Issue getting WiFi VLAN working on Archer AC1750v5

Hi all, I tried following the tutorial posted here (Basic VLAN setup for router / managed switch / access point), but in the end when trying to connect to the SSIDs, there is no IP issued by DHCP on the main router. Planning on using VLAN 111 as an empty VLAN, 286 for LAN, 531 for Media, and 754 for IoT.

Port 1 is the router, Port 2 is the AP, and Port 4 is what my desktop is connected to on the switch.

I just reset the AP config before making this thread after the failed attempt so that's why there's nothing regarding VLANs on it.

Switch setup

Router ubus call system board

        "kernel": "5.15.150",
        "hostname": "Lenovo",
        "system": "Intel(R) Core(TM) i5-6500T CPU @ 2.50GHz",
        "model": "LENOVO 10MUS17L00",
        "board_name": "lenovo-10mus17l00",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"

Router network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcc:38e1:a48e::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan.286'
        option proto 'static'
        option ipaddr '192.168.1.11'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list dns '9.9.9.9'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns 'xxxx:xxxx:xxxx::xxxx'
        list dns 'xxxx:xx::xx'

config interface 'cjdns'
        option device 'tuncjdns'
        option proto 'none'

config bridge-vlan
        option device 'br-lan'
        option vlan '531'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '286'
        list ports 'eth0:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '111'
        option local '0'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '754'
        list ports 'eth0:t'

config interface 'IoT'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'br-lan.754'

Router dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option noresolv '0'
        option port '54'
        list server '192.168.1.11'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.11'
        list dhcp_option '3,192.168.1.11'
        list dns 'fdcc:38e1:a48e::1'
        list dns '2601:58a:8200:1df0::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'GS1900'
        option ip '192.168.1.156'
        option mac 'xx:xx:xx:xx:xx:xx'

config dhcp 'IoT'
        option interface 'IoT'
        option start '100'
        option limit '150'
        option leasetime '12h'

Router firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'cjdns'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option conntrack '1'
        option family 'ipv6'
        list network 'cjdns'

config rule
        option name 'Allow-ICMPv6-cjdns'
        option src 'cjdns'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option enabled '0'
        option name 'Allow-SSH-cjdns'
        option src 'cjdns'
        option proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option enabled '0'
        option name 'Allow-HTTP-cjdns'
        option src 'cjdns'
        option proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'Allow-cjdns-wan'
        option src 'wan'
        option proto 'udp'
        option dest_port '12376'
        option target 'ACCEPT'

config zone
        option name 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'

config forwarding
        option src 'IoT'
        option dest 'wan'

config rule
        option name 'Allow-IoT-DNS'
        option src 'IoT'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-IoT-DHCP'
        list proto 'udp'
        option src 'IoT'
        option dest_port '67 68'
        option target 'ACCEPT'

AP ubus call system board

        "kernel": "5.15.137",
        "hostname": "AC1750v5",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"

AP network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd26:7096:79af::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.12'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.11'
        list dns '192.168.1.11'

config device
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

AP wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'network'
        option encryption 'psk2'
        option key 'password'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'network'
        option encryption 'psk2'
        option key 'password'

This is, exactly, how a post should be presented:
You explained what is not working and you, preemptively, posted the board and cat calls.

I'm not qualified to untangle your situation, but I'm sure @psherman, when his timezone is right, will interact with you and get this solved.

I wish everyone would post the board and cat calls in their OP.
It is such a waste of time to find out, ~7 replies in, that someone is using an EOL version.

We're going to approach this in multiple steps:

  1. Fix the main router configuration
  2. Verify the switch configuration and use the switch to validate the router config via ethernet
  3. Configure the AP and test with wifi

So, starting with step 1:

Change the lan to use device br-lan

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.11'
        option netmask '255.255.255.0'
        option ip6assign '60'

Not related, but any reason you are using .11 as the router's address on this network? It is customary (but not required) to use the .1 or sometimes .254 address when using /24 networks.

Delete all of this:

Edit The IoT network to use device eth0.754

config interface 'IoT'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'eth0.754'

The last 4 lines can be deleted here:

Delete this:

It is possible you'll have issues with the IoT DNS because it appears you're using AGH or some other DNS related system, but we'll get there in a bit if it is a problem.

Once this is done, reboot your router.

Next, on the switch, configure port 1 such that it carries VLAN 286 as untagged + PVID and VLAN 754 tagged.

Then, on some other ports (maybe 7-8) create access ports for those VLANS...

  • port 7 VLAN 286 untagged + PVID
  • port 8 VLAN 754 untagged + PVID

Now plug your computer into:

  • port 7: make sure it obtains an address in the 192.168.1.0/24 network and that it has internet connectivity. If all is good there...
  • change to port 8 and test the same, but check for 192.168.3.0/24 network. If internet connectivity doesn't appear to work, try pinging 8.8.8.8.

Report back with the results. If anything isn't working, post the updated configurations from the main router.

Hey, I'm posting from my phone because it seems that DNS isn't getting resolved. I can ping 8.8.8.8 successfully from ports 4, 7, and 8. The IP my desktop was assigned on port 7 was 192.168.1.218 and on port 8 it was 192.168.3.218 according to Windows.

As for choosing the .11 address: there's no specific reason for it, I just picked it at random.


Is this correct for the switch config?

Here's the updated router configs.

Network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcc:38e1:a48e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.11'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	list dns '9.9.9.9'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns 'xxxx:xxxx:xxxx::xxxx'
	list dns 'xx:xx::xx'

config interface 'IoT'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option device 'eth0.754'


DHCP


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option noresolv '0'
	option port '54'
	list server '192.168.1.11'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'GS1900'
	option ip '192.168.1.156'
	option mac 'xx:xx:xx:xx:xx:xx'

config dhcp 'IoT'
	option interface 'IoT'
	option start '100'
	option limit '150'
	option leasetime '12h'


Firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'IoT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IoT'

config forwarding
	option src 'IoT'
	option dest 'wan'

config rule
	option name 'Allow-IoT-DNS'
	option src 'IoT'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DHCP'
	list proto 'udp'
	option src 'IoT'
	option dest_port '67 68'
	option target 'ACCEPT'

It's good that you're getting connectivity to the network and the internet in general, but obviously the DNS issue is not insignificant.

What exactly had you done with DNS prior to getting started?

Try restoring the default DNS configuration: delete the entire config dnsmasq section from /etc/config/dhcp and then add this instead (the default DNS config):

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

Then restart and test again.

I followed the AdGuard Home install guide from the OpenWrt wiki (https://openwrt.org/docs/guide-user/services/dns/adguard-home), that's the only thing I can think of.

I'll test the default and report back.

Edit:

I changed it to the default and DNS is getting resolved now.

great.... now we can move on to the AP.

Create a new bridge on the AP for VLAN 754

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth0.754'

And add an unmanaged network interface:

config interface 'IoT'
        option proto 'none'
        option device 'br-iot'

Finally create a new SSID for the IoT network and associate it with the network IoT.

Make sure that port 2 on the switch is configured for VLAN 286 as untagged + PVID and VLAN 754 is tagged.

Restart the AP and test.

I added those lines to the network file on the AP and linked the IoT SSID to the IoT interface, but it's not issuing IP addresses to users. The default network I had works fine though.

oh...my mistake. I forgot to mention we need to add the VLAN to the switch.

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '754'
        option ports '5t 0t'

I don't know what physical port corresponds to logical port 5, but after making this change (and restarting the AP), take a look at Network > Switch in LuCI and you should see tagged for VLAN 754 under one of the ports. Connect the cable to that port and then test again. We can change the port easily if this isn't the one you want to use.

Sorry for the disappearance, my power went out and somehow the switch reset its VLANs (namely the management VLAN I was using) so I had to fix that.

I did as was written (port 5 on my AP corresponds to LAN 4) and it seems to be working! Thanks a lot for your help so far.

Besides trying to ping addresses that are assigned for a specific VLAN, is there a more surefire way of making sure they are actually working?

Also about AdGuard Home's DNS trickery: is that fixable or do I just have to abandon it (or switch to the Adblock plugin)?

Some switches change the config only in RAM until you explicitly save it to nonvolatile memory (I have a TP-Link managed switch that does this). This is presumably a feature to help with recovery -- if you lock yourself out or do other bad things by accident, simply restart the device and it will boot into the last saved configuration (which is presumably a known good state).

Great, and my pleasure.

What you've already done is sufficient to prove the VLANs are functioning -- you're getting addresses and connectivity based on the SSID or ethernet port you use. The rest comes down to verifying that the firewall does what you want (isolation or permissive routing between VLANs, whatever fine-grained control you might want over allow/deny rules, etc.). But that might be a different thread if you need help there.

I don't use AGH, so this is not my wheelhouse. However, make a backup of your configs -- you can always restore to the known good backup should things go south. Then, try following the AGH tutorial again and see what happens. If it fails, open up a new thread about the problems you're having there.

Alright. Thank you so very much for your help!

Which part should I mark as the solution?

Glad I could help!

Whichever you think is the most useful for future readers.
