I'm turning a number of MIR4A (G) (running openwrt-21.02-snapshot-r15870-e4d061cd1a) into "dumb" APs for use in a network which contains a number of VLANs for specific traffic:
vlan1 - LAN
vlan2 - guest network
vlan3 - IP cameras
vlan4 - "internet of things" which should not connect to the internet
The MIR4A has 3 physical ethernet ports, the plan is to use the WAN port as uplink to the switch, LAN2 will connect to a "dumb" POE switch for the cameras, LAN1 can be used for IoT experiments. The APs will also host a number of WiFi SSIDs for lan, guest (WPA-protected) and open (but limited) access. The APs are connected to trunk ports on a switch which connects to a virtual router (OpenWrt x86_64 on an LXC container on Proxmox) where the vlans are terminated and routed according to their purpose. Here is what WORKS:
LAN access over wifi (vlan 1)
Guest network over wifi (vlan 2)
Here is what DOES NOT work:
IP camera access from the router to the AP (vlan 3)
Some relevant configuration info:
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ipaddr='192.168.1.253'
network.lan.gateway='192.168.1.1'
network.lan.dns='192.168.1.1'
network.lan.ifname='wan.1'
network.ipcam=interface
network.ipcam.type='bridge'
network.ipcam.proto='none'
network.ipcam.ifname='lan2 wan.3'
An IP camera with static address 192.168.5.10, MAC 9c:a3:aa:25:12:2c is attached to lan2 through a "dumb" POE switch:
# brctl showmacs br-ipcam
port no mac addr is local? ageing timer
1 9c:9d:7e:11:4a:5d yes 0.00
1 9c:9d:7e:11:4a:5d yes 0.00
2 9c:9d:7e:11:4a:5e yes 0.00
2 9c:9d:7e:11:4a:5e yes 0.00
1 9c:a3:aa:25:12:2c no 0.90 <--- IP camera
With "does not work" I mean the following: From the router I can not ping a network camera which is attached to the ("dumb") POE switch connected to lan2 on the AP. I see ARP requests on the br-ipcam bridge and the (bridged) wan.3 interface but NOT on the (supposedly also bridged) lan2 interface. Meanwhile I see ARP probes from the camera on the lan2 interface which do not show on the br-ipcam bridge or the (bridged) wan.3 interface. On the AP I can ping the camera if I give the bridge a static address (which it normally does not have, given that this is meant to be an AP) or by using arping (arping -I br-ipcam 192.168.5.10) but it can not be reached through the bridge over the network. In short, the bridge does not seem to work, at least not for my purpose. Connectivity to the router works, I can ping all addresses on all vlans and can ping addresses on the AP from the router. Am I missing something or does bridging an untagged physical lan port to a tagged wan port not work (on this device, which seems to have a single ethernet interface (eth0) from which all others are derived)?.
Some more diagnostics:
ARPinging the camera on the AP, no static address on br-ipcam:
# arping -I br-ipcam 192.168.5.10
ARPING 192.168.5.10 from 192.168.1.253 br-ipcam
Unicast reply from 192.168.5.10 [9C:A3:AA:25:12:2C] 1.106ms
The ARP table on br-ipcam does NOT show the camera, but shows failed probes for it on wan.1 and wan.3:
# ip neigh show
192.168.5.10 dev wan.1 used 2136/2185/2136 probes 6 FAILED
...
192.168.5.10 dev wan.3 used 2130/2205/2129 probes 6 FAILED
...
...
************************
* Cause and workaround *
************************
These problems do not exist in "stable" builds running the 4.x kernel (before the switch to the DSA switch driver), things work as expected there. A workaround is to use one of these builds while DSA support is not yet complete on this hardware.