Meraki MR52 add WiFi interface with VLAN

Trying to set up the following configuration - the AP receives tagged packets on eth0 and routes them to a separate wifi device with untagging. There's no Switch configuration in LuCI for this AP.

I've tried bridge vlan add vid 4 dev wlan2 untagged and got RTNETLINK answers: Not supported.

This is not the case for bridge vlan add vid 4 dev wlan0 untagged, this command doesn't generate any error.

What's the difference? HW doesn't support this setup?

If there's no longer a swconfig page, you have a DSA build and will need to set it up as such. DSA is supported in the UCI system, do not call bridge directly. The external ports are usually called 'lanX' or 'lan' and 'wan'. You may also see 'eth' ports in LuCI's lists, but these are not usable for configuration.

So I tried a simple setup as follows:

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '4'
        option name 'br-lan.4'

config interface 'iot'
        option proto 'dhcp'
        option device 'br-lan.4'

and

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'iot'
        option dest 'lan'

Am I wrong adding the software VLAN to the bridge?

The Ethernet port must be in plain old bridge to be a "parent" to the whole process. It is best to place all the device's Ethernet ports into the same bridge so that hardware switching will work.

Then define a bridge-vlan:

config bridge-vlan
   option device 'br-lan'
   option vlan 4
   list ports 'lan1:t'

Next define an interface that a wifi AP can hook to.

config interface 'iot'
    option device 'br-lan.4'
    option proto 'dhcp'
    option defaultroute '0'
    option peerdns '0'

Here I've set the proto to dhcp which is good for troubleshooting to see if the AP can communicate with the main router on VLAN 4. In a real application you probably don't want the OpenWrt kernel to do anything on the IOT network other than bridge packets to wifi, so you should use proto none.

In /etc/config/wireless, the IOT's AP will have an option network iot. Note that wifi APs are always untagged. However the bridge-vlan will apply tags as the packets enter and leave the Ethernet port, since the port specified :t.
The 8021q block appears to be a LuCI thing, I've never needed to define them when configuring by CLI.

Adding the following effectively kills the interface, no LuCI, no nothing

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'eth0:t'

config interface 'iot'
        option device 'br-lan.4'
        option proto 'dhcp'
        option defaultroute '0'
        option peerdns '0'

Here's my bridge config, just in case

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.3'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

I tried list ports 'lan:t' - the same result. I don't have lan1, that you mentioned in your example.

Let's see the complete network config file.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '------------'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.3'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'eth0:t'

#config interface 'iot'
#        option device 'br-lan.4'
#        option proto 'dhcp'

The bridge dies as soon as config bridge-vlan is added

ok... try this instead.

remove this:

add this:

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth0.4'

config interface 'iot'
        option device 'br-iot'
        option proto 'none'

And then create an SSID for the iot network and connect it with network iot.

LuCI is available in this case, but it doesn't look like the packets are going up to the VLAN from the WiFi network. Do I need to set up a firewall rule in this case?

No firewall rules should be necessary.

Have you verified the upstream connection?

  • is the router properly configured for vlan4?
  • if you have a switch (or multiple) are the ports configured correctly as trunk ports to carry vlan 4 from the router to your ap?

Pro-tip: verify using an Ethernet connection. Set one port on your switch as an access port for vlan 4 and then plug in a device - does it get an ip address and the expected connectivity?

Thanks for the tip, I apparently connected the AP to a wrong port after many runs back and forth to my PC where I could unbrick the AP from console.

So the configuration with a second bridge totally works, but now I see Bridge VLAN filtering tab with unchecked Enable VLAN filtering checkbox. Should I use the option vlan_filtering '1' like this?

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth0.13'
        option vlan_filtering '1'

config interface 'iot'
        option device 'br-iot'
        option proto 'none'

Great! Yes, plugging into the wrong port or having an incorrect configuration on the switches is a common situation that gets all of us at one point or another. That's why I always recommend looking there when there are unexplained issues -- it's back to first principles.

The vlan filtering option is not required. I don't think it causes any issues, though.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
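
The failure reported in the thread ("The bridge dies as soon as config bridge-vlan is added"), as an added example that is not part of any post: a shell lint to run over /etc/config/network before reloading a device that is only reachable through that bridge. It assumes that a bridge-vlan section turns on VLAN filtering for its bridge, so an interface still bound to the bare bridge name stops passing traffic; `lint_bridge_vlan` and `sample_config` are hypothetical names.

```shell
#!/bin/sh
# Assumption: a bridge-vlan section turns on VLAN filtering for its bridge, so an
# interface still bound to the bare bridge name stops passing traffic.
lint_bridge_vlan() {    # reads /etc/config/network-style text on stdin
    awk -v q="'" '
    function unq(s) { gsub("[\"" q "]", "", s); return s }   # strip UCI quotes
    $1 == "config" { sect = $2; id = unq($3); n++; next }
    $1 == "option" || $1 == "list" {
        key = $2; val = unq($3)
        if (sect == "device" && key == "name")        devname[n] = val
        if (sect == "device" && key == "ports")       members[n] = members[n] " " val " "
        if (sect == "interface" && key == "device")   { ifname[n] = id; ifdev[n] = val }
        if (sect == "bridge-vlan" && key == "device") bvdev[n] = val
        if (sect == "bridge-vlan" && key == "vlan")   bvvid[n] = val
        if (sect == "bridge-vlan" && key == "ports")  bvports[n] = bvports[n] " " val
    }
    END {
        for (i = 1; i <= n; i++) if (i in devname) ports[devname[i]] = members[i]
        for (i = 1; i <= n; i++) if (i in bvdev) {
            filtered[bvdev[i]] = 1
            m = split(bvports[i], p, " ")
            for (j = 1; j <= m; j++) {
                sub(/:.*/, "", p[j])       # drop the :t / :u* tagging suffix
                if (index(ports[bvdev[i]], " " p[j] " ") == 0)
                    print "PORT vlan " bvvid[i] ": " p[j] " is not a member of " bvdev[i]
            }
        }
        for (i = 1; i <= n; i++) if ((i in ifdev) && (ifdev[i] in filtered))
            print "LOCKOUT " ifname[i] ": bound to bare " ifdev[i] " while it has bridge-vlan sections"
    }'
}

# Constructed sample: the br-lan layout from the thread with the lan1:t port list.
sample_config() {
    cat <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan1:t'
EOF
}
```

Run as `lint_bridge_vlan < /etc/config/network`; it prints nothing for the separate-bridge layout (br-iot on eth0.4) that ended up working in the thread.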
