Dumb AP VLANs per SSID

I have OpenWRT devices across my network, all on version 23.05 (x86 router, two managed switches and three access points). I have several VLANs running flawlessly on the wired part of the network, allowing me to isolate cameras, IoT devices, etc., managed by configuring tagging on the switch ports and then firewalling by VLAN on the x86 router.

My next step is to create additional SSIDs on the dumb APs, which I can then pass on to the wired network with the appropriate VLAN tags, which will then be filtered by the firewall on the router. I've tried various methods, but I either end up locked out of the AP (unable to access the management interface even over wired), or when I connect to my new SSID on a separate VLAN it's not getting a DHCP IP from the router, and setting a static IP doesn't help. Connecting to the 'main' SSID, which is linked to 'lan', works fine.

My router is configured to give DHCP leases on the relevant VLAN subnets, e.g. 192.168.1.x for VLAN1 and 192.168.30.x for VLAN30.

Config as below.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6b:e2f1:2863::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.11'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.254'
	list dns '192.168.1.254'

config device
	option name 'br-management'
	option type 'bridge'
	list ports 'eth0.100'

config interface 'VLAN100'
	option device 'br-management'
	option proto 'none'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.30'

config interface 'VLAN30'
	option device 'br-iot'
	option proto 'none'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'ffe0a000.pcie/pcia000:02/a000:02:00.0/a000:03:00.0'
	option channel '48'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'main'
	option encryption 'sae-mixed'
	option key ''

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'ffe09000.pcie/pci9000:00/9000:00:00.0/9000:01:00.0'
	option channel '11'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'main'
	option encryption 'sae-mixed'
	option key ''

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IOT'
	option encryption 'psk2+ccmp'
	option key ''
	option network 'VLAN30'

Add option network 'VLAN30' to this section, reboot and try again.

EDIT:

Sorry, I saw this a little late.

How do you expect to access the AP through the management interface if the protocol is set to 'none', meaning no IP address?
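Added example (mine, not config or code from anyone in this thread): a small Python lint that parses the posted UCI text and reports the two points raised so far, a management interface left at proto 'none' and an SSID without a matching network, plus the inverse check that client VLANs such as VLAN30 do stay at proto 'none', so the AP has no address that IoT clients could reach. Assumptions: the minimal parser only handles the quoted 'option'/'list' syntax as posted, the mgmt tuple naming which interfaces should carry the AP's own address is mine, and the embedded configs are a trimmed copy of the original post.

```python
import re

# Constructed sample: the AP's /etc/config/network and /etc/config/wireless as
# posted in the thread, trimmed to the sections the checks below look at.
NETWORK_CFG = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.11'
config device
    option name 'br-management'
    option type 'bridge'
    list ports 'eth0.100'
config interface 'VLAN100'
    option device 'br-management'
    option proto 'none'
config device
    option name 'br-iot'
    option type 'bridge'
    list ports 'eth0.30'
config interface 'VLAN30'
    option device 'br-iot'
    option proto 'none'
"""
WIRELESS_CFG = """
config wifi-iface 'default_radio0'
    option network 'lan'
    option ssid 'main'
config wifi-iface 'wifinet3'
    option ssid 'IOT'
    option network 'VLAN30'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]*)'?)?\s*$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+(?:'([^']*)'|(\S+))\s*$")


def parse_uci(text):
    """Minimal UCI parser: [{'type', 'name', 'opts'}]; 'list' keys accumulate into lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2) or "", "opts": {}})
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            val = m.group(3) if m.group(3) is not None else m.group(4)
            opts = sections[-1]["opts"]
            if m.group(1) == "list":
                opts.setdefault(m.group(2), []).append(val)
            else:
                opts[m.group(2)] = val
    return sections


def lint_dumb_ap(network_text, wireless_text, mgmt=("VLAN100",)):
    """Findings for a dumb AP that bridges each SSID onto its own tagged VLAN.
    mgmt (assumption): interfaces meant to carry the AP's own address; they need
    proto static/dhcp, every other interface should be proto 'none', and each SSID
    must name an existing interface whose device is a bridge holding a wired port."""
    net = parse_uci(network_text)
    devices = {s["opts"].get("name"): s["opts"] for s in net if s["type"] == "device"}
    ifaces = {s["name"]: s["opts"] for s in net if s["type"] == "interface"}
    findings = []
    for name, opts in ifaces.items():
        proto = opts.get("proto", "none")
        if name in mgmt and proto == "none":
            findings.append(f"interface {name}: proto 'none' means no address, so the AP "
                            f"cannot be managed over it (use static, or dhcp to test)")
        elif name not in mgmt and proto != "none":
            findings.append(f"interface {name}: AP holds an address on a client VLAN; "
                            f"clients there can reach its management services")
    for sec in parse_uci(wireless_text):
        if sec["type"] != "wifi-iface":
            continue
        ssid, network = sec["opts"].get("ssid", sec["name"]), sec["opts"].get("network")
        if not network:
            findings.append(f"SSID {ssid}: missing 'option network', so clients land nowhere")
        elif network not in ifaces:
            findings.append(f"SSID {ssid}: network '{network}' is not defined in /etc/config/network")
        else:
            dev = ifaces[network].get("device", "")
            if devices.get(dev, {}).get("type") != "bridge" or not devices[dev].get("ports"):
                findings.append(f"SSID {ssid}: device '{dev}' of {network} is not a bridge with "
                                f"a tagged wired port, so wifi and eth0.<vid> are never joined")
    return findings


if __name__ == "__main__":
    for f in lint_dumb_ap(NETWORK_CFG, WIRELESS_CFG, mgmt=("lan", "VLAN100")):
        print("-", f)
```

Run as a script it uses mgmt=("lan", "VLAN100") to match the current state of the thread, where management still lives on lan, and reports only the VLAN100 proto 'none' problem. With the default mgmt=("VLAN100",) it additionally flags that the AP is addressable from the VLAN behind the 'main' SSID, which is the exposure the planned move to VLAN100 removes. On a live AP, feed it the contents of /etc/config/network and /etc/config/wireless.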

Thanks for your reply.

I went to add the option network 'VLAN30' and realised that I already have this exact line at the bottom of my /etc/config/wireless file; I must have missed it off when I copied the file into the forum. So unfortunately that hasn't solved the issue. I will edit my original post to capture the missing line in the wireless config file.

I acknowledge this is a little confusing. For now I'm managing the device through the main VLAN1 interface (192.168.1.x), for which the AP has an IP address. My intention is to migrate all my management interfaces onto VLAN100 once I figure out how to get my VLANs working through one VLAN per wifi SSID. At the moment the VLAN100 is trunked through the switches and configured on the router, but it's effectively dormant.

I use that all the time.

$ ping -I enp14s0f3u1 ff02::1
ping: Warning: IPv6 link-local address on ICMP datagram socket may require ifname or scope-id => use: address%<ifname|scope-id>
ping: Warning: source address might be selected on device other than: enp14s0f3u1
PING ff02::1 (ff02::1) from :: enp14s0f3u1: 56 data bytes
64 bytes from fe80::1337%enp14s0f3u1: icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from fe80::ffff:fe01:ffe%enp14s0f3u1: icmp_seq=1 ttl=64 time=86.3 ms
64 bytes from fe80::1337%enp14s0f3u1: icmp_seq=2 ttl=64 time=0.059 ms
64 bytes from fe80::ffff:fe01:ffe%enp14s0f3u1: icmp_seq=2 ttl=64 time=1.48 ms
^C
--- ff02::1 ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.033/21.961/86.273/37.134 ms


$ ssh root@fe80::ffff:fe01:ffe%enp14s0f3u1 "cat /etc/banner"
Warning: Permanently added 'fe80::ffff:fe01:ffe%enp14s0f3u1' (ED25519) to the list of known hosts.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.5, r24106-10cc5fcd00
 -----------------------------------------------------

And I just add this VLAN to every device...

config interface            'vlan4094'
    option  device          'br-vlan.4094'
    option  macaddr         '02:00:ff:01:0f:fe'
    option  proto           'static'
    option  ip6class        'local'
    option  ip6assign       '64'

proto none together with auto 1 does the same as proto static without explicitly configuring it; according to the wiki...

Please post the output of brctl show.

Also, temporarily set the interface protocol to dhcp.

config interface 'VLAN100'
	option device 'br-management'
	option proto 'dhcp'
	option metric '10'

config interface 'VLAN30'
	option device 'br-iot'
	option proto 'dhcp'
	option metric '30'

If the interfaces are not getting IP addresses, check the vlan settings on the upstream device.

Hi

brctl show output:

bridge name	bridge id		STP enabled	interfaces
br-iot		7fff.d88466305015	no		eth0.30
							phy1-ap1
br-management		7fff.d88466305015	no		eth0.100
br-lan		7fff.d88466305015	no		phy0-ap0
							phy1-ap0
							eth0.1

I changed the VLAN interfaces to DHCP and I'm not getting a lease on either, which suggests an upstream issue. The switch is set to trunk VLANs on the port connected to the AP and the port connected to the router, so it should flow through fine. It feels like I'm going to need to sniff packets at each node to find out where they are being dropped.

Thanks for your help, I'll post back if I can make any progress.

OK, so I decided to install tcpdump on the AP and review the frames in Wireshark to check whether VLAN tags are properly set up. It turns out they are indeed: 'main' packets are VLAN 1 and br-iot is producing packets tagged with VLAN 30.

I'm very confused by the fact that when trying to ping the router from br-iot either on the router's VLAN 1 IP (192.168.1.254) or the router's VLAN 30 interface (192.168.30.254) ping reports 100% packet loss, unlike when I ping the router with br-lan.

root@AP2:~# ping -I br-iot 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
^C
--- 192.168.1.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@AP2:~# ping -I br-iot 192.168.30.254
PING 192.168.30.254 (192.168.30.254): 56 data bytes
^C
--- 192.168.30.254 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@AP2:~# ping -I br-iot 192.168.30.254
PING 192.168.30.254 (192.168.30.254): 56 data bytes
^C
--- 192.168.30.254 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
root@AP2:~# ping -I br-iot 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
^C
--- 192.168.1.254 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

root@AP2:~# ping -I br-lan 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: seq=0 ttl=64 time=0.725 ms
64 bytes from 192.168.1.254: seq=1 ttl=64 time=0.603 ms
64 bytes from 192.168.1.254: seq=2 ttl=64 time=0.605 ms
^C
--- 192.168.1.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss

This initially made me think that something upstream was wrong with the VLAN setup, leading to packets being dropped. However, reviewing the packet dump shows the ping going out on VLAN 30 and a reply being received (on eth0), so it looks like something within the AP itself isn't properly handling the VLAN 30 packets. I'm somewhat stumped, so any ideas are greatly appreciated.

The below shows the ping going out and reply coming back from the router.

30	3.090124	192.168.1.11	192.168.30.254	ICMP	102	Echo (ping) request  id=0x4944, seq=1/256, ttl=64 (reply in 31)

31	3.090526	192.168.30.254	192.168.1.11	ICMP	102	Echo (ping) reply    id=0x4944, seq=1/256, ttl=64 (request in 30)

Below shows the outgoing packet with VLAN ID 30, and reply with VLAN 1.

802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 30

802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1

What I need to figure out is why are replies to my pings being received on eth0 not showing up in the ssh terminal?
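The excerpt above already contains the answer, and the added example below (mine, not code from the thread) makes it mechanical: br-iot has no address, so ping -I br-iot sent the echo with the AP's VLAN 1 address 192.168.1.11 as the source; the router delivers a reply to 192.168.1.11 out of its VLAN 1 interface, the frame comes back on eth0.1 into br-lan, and a ping socket bound to br-iot never sees it. That is a routing consequence of the missing address, not a VLAN fault. The script decodes 802.1Q tags and ICMP echo headers, pairs requests with replies by id/seq, and flags any pair whose reply arrived on a different VLAN than the request left on, which is also the check to run when verifying that segmentation is not leaking between VLANs. The frames are constructed inline to mirror the Wireshark excerpt (request VLAN 30, reply VLAN 1, id 0x4944) plus an invented client 192.168.30.50 that genuinely lives on VLAN 30; MAC addresses are locally administered placeholders.

```python
import socket
import struct

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def _checksum(data):
    """RFC 1071 one's-complement checksum (used to build valid sample headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(vid, src_ip, dst_ip, icmp_type, ident, seq):
    """Constructed Ethernet/802.1Q/IPv4/ICMP echo frame (sample data, not a real capture).
    vid=None produces an untagged frame; the MACs are locally administered placeholders."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"vlan-per-ssid-tst"[:16]
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) if vid is not None else b""
    return eth + tag + struct.pack("!H", ETH_P_IP) + ip + icmp


def parse_frame(frame):
    """Decode the 802.1Q tag (if any) and the ICMP echo header of one frame.
    Returns None for anything that is not an ICMP echo request/reply over IPv4."""
    ethertype, = struct.unpack("!H", frame[12:14])
    off, vid = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18  # low 12 bits of the TCI carry the VLAN ID
    if ethertype != ETH_P_IP or frame[off + 9] != 1:
        return None
    ihl = (frame[off] & 0x0F) * 4
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", frame[off + ihl:off + ihl + 8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return {"vid": vid, "src": socket.inet_ntoa(frame[off + 12:off + 16]),
            "dst": socket.inet_ntoa(frame[off + 16:off + 20]),
            "type": icmp_type, "id": ident, "seq": seq}


def check_vlan_symmetry(frames):
    """Pair echo requests with replies by (id, seq) and report every reply that came
    back on a different VLAN than its request left on. Returns (findings, pairs_checked)."""
    requests, findings, checked = {}, [], 0
    for pkt in filter(None, map(parse_frame, frames)):
        key = (pkt["id"], pkt["seq"])
        if pkt["type"] == ICMP_ECHO_REQUEST:
            requests[key] = pkt
        elif key in requests:
            req = requests.pop(key)
            checked += 1
            if req["vid"] != pkt["vid"]:
                findings.append("echo id=0x%04x seq=%d: request %s -> %s left on VLAN %s, "
                                "reply arrived on VLAN %s (routed back to the subnet of the "
                                "source address, not to the VLAN the request used)"
                                % (key[0], key[1], req["src"], req["dst"], req["vid"], pkt["vid"]))
    return findings, checked


# Constructed capture mirroring the thread's excerpt: the AP pinged the router's
# VLAN 30 address from br-iot, which has no address, so the kernel used the AP's
# VLAN 1 address as source and the reply came back tagged 1. The second pair is
# an invented client that really lives on VLAN 30, for contrast.
SAMPLE_FRAMES = [
    build_echo(30, "192.168.1.11", "192.168.30.254", ICMP_ECHO_REQUEST, 0x4944, 1),
    build_echo(1, "192.168.30.254", "192.168.1.11", ICMP_ECHO_REPLY, 0x4944, 1),
    build_echo(30, "192.168.30.50", "192.168.30.254", ICMP_ECHO_REQUEST, 0x0BAD, 1),
    build_echo(30, "192.168.30.254", "192.168.30.50", ICMP_ECHO_REPLY, 0x0BAD, 1),
]

if __name__ == "__main__":
    found, n = check_vlan_symmetry(SAMPLE_FRAMES)
    print("pairs checked:", n)
    for line in found:
        print("-", line)
```

On a real AP the same pairing can be run over frames read from a tcpdump capture file; the point of the check is that a reply tagged differently from its request is never an AP bridging problem but a sign that the request's source address belongs to another subnet (as here) or, in a capture taken for segmentation testing, that the trunk is carrying traffic between VLANs it should keep apart.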

Some good news and hubris on my side! I spent a while sniffing and reviewing packets between the AP, switch and router, expecting to find a VLAN issue resulting in dropped packets. The problem turned out to be much simpler: I'd configured the VLAN tagging and firewall correctly, but failed to enable the router's DHCP server on the VLAN30 interface.

A basic error, but it has been a useful journey in exploring packet sniffing and observing packets traverse the network that I'm sure I will use again.

Thanks again for your help in ensuring that my AP was configured correctly.