I have a Linksys E8450 (UBI) that I use as a bridged access point with multiple VLANs and SSIDs: I have the WAN port configured as a trunk that goes into my router.
The configuration works, but long-lasting connections to the device itself - for example SSH or uploading a new firmware image for sysupgrade - get interrupted after a few seconds, preventing it from working. The only way I can actually run a sysupgrade is by resetting settings to default, upgrading and then restoring the previous config.
Here are screenshots of the relevant sections in the config: have I done something wrong?
Does it matter to this behavior how you're connecting to it? Does it behave the same whether you're connecting via the router-trunk path vs via its own wifi or via one of its other switch ports?
(I do something very similar, but haven't upgraded from 21.x so it's using the old switch config rather than DSA. Works fine, though I did take the "WAN" port out of the bridge because for some obscure reason I didn't bother to chase down, mDNS broadcasts wouldn't cross between the "LAN" and "WAN" ports. But that's an aside. IPQ4018-based device, known for some switch weirdness.)
I usually connect via the trunk even for directly connected devices: I have my devices on the main VLAN (tag 10) and the WebUI listening on the Mgmt one (tag 5), so the traffic needs to go through the trunk to the main router and back.
I tried having the WebUI listening on an IP in the main VLAN and connecting directly to it via WiFi, so traffic does not go through the trunk and sysupgrade worked.
Double checked the firewall rules on the main router and don't see anything wrong there either.
I tried what you recommended and I immediately lost connectivity to the device.
Pinging the MGMT IP address kept failing until the configuration reverted due to the failsafe.
It's really weird since if I do a tracert to the MGMT IP address (when connectivity works and MAIN also has an IP) I can see the main router as the first hop, as I would expect.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
My basic approach is, if you plug any downlink device into any ethernet port on the network, you get access to the main network, without any extra configuration - as long as your device can auto-configure via DHCP (which should be the default for most ethernet-enabled devices), you're good to go.
The rest of the network is tagged, and I break them out on every AP, so that I can attach them to appropriate WLANs.
I've just tested a larger (1GB) scp transfer to my router (to an attached USB dongle), and I saw no interruptions whatsoever.
Are you accessing the device from a host in the mgmt or main network?
The device has a default gateway from the main network, so the change in the configuration may be affecting the packets, and you experience the interruption when saving.
Isn't the point of a trunk to have everything tagged? I don't understand the purpose of having untagged traffic on trunk ports: yes, the router is meant to resolve VLAN tags.
I have some ports on different VLANs than the main as a way to sanity check the config by just plugging stuff in. And I'd like the access point to only have an IP on the MGMT VLAN and be completely transparent everywhere else.
I went into interfaces and set MGMT's IP config to have the gateway as metric value 1 and after that setting the MAIN interface as unmanaged didn't break connectivity.
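As an added illustration (not code from the thread or from OpenWrt itself), the following script lays out the AP-side /etc/config/network shape the discussion converges on, with a small audit that lists every interface carrying a default gateway and its metric. The "before" config has both main and mgmt static with a gateway and no metric, so two default routes compete; the "after" config keeps the wan port as a tagged trunk for VLANs 5 and 10, gives only mgmt an address (gateway with metric 1) and leaves main as proto none. Port names (wan, lan1..lan4) are the E8450's DSA names, VLAN ids 5 and 10 follow the thread, and the 192.168.5.0/24 and 192.168.10.0/24 addresses are constructed placeholders. The audit assumes netifd's default metric of 0 when the option is absent; on a live device, `ip -4 ro li tab all` shows which routes were actually installed.

```shell
# Constructed "before" config: two static interfaces, each with a gateway and
# no metric, which is the state that lost connectivity in the thread.
NETWORK_BEFORE=$(cat <<'EOF'
config interface 'main'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'

config interface 'mgmt'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '192.168.5.2'
	option netmask '255.255.255.0'
	option gateway '192.168.5.1'
EOF
)

# Constructed "after" config: wan is a tagged trunk for both VLANs, only mgmt
# has an IP and a (metric 1) gateway, main is unmanaged on the AP.
NETWORK_AFTER=$(cat <<'EOF'
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'wan:t'
	list ports 'lan1'
	list ports 'lan2'

config interface 'mgmt'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '192.168.5.2'
	option netmask '255.255.255.0'
	option gateway '192.168.5.1'
	option metric '1'

config interface 'main'
	option device 'br-lan.10'
	option proto 'none'
EOF
)

# Print "<interface> <metric>" for every interface stanza that sets a gateway.
# A missing metric is reported as 0 (netifd's default).
gateway_metrics() {
    printf '%s\n' "$1" | awk -v q="'" '
        function flush() { if (name != "" && gw != "") print name, metric }
        $1 == "config" { flush(); name = ""; gw = ""; metric = 0 }
        $1 == "config" && $2 == "interface" { name = $3; gsub(q, "", name) }
        $1 == "option" && $2 == "gateway" { gw = $3 }
        $1 == "option" && $2 == "metric" { metric = $3; gsub(q, "", metric) }
        END { flush() }'
}

# Succeed (exit 0) only when no two gateway-carrying interfaces share a metric,
# i.e. there is an unambiguous preferred default route.
unique_gateway_metrics() {
    dups=$(gateway_metrics "$1" | awk '{ print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

echo "before:"; gateway_metrics "$NETWORK_BEFORE"
unique_gateway_metrics "$NETWORK_BEFORE" || echo "  -> competing default routes"
echo "after:"; gateway_metrics "$NETWORK_AFTER"
unique_gateway_metrics "$NETWORK_AFTER" && echo "  -> single preferred default route"
```

The audit only reads the config text, so it can be run against the output of `uci export network` copied from the device without touching the live network.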
Isn't the point of a trunk to have everything tagged? I don't understand the purpose of having untagged traffic on trunk ports: yes, the router is meant to resolve VLAN tags.
You're right, I misread your config.
In my setup, there's no dedicated "trunk" port. Every port can be trunk, and I rely on STP to avoid loops (not that my setup is complex enough for loops unless I plug the same cable on both ends into the same device). And since I have flatmates, I found it best to leave VLAN 1 untagged throughout the network, so any LAN client can plug-and-play access it, while the other networks are resolved via the tags, where needed (gateway and APs that act as ethernet-wlan bridge).
I have some ports on different VLANs than the main as a way to sanity check the config by just plugging stuff in.
Ah okay, I see.
And I'd like the access point to only have an IP on the MGMT VLAN and be completely transparent everywhere else.
My setup could be transparent on the non-mgmt networks as well - just need to set those networks as Unmanaged and donezo.