Made a mess: Using as AP, multiple VLAN's, trunked

I had OpenWRT for several years as a firewall, router and AP, running on a LinkSys WRT1900ACS, but put in a real firewall and decided to use this as simply an access point.

So I reset it to defaults and installed 21.02.3.

I thought the setup would be simple, but apparently the way VLAN's work has changed, and there's no switch panel but you do it in config files (right?).

Note there is no WLAN port usage, one cable trunks vlans 131, 132, 134, 136, 137 plus native/pvid VLAN 1 to the OpenWRT system, where they should get connected to different SSID's. VLAN 1 is 192.168.130.x, 131 is 192.168.131, etc. (except VLAN 132 is two class C's).

I have a bridged LAN put together, and from the command line can ping the gateway on each of the VLAN's, and from there to the internet, so the trunking to one of the LAN ports is working, though how I did it is... odd (conf below).

What I cannot make work is linking an AP SSID to the VLAN's. I use the network name in the wireless setup, but it does not seem to work. I can associate, but have no connectivity.

Note I've turned off the firewall. I also have two other AP's that were in place before, and still work, same VLAN's (they are running Engenius' OS not OpenWRT). So the underlying switch VLAN infrastructure is fine.

I am going around in circles now, and would really appreciate a pointer - how do I connect the wlan devices to the VLAN's?

I think these are the two relevant files (wireless and network):

root@OpenWrt:/etc/config# cat wireless

# /etc/config/wireless as first posted: two radios (radio0 on 5 GHz, radio1 on
# 2.4 GHz) carrying seven AP interfaces. Each wifi-iface is tied to a logical
# interface in /etc/config/network through 'option network'.
# Passphrases were replaced with 'redacted' by the poster before publishing.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'

# Main SSID on 5 GHz, attached to the untagged 'lan' network.
# 'sae-mixed' is WPA2-PSK/WPA3-SAE transition mode: clients that fall back to
# WPA2-PSK keep WPA2's exposure to offline guessing of a captured handshake,
# so the passphrase strength still matters.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr '24:f5:a2:bf:1f:0d'
        option encryption 'sae-mixed'
        option key 'redacted'
        # 802.11r fast transition, over-the-DS, with locally generated PSK keys.
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option ssid 'Reboot2'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'

# Same main SSID on 2.4 GHz.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr '24:f5:a2:bf:1f:0c'
        option encryption 'sae-mixed'
        option key 'redacted'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option ssid 'Reboot2'

# Automation SSID (VLAN 132), WPA3-SAE only, with an explicit ifname.
# NOTE(review): ft_psk_generate_local is a PSK-oriented setting; confirm that
# fast transition actually works on the SAE-only SSIDs below.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'RebootAutomation'
        option key 'redacted'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option encryption 'sae'
        option network 'Automation'
        option ifname 'wlan5-132'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'RebootAutomation'
        option key 'redacted'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option network 'Automation'
        option encryption 'sae'
        option ifname 'wlan2-132'

# Guest SSID (VLAN 134) on 5 GHz.
# NOTE(review): no client isolation is set on the guest SSIDs; consider
# option isolate '1' if guests should not reach each other on the same AP.
config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'RebootGuest'
        option network 'Guest'
        option key 'redacted'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option encryption 'sae'

# Second SSID bound to the 'Guest' network on 2.4 GHz (SSID redacted by the
# poster); transition mode, no 802.11r options.
config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Redacted'
        option network 'Guest'
        option encryption 'sae-mixed'
        option key 'redacted'

# SSID for the 'TelescopeAP' network (VLAN 136), 5 GHz only.
config wifi-iface 'wifinet6'
        option device 'radio0'
        option mode 'ap'
        option ssid 'LinkAP'
        option encryption 'sae-mixed'
        option key 'Redacted'
        option network 'TelescopeAP'

root@OpenWrt:/etc/config# cat network

# /etc/config/network as first posted (the non-working attempt on 21.02.3).
# It mixes the pre-DSA 'switch_vlan' sections with DSA-style port names; the
# replies further down the thread replace this with 'bridge-vlan' sections.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddd:9df1:a2ed::/48'

# Bridge over the four LAN ports plus 'eth0'.
# NOTE(review): a later reply states that eth0 should no longer be referenced
# on a DSA build; only the named external ports belong in the bridge.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Management address of the AP on the native/untagged network (VLAN 1).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.130.88'
        option gateway '192.168.130.1'
        list dns '192.168.130.1'
        list dns_search 'redacted'

# NOTE(review): 'switch_vlan' is the older swconfig syntax and normally names
# a 'config switch' device; here it points at the bridge. Presumably these
# sections have no effect on this build - confirm.
config switch_vlan
        option device 'br-lan'
        option vlan '132'
        option ports '0t 1t 2t 3t 4t 5t 6t'

# Each VLAN interface below gives the AP its own static address and gateway in
# that VLAN. With the firewall turned off (as the poster states), the AP's own
# services would be reachable from every one of these networks, including
# Guest. The final config in this thread keeps an address on 'lan' only.
# NOTE(review): a wifi-iface presumably cannot be bridged onto a plain
# 'br-lan.N' sub-interface of a bridge without VLAN filtering, which would
# match the "associates but no connectivity" symptom - confirm.
config interface 'Automation'
        option proto 'static'
        option ipaddr '192.168.132.88'
        option gateway '192.168.132.1'
        # /23 mask: the poster describes VLAN 132 as two class C's.
        option netmask '255.255.254.0'
        option device 'br-lan.132'

config switch_vlan
        option device 'br-lan'
        option vlan '134'
        option ports '0t 1t 2t 3t 4t 5t 6t'

config interface 'Guest'
        option proto 'static'
        option ipaddr '192.168.134.88'
        option gateway '192.168.134.1'
        option netmask '255.255.255.0'
        option device 'br-lan.134'

config switch_vlan
        option device 'br-lan'
        option vlan '136'
        option ports '0t 1t 2t 3t 4t 5t 6t'

config interface 'TelescopeAP'
        option proto 'static'
        option ipaddr '192.168.136.88'
        option gateway '192.168.136.1'
        option netmask '255.255.255.0'
        option device 'br-lan.136'

config switch_vlan
        option device 'br-lan'
        option vlan '137'
        option ports '0t 1t 2t 3t 4t 5t 6t'

config interface 'TelescopeWire'
        option proto 'static'
        option ipaddr '192.168.137.88'
        option gateway '192.168.137.1'
        option netmask '255.255.255.0'
        option device 'br-lan.137'

# WAN device and interfaces, still DHCP clients on the 'wan' port although the
# poster says that port is unused in this AP-only role.
config device
        option name 'wan'
        option macaddr '26:f5:a2:bf:1f:0b'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'


You need to read through the DSA documents. The syntax of network is updated between 19 and 21. Here is a sample of my network:

        # Sample from a reply: a bridge device with one VLAN defined on it.
        # NOTE(review): the section header for these first options (presumably
        # 'config device') is missing from the paste - confirm before copying.
        option type 'bridge'
        option name 'br-wifi'
        # Create the bridge even when no member port is present.
        option bridge_empty '1'
        list ports 'eth0'
        list ports 'eth2'
        list ports 'eth3'

# VLAN 200 on the bridge: eth0 carries it tagged (trunk); eth2 and eth3 carry
# it untagged, the '*' marking it as the port's native VLAN (PVID).
config bridge-vlan
        option device 'br-wifi'
        option vlan '200'
        list ports 'eth0:t'
        list ports 'eth2:u*'
        list ports 'eth3:u*'

# Logical interface on VLAN 200, referenced as <bridge>.<vlan>. This is the
# name that 'option network' in /etc/config/wireless points at.
config interface 'LAN200'
        option proto 'static'
        option device 'br-wifi.200'
        option netmask '255.255.255.0'
        option gateway '10.0.200.1'
        option ipaddr '10.0.200.2'
        list dns '10.0.200.1'

and the related wireless conf:

# Sample AP interface bound to the 'LAN200' network from the network sample.
# 'psk-mixed' is WPA/WPA2 mixed mode, so legacy WPA clients are accepted as
# well; 'psk2' or 'sae' is the stricter choice where clients allow it.
# The key shown is presumably a placeholder, not a passphrase to reuse.
config wifi-iface 'wifinet8'
        option device 'radio1'
        option mode 'ap'
        option ssid 'audio'
        option encryption 'psk-mixed'
        option key 'password'
        option network 'LAN200'
        option ifname 'audio'

I've tried to sort out the new format, and it is tough as the documentation is not very specific. As an example, in at least one place it says that ifname is now device (contrary to your usage), and the vast majority of the documentation and especially tutorials and forum posts are not version specific.

Is there a version 21 specific document? For example, while this (https://openwrt.org/docs/guide-user/base-system/basic-networking) mentions the change, the examples in it look old. And the mini-tutorial didn't get me there. The release notes mention the changes but don't seem to lead to a new document with the full syntax.

I'm definitely willing to read and learn, but finding relevant documentation has been tough.

I tried rearranging using syntax similar to yours and lost the router, so waiting for it to reset.

Is there a "validate" option somewhere? I found reference to a uci validate but couldn't find the package, and restarting the service seems final, I wish it was like netplan where you could test to see if you had syntax errors.

Anyway... the connection of the wifi-iface to the vlan is made solely with "option network '<interface name>'"?

And is it correct that the "switch" option vanished? In version 19 (I think it was, now gone) I never edited the config files, there was a switch pane in the GUI and I just set up from there. That does not appear on a reset-to-default now at all, so from my perspective it's not that I need to change syntax, I need to learn the syntax from scratch.

OK, it's back and reset, I put the lan port back on the native VLAN and have connectivity, will start over and try again.

But if anyone has a complete example with a couple VLAN's it would be helpful.

I have a mostly working config now, though I remain a bit confused as to syntax. For example, most in the wireless file show:

# Guest SSID from the reworked config: WPA2-PSK only ('psk2'), attached to the
# lower-case 'guest' interface defined in /etc/config/network.
config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid 'RebootGuest'
        option encryption 'psk2'
        option key 'redacted'
        option network 'guest'

Note the last line, and compare to the doubled (except for case) name here:

# Automation SSID as written back by the GUI, per the poster.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'RebootAutomation'
        option key 'redacted'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option encryption 'sae'
        # 'option network' holds a space-separated list, so this names two
        # networks. Only the lower-case 'automation' exists in the poster's
        # network file; 'Automation' is presumably a leftover from the
        # earlier config - the poster later removed it without ill effect.
        option network 'Automation automation'

This was generated as best I can tell by the gui. In fact I changed it to another and back and it still doubled. The interface name in the network file is lower case.

It works, but I don't understand it.

I also cannot find what the asterisk means on the "u" for untagged. I used it, but don't understand it. PVID? (But isn't that sort of the definition of the untagged vlan)

But I'm closer. Thank you.

The asterisk indicates the native vlan of that port.

Put all the physical Ethernet ports into one bridge. Basically add wan to the existing br-lan, and possibly rename it something like br-eth to reflect that it is no longer just lan. Refer to the external physical ports by their defined names, which for a 4+1 consumer router are usually "wan", "lan1", "lan2" etc. There is no such thing as eth0 any more (unless the model has defined that name on an external port). DSA abstracts away the reality that the multiple external ports are switched into a single CPU port. You don't have to think about it that way any more.

Create a bridge-vlan for each VLAN. List the physical ports as name:t for a trunk port and name:u for an access port. These are the only two options you need. Trunk ports can be listed in more than one bridge-vlan but access ports must be in only one.

IF you have internal connections that are not tagged externally (the most common example of that is keeping the WAN link separate, while hardware switching it out untagged to an ISP-provided TV box), those still need a bridge-vlan with a unique VLAN number. The number is your choice as long as it is not used for another VLAN.

Having done this you will obtain proper hardware switching and VLAN tagging/untagging between the different ports. Configuring multiple bridges instead of bridge-vlans inside a single bridge does not work.

Software link a config interface to a bridge-vlan with the notation option device bridgename.vlannumber, e.g. br-eth.320. In this setup of DSA this is the only place where a dotted VLAN number would be used. Network interfaces that are only links from wired to wireless should be proto none. It is still necessary to have a proto none dummy interface for the bridge to properly instantiate and have a name to refer to it in /etc/config/wireless.

Bridge-vlans that are only used as hardware switching between external ports may still also need an interface of type none to fully instantiate. I have not tested that lately.

Thanks @mk24, I think I did those things.

I think everything now works. I also removed the double "automation automation" from the wireless and it still works.

Here's the (current) final config in case anyone sees issues, or it helps anyone else. The intent is that only VLAN 1 has an IP address; the other interfaces are just layer 2. wan, lan1 and lan2 are trunked with pvid 1; lan3 and lan4 are vlan 132 access.

root@OpenWrt:/etc/config# cat network

# Final /etc/config/network posted in the thread: one bridge over all five
# external ports, one bridge-vlan per VLAN, and an IP address on VLAN 1 only.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd2:f76c:2a0e::/48'

# Single bridge containing every external port, including 'wan', which is
# used here as just another switch port.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

# VLAN 1: untagged and native ('u*') on lan1, lan2 and wan. This is also the
# VLAN that carries the AP's management address, so any device plugged into
# one of these three ports lands untagged on the management network.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'wan:u*'

# VLAN 132: tagged on the trunk ports, untagged access on lan3 and lan4.
config bridge-vlan
        option device 'br-lan'
        option vlan '132'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'wan:t'

# VLANs 134, 136 and 137: tagged on the trunk ports only; no access ports.
config bridge-vlan
        option device 'br-lan'
        option vlan '134'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '136'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '137'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'wan:t'

# The only interface with an IP address: the AP is managed from VLAN 1.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.130.88'
        option gateway '192.168.130.1'
        list dns '192.168.130.1'
        list dns_search 'redacted'

# Layer-2-only interfaces ('proto none'): they give each bridge VLAN a name
# that 'option network' in /etc/config/wireless can refer to, without putting
# an AP address into that VLAN. Because the firewall is off per the poster,
# this absence of addresses is presumably what keeps the AP's own services
# off the guest and automation networks - confirm.
config interface 'automation'
        option device 'br-lan.132'
        option proto 'none'

config interface 'guest'
        option device 'br-lan.134'
        option proto 'none'

config interface 'TelescopeAP'
        option device 'br-lan.136'
        option proto 'none'

config interface 'TelescopeWired'
        option device 'br-lan.137'
        option proto 'none'

