Hello! I've been following some guides to configure a router-on-a-stick using a Raspberry Pi and a managed switch that seem to work. Now I'd like to add an access point to this network, but I haven't found a way to do it yet. I've tried to replicate the steps written on this and on this guides without success.
This is what I have:
Raspberry Pi 5
Zyxel GS1200-5
Ubiquiti U6 Plus
VLAN configuration:
PVID 10 20 20 20 1
Port 1 2 3 4 5
VLAN ID
1 _ _ _ _ U Default
10 U (modem) _ _ _ T (RPi) WAN
20 _ U (PC) U (U6+) U T (RPi) LAN
Using LuCI, the following configuration/changes have been done:
# /etc/config/dhcp (section removed)
uci del dhcp.lan.ra_slaac
# /etc/config/network (section added)
uci add network bridge-vlan # =cfg05a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='10'
uci add_list network.@bridge-vlan[-1].ports='eth0:t'
uci add network bridge-vlan # =cfg06a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='20'
uci add_list network.@bridge-vlan[-1].ports='eth0:t'
uci set network.wan=interface
uci set network.wan.proto='dhcp'
uci set network.wan.device='br-lan.10'
uci set network.globals.packet_steering='1'
uci set network.lan.device='br-lan.20'
These settings seem to be enough to provide Internet connection to a PC and I am able to access the RPi and the switch using their local IP addresses as well, but I am still unable to connect to the AP for its initial setup. What would the next step be?
Is this device running OpenWrt, or the vendor firmware?
I'm assuming that the Pi connects to port 5.
What port does the U6 Plus connect to?
Could you repost this as shown below -- it's much easier to read and verify in plain text (vs the UCI commands).
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
Since you're using a Pi with a single ethernet port, I recommend using direct dotted notation rather than bridge-VLANs. Both approaches are valid, but in this case, I would argue that there is no need for the bridges and it's cleaner/more compact to do it with dotted notation.
Similarly, with the wan, change its device to eth0.10:
config interface 'wan'
option proto 'dhcp'
option device 'eth0.10'
You can then delete these:
Meanwhile, as far as the U6+ is concerned, since you're using the vendor firmware, the specifics to setup and configure that is out of scope here. But the big picture is as follows:
The AP (with Unifi firmware) will default to use DHCP to get an address on your network.
if it can't reach a DHCP server, it has a fallback address of 192.168.1.20
You'll use the Unifi mobile app to setup the AP as 'standalone' or you can use the Unifi Network Application (free, but you need to install UNA on a machine on your network if you don't have a dedicated host for it; it doesn't need to be running 24/7 unless you want to collect statatiscis, otherwise just launch it when you need to make changes).
Plug the AP into port 3 of your switch (you need a PoE injector, of course).
I think the app / UNA will auto-detect the AP, but if not, you can find the IP address in your DHCP leases within OpenWrt.
I was under the impression that my OpenWRT settings missed something because I couldn't connect to the AP using the mobile app, but I did notice earlier that I was able to connect to it using ssh. So I decided to install the app on an Android phone instead and it worked.
Thanks for your tips! Is there anything else you recommend for general use?
Yeah, nothing in your OpenWrt config was incorrect (aside from the suggestions I made, but those were all valid as they were, just not necessarily as clean as they could have been). But if you tried to connect to a web interface on the AP, that wouldn't work (there is only an SSH server). That is where the app (or UNA) comes in.
Great!
Seems like you've got everything working, and no, seems good.
You can always setup additional VLANs for things like guest and iot networks and the like. Your AP supports VLANs, but I've never configured a Unifi AP using the app in standalone mode (I'm used to the UNA), so I'm not exactly sure how intuitive the interface/flow will be for that functionality will be. Pro-tip for setting up additional networks -- configure your switch so that you have access ports (just the single network, untagged + PVID) for each of the new networks to prove out its functionality; then add them to the AP after that is done so you can be confident in the base configs.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
