Dumb ap with vlan stopped working

Hi,
I'm trying to revert to my old setup of x86 router + dumb AP.
A few months back I started this thread: "VLAN setup with dumb AP and x86", and with the help of @psherman got it to work.
When I try to restore that old setup with (seemingly) no changes to the configuration, the devices that should connect wirelessly don't get IP addresses (I see them on the AP's LuCI page by MAC address, associated with the relevant stations).
I can't seem to pinpoint the problem, and need help understanding what went wrong.

here are my configurations.

router:
/etc/config/network:

# br-lan bridges eth1, eth2 and eth3 as untagged LAN ports.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

# Upstream interface: address obtained by DHCP on eth0.
config interface 'wan'
	option proto 'dhcp'
	option device 'eth0'

# eth1.10 is the VLAN 10 sub-interface of eth1. eth1 is also a br-lan port
# above, so the same cable carries untagged LAN frames and tagged IoT frames.
# The LAN/IoT separation therefore depends on the device at the far end of
# eth1 keeping the tags apart.
config interface 'iot_online'
	option device 'eth1.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option proto 'static'

# Same pattern on VLAN 11, subnet 192.168.11.0/24.
config interface 'iot_offline'
	option device 'eth1.11'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option proto 'static'

/etc/config/firewall:

# IoT zone with Internet access. input 'REJECT' blocks IoT clients from the
# router's own services except where a rule below opens a port; forward
# 'REJECT' blocks routing out of the zone except via the forwardings below.
config zone
	option name 'iot_online'
	option network 'iot_online'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

# IoT zone without Internet access: same policies, and no forwarding with
# src 'iot_offline' appears in this excerpt.
config zone
	option name 'iot_offline'
	option network 'iot_offline'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

# iot_online clients may open connections towards wan.
config forwarding
	option src 'iot_online'
	option dest 'wan'

# One-way trust: lan may open connections into both IoT zones. There is no
# forwarding in the opposite direction, so IoT hosts cannot initiate to lan.
config forwarding
	option src 'lan'
	option dest 'iot_online'

config forwarding
	option src 'lan'
	option dest 'iot_offline'

# No 'dest' option, so this is an input rule: it lets iot_offline clients reach
# the router itself on UDP 67-68 despite the zone's input 'REJECT'.
# NOTE(review): a DHCP server listens on UDP 67; 68 is the client-side port, so
# '67' alone is probably sufficient - confirm before narrowing.
config rule
	option name 'Allow-iot-offline-DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'iot_offline'

# Input rule: iot_online clients may query port 53 on the router over TCP/UDP.
# The iot_online DHCP pool in this post hands out 8.8.8.8 as DNS server, so this
# opening matters only for clients that query the router directly.
# There is no matching DNS rule for iot_offline.
config rule
	option name 'Allow-iot-online-DNS'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option src 'iot_online'

# Input rule: DHCP for iot_online, same shape as the iot_offline rule above.
config rule
	option name 'Allow-iot-online-DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'iot_online'

/etc/config/dhcp:

# DHCP pool for iot_online: start '100' with limit '150' gives
# 192.168.10.100 - 192.168.10.249 on the /24 defined in /etc/config/network.
config dhcp 'iot_online'
	option interface 'iot_online'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# DHCP option 6 = DNS server. Clients are told to use 8.8.8.8 directly, so
	# their lookups leave through the iot_online -> wan forwarding rather than
	# through the router's own resolver.
	list dhcp_option '6,8.8.8.8'

# DHCP pool for iot_offline: 192.168.11.100 - 192.168.11.249. No dhcp_option is
# set, so clients receive whatever DNS/gateway the DHCP server advertises by default.
config dhcp 'iot_offline'
	option interface 'iot_offline'
	option start '100'
	option limit '150'
	option leasetime '12h'

dumb ap:

/etc/config/wireless:

# 2.4 GHz radio, fixed channel 6, 40 MHz channel width.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT40'
	option channel '6'
	option cell_density '0'

# Main SSID, attached to the AP's 'lan' interface. 'psk2' is WPA2-PSK; the key
# was redacted ('***') by the poster.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'myap'
	option encryption 'psk2'
	option key '***'

# IoT SSID attached to the AP interface 'iotonline' (bridge br-iotonline over
# eth1.10 in the AP's /etc/config/network). The name must match that interface
# exactly; the router's interface is spelled 'iot_online', but the two names are
# independent.
# NOTE(review): no 'option isolate' is set, so stations on this SSID can
# presumably talk to each other directly; consider option isolate '1' for IoT.
# NOTE(review): keys are redacted, so it cannot be seen whether each SSID has
# its own passphrase - it should.
config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IoT Online'
	option encryption 'psk2'
	option network 'iotonline'
	option key '***'

# IoT SSID attached to 'iotoffline' (br-iotoffline over eth1.11). The same
# isolation and per-SSID key remarks apply.
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IoT Offline'
	option encryption 'psk2'
	option network 'iotoffline'
	option key '***'

/etc/config/network:

# AP-side LAN bridge; its only wired member is eth1.1 (VLAN 1 on eth1).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

# Management address of the AP on the LAN; the router at 192.168.1.1 is its
# gateway and DNS server.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# Built-in switch with VLAN handling enabled.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN ID 1: port 0 tagged ('0t' - presumably the CPU-facing port, confirm for
# this board), ports 1-5 untagged.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5 1'
	option vid '1'

# Bridges joining the tagged wire side (eth1.10 / eth1.11) to whatever attaches
# with option network 'iotonline' / 'iotoffline' in /etc/config/wireless.
config device
	option name 'br-iotonline'
	option type 'bridge'
	list ports 'eth1.10'

config device
	option name 'br-iotoffline'
	option type 'bridge'
	list ports 'eth1.11'

# proto 'none': the AP configures no address on the IoT networks and only
# bridges frames, so its management address stays on 'lan' alone.
config interface 'iotonline'
	option device 'br-iotonline'
	option proto 'none'

config interface 'iotoffline'
	option device 'br-iotoffline'
	option proto 'none'


# VLAN ID 10 exists only on ports 0 and 1, both tagged. The router uplink has to
# be plugged into the jack that is logical port 1; later in this thread that
# turned out to be the WAN jack on this Archer C7 v2, not one of the LAN jacks.
# Ports 2-5 carry only untagged VLAN 1, so IoT traffic never reaches them.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 1t'
	option vid '10'

# VLAN ID 11: same two tagged ports as VLAN ID 10.
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '11'
	option ports '0t 1t'

any help is very appreciated!

Are these the complete configs, or just part of them?

well, they are what I thought was relevant, but these are the full configs:

router:
/etc/config/network:


# Loopback interface.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix for this router.
config globals 'globals'
	option ula_prefix 'fd85:c145:3d1a::/48'

# br-lan bridges eth1, eth2 and eth3 untagged. eth1 is also the parent of the
# eth1.10 / eth1.11 VLAN sub-interfaces used by the IoT interfaces in this file.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

# Router LAN address, 192.168.1.1/24.
config interface 'lan'
	option device 'br-lan'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option proto 'static'
	list dns '192.168.1.1'

# IPv4 upstream via DHCP on eth0.
config interface 'wan'
	option proto 'dhcp'
	option device 'eth0'

# IPv6 upstream on the same device; auto '0' means it is not brought up at boot.
config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth0'
	option reqaddress 'try'
	option reqprefix 'auto'
	option auto '0'

# Unmanaged interface over the docker0 bridge; also not brought up at boot.
config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

# docker0 is declared as a bridge with no ports listed here.
config device
	option type 'bridge'
	option name 'docker0'

# Router address on VLAN 10 (sub-interface eth1.10), subnet 192.168.10.0/24.
# The tagged frames share the eth1 cable with untagged br-lan traffic, so the
# separation depends on the downstream switch/AP keeping the VLANs apart.
config interface 'iot_online'
	option device 'eth1.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option proto 'static'

# Router address on VLAN 11 (sub-interface eth1.11), subnet 192.168.11.0/24.
config interface 'iot_offline'
	option device 'eth1.11'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option proto 'static'

# 192.168.15.1 with netmask 255.255.0.0 claims all of 192.168.0.0/16 as on-link.
# That range contains the lan (192.168.1.0/24), iot_online (192.168.10.0/24) and
# iot_offline (192.168.11.0/24) subnets defined in this file. This is the only
# /16 in the posted config, so it is presumably what the reply about the subnet
# mask refers to; a /24 was suggested there.
# The poster later removed this section and the Wi-Fi symptom did not change.
config interface 'macvlan'
	option proto 'static'
	option device 'br-lan.15'
	option ipaddr '192.168.15.1'
	option netmask '255.255.0.0'

# The name 'br-lan.15' reads like a VLAN 15 sub-interface of br-lan, but the
# device is declared as a macvlan on top of br-lan.
# promisc '1' and acceptlocal '1' are set explicitly; together with the
# all-ACCEPT 'macvlan' firewall zone this interface is as trusted as lan.
config device
	option type 'macvlan'
	option ifname 'br-lan'
	option mode 'bridge'
	option name 'br-lan.15'
	option acceptlocal '1'
	option promisc '1'

/etc/config/firewall:


# Global policies for traffic that matches no zone.
# NOTE(review): input 'ACCEPT' means an interface that is later added without
# being put in a zone would have full access to the router's services. Every
# routed interface posted in this thread has a zone, but 'REJECT' here is the
# safer fallback.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted zone: everything accepted, including forwarding inside the zone.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Untrusted upstream zone: inbound and forwarded traffic rejected unless a rule
# allows it; outgoing traffic is masqueraded (NAT).
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# lan hosts may open connections towards wan.
config forwarding
	option src 'lan'
	option dest 'wan'

# Exceptions to the wan zone's input/forward 'REJECT'.
# NOTE(review): the rule names look like the stock OpenWrt set; each one is an
# opening on the untrusted side, so keep only those that are actually needed.

# Input: DHCP replies to the router's own DHCP client on wan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Input: the router answers IPv4 echo requests arriving from wan.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Input: IGMP from wan.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Input: DHCPv6 replies to the router's DHCPv6 client.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Input: MLD messages, accepted only from link-local sources (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Input: ICMPv6 control messages to the router, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward: ICMPv6 from wan to any zone (dest '*'), which includes both IoT
# zones; rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward: ESP from wan to any host in lan (no dest_ip restriction).
# NOTE(review): only useful if a LAN host terminates IPsec; otherwise this and
# the ISAKMP rule below can be removed or pinned to that host with dest_ip.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward: UDP 500 (IKE) from wan to any host in lan.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Zone for the 'docker' interface (docker0). All three policies are ACCEPT, so
# anything arriving on docker0 can reach every service on the router itself.
# No forwarding to or from this zone appears in the posted config.
config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

# IoT zone with Internet access. input 'REJECT' keeps IoT clients away from the
# router's own services except for the DHCP/DNS rules defined further down;
# forward 'REJECT' blocks routing except via the forwardings below.
config zone
	option name 'iot_online'
	option network 'iot_online'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

# IoT zone without Internet access: no forwarding has src 'iot_offline'. Its only
# way out is the single-host 'Allow-iot-HA' rule later in this file.
config zone
	option name 'iot_offline'
	option network 'iot_offline'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

# iot_online clients may open connections towards wan.
config forwarding
	option src 'iot_online'
	option dest 'wan'

# One-way trust: lan may open connections into both IoT zones; there is no
# forwarding from either IoT zone back into lan.
config forwarding
	option src 'lan'
	option dest 'iot_online'

config forwarding
	option src 'lan'
	option dest 'iot_offline'


# No 'dest', so this is an input rule: iot_offline clients may reach the router
# on UDP 67-68 despite the zone's input 'REJECT'.
# NOTE(review): a DHCP server listens on UDP 67; 68 is the client-side port, so
# '67' alone is probably sufficient - confirm before narrowing.
config rule
	option name 'Allow-iot-offline-DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'iot_offline'

# Input rule: iot_online clients may query port 53 on the router.
# NOTE(review): dnsmasq is configured with port '54' in /etc/config/dhcp, so
# whatever answers on 53 is some other service on the router - confirm that it
# is meant to be reachable from the IoT network. The iot_online pool already
# hands out 8.8.8.8 as DNS server.
config rule
	option name 'Allow-iot-online-DNS'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option src 'iot_online'

# Input rule: DHCP for iot_online, same shape as the iot_offline rule above.
config rule
	option name 'Allow-iot-online-DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'iot_online'

# Forward rule (both src and dest set): iot_offline hosts may reach the single
# LAN host 192.168.1.179 on ports 80 and 8123. This is the only path out of the
# iot_offline zone in this file.
# NOTE(review): presumably a Home Assistant host, judging by the rule name. If
# it serves only HTTP on these ports, 'tcp' alone would be enough.
config rule
	option name 'Allow-iot-HA'
	list proto 'udp'
	list proto 'tcp'
	option dest_port '80 8123'
	option target 'ACCEPT'
	option src 'iot_offline'
	option dest 'lan'
	list dest_ip '192.168.1.179'

# Pulls the script at 'path' into the firewall as a 'script' type include; it is
# flagged as fw4-compatible. Its contents are not shown in this thread, so any
# rules it adds are outside what can be reviewed here.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# Zone for the 'macvlan' interface. All policies are ACCEPT and forwarding is
# open in both directions with lan, so hosts behind it are trusted exactly like
# lan hosts. That interface is configured with a /16 netmask in
# /etc/config/network, which spans the lan and both IoT subnets.
config zone
	option name 'macvlan'
	list network 'macvlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'macvlan'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'macvlan'

/etc/config/dhcp:


# dnsmasq settings (DNS forwarder and DHCP server).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	# noresolv '1': use only the 'server' entries below as upstream resolvers.
	option noresolv '1'
	option cachesize '1000'
	# NOTE(review): rebind_protection '0' switches off dnsmasq's filtering of
	# upstream answers that point at private addresses. Unless the upstream
	# resolver filters them, LAN clients lose their DNS-rebinding protection.
	# Prefer leaving it on and allow-listing specific names with 'list rebind_domain'.
	option rebind_protection '0'
	# dnsmasq serves DNS on port 54, not 53. The upstream below is the router's
	# own LAN address, so presumably another resolver listens there on port 53
	# - confirm. The firewall rule 'Allow-iot-online-DNS' opens port 53, i.e. that
	# other service, to the iot_online network.
	option port '54'
	list server '192.168.1.1'

# LAN pool: 192.168.1.100 - 192.168.1.249, plus DHCPv6 and router
# advertisements in server mode.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	# DHCP option 6 (DNS server) and option 3 (default gateway) both point at
	# the router.
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dns '2a0d:6fc2:4820:3d00::1'
	list dns 'fd85:c145:3d1a::1'

# ignore '1': no DHCP service is offered on the wan interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd settings; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# DHCP pool for iot_online: 192.168.10.100 - 192.168.10.249.
config dhcp 'iot_online'
	option interface 'iot_online'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# DHCP option 6 = DNS server. Clients are pointed at 8.8.8.8 directly, so
	# their lookups bypass the router's resolver and leave via the
	# iot_online -> wan forwarding.
	list dhcp_option '6,8.8.8.8'

# DHCP pool for iot_offline: 192.168.11.100 - 192.168.11.249. No DNS override is
# set, and the firewall has no DNS input rule for this zone.
config dhcp 'iot_offline'
	option interface 'iot_offline'
	option start '100'
	option limit '150'
	option leasetime '12h'
...
a bunch of configured static hosts

AP:
/etc/config/network:


# Loopback interface.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix of the AP.
config globals 'globals'
	option ula_prefix 'fdfd:6015:6230::/48'

# AP-side LAN bridge; its only wired member is eth1.1 (VLAN 1 on eth1).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

# Management address of the AP. It exists only on 'lan'; the IoT interfaces in
# this file use proto 'none'.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# Built-in switch with VLAN handling enabled.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN ID 1: port 0 tagged ('0t' - presumably the CPU-facing port, confirm for
# this board), ports 1-5 untagged.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5 1'
	option vid '1'

# Bridges joining the tagged wire side (eth1.10 / eth1.11) to the SSIDs that
# use option network 'iotonline' / 'iotoffline'.
config device
	option name 'br-iotonline'
	option type 'bridge'
	list ports 'eth1.10'

config device
	option name 'br-iotoffline'
	option type 'bridge'
	list ports 'eth1.11'

# proto 'none': the AP configures no address on the IoT networks and only
# bridges frames between Wi-Fi and the tagged uplink.
config interface 'iotonline'
	option device 'br-iotonline'
	option proto 'none'

config interface 'iotoffline'
	option device 'br-iotoffline'
	option proto 'none'

# VLAN ID 10 exists only on ports 0 and 1, both tagged. This is the root cause
# found in the thread: the router uplink must be plugged into logical port 1,
# which on this Archer C7 v2 turned out to be the WAN jack. On any LAN jack
# (ports 2-5) only untagged VLAN 1 passes, so LAN works and the IoT SSIDs get
# no DHCP.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 1t'
	option vid '10'

# VLAN ID 11: same two tagged ports as VLAN ID 10.
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '11'
	option ports '0t 1t'

/etc/config/wireless:


# 5 GHz radio, automatic channel selection, 80 MHz channel width.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option htmode 'VHT80'
	option channel 'auto'
	option cell_density '0'

# Main 5 GHz SSID on the 'lan' interface. 'psk2' is WPA2-PSK; the key was
# redacted ('***') by the poster.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'myap 5G'
	option encryption 'psk2'
	option key '***'

# 2.4 GHz radio, fixed channel 6, 40 MHz channel width.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT40'
	option channel '6'
	option cell_density '0'

# Main 2.4 GHz SSID, also on 'lan'.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'myap'
	option encryption 'psk2'
	option key '***'

# IoT SSID on the 2.4 GHz radio, attached to the AP interface 'iotonline'
# (br-iotonline over eth1.10), i.e. VLAN 10 towards the router.
# NOTE(review): no 'option isolate' is set, so stations on this SSID can
# presumably reach each other directly; consider option isolate '1' for IoT.
# NOTE(review): keys are redacted, so it cannot be seen whether this SSID has a
# passphrase different from the main network's - it should.
config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IoT Online'
	option encryption 'psk2'
	option network 'iotonline'
	option key '***'

# IoT SSID attached to 'iotoffline' (br-iotoffline over eth1.11), i.e. VLAN 11.
# The same isolation and per-SSID key remarks apply.
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IoT Offline'
	option encryption 'psk2'
	option network 'iotoffline'
	option key '***'

The subnet mask here is likely the problem. You have a /16, which conflicts with your other networks. Make it a /24 and then try again.

In fact, remove all of this. I think this whole thing looks like it may be invalid.

it's for a docker network I created.
anyway, I removed it (the whole section quoted), but the problem remains

Do all networks have issues, or just one or two of them? Which network(s) exhibit the issue?

the two networks with the VLANS have this issue.
the LAN is working fine

What port is used on each device to make the connection?

on the router it's eth1, on the AP (archer c7 v2) - any of the "LAN" ports

Only one port is set up for the VLANs: logical port 1, specifically. That may or may not be LAN 1. Try each in succession.

huge facepalm here. it's the WAN port that's configured for the VLANS.
the setup I'm replacing only had 4 ports in total so it confused me.

thanks for saving the day!
