GL.iNet MT6000 (Flint 2); Configuration Help (on 24.10.0)

Hey All,

Hoping someone can assist me with a weird issue I'm having with the MT6000.

The config I'm going for is:

  • Device used in 'Dumb-AP' mode.
  • Uplink(trunked) via the WAN port
  • Use of LAN1-5 as regular ports that can be trunked or access ports.
  • Information on how to (if NEEDED/ Required) disable the firewall, as it's not needed with this config - I've seen some posts suggesting that leaving the firewall enabled will not pose an issue.

Current Config:

Layout

  • VLAN 254: MGMT (privileged VLAN for administration)
  • VLAN 253: (swMGMT; uplink, PVID; for switches).
  • VLAN 5,50,55: VLANs used for assorted purposes.
  • DHCP is upstream (via relay), via OPNsense, works as expected.

The WAN port is the uplink to a Layer 3 switch; this L3 switch in turn connects to a core switch, which is then uplinked to an OPNsense firewall.

Note: The other portions of the network work as expected and have been configured as such for years.

Note++: Additionally, the MT6000 is replacing an MR16 (also running OpenWrt)... replacing as in: the MT6000 is now connected to the same uplink (with the identical PVID, tagging, etc.)

Works:

  • Dumb AP mode (appears to be configured correctly)
  • Uplink config works as expected.
    • dhcp relay, vlan tagging (at least for WiFi vlan)
  • WiFi works as expected.
  • DHCP Relay works as expected.

Issues:

  • local DNS (via forwarding) not working as expected.
  • unable to ping or resolve local hostnames that are known by upstream dns server
# ping hostname.mt6k
ping: bad address 'hostname.mt6k'
  • Routing issue...? with respect to opkg updates, install, etc
  • opkg update will fail, even though I'm able to ping downloads.openwrt.org successfully.
# opkg update
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org ....

I've tried a couple of configs., all to no avail.

  • I've also looked around the forums, but haven't seen anyone with a similar issue.

The current config (see below) is what is intended, but I'd also previously whittled it down to the basics to see if the more complicated config could be what was causing the issue, but still no go.

Reference Info +Files

  1. # ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "MT6000",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}
  2. file: /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd19:e4f2:60c9::/48'
	option packet_steering '2'
	option steering_flows '128'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'swMGMT'
	option device 'br-lan.253'
	option proto 'static'
	option ipaddr 'X.X.253.246'
	option netmask '255.255.255.240'
	option delegate '0'
	option gateway 'X.X.253.254'
	list dns_search 'v253.mt6k'
	list dns_search 'v253'
	list dns_search 'mt6k'
	list dns 'X.X.253.254'
	list dns 'X.X.254.254'

config bridge-vlan
	option device 'br-lan'
	option vlan '253'
	list ports 'eth1:u*'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:t'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '254'
	list ports 'eth1:t'
	list ports 'lan4:u*'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth1:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'eth1:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'eth1:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '55'
	list ports 'eth1:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config interface 'I0T'
	option proto 'static'
	option device 'br-lan.5'
	option ipaddr 'X.X.5.246'
	option netmask '255.255.255.0'
	option gateway 'X.X.5.254'
	option delegate '0'
	list dns 'X.X.5.254'
	list dns 'X.X.254.254'
	list dns_search 'v5.mt6k'
	list dns_search 'mt6k'

config interface 'WLAN'
	option proto 'static'
	option device 'br-lan.8'
	option ipaddr 'X.X.8.246'
	option netmask '255.255.255.0'
	option gateway 'X.X.8.254'
	option delegate '0'
	list dns_search 'v8.mt6k'
	list dns_search 'v8'
	list dns_search 'mt6k'
	list dns 'X.X.4.240'
	list dns 'X.X.8.254'

config interface 'Guest'
	option proto 'none'
	option device 'br-lan.50'
	option delegate '0'
	option force_link '1'
	list dns '1.1.1.2'
	list dns '1.0.0.2'

config interface 'i5mart'
	option proto 'static'
	option device 'br-lan.55'
	option ipaddr 'X.X.55.246'
	option netmask '255.255.255.0'
	option gateway 'X.X.55.254'
	list dns_search 'v55.mt6k'
	option delegate '0'
	list dns 'X.X.55.254'
	list dns 'X.X.254.254'

config interface 'MGMT'
	option proto 'none'
	option device 'br-lan.254'
	option force_link '1'
	option delegate '0'
	list dns 'X.X.254.250'
	list dns 'X.X.254.254'

config device
	option name 'br-lan.253'
	option type '8021q'
	option ifname 'br-lan'
	option vid '253'
	option ipv6 '0'

config device
	option name 'br-lan.254'
	option type '8021q'
	option ifname 'br-lan'
	option vid '254'
	option ipv6 '0'

config device
	option name 'br-lan.55'
	option type '8021q'
	option ifname 'br-lan'
	option vid '55'
	option ipv6 '0'

config device
	option name 'br-lan.50'
	option type '8021q'
	option ifname 'br-lan'
	option vid '50'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

config device
	option name 'br-lan.8'
	option type '8021q'
	option ifname 'br-lan'
	option vid '8'
	option ipv6 '0'
  3. file: /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/mt6k/'
	option domain 'mt6k'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '1'
	option logqueries '1'
	option quietdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dynamicdhcp '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config relay
	option local_addr 'X.X.8.246'
	option server_addr 'X.X.8.254'

config relay
	option local_addr 'X.X.55.246'
	option server_addr 'X.X.55.254'

config relay
	option local_addr 'X.X.253.246'
	option server_addr 'X.X.253.254'

config relay
	option local_addr 'X.X.254.246'
	option server_addr 'X.X.254.254'

config relay
	option local_addr 'X.X.5.246'
	option server_addr 'X.X.5.254'
  4. file: /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
  5. Basic Network Diagram

There's a lot going on here... but I think we can simplify...

Assuming that this is the network used for managing this device, keep this one setup in general. It's going to be hard, though, to provide full advice because it is over-redacted. There is no need to redact the IP addresses here -- RFC1918 addresses do not reveal anything sensitive about your network.

From the above, remove the dns search lines.

For your bridge-vlans, be sure to be explicit about the untagged ports. So in this case, if lan1, lan2, and lan3 are all untagged, be sure to include :u* on each of those ports.

Next, make all of the other networks unmanaged... so for example, the I0T network will become:

config interface 'I0T'
	option proto 'none'
	option device 'br-lan.5'

Repeat for all of networks except for the one that is used to manage this device.

Delete all of the 802.1q stanzas.

This device should not be involved in DHCP.... it should transparently pass them to your L3 switch and router. So remove all the relay lines.

Finally, the firewall config posted above is quite dangerous.

If the firewall is inadvertently re-enabled (which may happen during a sysupgrade), you will be locked out of the device.

Create a zone that includes the network used for device management. Make sure that zone has output = ACCEPT and input = ACCEPT.

Finally, make sure that dnsmasq is enabled.

Reboot and test again. If it doesn't work, please post the updated config (and this time, please don't over-redact).

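The stripped-down bridged-AP shape the reply above describes, with a small lint for the four things it calls out (bridge-vlan members without an explicit :u* or :t, non-management interfaces that still carry an address, leftover 8021q device stanzas, and DHCP relay stanzas). This is an added example, not code from the thread or from OpenWrt; swMGMT as the management interface and the 10.0.x.x addresses are assumptions standing in for the redacted ones, and the firewall zone the reply also asks for is not covered. It uses only sh and awk, which every OpenWrt image has, so it can be run on the router against /etc/config/network (and /etc/config/dhcp for the relay check):

```shell
#!/bin/sh
# Added example (not from the thread): lint OpenWrt UCI text for the dumb-AP
# mistakes called out above. Reads /etc/config/network (or /etc/config/dhcp,
# for the relay check) on stdin; $1 names the one interface that may carry
# an address. Prints one WARN line per finding; exit status = finding count.
audit_dumb_ap() {
    awk -v mgmt="$1" -v q="'" '
    function val(i,  v) { v = $i; gsub(q, "", v); gsub("\"", "", v); return v }
    function warn(msg) { n++; print "WARN: " msg }
    # UCI does not fix option order, so each stanza is checked once complete
    function flush(  k, m, arr) {
        if (sect == "bridge-vlan") {
            m = split(ports, arr, " ")
            for (k = 1; k <= m; k++)
                if (arr[k] !~ /:[tu]\*?$/)
                    warn("bridge-vlan " vlan ": port " arr[k] " has no :t or :u* suffix; tag it explicitly")
        } else if (sect == "interface") {
            if (name != mgmt && name != "loopback" && proto != "" && proto != "none")
                warn("interface " name " has proto " proto "; only " mgmt " should carry an address on a bridged AP")
        } else if (sect == "device") {
            if (type == "8021q" && ifname ~ /^br-/)
                warn("device " name " duplicates the sub-interface bridge-vlan " vid " already creates on " ifname)
        } else if (sect == "relay") {
            warn("dhcp relay on " local_addr "; a bridged AP should pass DHCP through untouched")
        }
        sect = name = vlan = vid = proto = type = ifname = ports = local_addr = ""
    }
    $1 == "config" { flush(); sect = $2; name = (NF >= 3) ? val(3) : ""; next }
    $1 == "option" && $2 == "name"       { name = val(3) }
    $1 == "option" && $2 == "vlan"       { vlan = val(3) }
    $1 == "option" && $2 == "vid"        { vid = val(3) }
    $1 == "option" && $2 == "proto"      { proto = val(3) }
    $1 == "option" && $2 == "type"       { type = val(3) }
    $1 == "option" && $2 == "ifname"     { ifname = val(3) }
    $1 == "option" && $2 == "local_addr" { local_addr = val(3) }
    $1 == "list"   && $2 == "ports"      { ports = ports " " val(3) }
    END { flush(); exit n + 0 }
    '
}

# Constructed "before" sample in the shape of the posted config: a port with
# no :u*, a second addressed VLAN, a hand-written 8021q device, a DHCP relay.
# Addresses are placeholders for the redacted ones.
BEFORE=$(cat <<'EOF'
config bridge-vlan
    option device 'br-lan'
    option vlan '253'
    list ports 'eth1:u*'
    list ports 'lan1'
config interface 'swMGMT'
    option device 'br-lan.253'
    option proto 'static'
    option ipaddr '10.0.253.246'
config interface 'I0T'
    option device 'br-lan.5'
    option proto 'static'
    option ipaddr '10.0.5.246'
config device
    option name 'br-lan.253'
    option type '8021q'
    option ifname 'br-lan'
    option vid '253'
config relay
    option local_addr '10.0.5.246'
    option server_addr '10.0.5.254'
EOF
)

# The stripped-down bridged-AP shape: every VLAN member tagged explicitly,
# an address only on swMGMT, everything else proto none, no 8021q or relay.
AFTER=$(cat <<'EOF'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1'
    list ports 'lan1'
    list ports 'lan5'
config bridge-vlan
    option device 'br-lan'
    option vlan '253'
    list ports 'eth1:u*'
    list ports 'lan1:u*'
    list ports 'lan5:t'
config bridge-vlan
    option device 'br-lan'
    option vlan '5'
    list ports 'eth1:t'
    list ports 'lan5:t'
config interface 'swMGMT'
    option device 'br-lan.253'
    option proto 'static'
    option ipaddr '10.0.253.246'
    option netmask '255.255.255.240'
    option gateway '10.0.253.254'
config interface 'I0T'
    option proto 'none'
    option device 'br-lan.5'
EOF
)

printf '%s\n' "$BEFORE" | audit_dumb_ap swMGMT || printf '%s findings before\n' "$?"
printf '%s\n' "$AFTER"  | audit_dumb_ap swMGMT && printf 'after: clean\n'
```

On the router the same function runs as `audit_dumb_ap swMGMT < /etc/config/network` and `audit_dumb_ap swMGMT < /etc/config/dhcp`; a non-zero exit is the count of findings, so it can gate a config commit in a script. Note the lint only reports what the reply names; it does not check the firewall zone, which still has to be created by hand with input and output set to ACCEPT for the management network.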

@psherman; thanks for the prompt reply.
Read & re-read what you suggested.

So it seems that even though I'm attempting to operate the device in Dumb-AP mode, my config options were applying unwanted complexities?

** Applying and testing now.

Yes, exactly. Bridged (dumb) APs are essentially transparent devices. So they only need an address on a single network (the one used to manage the device) and everything else just flows through.... you can think of it like a media converter doing nothing more than translating signals between wired and wireless connections. For the AP itself, usually there is no need to even install any additional packages and thus it may not even really need DNS or a gateway. However, if you do want to install anything, you would obviously need those things populated (in the management network stanza).

That said, just to make sure you're aware...

Upgrading packages (via the CLI opkg upgrade command or the LuCI Upgrade... button) can result in major problems. It is generally highly discouraged, unless you know what you are doing or if there is specific instruction to do so.

@psherman;

Re: REDACTION

I'll endeavour to lighten the shade... my default M.O. is security oriented.

For the AP itself, usually there is no need to even install any additional packages and thus it may not even really need DNS or a gateway. However, if you do want to install anything, you would obviously need those things populated (in the management network stanza).

^^ Ok; figured as much.
For some of the networking that I do, I definitely need accessible IP endpoints, which is why I had configured them as such... but where not needed, I can definitely trim the config.

Re:

That said, just to make sure you're aware...
Upgrading packages (via the CLI opkg upgrade command or the LuCI Upgrade... button) can result in major problems. It is generally highly discouraged, unless you know what you are doing or if there is specific instruction to do so.

^^ Thanks for the warning... I'm pretty fastidious with services, packages and backups... I only run services that I need.

Ok --

  • Connectivity is still stable, i.e. WiFi and WAN DNS resolution work

  • ping and general IP access (curl, opkg processes) outside of the VLANs are non-functioning, same as before.

  • I've updated the firewall rules - thanks for the clarification on how it works (I normally use my oWRT devices in Dumb-AP mode, and basically never configure the firewall)

  • I'll post the new (stripped down) configs shortly.

  • I'll also take a look upstream and see if maybe there's some config, blocking certain traffic... (doubtful, but better to clear up that end, before blaming it on oWRT)

This is likely an issue related to the upstream (L3 switch and/or router). Please create an access port on your switch for each of the VLANs, then test with a computer via ethernet (and make sure that computer's wifi is off so that you have only one route to the internet).

@psherman

My Upstream is copacetic.

I have an MR16 running OpenWRT 24.10; with identical tagging (via the same switch) upstream... and that device is working as expected.

  • identical tagging = trunk port, MGMT vlan, same vlans as tagged/trunked on the MT6000 link.

The only difference... appears to be the use of DSA in the MT6000 and swconfig in the MR16.

Just for grins... can you swap the MR16 and the MT6000 (i.e. so the MT6000 uses the switch port currently in use by the MR16 and vice versa)?

If the problem follows the port, the switch is implicated. If the problem follows the device, we'll need to review the MT6000 again. And for that matter, let's see the complete configs from both devices so we can compare.

just for :laughing:

Sure thing... Heath :clown_face: (Ledger).
Will do and report back.

Caveat: the (immediate) upstream switch is a Cisco SG-250; Cisco VLAN tagging has that weird trunk vs. general config that always seems to work with some vendors and then not with others...

We'll see.

@psherman;

Finally got around to doing & testing this properly... (I couldn't handle the ire of a connectivity-constrained household).

So a simple switch of ports (no config changes needed on upstream, as the ports are configured IDENTICALLY)... yields the same results.

  • I'll post the updated configs (full), from the previous changes that you'd mentioned as well.

Question: is there a "Dumb AP" config that supports putting IP endpoints on the vlans/devices?
Or is that strictly verboten?