Issue with dumb AP and VLAN

Hi all,

I'm experiencing a weird issue with an update of my current setup. Here are the details:

  • :white_check_mark: Current setup, working fine so far:

    • nanopi r5s (rockchip) with openwrt 23.05.03 (snapshot build) as the main router, several VLANs are configured here.
    • xiaomi 4a Gigabit (MT7621) with 23.05.02 as a dumb AP with several SSIDs.
  • :x: Updated setup, with issues found.

    • same main router
    • replacing the 4a with a glinet b1300 (ipq40xx) with 23.05.03 now that it supports DSA :smiley: (and I'll relocate the xiaomi)

I'd expected the AP switch to be an easy task, given that the config of the 4a should transfer easily to the b1300 now that it supports DSA, but after doing the initial bits of configuration I noticed some issues on the b1300 when I started testing client access:

  • The interface using the VLAN in the AP would only provide an IP to some devices. This happens either via SSID association or via cable. I have no idea what's going on, as for example an android device would be just fine, but then the macbook, a chromecast and another openwrt-based router would fail to get an IP upon association. I did enable extra logging in the main router and I did verify that there are DHCP entries related to these, and yes, there are relevant DHCPOFFER(br-lan.10) <expected IP> <MAC> entries.
  • The clients that do not get the IP, like the macbook, cannot ping the gateway even if a manual IP is set.
  • The clients that connect fine behave just as expected with all connectivity checks passing.
  • This only happens if the connectivity from the main router -> AP is done via tagged traffic. If I set the traffic to be untagged, the AP shows no issues on providing connectivity and then it works as expected.
  • This only happens with the r5s + b1300. For sanity I set up an additional interface with DHCP and VLAN in the Xiaomi for testing it acting as a main router, and then the b1300 acting as AP for this interface was just fine.
  • An interesting side effect I noticed is that after attempting a connection to the AP's SSID with the macbook, observing the IP connectivity failure, and associating back to a 3rd AP that I'm using for the trusted lan, there's no connectivity at all to the b1300 gateway for a brief period of time, and eventually it'd be accessible again. The error I'm getting from an nc port check is 192.168.10.2 port 80 (tcp) failed: Host is down. Interestingly, other devices will be able to access this gateway with no issues for all this time.

I have no idea what's going on here. There may be an obscure issue on either the r5s, the b1300 or in the combination of both, or I may be missing something obvious in the configuration. Either way, I find it really confusing that:

  • the same config on the xiaomi 4a has no issues
  • the issues on the b1300 only manifest on some devices.

Can anybody help me to further debug this as I'm now out of ideas?

I'm happy to include the config of the main router and AP in a follow up post if needed.

Thanks!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Config files:

Main router

root@router-squashfs:~# ubus call system board
{
	"kernel": "6.1.82",
	"hostname": "router",
	"system": "ARMv8 Processor rev 0",
	"model": "FriendlyElec NanoPi R5S",
	"board_name": "friendlyarm,nanopi-r5s",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r25676-2feedab805",
		"target": "rockchip/armv8",
		"description": "OpenWrt SNAPSHOT r25676-2feedab805"
	}
}
$ cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option fullcone '1'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'lan'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option input 'ACCEPT'
	list network 'lan'
	list network 'vpn'
	list network 'dmz'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option fullcone4 '1'
	option fullcone6 '1'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'iot'
	option output 'ACCEPT'
	list network 'iot'
	option input 'REJECT'
	option forward 'REJECT'

config zone 'docker'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option name 'docker'
	list network 'docker'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'IOT DHCP and DNS'
	option src 'iot'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.10.1'
	option dest_port '51820'

config rule
	option name 'guest DHCP & DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	list network 'guest'
	list network 'caseta'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config rule
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	option name 'mDNS-iot'
	list proto 'udp'
	option src '*'

config zone
	option name 'cam'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'cam'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'cam'

config rule
	option src 'cam'
	option target 'ACCEPT'
	option name 'cam NTP'
	list proto 'udp'
	list dest_ip '192.168.10.1'
	option dest_port '123'

config rule
	option name 'cam DHCP & DNS'
	option src 'cam'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'mqtt IOT'
	list proto 'tcp'
	option src 'iot'
	option dest 'lan'
	list dest_ip '192.168.10.226'
	option dest_port '1883'
	option target 'ACCEPT'

config rule
	option name 'mqtt CAM'
	option src 'cam'
	option dest 'lan'
	list dest_ip '192.168.10.226'
	option dest_port '1883'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config redirect 'adblock_guest53'
	option name 'Adblock DNS (guest, 53)'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_iot53'
	option name 'Adblock DNS (iot, 53)'
	option src 'iot'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'
$ cat /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option port '53'
	option logdhcp '1'
	#option quietdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config domain
	option name 'ap'
	option ip '192.168.10.2'

config dhcp 'caseta'
	option interface 'caseta'
	option limit '150'
	option leasetime '12h'
	option start '0'

config dhcp 'dmz'
	option interface 'dmz'
	option leasetime '12h'
	option start '0'
	option limit '100'

config dhcp 'cam'
	option interface 'cam'
	option start '100'
	option limit '150'
	option leasetime '12h'

config domain
	option name 'router'
	option ip '192.168.10.1'
$ cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:ab:cd::/48'
	option packet_steering '1'

config device
	option name 'eth0'
	option macaddr REDACTED

config interface 'wan'
	option proto 'pppoe'
	option device 'eth0.100'
	option username REDACTED
	option password REDACTED
	option ipv6 'auto'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option delegate '0'
	option mtu '1436'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	option ipv6 '0'

config device
	option name 'eth1'
	option macaddr REDACTED
	option ipv6 '0'

config device
	option name 'eth2'
	option macaddr REDACTED
	option ipv6 '0'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'
	option device 'br-lan.10'
	option delegate '0'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'iot'
	option proto 'static'
	option netmask '255.255.255.0'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth1'
	list ports 'eth2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth2:t'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option name 'br-lan.30'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'eth2:t'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '60'
	option name 'br-lan.60'
	option ipv6 '0'

config interface 'caseta'
	option proto 'static'
	option device 'br-lan.60'
	option ipaddr '192.168.60.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option netmask '255.255.255.247'

config bridge-vlan
	option device 'br-lan'
	list ports 'eth2:t'
	option vlan '40'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option name 'br-lan.40'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '50'
	option name 'br-lan.50'
	option ipv6 '0'

config interface 'dmz'
	option proto 'static'
	option device 'br-lan.40'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.248'

config interface 'cam'
	option proto 'static'
	option device 'br-lan.50'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'eth2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '60'
	list ports 'eth2:t'

b1300 AP

$ ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "GL.iNet GL-B1300",
	"board_name": "glinet,gl-b1300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}
$ cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda1:db0a:380b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-eth'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option type 'bridge'

config device
	option type 'bridge'
	option name 'br-eth'
	list ports 'eth0'
	list ports 'wan.10'
$ cat /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key REDACTED

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'test'
	option encryption 'psk2'
	option key REDACTED
	option network 'lan'
$ cat /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'hybrid'
	option ra 'hybrid'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
$ cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

Your B1300 has a bunch of issues. I'd recommend resetting to defaults and then configuring from scratch. It shouldn't be hard. Post the default /etc/config/network file (feel free to adjust the lan address, but don't make any other changes).


Thanks for taking a look!

Here's the B1300's default /etc/config/network file with just the lan IP change:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdba:5bf2:0d8e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

I'd be interested anyways in knowing what bits of my existing config have issues. Could you share your thoughts?

It's probably easiest to simply show the correct syntax for what you are trying to achieve as compared to explaining the things that were wrong in the previous config.

That said:

  • What port (lan1, lan2, or wan) is used as the uplink on the B1300?
  • What is the expected VLAN-port membership
    • presumably all VLANs are present on the uplink, are they all tagged or is one untagged? If one is untagged, which one?
    • what VLAN IDs are in use (it looks like VLAN 10, 20, 30, 40, 50)?
  • What should the other port(s) have for their VLAN membership?

wan. It's using tagged traffic (VLAN 10), in the network config I noted above I use wan.10 for it.

VLANs 10 to 50 are present on the uplink, with nothing being untagged. 4 out of 5 of these VLANs are in use in the Xiaomi AP I have currently in service. I'm planning to do the same with the b1300, but I started with VLAN 10 for validating it first.
It's worth mentioning that my b1300 setup attempt was successful with an untagged VLAN 10 in the uplink, and using wan for it (as opposed to wan.10).

I have no requirements for the time being for having any device using these ports in the AP. I may just use an untagged VLAN 10 in the future.

I hope this fully answers your questions!

Delete these:

Add wan to br-lan:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

Create bridge-VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'wan:t'

Then edit the lan to use br-lan.10:

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

and create unmanaged interfaces for the rest of the VLANs:

config interface 'vlan20'
	option device 'br-lan.20'
	option proto 'none'

config interface 'vlan30'
	option device 'br-lan.30'
	option proto 'none'

config interface 'vlan40'
	option device 'br-lan.40'
	option proto 'none'

config interface 'vlan50'
	option device 'br-lan.50'
	option proto 'none'

Now you can create wifi SSIDs for each of your VLANs and connect them to the respective network interface.

Don't forget to restart your AP to ensure everything gets reloaded.

Thanks. It works as expected now, I really appreciate your help and the proposed approach.

After doing the AP switch, I've seen some weird temporary lack of internet connectivity to lan from just two of my devices; this persisted across router and AP reboots, but somehow went away after a few minutes :confused:

Weirdly enough, the connectivity was lost both from the AP's SSID and from a non-openwrt AP I have hooked to the router.

Are there still problems? If so, we can tackle them... possibly in a new thread.

In principle no more issues as of yet; the lack of connectivity from these two particular devices (macbook and android phone) I mentioned is now fine. I'll monitor the setup for a few days and open a new thread if I see it occurring again.

It'd be very interesting to know what happened, as I don't see what kind of effect a new dumb AP can have on the router!

Thanks again!

Just adding one note of what I think could've happened.

The lan interface had the same IP range as the uplink's, and this AP interface had the DHCP server enabled. The lack of connectivity I mentioned had some short windows where the devices would be able to get network connectivity.

At some point I noticed the DHCP server thing and disabled it; I have had no issues since.
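As an added example (not code from this thread or from OpenWrt itself), a small Python lint that parses UCI config text and checks the two points the bridge-VLAN fix above and the closing DHCP note rely on: every br-lan.N an interface uses must have a bridge-vlan entry on br-lan carrying the uplink tagged (and the uplink must itself be a bridge port), and no `config dhcp` section on a dumb AP may still serve DHCPv4 next to the real router. The function names and the AP_NETWORK / AP_DHCP samples are assumptions, constructed from the corrected B1300 layout.

```python
"""Lint an OpenWrt dumb-AP config for this thread's two pitfalls: a br-lan.N with no
bridge-vlan N carrying the uplink tagged, and a DHCP server left enabled on the AP.
AP_NETWORK / AP_DHCP below are constructed samples modelled on the corrected layout."""
import re

def parse_uci(text):
    """Minimal UCI parser: list of {type, name, opt: {k: v}, list: {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        w = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", raw)]
        if not w or w[0].startswith("#"):
            continue
        if w[0] == "config" and len(w) > 1:
            sections.append({"type": w[1], "name": w[2] if len(w) > 2 else None, "opt": {}, "list": {}})
        elif w[0] == "option" and len(w) > 2 and sections:
            sections[-1]["opt"][w[1]] = w[2]
        elif w[0] == "list" and len(w) > 2 and sections:
            sections[-1]["list"].setdefault(w[1], []).append(w[2])
    return sections

def check_bridge_vlans(sections, bridge="br-lan", uplink="wan"):
    """Uplink must be a bridge port; each br-lan.N in use needs a bridge-vlan N with uplink tagged."""
    problems, vlan_ports, wanted, bridge_ports = [], {}, set(), []
    for s in sections:
        o, dev, ports = s["opt"], s["opt"].get("device", ""), s["list"].get("ports", [])
        if s["type"] == "device" and o.get("name") == bridge:
            bridge_ports = ports                      # ports of the DSA bridge itself
        elif s["type"] == "bridge-vlan" and dev == bridge:
            vlan_ports[o.get("vlan")] = ports         # VLAN id -> member ports
        elif s["type"] == "interface" and dev.startswith(bridge + "."):
            wanted.add(dev.split(".", 1)[1])          # VLAN ids some interface relies on
    if uplink not in bridge_ports:
        problems.append(f"uplink {uplink} is not a port of {bridge}")
    for vid in sorted(wanted):
        if vid not in vlan_ports:
            problems.append(f"{bridge}.{vid} used but no bridge-vlan {vid} on {bridge}")
        elif f"{uplink}:t" not in vlan_ports[vid]:
            problems.append(f"bridge-vlan {vid} does not carry {uplink} tagged")
    return problems

def dhcp_servers_enabled(sections):
    """Names of 'config dhcp' sections that would still answer DHCPv4 on a dumb AP."""
    return [s["name"] for s in sections if s["type"] == "dhcp"
            and s["opt"].get("ignore") != "1" and s["opt"].get("dhcpv4") != "disabled"]

AP_NETWORK = """
config device
	option name 'br-lan'
	list ports 'lan1'
	list ports 'wan'
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'wan:t'
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'wan:t'
config interface 'lan'
	option device 'br-lan.10'
config interface 'vlan20'
	option device 'br-lan.20'
"""
AP_DHCP = "config dhcp 'lan'\n\toption interface 'lan'\n\toption ignore '1'\n"
```

Feed it the real files with `parse_uci(open("/etc/config/network").read())` on the AP; an empty list from both checks is the state the thread ended in.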