How to set up 2 APs, multiple SSIDs with VLANs

Hi

I am trying to set up 2 devices with OpenWrt 21.02.0 as 2 APs with multiple wireless networks, each connected to its own VLAN.

The network looks roughly like this:

Internet <--> AP1 <--> AP2

I want AP1 and AP2 to advertise the same wireless networks. Each wireless network has a corresponding VLAN. As an example, the "Guest" network has VLAN 43.

On AP1 I have:

LAN1 is connected to external switch (irrelevant to the problem here) and LAN3 is connected to AP2.

On AP2:

LAN1 on AP2 is connected to LAN3 on AP1.

"Guest" wireless network on AP2 is connected to "guest" interface. Guest interface is using "unmanaged" protocol and is br-guest device. br-guest bridge device has one port, i.e. Switch VLAN: eth0.43.

The problem: when I connect with a device to the guest wireless network on AP2, DHCP does not work. DHCP server is on AP1, and when connecting to the Guest wireless network on AP1 then everything works. I tried every combination of VLAN filtering for br-guest on AP2 without success. One thing that looks suspicious is that eth0.43 in VLAN filtering shows "no link":

I am not sure how to debug or proceed. Would anybody have a suggestion what I am doing wrong?

hi @gozdal

maybe I am wrong, but if you have a "switch" menu, then it is an old-style swconfig device
in this case, VLAN filtering is wrong, it is for the new-style DSA config
maybe start from scratch
forget AP2 for now
reset AP1
make changes only in the switch menu
test AP1 / wifis with the corresponding VLANs
when everything is OK, then connect the two trunk ports
on AP2 turn off firewall, dhcp and other unused services
and yes, AP2 is the same kind of swconfig device, so no messing with VLAN filtering

Thanks @NPeca75.
I have no idea if I have DSA hardware or not (AP1 is AVM Fritzbox 4040 and AP2 is Netgear WNDR3700v2).
I tried tinkering with VLAN bridge filtering because it didn't work without it and after trying to read the docs/forum I learned about this and it seemed related to the problem (bridge & VLANs not working together).

Also maybe I wasn't clear: wired switch works fine.
It's only the wireless guest network, which I try to bridge with the guest VLAN, that does not work.
My mobile phone connects to the wireless network but fails to receive a DHCP lease from the server running on AP1. AP2 has no DHCP server configured (dnsmasq is stopped and disabled).

Ok @gozdal

that is the reason why I told you to leave AP2 alone for now
one AP is enough for debugging

so, please try from scratch
AP1, reset
make your VLANs in the switch menu and test them with the managed switch
no wifi this time, no AP2
if it works, then post your /etc/config/network here

When I use AP1 only, everything works fine. I can connect to wireless. Each wireless network has a corresponding network, and devices connected to the wired LAN work fine.

I've simplified a little bit in the first post, indeed I have a managed switch:

Internet -- AP1 -- AP2
               \--switch 

I haven't configured any VLAN bridge filtering on AP1, although I have the tab but "Enable VLAN filtering" is not checked.

Here is my /etc/config/network from AP1:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd3f:ba88:e212::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '172.31.42.1'
	option ip6ifaceid '::1'
	option delegate '0'
	list dns '127.0.0.1'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option hostname 'xxx'
	option broadcast '1'
	option peerdns '0'
	option device 'eth1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config interface 'Guest'
	option proto 'static'
	option delegate '0'
	option force_link '0'
	option type 'bridge'
	list ipaddr '172.31.45.1/24'
	option device 'br-guest'

config interface 'media'
	option proto 'static'
	option delegate '0'
	option ipaddr '172.31.49.1'
	option netmask '255.255.255.0'
	option device 'br-media'

config switch_vlan
	option device 'switch0'
	option vlan '41'
	option vid '41'
	option description 'lan'
	option ports '0t 1t 2 3t'

config switch_vlan
	option device 'switch0'
	option vlan '42'
	option vid '42'
	option description 'media'
	option ports '0t 1t 3t'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.41'

config device
	option name 'br-media'
	option type 'bridge'
	list ports 'eth0.42'

config switch_vlan
	option device 'switch0'
	option vlan '43'
	option vid '43'
	option description 'guest'
	option ports '0t 1t 3t'

config switch_vlan
	option device 'switch0'
	option vlan '44'
	option vid '44'
	option description 'mgmt'
	option ports '0t 1t 3t'

config device
	option name 'eth0'
	option mtu '9000'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.43'

config device
	option type 'bridge'
	option name 'br-mgmt'
	list ports 'eth0.44'

config interface 'mgmt'
	option proto 'static'
	option device 'br-mgmt'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '172.31.48.1'

AP1 has 4 ports (LAN1-4). LAN1 is connected to the switch, LAN3 is connected to AP2:

On the switch (TP-Link TL-SG108E):

When port 3 on the switch is set to VLAN 42, the connected device receives an IP from the "media" DHCP pool (172.31.49.5). When I change port 3 on the switch to VLAN 43, the connected device receives the IP 172.31.45.102, from the "guest" pool.

I hope this shows that AP1 switching/bridging configuration is correct?
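
An added example, not part of the original posts: a small offline checker for an swconfig-style `/etc/config/network` that flags a bridge port such as `eth0.43` when no `switch_vlan` carries that VID tagged to the CPU, and flags `bridge-vlan` filtering sections on a device that has a `config switch` section. The function names, the CPU port number (0, inferred from the `0t` entries in the config above) and the sample input are assumptions; AP2's real configuration is not shown in the thread.

```python
import re

def parse_uci(text):
    """Parse UCI text into (section type, options) pairs."""
    sections = []
    for raw in text.splitlines():
        tok = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", raw)]
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and sections and tok[0] == "option":
            sections[-1][1][tok[1]] = tok[2]
        elif len(tok) >= 3 and sections and tok[0] == "list":
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def check_vlans(text, cpu_port="0"):
    """Flag bridge ports ethX.N whose VID N is not tagged to the CPU (cpu_port is assumed)."""
    secs = parse_uci(text)
    swconfig = any(t == "switch" for t, _ in secs)
    vlans = {o.get("vid", o.get("vlan")): o.get("ports", "").split()
             for t, o in secs if t == "switch_vlan"}
    findings = []
    for t, o in secs:
        if t == "bridge-vlan" and swconfig:
            findings.append(f"{o.get('device')}: bridge-vlan filtering on a swconfig device")
        if t != "device" or o.get("type") != "bridge":
            continue
        for port in o.get("ports", []):
            m = re.fullmatch(r"eth\d+\.(\d+)", port)
            if m and m.group(1) not in vlans:
                findings.append(f"{o.get('name')}: no switch_vlan for VID {m.group(1)}")
            elif m and cpu_port + "t" not in vlans[m.group(1)]:
                findings.append(f"{o.get('name')}: VID {m.group(1)} not tagged on CPU port")
    return findings

# Constructed sample (not from the thread): guest VLAN missing from the switch, filtering enabled.
SAMPLE = """
config switch
config switch_vlan
 option vid '41'
 option ports '0t 1t'
config device
 option name 'br-guest'
 option type 'bridge'
 list ports 'eth0.43'
config bridge-vlan
 option device 'br-guest'
"""

print("\n".join(check_vlans(SAMPLE)))
```

On the router, the same text can be fed in from the output of `cat /etc/config/network`; an empty result means every bridged VLAN sub-interface has a matching tagged CPU entry in the switch configuration.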

hi @gozdal

yes, according to the pictures and your tests, it looks like it is OK
and your config is OK

so, the only thing that I can imagine is one more test
to be certain, try to connect the managed switch to the LAN3 port, it is also a trunk port like LAN1
after that, run the client tests again on the TP-Link switch with pvid 42/43

and if everything is OK, then your config on AP1 is correct

Not sure what I did but it seems that my setup now works!
Thanks for your time @NPeca75

Hi @gozdal
I am glad you made it work
many times starting from scratch is the best option :)