I want a "dumb" VLAN-capable L2 access point - EDUP AX1800

Hello "Gurus"

I'm a super newbie with OpenWRT, but not with networks.

I have (for a week) an EDUP 2660/AX1800 running the latest OpenWrt 24.10.1
My goal is to make a "dumb" VLAN-capable AP that I can just "plop into" my existing pfSense setup.

For starters:
I have disabled dnsmasq & odhcpd in System --> Startup; that's handled by Bind & ISC-DHCPD on my server ... (Yes I know ... KEA ... later)

I have been playing around a bit, and got VLAN to work today ....
After fighting for some time (even Wireshark ...), I finally discovered that I had missed mapping the "Device" under the VLAN IF that I had mapped the SSID to ... d'oh.

Right now i have br-lan mapped to Lan1, Lan2 and my 5GHz 'OWRT-50' SSID.

Vlan steps:
I have removed Lan3 from the br-lan mapping
I have made a new bridge called br-trunk (guess where i was taught networking) :slight_smile:
Mapped it to Lan3
I have made a VLAN 50 interface on that br-trunk, and a VLAN 999 PVID (I hope)

In order to map a WiFi SSID, it seems like I need to make interfaces. WiFi won't map to a device.
So I made:
interface Trunk, made it unmanaged (hoping no IP makes it L2-ish), mapped it to br-trunk
interface Trunk_VL50, made it unmanaged as above, mapped it to br-trunk.50

Is this the (correct/best) way to set up DSA VLANs on my box?
Could I get a "Guru" to do a "small peer review" ...
The setup is still in the "play state", but I know that if I don't make it VLAN capable now,
I might never get the chance (with 20+ IoT thingies on it) ....

Relevant sections below.

TIA
/Bingo

# ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "sv-owrt-01",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "SIM SIMAX1800T",
	"board_name": "sim,simax1800t",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "ramips/mt7621",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}

network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd27:ef90:e0d7::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr 'x:x:x:7B:C2:A7'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'
	option delegate '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'lan3'

config device
	option type 'bridge'
	option name 'br-trunk'
	list ports 'lan3'
	option mtu '1500'
	option txqueuelen '1000'
	option macaddr 'x:x:x:7B:C2:AC'

config bridge-vlan
	option device 'br-trunk'
	option vlan '50'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-trunk'
	option vlan '999'
	option local '0'
	list ports 'lan3:u*'

config device
	option name 'br-trunk.50'
	option type '8021q'
	option ifname 'br-trunk'
	option vid '50'
	option mtu '1500'
	option txqueuelen '1000'
	option ipv6 '1'
	option mtu6 '1500'
	option acceptlocal '1'

config interface 'Trunk'
	option proto 'none'
	option device 'br-trunk'

config interface 'Trunk_VL50'
	option proto 'none'
	option device 'br-trunk.50'
	option defaultroute '0'

config device
	option name 'lan1'

config device
	option name 'lan2'

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'
	option txpower '18'


config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'Trunk_VL50'
	option mode 'ap'
	option ssid 'OWRT-24'
	option encryption 'psk2'
	option key 'Secret-wifi-pwd'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option txpower '18'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OWRT-50'
	option encryption 'psk2'
	option key 'Secret-wifi-pwd'

PS:
The EDUP apparently grabs a random MAC for lanxx & br-lan on boot.
It drove me crazy, because I like to use MAC-locked DHCP for mgmt (makes it easy to move to another segment/site).

So I had to assign a static MAC to the br-lan, in order to match my MAC reservation.
I did the same for my new br-trunk even if it's just used for L2 ...

No. You need to use bridge-vlans on a single bridge (all ports will be a member of the same bridge).

Do not do this. Leave these services running, but explicitly disable the servers via the config files. This is because when you eventually run a sysupgrade, the services may become re-enabled, which will cause problems if your method of disabling the servers was simply stopping the services. The config files will always be respected, though.


I'll do what you say ... Thanks
But why not two bridges - leak risks or lousy performance or ???

Thank you for that important tip ....
I'm quite sure I found the place to disable DHCP (listening)

But where do I disable dnsmasq in the config ??

Thank you for taking your time

/Bingo

As far as DSA's configurations, it generally only supports a single bridge per switch chip, based on the way the DSA subsystem is built. I don't know if there is a performance reason for the way it is built, but there is no penalty for using it with a single bridge.

Yes, that's it.

The rest of dnsmasq will simply sit there idle. The ignore interface disables the DHCP server. The other thing you should do is remove/disable the IPv6 settings in the DHCP server.


Well, I have now "just" enabled VLANs on br-lan
But I had to pull Lan3 out of the bridge, and make a dedicated MGMT IF on that interface.

Whenever I enabled VLANs on the bridge, I lost my management access.

These are my interfaces now

And my devices

I do hope it's OK to pull Lan3 out and make it a "normal/untagged" LAN mgmt IF ...

It's generally unnecessary, but yes, as long as it's used individually (and not added to a different bridge) it is fine.

Is everything working as expected now? If not, please post the text based configs again.

I suppose so ...
I have MGMT (Lan3)
I have an IoT SSID on both 2.4 & 5G on br-lan.50

I get the correct DHCP IP on both SSIDs when connecting via WiFi.

Re:

My mgmt VLAN is VL20.
I currently have no idea how to set the br-lan IF to "pull a DHCP IP from VL20", and "use VL20 as mgmt VLAN".

Can you enlighten me there ??

Then I suppose I can put Lan3 back in the br-lan, and save a switch port

Well, here is my new network in case I have done something crazy.


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd27:ef90:e0d7::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr 'x:x:x:7B:C2:A7'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'none'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'lan3'
	option mtu '1500'
	option macaddr 'x:x:x:7B:C2:AB'

config device
	option name 'lan1'

config device
	option name 'lan2'

config interface 'MGMT_LAN3'
	option proto 'dhcp'
	option device 'lan3'
	option delegate '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '999'
	option local '0'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config interface 'br_lan_VL50'
	option proto 'none'
	option device 'br-lan.50'
	option defaultroute '0'

Add port lan3 back to the bridge:

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr 'x:x:x:7B:C2:A7'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

Create a bridge-vlan for VLAN 20 (here I'm assuming it is tagged on the same trunk that is connected to port lan2):

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:t'

Now edit your management interface to use br-lan.20:

config interface 'MGMT_LAN3'
	option proto 'dhcp'
	option device 'br-lan.20'
	option delegate '0'

That should be all that is necessary.

In the meantime, some other cleanup:
Delete these:

Remove the local line below:

And remove the default route line below:
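To check a config against the advice in this thread before applying it, here is an added example: a hypothetical lint script of my own, not OpenWrt tooling and not something posted by anyone in the thread. It parses UCI syntax as `uci export` writes it (every value in single quotes) from the network, wireless and dhcp files pasted into one string, and flags the points raised above: a port sitting in more than one bridge (the single-bridge rule), an interface with no device or with a `br-lan.<vid>` that has no matching `bridge-vlan` (the missed-device trap from the first post), an SSID whose `network` is not an interface, `defaultroute` on an unmanaged interface, `option local '0'` on a sinkhole VID, and a dhcp section that is not told to `ignore` its interface or still carries the IPv6 server options. The embedded sample config is constructed for the demo, not a paste from anyone's box.

```python
# Hypothetical helper (not an OpenWrt tool) that lints a DSA "dumb AP" config for the
# pitfalls raised in this thread: parse_uci() reads UCI syntax, lint() returns findings.
import re
import sys
from collections import defaultdict

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
VALUE_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'$")


def parse_uci(text):
    """Return sections as {type, name, options: {k: v}, lists: {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            sections.append({"type": m[1], "name": m[2] or "",
                             "options": {}, "lists": defaultdict(list)})
        elif (m := VALUE_RE.match(line)) and sections:
            kind, key, val = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = val
            else:
                sections[-1]["lists"][key].append(val)
    return sections


def lint(sections):
    """Return findings; each one is a mistake the thread discusses (empty = clean)."""
    out, by_type = [], defaultdict(list)
    for s in sections:
        by_type[s["type"]].append(s)

    # DSA: one bridge per switch chip, so a port may belong to at most one bridge.
    bridges = {s["options"]["name"]: s["lists"]["ports"]
               for s in by_type["device"] if s["options"].get("type") == "bridge"}
    owner = defaultdict(list)
    for br, ports in bridges.items():
        for p in ports:
            owner[p].append(br)
    out += [f"port {p} is in {brs}: use one bridge plus bridge-vlans"
            for p, brs in owner.items() if len(brs) > 1]

    # bridge-vlans: 'local 0' is noise, a VID with no interface on it is already a sinkhole.
    vids = defaultdict(set)
    for s in by_type["bridge-vlan"]:
        br, vid = s["options"].get("device"), s["options"].get("vlan")
        vids[br].add(vid)
        if s["options"].get("local") == "0":
            out.append(f"vlan {vid}: drop 'option local 0'")

    # interfaces: device must exist (the SSID-with-no-device trap), a port used directly
    # must not also be bridged, and an unmanaged (proto none) interface has no routing knobs.
    for s in by_type["interface"]:
        dev = s["options"].get("device", "")
        br, _, vid = dev.partition(".")
        if not dev:
            out.append(f"interface {s['name']}: no device mapped")
        elif vid and vid not in vids[br]:
            out.append(f"interface {s['name']}: {dev} has no bridge-vlan")
        elif not vid and dev in owner:
            out.append(f"interface {s['name']}: {dev} is also bridged in {owner[dev]}")
        if s["options"].get("proto") == "none" and "defaultroute" in s["options"]:
            out.append(f"interface {s['name']}: unmanaged, remove 'defaultroute'")

    # wireless: every SSID must attach to an interface that exists.
    names = {s["name"] for s in by_type["interface"]}
    out += [f"ssid {s['options'].get('ssid', '?')}: network {s['options'].get('network')} missing"
            for s in by_type["wifi-iface"] if s["options"].get("network") not in names]

    # dhcp: leave dnsmasq/odhcpd enabled but make them ignore the interface, no IPv6 knobs.
    for s in by_type["dhcp"]:
        if s["options"].get("ignore") != "1":
            out.append(f"dhcp {s['name']}: set 'option ignore 1'")
        out += [f"dhcp {s['name']}: remove IPv6 option '{k}'"
                for k in ("ra", "dhcpv6") if k in s["options"]]
    return out


# Constructed sample, not the thread's config verbatim: the first post's two-bridge layout
# plus an SSID interface that forgot its device and carries a stray defaultroute.
SAMPLE = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan3'

config device
    option name 'br-trunk'
    option type 'bridge'
    list ports 'lan3'

config interface 'Trunk_VL50'
    option proto 'none'
    option defaultroute '0'

config wifi-iface 'default_radio0'
    option network 'Trunk_VL50'
    option ssid 'OWRT-24'
"""

if __name__ == "__main__":  # lint the given /etc/config files, or the built-in sample
    text = "".join(open(f).read() for f in sys.argv[1:]) or SAMPLE
    print("\n".join(lint(parse_uci(text)) or ["no findings"]))
```

Run it with the three files copied off the AP (`python lint_ap.py network wireless dhcp`); with no arguments it lints the embedded sample and prints three findings (lan3 in two bridges, Trunk_VL50 without a device, and the stray defaultroute). The single-bridge layout from the answer above, with `br-lan.20` for management and `option ignore '1'` in the dhcp section, comes back clean.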


Thank you again for all the hints :+1:

I'll do the bridge stuff

Re:
Option local '0' - on VL999
VL999 is my trunk dummy/sinkhole PVID, not used for anything but to prevent VLAN hopping (VL1)
I think I read that local 0 would not even enable an interface, and could be used for this "sinkhole".

Do you still recommend that I remove it ??

Re:
defaultroute '0' on br_lan_VL50
That IF is "unmanaged" and doesn't have an IP; do I still need a defaultroute?
I am trying to get the IF to be "pure L2"
Do I still need to remove that defaultroute '0'?

Appreciate your suggestions very much

VLAN hopping isn't an issue with bridge-VLANs on OpenWrt.

Yes. The "blackhole" element here is that there is no network interface, so the untagged network connection will appear to be dead/inoperative.

Because it's unmanaged, there is no address and no routing. The data passes transparently through the AP to the upstream switch/router. Since no routing occurs on this device, the default route option is meaningless. But it should be removed for hygiene reasons.

It is already.

Yes, you should.

