense firewall as well as a Cisco Catalyst 2960S, and I have configured the Cisco switch and firewall to work as a VLAN for my wifi using the 192.168.100.0/24 network. The firewall runs the DHCP server and DNS resolver. My main LAN network with my workstations is 192.168.1.0/24. The router can contact the internet successfully but none of the wireless clients are able to communicate with the gateway interface 192.168.100.1.

Are your VLANs configured properly? Does your firewall accept connections from 192.168.100.0/24? Does your firewall have the appropriate configuration to route those clients to the internet and/or other VLANs?

Yes, I have an outbound NAT rule allowing all traffic from 192.168.100.0/24 as well as a rule allowing all traffic on the wifi's VLAN. The router itself has no problem connecting to the internet.

If you plug a wired client into the dumb AP's switch...

  • does it get a DHCP lease on the correct subnet and with all of the correct parameters?
  • does it have the expected connectivity to the other subnet(s) in your network?
  • does it have proper internet connectivity?

So I just tested with my desktop.

With this line in dnsmasq.conf:

dhcp-relay=192.168.100.1,192.168.1.1

I get an IP address 192.168.100.12 assigned to my desktop from the DHCP server on the firewall. I cannot ping 192.168.100.1 but I can ping the router at 192.168.100.100.

When I removed that line from dnsmasq.conf, rebooted the router and tried again, I was not able to get an IP address.

Repeat the same test, but this time unplug the OpenWrt device from the upstream network and connect your desktop directly to your upstream network via the cable that was plugged into OpenWrt device.

In plain terms, the idea here is that the OpenWrt device will be completely out of the equation.

Report back with the result.

OK, interesting result: my desktop was able to get an IP address 192.168.100.16 but it was unable to access the internet. I cannot ping 192.168.100.1 but I can ping 192.168.1.1.

So the problem is not on the OpenWrt side of things. Check your pfsense and Cisco configs. Once those are working, try again with OpenWrt.

OK, there was indeed a problem with the VLAN. After deleting it and starting over I am able to have other devices assigned an IP address in 192.168.100.0/24 over the same VLAN, and they all have access to each other and can communicate over the internet. I have tested it on a raspi, my desktop, laptop and another computer, so the VLAN is working as intended. Now that I have my OpenWrt router on it, I can update opkg and wget files, but the wifi network will not assign an IP address, so I am back where I started. If I forward dhcp-relay=192.168.100.100,192.168.1.1 I will get an IP address but no internet connectivity.

Reset your OpenWrt router to defaults and follow the guide for a dumb AP setup. Connect the upstream via one of the LAN ports and it should just work. If you want to be able to use the WAN port, that's usually possible with a quick adjustment to the config, but get it working first on the LAN port.

You don't need to do dhcp-relay or anything like that... a dumb AP is just a simple bridge and doesn't require any special routing, DHCP options, etc.

I've downloaded the stable release for my router, not the snapshot. I have then configured it the same as in the Dumb AP guide; the only difference is that I configured its IP address as a DHCP client. My wireless clients cannot receive IP addresses and I do not see any DHCP requests coming into my router for the wireless clients. I have captured packets on the VLAN interface and none of the requests from the wireless clients are making it past OpenWrt.

If this is still current, remove the netmask, gateway, and dns. Those will be provided by the DHCP server.

Are you connecting to one of the LAN ports on the dumb AP?
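As an added example (not code from this thread or from OpenWrt), a small Python linter that parses UCI config text and checks the points the replies above make about a dumb AP: static-only options that have no effect under proto 'dhcp', a local DHCP server that should be switched off, and every enabled AP bridged to 'lan' so clients reach the upstream DHCP server. The parser and the sample configs are constructed here for illustration.

```python
"""Added example, not code from the thread: lint OpenWrt UCI text for the
dumb-AP invariants discussed in the replies. Parser and samples are constructed."""
import re

_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text):
    """Parse UCI text into sections {'type', 'name', 'opts'}.
    Repeated 'list' entries are collected into Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [t.strip("'\"") for t in _TOKEN.findall(line)]
        if parts[0] == "config" and len(parts) >= 2:
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None,
                             "opts": {}})
        elif parts[0] == "option" and sections and len(parts) >= 3:
            sections[-1]["opts"][parts[1]] = parts[2]
        elif parts[0] == "list" and sections and len(parts) >= 3:
            sections[-1]["opts"].setdefault(parts[1], []).append(parts[2])
    return sections


def lint_dumb_ap(network_text, dhcp_text, wireless_text):
    """Return findings as strings; an empty list means the config follows the
    dumb-AP pattern: one 'lan' interface, local DHCP off, every enabled AP on 'lan'."""
    findings = []
    lan = next((s for s in parse_uci(network_text)
                if s["type"] == "interface" and s["name"] == "lan"), None)
    if lan is None:
        return ["network: no 'lan' interface defined"]
    o = lan["opts"]
    if o.get("proto") == "dhcp":
        # Under proto 'dhcp' these are supplied by the upstream server; setting them is dead config.
        findings += [f"network lan: '{k}' has no effect with proto 'dhcp'"
                     for k in ("netmask", "gateway", "dns") if k in o]
    elif o.get("proto") == "static":
        findings += [f"network lan: static proto is missing '{k}'"
                     for k in ("ipaddr", "netmask", "gateway", "dns") if k not in o]
    for s in parse_uci(dhcp_text):
        if (s["type"] == "dhcp" and s["opts"].get("interface") == "lan"
                and s["opts"].get("ignore") != "1"):
            findings.append("dhcp lan: local DHCP server is active; set ignore '1' on a dumb AP")
    wifi = parse_uci(wireless_text)
    disabled = {s["name"] for s in wifi
                if s["type"] == "wifi-device" and s["opts"].get("disabled") == "1"}
    for s in wifi:
        if s["type"] != "wifi-iface" or s["opts"].get("device") in disabled:
            continue
        if s["opts"].get("network") != "lan":
            findings.append(f"wireless {s['name']}: AP must be bridged to 'lan'")
        if s["opts"].get("encryption", "none") == "none":
            findings.append(f"wireless {s['name']}: open SSID, no encryption configured")
    return findings
```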

It was set without those at the time of my last post, and I am plugging it into a LAN port on my router. After doing more testing I've configured the router to use a static IP address in /etc/config/network over the VLAN. My wireless clients are still unable to receive an IP address from my DHCP server unless I forward dhcp-relay=192.168.100.100,192.168.1.1

Using tcpdump -n -i wlan1

I am seeing my wireless device search for 192.168.100.1:

15:25:41.535261 ARP, Request who-has 192.168.100.1 tell 192.168.100.25, length 28

Packet capture at the firewall shows no traffic coming through the VLAN network from my wifi client.

The router still has access to the internet and can access 192.168.100.1, but the wireless clients don't seem to be able to find the gateway for some reason. I think my router may have issues running OpenWrt currently, based off of another user's bug report.

Did this topic come to a positive end?
I am asking because I have a very similar setup and exactly the same symptoms:
The clients that are connected via wifi don't get an IP address.
If the clients are connected via a LAN port of the router, everything works as expected and they get an IP address from the DHCP service on the pfSense.
Does it make sense to continue this thread or should I create a new one?

Not sure how the OP configured their network that clients could not obtain DHCP services from pfSense, but there is a misconception that you must have VLAN-managed switches to utilize VLANs. If the switch is only for your wireless infrastructure you are actually better off utilizing a dumb unmanaged switch and just letting the OpenWrt dumb APs send VLAN tags directly to pfSense without any further processing in the switch. I have never come across a cheap unmanaged no-name brand switch that will not pass through VLAN tags unfettered. Effectively the unmanaged switches are operating in trunk mode. PS: The only time I need to use managed VLAN switches is when there are non-VLAN-aware devices on the network, like credit card payment terminals, that require configuring the access ports. Also some Windows desktop PCs with cheap NICs that do not have the option to configure VLANs.

By default the pfSense DHCP server will listen on all networks; however, you will still need to go to each VLAN tab in the GUI to turn on the DHCP server for that particular VLAN and also set the address range. Allowing access to the internet requires you to set up rules in the firewall for each VLAN, which you can just copy over from the default rules on LAN.

I would recommend opening your own thread. This way we can dive into the details without confusing future readers.

I wholeheartedly disagree. IMO, this is bad advice, and bad practice. While it is true that some unmanaged switches will pass VLANs properly, the behavior of tagged frames through an unmanaged switch is, by definition, undefined. Unmanaged switches are designed to work with a single, untagged network. Passing VLANs through unmanaged switches can, in some cases, cause major problems -- some switches may simply not pass the tagged networks. Others may strip the tags and actually cause major issues by combining the networks when they should be kept separate. Furthermore, even in a best-case scenario, unmanaged switches have no mechanism by which an administrator can specify which ports should be members of any given VLAN. Therefore, all VLANs may be accessible on all ports. There are also other potential side effects, such as reduced network efficiency and even mixing of broadcast domains under certain circumstances.

The price of managed switches these days is only marginally more than some unmanaged switches, and configuring them is not particularly complicated. If you're working with VLANs, the correct way to do so is to use managed switches anywhere that tagged networks are used.

4 Likes