MAC-based VLAN Pass-thru

Hello everyone,

A while back I posted asking for help to get the Guest Wifi working on my TP-Link EAP615 AP. Got it working (thanks to @psherman), but now I'm looking for a slightly different configuration and I'm hoping that someone with better knowledge can help me out.

Here is the setup....
Arris Modem —> (WAN) pfSense SG2100 (LAN port 2) —> (port 20, VLAN1:u, VLAN20:t, VLAN21:t) Netgear GS728TPv2 (port 19, VLAN1:u, VLAN20:t, VLAN21:t) —> TP-Link EAP615-WALLv1 (port lan0, being used as an AP only).

VLAN1 (LAN/Wired) = 192.168.10.0/24
VLAN20 (Wireless) = 192.168.20.0/24
VLAN21 (Guest Wireless) = 192.168.21.0/24

Here is the output of the following commands

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link EAP615-Wall v1",
	"board_name": "tplink,eap615-wall-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd54:9be4:0da5::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.10.201'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'
	list dns_search 'id3.lan'
	option delegate '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan0:t'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config interface 'WLAN_20'
	option device 'br-lan.20'
	option proto 'none'
	option type 'bridge'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'lan0:t'

config device
	option name 'br-lan.21'
	option type '8021q'
	option ifname 'br-lan'
	option vid '21'
	option ipv6 '0'

config interface 'WLANGuest_21'
	option device 'br-lan.21'
	option proto 'none'
	option type 'bridge'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT40'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan WLAN_20'
	option mode 'ap'
	option ssid 'WiFi'
	option encryption 'sae-mixed'
	option key '**********'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'WiFi_Guest'
	option encryption 'sae-mixed'
	option key '************'
	option network 'WLANGuest_21'

So I can access the AP on the LAN subnet, as I want to keep all devices that are hardwired on the default VLAN for management purposes. WiFi and WiFi_Guest are working (tested on my iPhone and was assigned the proper IP based on the subnet). I would like to have my laptop be a part of the LAN subnet by passing its MAC address to VLAN1. I already have the MAC address of my laptop added to my switch and set it to pass that MAC address to VLAN1. However I can't get it to work with this AP. I keep getting an IP from the WiFi subnet (192.168.20.0/24).

I know the settings for MAC-based VLAN work, as I currently have an R7800 running OpenWRT, and my laptop gets an IP from the LAN subnet. So the settings on the switch are correct and working, it just has to be something on the EAP-615 that I'm missing.

Hopefully someone can help me out. Let me know if you need any other info and I will gladly provide it. TIA :pray: :smile: :call_me_hand:
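
As an added example (not part of the original post, and not OpenWrt project code): a small Python parser that resolves which networks and VLAN IDs each SSID in files like the two posted above is attached to, and lists SSIDs bound to more than one network so the intended segment for each can be checked. The sample strings are constructed, trimmed copies of the posted sections, the function names are hypothetical, and the parser assumes single-quoted values as in the post.

```python
import re

LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Return sections as dicts: {'.type', '.name', option: value, ...}."""
    sections = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({".type": key, ".name": val})
        elif sections and kind == "list":
            sections[-1].setdefault(key, []).append(val)
        elif sections:
            sections[-1][key] = val
    return sections

def ssid_vlans(network_text, wireless_text):
    """Map each SSID to [(network, vid)] using the 8021q device sections."""
    net = parse_uci(network_text)
    vid_of_dev = {s["name"]: int(s["vid"]) for s in net
                  if s[".type"] == "device" and "vid" in s}
    dev_of_if = {s[".name"]: s.get("device") for s in net
                 if s[".type"] == "interface"}
    result = {}
    for s in parse_uci(wireless_text):
        if s[".type"] == "wifi-iface":
            nets = s.get("network", "").split()
            result[s["ssid"]] = [(n, vid_of_dev.get(dev_of_if.get(n))) for n in nets]
    return result

def multi_network_ssids(mapping):
    """SSIDs attached to more than one network; review which segment is intended."""
    return sorted(ssid for ssid, nets in mapping.items() if len(nets) > 1)

# Constructed sample input, trimmed from the configuration posted above.
NETWORK = ("config device\n option name 'br-lan.1'\n option vid '1'\n"
           "config interface 'lan'\n option device 'br-lan.1'\n"
           "config device\n option name 'br-lan.20'\n option vid '20'\n"
           "config interface 'WLAN_20'\n option device 'br-lan.20'\n"
           "config device\n option name 'br-lan.21'\n option vid '21'\n"
           "config interface 'WLANGuest_21'\n option device 'br-lan.21'\n")
WIRELESS = ("config wifi-iface 'default_radio0'\n option network 'lan WLAN_20'\n"
            " option ssid 'WiFi'\n"
            "config wifi-iface 'wifinet2'\n option ssid 'WiFi_Guest'\n"
            " option network 'WLANGuest_21'\n")

if __name__ == "__main__":
    mapping = ssid_vlans(NETWORK, WIRELESS)
    print(mapping, multi_network_ssids(mapping))
```
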

Hi @simon_lefisch

Why don't you use password-based WiFi VLAN?
Dynamic PSK?
As described here

Hi @NPeca75, thanks for the reply.

I would gladly like to try that configuration, however I'm not sure how I would implement that in my setup. Can you give me some guidance to set that up, since I am unfamiliar with that type of implementation?

Hi @NPeca75, so I looked over the feature you were saying to use and I can't get it installed. Apparently one of the library files won't install on my device. If you're able to provide some insight into getting that feature working, I am more than willing to try.

Otherwise, if you or anyone else has any suggestions to get my issue resolved, please let me know. TIA

Looks like I was able to get the password-based VLAN package installed. The OP of this thread confirmed that the SSL package that already comes with the current OpenWRT installer (wpad-basic-mbedtls) is the one to use. I just needed to remove the basic package and install the full package (wpad-mbedtls). Going to try and get it working based on the thread @NPeca75 referenced.

Ok, I was able to get this issue resolved. Installed the correct packages and configuration is done. Going to mark this resolved.

Hi,
sorry @simon_lefisch,
I was busy these days so could not reply to you.
Glad that you solved your problem.