Failed to Create VLAN in Switch Format for Dumb AP

Hello! This is my first post here.

To keep it short, let me get straight to the point.

I have 1 main router and 1 dumb AP with 2 SSIDs, 2 VLANs, and 2 subnets. Both devices are running OpenWRT and using the DSA format, and they have been working well for several months. SSID A is for general use, and SSID B is for IoT devices.

I want to add 1 more dumb AP, so there will be a total of 1 main router and 2 APs. Unfortunately, this second AP, the Airtight C-75, does not use the DSA format but instead uses the old Switch format.

Here are the default settings for the Airtight C-75 OpenWRT after a reset:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx:yyy'

config interface 'wan'
        option device 'eth0.1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.1'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3 6t'

Here are my settings:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxx:yyy'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.10'
	list ports 'eth1.20'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option ipaddr '192.168.10.200'
	option gateway '192.168.2.1'
	list dns '192.168.2.1'
	option device 'eth0.10'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '10'
	option description 'lan'
	option ports '0t 2 3 6'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '20'
	option description 'iot'
	option ports '0t 2t 3t 6t'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.20.200'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
	option delegate '0'
	option type 'bridge'
	list dns '192.168.2.1'

Would anyone be willing to provide assistance and corrections? I've been struggling for a few days to set up VLANs in the Switch format; it seems that Switch is more complex than DSA.

If possible, I would like to connect an ethernet cable to a PoE-supported WAN port.

Thank you very much in advance!

Let's start with the request for using your PoE powered wan port...

This section shows that the wan interface uses eth0.1

From here, we can see that eth0 (CPU) is logical port 0 and your physical wan port is logical port 2. We also know that the other CPU connection (eth1) is logical port 6, and there is a lan port on logical port 3.

Your config (which has several errors) appears to show that you have 2 VLANs, VLAN 10 (your trusted lan 192.168.10.0/24 with this device at 192.168.10.200) and VLAN 20 (your IoT).

So... using your non-working config as a starting point:

I am assuming that VLAN10 is untagged on your trunk port, and that VLAN20 is tagged (if both are tagged, the VLAN10 port 2 would need to be 2t)... but this is what the switch config should look like:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '10'
	option description 'lan'
	option ports '0t 2 3'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '20'
	option description 'iot'
	option ports '0t 2t'

Edit br-lan so that it looks like this:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.10'

Edit your lan interface to use br-lan as its device, and also remove the IPv6 stuff. I'm also changing the gateway and dns to 192.168.10.1 instead of 192.168.2.1... if this is not how your network is set up, we need more info:

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.200'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'
	option device 'br-lan'

Add a new bridge:

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.20'

And finally, set your iot network to use the new bridge. Also, set the iot network interface to proto none -- it should not have an address since it's a dumb AP and already has an address on your trusted lan.

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

Restart and test.
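
An added example, not part of the reply above or of OpenWrt itself: a small Python lint for `/etc/config/network` that flags the three problems corrected in this thread (one bridge joining two VLAN sub-interfaces, which merges the trusted and IoT segments; an interface with no device; a gateway outside the interface's subnet). The names `parse_uci` and `lint` are hypothetical, and the sample is a trimmed excerpt of the non-working config.

```python
# Added example: parse_uci() and lint() are hypothetical helper names.
import ipaddress
import re

def parse_uci(text):
    """Parse UCI text into a list of section dicts (options and lists)."""
    sections = []
    for line in text.splitlines():
        words = [q or w for q, w in re.findall(r"'([^']*)'|(\S+)", line)]
        if len(words) >= 2 and words[0] == "config":
            sections.append({".type": words[1], ".name": "".join(words[2:3])})
        elif len(words) >= 3 and sections and words[0] == "option":
            sections[-1][words[1]] = words[2]
        elif len(words) >= 3 and sections and words[0] == "list":
            sections[-1].setdefault(words[1], []).append(words[2])
    return sections

def lint(text):
    """Return findings that break VLAN separation or addressing on a dumb AP."""
    findings = []
    for s in parse_uci(text):
        if s[".type"] == "device" and s.get("type") == "bridge":
            vids = sorted({p.split(".")[1] for p in s.get("ports", []) if "." in p})
            if len(vids) > 1:  # one bridge is one L2 domain, so the VLANs merge
                findings.append(f"bridge {s['name']} joins VLANs {','.join(vids)}")
        elif s[".type"] == "interface":
            if "device" not in s:
                findings.append(f"interface {s['.name']} has no device")
            if all(k in s for k in ("ipaddr", "netmask", "gateway")):
                net = ipaddress.ip_network(f"{s['ipaddr']}/{s['netmask']}", strict=False)
                if ipaddress.ip_address(s["gateway"]) not in net:
                    findings.append(f"interface {s['.name']} gateway outside {net}")
    return findings

# Sample input: trimmed excerpt of the non-working config posted in the thread.
BROKEN = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.10'
    list ports 'eth1.20'
config interface 'iot'
    option ipaddr '192.168.20.200'
    option netmask '255.255.255.0'
    option gateway '192.168.2.1'
"""

if __name__ == "__main__":
    print("\n".join(lint(BROKEN)))
```

The corrected layout from the reply (one bridge per VLAN, `proto 'none'` on `iot`) produces no findings.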

@psherman Thank you very much for the very detailed response. Amazing!

I followed 100% of your instructions step by step. After the reboot and testing, I could only connect to SSID A for general use. But when trying SSID B for IoT, I failed to obtain an IP.

Then, I took the initiative to modify your last configuration.

Your configuration:

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

My edited configuration:

config interface 'iot'
        option netmask '255.255.255.0'
        option ipaddr '192.168.20.200'
        option gateway '192.168.20.1'
        option type 'bridge'
        option device 'br-iot'
        option proto 'static'
        list dns '192.168.20.1'

After rebooting and testing, it finally worked. Testing with a PC connected to the WAN port worked fine. Both SSID A and SSID B are functioning normally. I can now obtain IP addresses with different subnets between SSID A and SSID B.

Please provide feedback again, was my initiative correct?

Thanks again.

That doesn't look quite right... let's take a look at the complete configuration of the dumb AP.

Also, can you provide additional info on the following:

  • What is the AP's upstream device? Is it directly connected to a router or a switch?
  • If a switch, is it managed?
  • What is the expected trunk configuration of the upstream connection? Are both networks tagged? Or is one untagged (if so, which one)?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

@psherman I apologize for the previous misunderstanding.

I have reverted back to the previous configuration as per your suggestion, and then tested by directly connecting the second AP to the main router. Yes, it worked perfectly as expected. Two APs with two SSIDs, two VLANs, and two subnets are functioning smoothly.

With the configuration you provided, I have been testing it for several hours before composing this reply.

Thank you. You are my hero!
