Guest VLAN tagging on dumb AP

I thought this would be easy but it doesn't quite work yet

I have a br-lan which groups all the ethernet ports on my device including wan.

And a br-lan.1003 which I have set to unmanaged so it doesn't have an IP address

And a Guest interface on br-lan.1003.

Wifi Guest then maps to use this Guest interface.

What I was hoping is that the packets all get tagged and it just works with the existing VLAN configuration on my main router (which is already dealing with VLAN 1003 from some apple devices). What is happening is I am getting an IP on the main lan, so I suspect tagging is not working on egress from the dumb AP.

I suspect therefore I just need to enable packet filtering on br-lan, but I am unclear on the right configuration for that; I am still reading around. The videos I have seen so far have tagging for everything and so have a predefined list of VLANs in their setup, whereas my main lan is not tagged at all. So do I need something that says if it's already tagged for 1003, preserve it, else leave it alone?

Maybe I am barking up the wrong tree.

Does your device support switch config or DSA? See the videos linked here: https://openwrt.org/docs/guide-user/network/wifi/dumbap

You need to keep br-lan and delete br-lan.1003 and use DSA or swconfig instead.

Also, do you have VLANs correctly set up on your router? Do you have your uplink port trunked?

I had followed instructions many moons ago on the main router; it's working fine for the Apple devices that are in dumb AP mode, they all tag their guest egress with VLAN 1003 and anything joining guest wifi on those devices (all in bridge mode, with multiple SSIDs) correctly gets a guest IP address on a different subnet, served DHCP from the main router etc., and cannot communicate with the main lan, only internet.

Edit: supports DSA, it's a DL-WRX36 running latest stable, but on the DSA page you do not see the Wifi as a device/port on the bridge. The page you linked is a page I did use when setting up the dumb AP. WAN interface is removed, the wan port is in the LAN bridge.

This router is "in the lab" ... it's a candidate to replace airport extremes. Subject to stability and a few other considerations. It's quite a lot larger in the flesh but has very similar connectivity.

Deleted the device; from the videos I watched it looks like DSA creates a virtual device (greyed out?) when it works.

If I do this, I end up reverting as the router becomes unpingable - am I missing something here?

See: Trouble with vlans - #4 by darksky

Thanks

Been experimenting

As soon as I turn on any form of VLAN filtering, e.g. add a VLAN which is not even used, the router becomes unpingable. I will paste my network config shortly.

Maybe this is an issue with DL-WRX36 and I need to take a snapshot build.

I soft bricked it and had to make use of reset, so the setup is very simple at the moment.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '..removed..'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'

Edit: Moved to today's snapshot build; no change. Am I doing this right? Should just the following on top of the above cause loss of network:

I think the DL-WRX36 doesn't work with DSA... in which case how do I do this.

OK, seems I have the same issues as this post. But it's not clear what LuCI does that I won't be doing in the config files!

What is your goal in terms of the port-VLAN membership? From your picture, it seems that you want to have VLAN 1 untagged on all ports and VLAN 1003 tagged on all ports. Typically, you only need the guest network tagged on the port(s) that are trunk (i.e. carrying multiple networks). Trunks typically go between routers and switches/APs, but not to end devices (most end devices are not VLAN aware).

For ethernet:

  • What port is used as the uplink to your main router?
  • What port(s) do you want to be the regular lan?
  • What port(s) do you want to be the guest network?
  • Are there any downstream trunks needed (i.e. to other APs or managed switches)?

And are you trying to set up this dumb AP to also broadcast the guest wifi SSID?

Thanks yes, I only need 1003 to be tagged on the wan port and have just been trying different vlan configs to see if there's one that works and if there's a difference across the ports. I thought I had just misunderstood everything but..

I now have found the forum thread on DL-WRX36, which is about a 3 hour read; it's a DL-WRX36 issue when you switch on VLAN filtering from LuCI .. it breaks. Apparently I just need to use the config files and not LuCI (don't know why yet / I don't know what the difference is in how the config is generated) - issue without LuCI might be more how can I avoid soft bricking if the config doesn't work and has the same impact.

Although tbh if I tag on all ports that would replicate exactly the way the Apple devices work... on two of these the wan port died in a lightning storm but their lan ports work just the same. Difference is I have no fine grained control over those (OpenWrt not available yet, they are Kirkwood devices) - OpenWrt might extend their useful life a bit, as it is I will likely just keep one online (with a few in a cupboard as replacements!) for its journalled file share... (I read that we can share HFS on OpenWrt but not journalled / journalled is unreliable)

I think before I go any further I probably need to set the device up for USB image recovery to minimise the risk I need to get a serial cable out.

If I could edit the title of this I would now make it clear this is DL-WRX36 so others can find it. I had initially assumed that because I was new to DSA that I was missing something. There was one thing in that I didn't know DSA automatically creates the vlan devices and know that now.

Update

I was able to get it working seamlessly using config files, based on a share from another forum user and extrapolating a bit.

I had DHCPOFFER issues (not being received reliably) with Guest until I moved the device directly onto my star network. I can now bind wifi to the Guest network and it works. Hope this helps someone else thinking of taking out an AirPort Extreme and swapping in a DL-WRX36 or indeed another router where DSA isn't working.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'wan:u'
	list ports 'lan1:u'
	list ports 'lan2:u'
	list ports 'lan3:u'
	list ports 'lan4:u'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	option delegate '0'
	list dns '192.168.1.1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1003'
	list ports 'wan:t'

config device
	option name 'br-lan.1003'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1003'

config interface 'Guest'
	option proto 'none'
	option device 'br-lan.1003'
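
The port-membership points raised in the thread (guest VLAN tagged only on the trunk port, at most one untagged VLAN per port, interfaces bound to `br-lan.N` as in the working config) written as a lint over a network config file. This is an added example, not part of the original posts: the function name `audit_vlans`, the finding names and the sample config are constructed for illustration, and only the explicit `:u` / `:t` port flags are interpreted.

```shell
#!/bin/sh
# Added example, not from the thread. Finding names are made up for illustration;
# only explicit :u / :t port flags are interpreted.
audit_vlans() {  # usage: audit_vlans <config-file> <trunk-port> <guest-vid>
    awk -v trunk="$2" -v guest="$3" -v q="'" '
    { gsub(q, "") }                                  # strip UCI quoting
    $1 == "config" { type = $2; s++; next }
    type == "bridge-vlan" && $2 == "device" { bdev[s] = $3; filtered[$3] = 1 }
    type == "bridge-vlan" && $2 == "vlan"   { bvid[s] = $3 }
    type == "bridge-vlan" && $2 == "ports"  { bports[s] = bports[s] " " $3 }
    type == "interface"   && $2 == "device" { ifdev[$3] = 1 }
    END {
        for (i = 1; i <= s; i++) {
            if (!(i in bvid)) continue
            defined[bdev[i] "." bvid[i]] = 1
            n = split(bports[i], p, " ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, ":")                  # f[1] = port, f[2] = flags
                if (f[2] ~ /u/) {                    # one untagged VLAN per port
                    if (f[1] in untag) print "multi-untagged " f[1] " " untag[f[1]] " " bvid[i]
                    untag[f[1]] = bvid[i]
                }
                if (bvid[i] == guest && f[2] ~ /t/) {
                    if (f[1] == trunk) ok = 1
                    else print "tagged-off-trunk " f[1] " " guest
                }
            }
        }
        if (!ok) print "guest-not-on-trunk " trunk " " guest
        for (d in ifdev) {
            n = split(d, f, ".")
            if (d in filtered) print "bare-bridge " d
            else if (n == 2 && (f[1] in filtered) && !(d in defined)) print "undefined-vlan " d
        }
    }' "$1"
}

# Constructed sample: guest VLAN also tagged on lan1, lan left on the bare bridge.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config bridge-vlan
    option device 'br-lan'
    option vlan '1003'
    list ports 'wan:t'
    list ports 'lan1:t'
config interface 'lan'
    option device 'br-lan'
EOF
audit_vlans "$sample" wan 1003
```

On the AP this would be run as `audit_vlans /etc/config/network wan 1003` before restarting the network; no output means none of the checks fired.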