How to combine ethernet vlans with batman vlans

Hello Team,

I would like to ask for assistance in adding ethernet vlans to an existing batman vlan mesh network.
It is intended to convert ethernet port lan1 into a vlan trunk.
Trunk port lan1 should attach to a Zyxel managed switch (not running openwrt).
Hosts attached to Zyxel switch should then be divided between vlan 10, 20 and 99.

Existing batman vlans are

  • bat0.10 the LAN network
  • bat0.20 the IOT network
  • bat0.99 the Guest network

The batman network uses an 802.11s wireless mesh backhaul. This node is my gateway, connecting to two other APs.

As far as I understand, my OpenWrt device uses DSA. I managed to configure VLAN filtering, but failed miserably when trying to combine it with the batman VLANs.
The following is the current batman configuration, without any ethernet VLANs.

root@OpenWrt-Main:~# ubus call system board
{
        "kernel": "6.12.66",
        "hostname": "OpenWrt-Main",
        "system": "ARMv8 Processor rev 4",
        "model": "Zbtlink 3000M(WiFi6) ZBT-Z8103AX-C",
        "board_name": "zbtlink,zbt-z8103ax-c",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0-rc4",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32534-12374d88b9",
                "target": "mediatek/filogic",
                "description": "OpenWrt 25.12.0-rc4 r32534-12374d88b9",
                "builddate": "1769726182"
        }
}

root@OpenWrt-Main:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option ula_prefix 'fdxx:xxxx:xxxx::/48'
        option packet_steering '1'
        option dhcp_default_duid '0004e3c01df541bc478b8041fcd3d2aa41ee'

config device 'device_lan'
        option mtu '1500'
        option name 'br-lan'
        option stp '1'
        option type 'bridge'
        list ports 'bat0.10'
        list ports 'lan1'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '64'
        list ipaddr '192.168.xx.1/24'
        option metric '10'
        option ip6weight '10'
        option dns_metric '20'
        option ip6ifaceid 'eui64'
        list dns_search 'my.domain'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option metric '1'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option metric '1'

config interface 'bat0'
        option proto 'batadv'
        option routing_algo 'BATMAN_IV'
        option aggregated_ogms '1'
        option gw_mode 'server'
        option hop_penalty '30'
        option defaultroute '0'
        option delegate '0'
        option bridge_loop_avoidance '1'
        option bonding '1'

config interface 'batmesh5'
        option proto 'batadv_hardif'
        option master 'bat0'
        option mtu '1500'
        option defaultroute '0'
        option delegate '0'
        option device 'br-m5'

config device 'device_iot'
        option bridge_empty '1'
        option mtu '1536'
        option mtu6 '1536'
        option name 'br-iot'
        option stp '1'
        option type 'bridge'
        list ports 'bat0.20'
        list ports 'lan2'

config interface 'IOT'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.yy.1'
        option netmask '255.255.255.0'
        option defaultroute '0'
        option metric '20'
        option ip6assign '64'
        option ip6ifaceid '::20'
        list dns '192.168.xx.1'

config device 'device_m5'
        option bridge_empty '1'
        option igmp_snooping '1'
        option name 'br-m5'
        option stp '1'
        option type 'bridge'
        option mtu '1500'

config interface 'wt0'
        option proto 'external'
        option device 'wt0'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'bat0.99'
        option stp '1'
        option igmp_snooping '1'
        option mtu '1536'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.zz.1'
        option netmask '255.255.255.0'
        option defaultroute '0'
        list dns '192.168.xx.1'
        list dns_search 'my.domain'
        option ip6assign '64'
        option ip6ifaceid '::99'

root@OpenWrt-Main:~# cat /etc/config/dhcp

config dnsmasq 'dnsmasq1'
        option authoritative '1'
        option cachesize '1000'
        option domain 'my.domain'
        option domainneeded '1'
        option ednspacket_max '1232'
        option expandhosts '1'
        option leasefile '/tmp/dhcp.leases'
        option local '/my.domain/'
        option localise_queries '1'
        option localservice '1'
        option readethers '1'
        option rebind_localhost '1'
        option rebind_protection '1'
        option sequential_ip '1'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5055'
        list notinterface 'bat0'
        list notinterface 'batmesh5'
        list notinterface 'wt0'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5055'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '20m'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list dhcp_option '42,192.168.xx.1'
        list dhcp_option '252,"\n"'
        list dhcp_option '44,192.168.xx.1/24'
        option ndp 'relay'
        option ra_preference 'medium'
        list domain 'my.domain'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6_pd '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option hostsdir '/tmp/hosts'
        option piodir '/tmp/odhcpd-piodir'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '20m'
        list dhcp_option '42,192.168.yy.1'
        list dhcp_option '252,"\n"'
        option ndp 'hybrid'
        option ra 'hybrid'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'hybrid'
        list domain 'my.domain'


root@OpenWrt-Main:~# cat /etc/config/firewall

config defaults 'defaults'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'ACCEPT'
        option synflood_protect '1'

config zone 'zone1'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option name 'lan'
        option output 'ACCEPT'
        list network 'lan'
        list network 'bat0'
        list network 'batmesh5'
        list network 'wt0'

config zone 'zone2'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option name 'wan'
        option output 'ACCEPT'
        list network 'wan'
        list network 'wan6'

config forwarding 'forwarding1'
        option dest 'wan'
        option src 'lan'

config rule 'rule1'
        option dest_port '68'
        option family 'ipv4'
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule2'
        option family 'ipv4'
        option icmp_type 'echo-request'
        option name 'Allow-Ping'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule3'
        option family 'ipv4'
        option name 'Allow-IGMP'
        option proto 'igmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule4'
        option dest_port '546'
        option family 'ipv6'
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule5'
        option family 'ipv6'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option name 'Allow-MLD'
        option proto 'icmp'
        option src 'wan'
        option src_ip 'fe80::/10'
        option target 'ACCEPT'

config rule 'rule6'
        option family 'ipv6'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule7'
        option dest '*'
        option family 'ipv6'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option name 'Allow-ICMPv6-Forward'
        option proto 'icmp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule8'
        option dest 'lan'
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option src 'wan'
        option target 'ACCEPT'

config rule 'rule9'
        option dest 'lan'
        option dest_port '500'
        option name 'Allow-ISAKMP'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

# Firewall zone for the IoT network (interface 'IOT', bridge br-iot).
# NOTE(review): input ACCEPT lets any host in this zone reach every service the
# router offers on this interface, not only DHCP and DNS. An IoT zone is usually
# given input REJECT plus explicit rules for the services it needs.
config zone 'zone3'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option name 'iot'
        option output 'ACCEPT'
        list network 'IOT'

# NOTE(review): iot -> lan forwarding lets IoT hosts open connections to LAN
# hosts. This file also carries a lan -> iot forwarding, so the two zones are
# routed to each other in both directions and the VLAN split separates them at
# layer 2 only. If isolating IoT devices is the goal, confirm this is needed.
config forwarding 'forwarding2'
        option dest 'lan'
        option src 'iot'

# Internet access for the iot zone.
config forwarding 'forwarding4'
        option dest 'wan'
        option src 'iot'

# Forward rule (src 'wan', dest '*'): accepts TCP/1883 coming from the wan zone
# for the two listed addresses (presumably MQTT brokers, going by the rule name).
# 1883 is the conventional plaintext MQTT port, so credentials and payloads are
# not protected in transit.
# NOTE(review): no 'config redirect' (port forward) appears in this dump, so
# whether these hosts are actually reachable from outside cannot be told from
# here -- confirm, and keep only the TLS rule below if outside access is needed.
config rule
        option src 'wan'
        option dest '*'
        option name 'Allow MQTT'
        list proto 'tcp'
        option dest_port '1883'
        option target 'ACCEPT'
        list dest_ip '192.168.xx.30'
        list dest_ip '192.168.yy.30'

# Same shape as the rule above, for TCP/8883 (the conventional MQTT-over-TLS port).
config rule
        option src 'wan'
        option dest '*'
        option name 'Allow secure MQTT'
        list proto 'tcp'
        option dest_port '8883'
        option target 'ACCEPT'
        list dest_ip '192.168.xx.30'
        list dest_ip '192.168.yy.30'

# No 'dest' option, so this is an input rule: it accepts TCP/443 from the wan
# zone to the router itself (the LuCI web interface, going by the rule name).
# NOTE(review): this puts the admin login in reach of everything upstream of the
# wan device. Consider narrowing it with 'option src_ip' or reaching LuCI over a
# VPN instead of opening it to the whole wan zone.
config rule
        option src 'wan'
        option name 'Allow secure LUCI'
        list proto 'tcp'
        option dest_port '443'
        option target 'ACCEPT'

# Input rule like the one above, but for TCP/80.
# NOTE(review): port 80 is plain HTTP, so a LuCI password and session cookie
# would cross the WAN unencrypted. 'log 1' records matches; it does not limit them.
config rule
        option src 'wan'
        option name 'Allow LUCI'
        list proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'
        option log '1'

# Guest zone (interface 'guest', bridge br-guest carrying bat0.99).
# NOTE(review): input ACCEPT gives guest clients access to every router service
# offered on this interface (e.g. web admin or SSH, if they listen there --
# confirm). The usual guest setup is input REJECT plus rules that allow only
# DHCP and DNS from the guest zone.
config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

# The only forwarding with src 'guest' in this dump: guests reach the internet,
# not the lan or iot zones.
config forwarding
        option src 'guest'
        option dest 'wan'

# LAN hosts may initiate connections into the iot zone.
config forwarding
        option src 'lan'
        option dest 'iot'


In DSA there is one bridge, then bridge-vlans within that bridge. Add bat0 to the bridge device itself, and bat0:t to the bridge-vlans. (This means the Ethernet and BATMAN VLAN tag numbers for each network must be the same).

To attach a bridge-vlan to an Interface, use the notation bridgename.N. This is the only place where the dot and vlan number syntax is used in a DSA system.


Add bat0 to the bridge device itself

This piece of information may turn out to be the missing link. Never did that during my failing attempts. Will do and report.

It turned out that the network configuration can’t be completed in LuCI. Both bat0.10 and bat0:t have to be added to the bridge-vlan.

# VLAN 10 (the LAN network) on the DSA bridge br-lan.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        # ':t' marks bat0 as a tagged member of this VLAN.
        list ports 'bat0:t'
        # NOTE(review): lan1 has no ':t' suffix here, although the first post
        # describes it as the trunk port to the switch -- confirm its tagging
        # matches what the switch expects, so VLANs do not mix on that link.
        list ports 'lan1'
        # NOTE(review): lan2 is a port of br-iot in the earlier dump; listing it
        # here puts whatever is plugged into lan2 on the LAN VLAN -- confirm
        # that is intended.
        list ports 'lan2'
        list ports 'bat0.10'

Otherwise batman_adv reports errors about missing VLAN information.