How do I manage routers in Batman Mesh?

hi,

on the third time of trying I think I have a Batman Adv mesh working. I have a "smart" router with no Wifi connected to the first of 4 Wifi "dumb" routers. Given the mess I made the first two times I set the old LAN interface static so I could always get in (I'd removed the WAN to get an extra ethernet port). Looking at the DHCP leases from the "smart" router they've been given by batman adv IPs: 2 in the new LAN and one each for IoT and Guest. I can plug a wire into an old LAN interface and another into my laptop and control them via the static IP. Can't figure out how to access them normally though. Both my old and New LAN can go to any zone, but I still can't access them. If I connect to each wireless network with my phone the IP V4 changes appropriately. My desktop computer is connected by ethernet to the "smart" router and as I did nothing to any ports except the 1 ethernet cable I think it is the old LAN zone. How do I get from it to the "dumb" routers in other firewall zones and VLANs? I've realised I have no idea how the "dumb" routers get IP V4 addresses at all.

Let's just call it router and access point, ok?
A router moves traffic from network to network. An access point, well, is an access point and it's just a switch.

To your question:
You set up a vlan to be used for network device management and either via dynamic address allocation or via static config you reach your network devices.

I’m happy to call it whatever you want. Before flashing 4/5 on my routers had an AP node that involved NAT, DNS and DHCP serving. And then I’ve had several routers before that used AP mode to differentiate them from an “extender” mode.

I’ve given up on words like “Liberal”, “Zion” or “decimate” and accepted they’re all going to be misused and confuse me. Decimate is particularly stupid because it starts with “Dec”. Anyway…quite happy to use Router and AP.

I have a router on the old LAN, 2 AP on bat0.10 (new LAN), 1 on bat0.20 (guest), 1 on bat0.30 (IoT). If they were all on the same LAN or VLAN it’d be easy as I could just put my computer on it. Are you suggesting creating a new management interface and bridging bat0.10, bat0.20 and bat0.30 each to the Ethernet cable port going into the computer on the router?

Can you post your /etc/config/network?

You introduce another vlan just and exclusively for network management. All your ap, switches, and routers will use an interface on that vlan.

When you configure this network management vlan on all your non router devices you either set a static address or use dhcp and dhcpv6. Simple as that.
You could even use an extra cable just for this management network but at home this hardly makes sense...

Thanks. The IoT network has a combination of management things, such as switches, and non-management things like cameras. It’d probably take ages to move some things to a new network as most don’t have a change wifi option, so I could probably just repurpose the IoT VLAN (bat0.30). Not many things on that network can’t do management anyway. I have some thermometers but they are almost all Zigbee.

If I settle on repurposing the existing IoT VLAN how do I tell the routers to join it? Only 1 AP is on the IoT VLAN currently. And how do I tell my desktop computer which is connected by an ethernet cable to the router to join bat0.30?

I take it that is just a file in that location?

Realised when you said ‘switches’ you did not mean normal switches but just managed Ethernet switches on the local network and I was just using the other meaning of the word and thought you meant all types of switch?

That makes it easier. Say I make a new management interface and link it to bat0.60 how do I put the router, APs, my Computer and my one managed Ethernet switch on it? The computer (W11 currently) and managed Ethernet switch are probably easy as they’re both attached to an Ethernet cable that goes to the main router where the Batman network starts. I assume I can somehow assign ports to a new Batman interface (connected to bat0) or something.

Create a network bridge in devices (say br0) and put all other devices in it including bat0. Then turn on vlan filtering and configure vlans.

I'm not sure I get your question...

How do you setup the management VLAN interface on an AP with batman-adv?
Example: 1 VLAN with an address; 1 VLAN without

# SWconfig (not DSA!)
#######################################################################
# VLAN 16/0x10: net.mgmt
config switch_vlan
    option  device          'switch0'
    option  vlan            '16'
    option  ports           '0t 1t'

config device
    option  name            'br-vlan16'
    option  type            'bridge'
    list    ports           'bat0.16'
    list    ports           'eth0.16'
    option  macaddr         '02:00:12:01:00:10'

config interface            'vlan16'
    option  device          'br-vlan16'
    option  bridge_empty    '1'
    option  igmp_snooping   '1'
    option  proto           'dhcp'

config interface
    option  device          '@vlan16'
    option  proto           'dhcpv6'
    option  reqprefix       'no'


#######################################################################
# VLAN 17/0x11: srv.mgmt
config switch_vlan
    option  device          'switch0'
    option  vlan            '17'
    option  ports           '0t 1t'

config device
    option  name            'br-vlan17'
    option  type            'bridge'
    list    ports           'bat0.17'
    list    ports           'eth0.17'
    option  macaddr         '02:00:12:01:00:11'

config interface            'vlan17'
    option  device          'br-vlan17'
    option  bridge_empty    '1'
    option  igmp_snooping   '1'
    option  proto           'none'

Then you allow access from "LAN" to "MGMT" or however you have called your firewall zones.

Just to check: when you say other devices do you mean the bat0 device and the Ethernet devices with my computer on it?

Apologies, obviously bad question making. I have 2 problems:

  1. my computer is connected to the main Router by Ethernet and is not part of the Batman mesh. How do I add it?
  2. if I create a new management interface and bridge how do I force the Router GUI/SSH addresses and AP GUI/SSH onto it?

Yes, you need to put all devices associated with layer 2 into the bridge. On the upstream router you then do vlan terminations into layer 3.

In addition to what @Darin755 said.

I.e. your router has your home lan as a vlan, and the network management vlan. You add a firewall rule which allows all traffic from lan to MGMT, in the simplest of all cases.
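The router side of the advice above, as an added example that is not part of the original posts: the management VLAN is terminated into layer 3, served by DHCP, and reachable only from the `lan` zone. It assumes VLAN 16 from the AP example, a VLAN-filtering bridge named `br0` that already contains `bat0`, and constructed names and addresses (`mgmt`, `192.168.16.1/24`).

```uci
# --- /etc/config/network (router) ---
# Carry VLAN 16 tagged over the mesh; 'br0' and 'bat0' are assumed names.
config bridge-vlan
    option  device      'br0'
    option  vlan        '16'
    list    ports       'bat0:t'

# Layer-3 termination of the management VLAN (address is constructed).
config interface        'mgmt'
    option  device      'br0.16'
    option  proto       'static'
    option  ipaddr      '192.168.16.1'
    option  netmask     '255.255.255.0'

# --- /etc/config/dhcp (router) ---
# Leases for the APs, whose 'vlan16' interface uses proto 'dhcp'.
config dhcp             'mgmt'
    option  interface   'mgmt'
    option  start       '100'
    option  limit       '50'
    option  leasetime   '12h'

# --- /etc/config/firewall (router) ---
# Dedicated zone: devices on it can reach the router (DHCP, DNS),
# but nothing is forwarded out of it by default.
config zone
    option  name        'mgmt'
    list    network     'mgmt'
    option  input       'ACCEPT'
    option  output      'ACCEPT'
    option  forward     'REJECT'

# The only path in: the home LAN may open connections to mgmt.
# No forwarding is defined from guest, IoT or mgmt itself, so those
# zones cannot reach the AP/switch admin interfaces.
config forwarding
    option  src         'lan'
    option  dest        'mgmt'
```

Replies from the APs to the desktop still work because the firewall tracks established connections; only new connections originating in `mgmt`, guest or IoT towards other zones are refused.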

My guess is that VLAN filtering is all tagged on the bat0 tunnel but untagged only where I want my computer to be and off elsewhere?

Thanks. I think I have it in reverse but will log in now and check my rules.

Oddly now I can manage my APs from my laptop. Not sure I actually did anything other than reboot the router for it to start working. Haven’t attached them to my new management VLAN yet or anything but at least I now have access to them remotely without having to go to them with an Ethernet cable. It was odd how both my new and old LAN had firewall access to all zones and yet I couldn’t manage them.

I’d still like to put them all together on their own VLAN as suggested but the main problem I have today is my Home Assistant OS (on a Raspberry Pi 4) and iHost (a simplified version of Home Assistant) both have Ethernet ports and are on my LAN with static IPs but need to see the IoT zone. I’ve put them both on a switch. Is it possible with just Firewall rules for them to see the IoT zone (lan old and new should go to IoT anyway) or do I need to put the switch in the IoT VLAN?

Replicating or relaying or forwarding local discovery shizzle is possible but is another pair of shoes.

The topic is somehow frequent here, try the forum search first. If you struggle with the config it's best to open up a new topic with the specific issue.