Help with VLANs on AP

First of all I'm sorry if this has been answered here a million times but I have searched far and wide and watched all of OneMarcFifty's videos 10 times trying to figure this out.

I have an Extreme Networks AP3935i with OpenWrt SNAPSHOT r23453+1-5af7d47cd7 / LuCI Master git-23.177.71278-92a7d8e installed and I'm trying to use VLANs to separate my network

I followed this guide https://github.com/dmascord/openwrt/commit/356e98db7cac873dcd1a9c89d6c9360c436f094e for the AP

My router is a virtualized PFsense running on unraid and the two are connected with a vlan aware switch

The router is 10.10.10.1 (with the IoT VLAN on 192.168.40.1), the switch is 10.10.10.2 and the AP is 10.10.10.3.

I would like my trusted devices to use the 10.10.10.x range and the IoT devices to use the 192.168.40.x range.

The AP is connected on eth1; currently eth1 is bridged into br-lan, with a DHCP-client interface on br-lan, so the device acts as a plain (dumb) AP.
I have tried adding a VLAN under Devices with eth1 as the base device and a DHCP-client interface on eth1.10. That interface does get a 192.168.40.xx address, but after assigning it to a wireless network, clients on that SSID never receive an address, so nothing is able to connect.

I also tried bridge VLAN filtering on br-lan device with
VLAN 1 untagged PVID on eth1
VLAN 10 tagged eth1
But when I change the DHCP-client interface to br-lan.1, the Wi-Fi disconnects and LuCI does not come back until the automatic rollback after 90 seconds.

I realise that the AP isn't exactly standard hardware, so I'm not sure whether that is the problem.

Sorry for the wall of text. Any help appreciated.

Are you sure this is the model number? I don't see it in the currently supported devices (I see a 3915i as well as two in the 38 series).

It may be a good idea to upgrade to 23.05.0-RC3.

Have you verified that the router and the trunk are working as expected? My advice is always to use the managed switch to set up an access port (i.e. a physical port carrying just one network, untagged) for each network, to confirm that the upstream devices are working as expected before touching the AP.

Let's take a look at your configuration -- we just need the following files:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
/etc/config/dhcp

# dnsmasq on this AP. The 'lan' interface is a DHCP *client* (see /etc/config/network)
# and the only dhcp section below carries 'ignore 1', so this box presumably never
# answers DHCP/DNS for wireless clients — the pfSense router does. Most options here
# are therefore inert today; the two flagged below still matter if that ever changes.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# NOTE(review): DNS rebind protection is OFF. If dnsmasq here ever serves clients,
	# set this back to '1' so upstream answers pointing into private ranges are dropped.
	option rebind_protection '0'
	option local '/lan/'
	# NOTE(review): 'local' declares lan/ as the local domain but 'domain' is 'Local';
	# '.local' is also the mDNS domain. These should probably both be 'lan'.
	option domain 'Local'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# answer only queries from directly attached subnets
	option localservice '1'
	option ednspacket_max '1232'

# DHCP on 'lan' is disabled ('ignore 1') — correct for a dumb AP: leases for every
# SSID must come from the pfSense router over the trunk, not from the AP. The pool,
# lease time and RA settings are left in place but should have no effect while
# ignore=1 (unverified here; remove them if they cause confusion).
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'hybrid'
	option ra 'hybrid'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

# odhcpd (DHCPv6/RA daemon). maindhcp=0 leaves DHCPv4 to dnsmasq; with the lan
# dhcp section ignored this daemon presumably has nothing to serve either.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static lease: MAC -> 10.10.10.104. NOTE(review): only honoured if dnsmasq on this
# box hands out leases; with 'ignore 1' on lan it does not, so this reservation
# presumably needs to live on the pfSense DHCP server instead.
config host
	option name 'Nostromos'
	option ip '10.10.10.104'
	option mac 'A8:5E:45:3E:69:7B'

/etc/config/network

# Loopback — stock OpenWrt.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix generated at first boot; harmless on a dumb AP.
config globals 'globals'
	option ula_prefix 'fd16:e039:44d7::/48'

# br-lan: bridge containing only the wired uplink eth1 (untagged = VLAN 1 on the
# switch). The two trusted SSIDs join this bridge via 'option network lan' in
# /etc/config/wireless. The MAC is pinned so the upstream DHCP lease stays stable.
config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr 'D8:84:66:E2:EB:1E'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr 'd8:84:66:e2:eb:1e'

# Management address: obtained by DHCP from the router on the untagged/trusted
# network (10.10.10.x per the thread). LuCI/SSH are reachable on this address —
# i.e. from the trusted VLAN only, as long as no addressed interface is ever
# created on the IoT VLAN.
config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

# eth0 is declared (MAC pinned) but is not a member of any bridge or interface in
# this file — presumably the AP's second port, currently unused.
config device
	option name 'eth0'
	option macaddr 'd8:84:66:e2:eb:1d'

/etc/config/wireless


# 5 GHz radio: fixed channel 161, 80 MHz, regulatory domain AU.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '1'
	option country 'AU'
	option channel '161'

# Trusted SSID on 5 GHz, bridged into 'lan' (untagged / trusted VLAN).
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	# NOTE(review): the SSID ends in a trailing space; clients show it as part of
	# the name. Intentional?
	option ssid 'The Academy '
	# WPA2/WPA3 transition mode; 802.11w (management frame protection) set to
	# optional ('1') so WPA2-only clients can still join.
	option encryption 'sae-mixed'
	option key '********'
	option ieee80211w '1'
	# Disables EAPOL key retransmissions (hostapd's workaround for key-reinstallation
	# attacks). Set here but absent on radio1's copy of this SSID — see default_radio1.
	option wpa_disable_eapol_key_retries '1'

# 2.4 GHz radio: fixed channel 13, 20 MHz, regulatory domain AU.
# NOTE(review): channel 13 is legal in AU, but some client radios (notably
# US-region firmware) cannot use it; try 1/6/11 if devices cannot see the SSID.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option channel '13'
	option band '2g'
	option htmode 'HT20'
	option country 'AU'
	option cell_density '1'

# Same trusted SSID on 2.4 GHz, also bridged into 'lan'.
# NOTE(review): unlike default_radio0 this copy does not set
# wpa_disable_eapol_key_retries; the two should match.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'The Academy '
	option encryption 'sae-mixed'
	option key '********'
	option ieee80211w '1'

# IoT SSID, 2.4 GHz only.
# NOTE(review): there is no 'option network' here, so this SSID is not attached to
# any bridge — presumably why nothing that joins it ever gets an address. Once the
# VLAN-10 interface exists it needs `option network 'vlan10'`. For an IoT network
# also consider `option isolate '1'` (clients cannot reach each other over the air)
# and set ieee80211w explicitly, as the other two SSIDs do.
config wifi-iface 'wifinet6'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Iot-Net'
	option encryption 'sae-mixed'
	option key '********'
	option wpa_disable_eapol_key_retries '1'

Based on the config you shared, I would expect this to work in one of two ways...

The first way is based on simple dotted notation:

# Option A — 802.1Q sub-interface. eth1.10 is VLAN 10 as received tagged on the
# trunk (the switch must carry VLAN 10 tagged to the AP's port). A dedicated
# bridge lets a wifi-iface join it with `option network 'vlan10'`.
config device
	option name 'br-vlan10'
	option type 'bridge'
	list ports 'eth1.10'

# proto 'none' = the AP takes no address in the IoT VLAN; it only bridges frames.
# DHCP for IoT clients therefore comes from pfSense over the trunk, and the AP's
# management stays reachable from the trusted VLAN only — keep it 'none'.
config interface 'vlan10'
	option device 'br-vlan10'
	option proto 'none'

or... the second way would be based on bridge-VLAN syntax (note the minor edit to the lan network interface where br-lan becomes br-lan.1):

# Option B — bridge VLAN filtering on br-lan.
# 'eth1:u*' = VLAN 1 untagged and PVID on the uplink; 'eth1:t' = VLAN 10 tagged.
# Wifi-ifaces then attach to br-lan.1 (trusted) or br-lan.10 (IoT).
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth1:t'

# No address on the AP in the IoT VLAN — bridge only (see Option A for why).
config interface 'vlan10'
	option device 'br-lan.10'
	option proto 'none'

# The management interface moves from br-lan to br-lan.1. NOTE: the poster
# reported losing connectivity when making exactly this change earlier in the
# thread, and Option A is what eventually worked; if trying this variant, apply
# it with the LuCI rollback timer, since a mistake here cuts off management.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

Then attach one of your SSIDs to the vlan10 network (`option network 'vlan10'` on that wifi-iface) and see if it works. Note that with `proto 'none'` the AP itself has no address on VLAN 10 — it only bridges frames — so DHCP for those clients has to come from pfSense over the tagged trunk, and it is the pfSense firewall rules between the two VLANs, not anything on the AP, that keep the IoT devices away from the trusted network.

This is predicated on the rest of the system working... there were several questions I asked earlier that were not answered -- please take a look at those and let me know once you've confirmed everything.

That's the switch VLAN config. I hope that answers your question. It's a cheap TP-Link TL-SG105E smart switch.

These are terrible switches. But it should work for your needs.

But your config looks like it should have:

VLAN 1 untagged on all ports
VLAN 10 tagged on ports 1 and 3

I'm guessing your router is port 1 and your AP is on port 3.

I'd recommend setting VLAN 10 untagged (instead of VLAN 1) on one of the ports -- maybe port 5 if it is available (don't forget to set the PVID on that port to VLAN 10, as well). Then plug a computer into port 5 and make sure that it gets an IP and expected connectivity on VLAN 10.


Yes you are correct that router is on port 1 and AP is on port 3.

Did as you suggested with port 5 to test the VLAN and it worked fine with my laptop getting 192.168.40.101

Great. That means that one or both of the two methods I described above should work... I personally prefer dotted notation in cases where it works... I'd recommend giving that a shot.

Forgive me if it's a stupid question (still learning)

But can I add that dotted-notation config to my /etc/config/network file?

Yes, add exactly what I provided previously (feel free to rename br-vlan10 and/or vlan10 as desired, as long as the desired names don't conflict with other names or reserved words):


That worked!

You're a life saver. Thanks for the help, I understand it a bit better now
