Dumb AP with vlans

badsmoke · May 30, 2023, 3:09pm

hi,

i have been trying for days to set up my openwrt as AP ... without success

as router I use an opnsense system

vlan 99 mgmt -> ui
vlan 40 home
vlan 41 guest

the openwrt should only act as AP, firewall ist aus

device "trunk" -> bridge LAN1

802.1q device from "trunk
trunk.99 -> mgmt
trunk.40 -> home
trunk.41 -> guest

interface mgmt from device mgmt: dhcp client
interface home from device home: unmanaged
interface guest from device guest: unamanged

and after a reboot i can't access the system anymore

after the restart you can see the wifi endpoints but I can no longer get to UI and pinging it is also no longer possible

what am i doing wrong?

psherman · May 30, 2023, 3:33pm

let's see your config...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless

R00 · May 30, 2023, 3:33pm

It sounds like the vlan setup is causing however you are connected to the openwrt device to no longer be able to see the web ui.. It may help if you describe what link you are trying to use to connect to the web ui.

My setup is different than you as I'm using another openwrt router as the main gateway/firewall - but you may glean some useful help out of reading https://lowtek.ca/roo/2023/openwrt-vlans-for-guest-and-iot-networks/

badsmoke · May 30, 2023, 5:35pm

ubus call system board:

i will not be back on site until tomorrow.
the openwrt device is the "Belkin RT3200 (aka. Linksys E8450 )". with openwrt 22.03.5

network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd77::1acc::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'trunk'
	list ports 'lan1'
	list ports 'lan2'

config device
	option type '8021q'
	option ifname 'trunk'
	option vid '40'
	option name 'trunk.40'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'trunk'
	option vid '41'
	option name 'trunk.41'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'trunk'
	option vid '99'
	option name 'trunk.99'
	option ipv6 '0'

config interface 'mgmt'
	option proto 'dhcp'
	option device 'trunk.99'

config interface 'guest'
	option proto 'none'
	option device 'trunk.41'

config interface 'office'
	option proto 'none'
	option device 'trunk.40'

wireless: I am not that far yet

badsmoke · May 30, 2023, 5:37pm

thanks

the only real difference, apart from the fact that dsa is already used in my version, is that you drag an untagged over with it.

but i try to make the ui accessible via an extra vlan 99. Until the reboot that works too

psherman · May 30, 2023, 6:04pm

Remove all of these:

badsmoke:

config device
	option type '8021q'
	option ifname 'trunk'
	option vid '40'
	option name 'trunk.40'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'trunk'
	option vid '41'
	option name 'trunk.41'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'trunk'
	option vid '99'
	option name 'trunk.99'
	option ipv6 '0'

Add this:

config bridge-vlan
	option device 'trunk'
	option vlan '40'
	list ports 'lan1:t'
	list ports 'lan2:t'

config bridge-vlan
	option device 'trunk'
	option vlan '41'
	list ports 'lan1:t'
	list ports 'lan2:t'

config bridge-vlan
	option device 'trunk'
	option vlan '99'
	list ports 'lan1:t'
	list ports 'lan2:t'

The above assumes that all three VLANs are tagged on the the trunk port.

EDIT: fixed some minor typos.

badsmoke · June 1, 2023, 6:24am

thanks for the feedback, but unfortunately the same behavior exists.

if I set it and restart the network service, I remain hanging on the device and everything works.
when i restart, it only works when i really take the power away.

if i don't change anything and then restart again, i can't get back on the device.

psherman · June 1, 2023, 6:31am

Have you verified that the OpenSense system has:

all of the networks functioning properly (often the best way to test is to connect a computer via ethernet and test that it gets an IP address and the expected connectivity)
The tagging properly configured for so that your trunk port is indeed set with vlans 40, 41, and 99 all tagged?

Is there anything between your OpenSense router and your dumb AP (such as a switch)? If so, what is it and is it properly configured?

Finally, let's take a look at the latest config file.

badsmoke · June 1, 2023, 6:42am

on the opnsense side everything should be correct, we have over 50 switches that are also connected via vlan.

after setting and after a reboot (with power off) the mgmt interface with the vlan id 99 gets an ip assigned.
if i set the other interfaces to dhcp client, they also get an ip assigned and you can reach them through it.

I have also tried it with a fixed ip, but that does not work either.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd77::1acc::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'trunk'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'trunk'
	option vlan '40'
	list ports 'lan1:t'
	list ports 'lan2:t'

config bridge-vlan
	option device 'trunk'
	option vlan '41'
	list ports 'lan1:t'
	list ports 'lan2:t'

config bridge-vlan
	option device 'trunk'
	option vlan '99'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'mgmt'
	option proto 'dhcp'
	option device 'trunk.99'

config interface 'guest'
	option proto 'none'
	option device 'trunk.41'

config interface 'office'
	option proto 'none'
	option device 'trunk.40'

psherman · June 1, 2023, 6:45am

Ok. Let’s take a look at the wireless file.

badsmoke · June 1, 2023, 6:51am

i can connect and get an ip, on the right network

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option cell_density '0'
	option htmode 'HT40'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option cell_density '0'
	option htmode 'VHT20'
	option disabled '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'test'
	option encryption 'sae-mixed'
	option key 'sectret'
	option network 'guest'

psherman · June 1, 2023, 6:54am

You should set your country code.

Also, many devices don’t work well south sae-mixed. You should try wpa2 or wpa3 instead of mixed mode operation.

Does this mean it is working?

badsmoke · June 1, 2023, 6:58am

yes it works until i restart the device

psherman · June 1, 2023, 7:04am

After you restart, what do you need to do to make it work again?

badsmoke · June 1, 2023, 7:05am

I need to reset the whole device to factory settings

psherman · June 1, 2023, 7:07am

Have you tried using wpa2 encryption instead of sae-mixed?

badsmoke · June 1, 2023, 7:08am

i had actually try it without wifi until just now

psherman · June 1, 2023, 7:09am

I don’t understand. How were you connecting?

badsmoke · June 1, 2023, 7:11am

after a factory reset, directly via cable

after configuring everything with vlan, via network over the vlan 99 as I would like.

up to the point wlan I have not yet come further.

psherman · June 1, 2023, 7:12am

To which port?