How to create guest WLAN with VLAN-trunking

I own a TP-Link EAP225 v3 (1 x ethernet, 2 x radio, OpenWrt SNAPSHOT r16906-f36990eae7 / LuCI Master git-21.154.28269-e35041e) and I'm trying to migrate my setup from an existing TP-Link TL-WA901N/ND v3 with a rather old firmware (OpenWrt Barrier Breaker r41181 / LuCI Trunk (svn-r10459)).

My goal is to have the following setup on a "dumbap" (no service, just bridging):

  • administration via VLAN 1 (eth0.1)
  • guest network (VLAN 5) by creating a bridge br-guest with eth0.5 + "guest wlan 5G" + "guest wlan 2G"
  • trusted network (VLAN 3) by creating a bridge br-trusted with eth0.3 + "guest wlan 5G" + "guest wlan 2G"

The administrative access is working fine but I have a problem with the bridges.

In the old web-ui I just had to create an interface, select "Create a bridge over multiple interfaces" and select the members from a checkbox list (e.g. eth0.5 and Wireless Network: Master "my guest wlan") from the "Physical Settings" tab.

In the current web-ui I can no longer create a bridge interface directly. But I can create a bridge-device. Doing so, I can specify the ports of that bridge, but the wlans aren't listed there. I just guessed their names and hit "save" until the edit view presented a wifi icon next to those entries.

Next I created an "interface" and selected the bridge as device.

Finally I edited the wlans and selected the "interface" as "network". I do not understand this particular step, as this is redundant in my opinion. The wlan already had been added to the bridge.

The outcome is a weird mixture: the "trusted" network seems to work fine (but it looks like it takes very long for my device to get an IP address from the external DHCP server). The icons in the interface view don't look like a properly configured bridge but a single lonely adapter.

The guest-network is non-functional. The attached devices (eth0.5, wlan0.1, wlan1-1) are greyed out. eth0.5 is labeled as "Device not present" in the list and "Absent Interface" in the bridge's port list. In the "Interfaces" tab the network looks fine icon-wise (bridge with members).

All documentation I found so far is either describing a different scenario or refers to an outdated UI.

My main questions after spending several hours on that issue:

1. Why could I create eth0.1, eth0.3 but eth0.5 fails?
2. Why aren't the wlans listed in the bridge's port dropdown?
3. How can I tell which wlan-interface belongs to which SSID?
4. Why do I have to specify a network for the wlan and why can there be multiple of them?
5. Where's the difference between br-guest and br-trusted - configuration-wise I cannot see a difference in the UI.

Thanks a lot for any help!

edit: some relevant config files:

/etc/config/network

config interface 'lan'
	option proto 'dhcp'
	option ip6assign '60'
	option device 'eth0.1'
	option delegate '0'

config device
	option name 'eth0.1'
	option ipv6 '0'

config device
	option name 'wlan0'
	option ipv6 '0'

config device
	option name 'wlan1'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'wlan0'
	list ports 'wlan1'
	list ports 'eth0.5'

config interface 'guest'
	option proto 'none'
	option device 'br-guest'
	option type 'bridge'

config interface 'trusted'
	option proto 'none'
	option device 'br-trusted'

config device
	option name 'eth0.3'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-trusted'
	list ports 'eth0.3'
	list ports 'wlan0-1'
	list ports 'wlan1-1'

config device
	option name 'eth0.5'
	option ipv6 '0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'sae-mixed'
	option key '*****'
	option ieee80211w '1'
	option ssid 'radio0-5.2g-guest'
	option network 'guest'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT20'
	option hwmode '11g'
	option cell_density '0'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'radio1-2.4g-guest'
	option encryption 'sae-mixed'
	option key '*****'
	option ieee80211w '1'
	option network 'guest'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option network 'trusted'
	option ssid 'radio0-5.2g-trusted'
	option encryption 'sae-mixed'
	option key '*****'
	option ieee80211w '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'radio1-2.4g-trusted'
	option network 'trusted'
	option encryption 'sae-mixed'
	option key '*****'
	option ieee80211w '1'

Don't select any wireless in the bridge configuration. Only the Ethernet port. Then on the wifi page attach the AP to a network (Create the network first). When you go back to the network page it should show wifis there but not because you checked them. The names of the wifi interfaces are automatically assigned. In the config network file bridge sections there won't be any wifi interfaces, but it will still work.

Try deleting br-guest and starting over. There should be no difference between br-trusted (which does have eth0.3) and br-guest.

Thanks - that looks … different.
I removed the wlans from the bridge and re-built the guest network from scratch. The eth0.5 can successfully be created when this happens during the creation of an "interface" and not as a "device". After the successful creation I switch the interface back to the bridge device.

Now the guest network works fine but the trusted network doesn't. I'll start all over to see if I can reach something deterministic.

1. removed all interfaces and devices (except for the management stuff)
2. assigned wlans to (implicitly created) networks (guest and trusted)
3. created bridge-devices br-guest/br-trusted with (implicitly created) eth0.5/eth0.3 as their only port
4. switched the device of the interfaces from the pre-assigned wlans to the bridge devices.
   (nothing works)
5. reboot (just to make sure)
   (everything works! Makes me wonder how often success was just one reboot away)

Thanks a lot for your help. Now I can finally unpack another two of those access points!
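
The layout the thread converges on (bridge ports hold only the tagged Ethernet uplink, each SSID joins its bridge through "option network") can be checked offline against copies of the two config files, which also confirms that guest and trusted SSIDs land on different VLANs. This is an added example, not part of the thread and not OpenWrt code; parse_uci and audit are hypothetical helpers, and the sample config is constructed from the guest half of the setup discussed above.

```python
import re
UCI_LINE = re.compile(r"^[ \t]*(config|option|list)[ \t]+(\S+)[ \t]*(.*)$", re.M)

def parse_uci(text):
    """Parse UCI text into section dicts; 'list' entries become Python lists."""
    sections = []
    for kind, key, val in UCI_LINE.findall(text):
        val = val.strip().strip("'\"")
        if kind == "config":
            sections.append({".type": key, ".name": val})
        elif sections and kind == "option":
            sections[-1][key] = val
        elif sections:
            sections[-1].setdefault(key, []).append(val)
    return sections

def audit(network_text, wireless_text):
    """Return ({ssid: [vlan ids]}, [findings]) for one AP's two config files."""
    net = parse_uci(network_text)
    bridges = {s.get("name"): s.get("ports", []) for s in net
               if s[".type"] == "device" and s.get("type") == "bridge"}
    ifaces = {s[".name"]: s.get("device", "") for s in net if s[".type"] == "interface"}
    # Assumptions: wireless netdevs are wlanN[-M], tagged uplinks ethN.VID, as in this thread.
    findings = [f"{b}: wireless port '{p}' listed by hand"
                for b, ports in bridges.items() for p in ports if p.startswith("wlan")]
    ssid_vlans = {}
    for w in (s for s in parse_uci(wireless_text) if s[".type"] == "wifi-iface"):
        dev = ifaces.get(w.get("network", ""), "")
        ports = bridges.get(dev, [dev])  # a non-bridge device is its own only port
        vlans = sorted(int(p.split(".")[1]) for p in ports if re.fullmatch(r"eth\d+\.\d+", p))
        ssid_vlans[w.get("ssid", "?")] = vlans
        if len(vlans) != 1:
            findings.append(f"SSID '{w.get('ssid', '?')}': VLANs {vlans}, expected exactly one")
    return ssid_vlans, findings

# Constructed sample: guest half of the thread's layout, with a hand-added wlan port.
NETWORK = """config device
    option type 'bridge'
    option name 'br-guest'
    list ports 'wlan0'
    list ports 'eth0.5'
config interface 'guest'
    option device 'br-guest'
"""
WIRELESS = """config wifi-iface 'default_radio0'
    option ssid 'radio0-5.2g-guest'
    option network 'guest'
"""
print(audit(NETWORK, WIRELESS))
```

An empty findings list together with one VLAN ID per SSID is the state described in the last post; an SSID whose network resolves to no tagged uplink is reported rather than silently mapped.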
