Mixed AP deployment vlan handling

I have an upstream openwrt router (a nanopi r6s) connected to a dumb switch. The dumb switch is connected to 3 openwrt machines all running as Dumb APs.

I am trying to have all network machines (and maybe a printer, and a server or 2) running on my infra vlan, vlan 3. (My lan also runs on vlan 6, guest on vlan 7, iot on vlan 8, and some other things on vlans 9 and 10, but I think vlan 3 is the relevant part here.)

I hope to be able to use vlan 3 interface to communicate usteer stuff and to allow cross machine communication.

One of the AP is a WR3000 v1 and uses DSA and vlan filtering to set up the different vlans. The 2 other APs are EAP225s and don't have an internal switch, so as described here, I set them up using swconfig.

Each EAP can ping the upstream router, and the 2 EAP225s can ping each other, but the WR3000 isn't able to ping the EAPs, and I think it is because of a vlan issue, where the packets coming from the EAPs are not tagged as vlan 3.

Here is /etc/config/network for the upstream router:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '<snip>'
	option ula_prefix '<snip>'
	option packet_steering '2'
	option steering_flows '128'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth2'

config interface 'lan'
	option device 'br-lan.6'
	option proto 'static'
	option multipath 'off'
	option delegate '0'
	list ipaddr '10.0.6.1/24'

config device
	option name 'eth0'
	option macaddr '<snip>'

config device
	option name 'eth2'
	option macaddr '<snip>'

config device
	option name 'eth1'
	option macaddr '<snip>'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	option multipath 'off'
	list dns '<snip>'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# VLAN 3 (infra, see br-lan.3 below): tagged on eth0, untagged with PVID ('u*') on eth2.
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'
	list ports 'eth2:u*'

# VLAN 6 (lan, see br-lan.6 above): the reverse - untagged with PVID on eth0, tagged on eth2.
# An untagged frame arriving on eth0 is therefore classified as VLAN 6, not VLAN 3.
# NOTE(review): which router port feeds the dumb switch is not stated; if it is eth0,
# an AP that sends its infra traffic untagged lands in lan rather than infra - confirm.
config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'eth0:u*'
	list ports 'eth2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'eth0:t'
	list ports 'eth2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'eth0:t'
	list ports 'eth2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'eth0:t'
	list ports 'eth2:t'

config interface 'infra'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '10.0.3.1'
	option netmask '255.255.255.0'
	option multipath 'off'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.7'
	option ipaddr '10.0.7.1'
	option netmask '255.255.255.0'
	option multipath 'off'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.8'
	option ipaddr '10.0.8.1'
	option netmask '255.255.255.0'
	option multipath 'off'

config interface 'work'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'
	option multipath 'off'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'
	list ports 'eth2:t'

config interface 'streaming'
	option proto 'static'
	option device 'br-lan.9'
	option ipaddr '10.0.9.1'
	option netmask '255.255.255.0'
	option multipath 'off'

Here is the /etc/config/network of my wr3000:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<snip>'
	option packet_steering '2'
	option steering_flows '128'

config device
	option name 'br-lan'
	option type 'bridge'
	option acceptlocal '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.6'
	option proto 'none'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'wan:t'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.7'
	option type 'bridge'

config interface 'iot'
	option proto 'none'
	option device 'br-lan.8'

config interface 'streaming'
	option proto 'none'
	option device 'br-lan.9'

# VLAN 3 (infra) on the uplink port: 't' sends frames tagged with VID 3, and '*'
# additionally makes 3 the PVID, so untagged frames received on wan are also
# placed in VLAN 3.
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'wan:t*'

config interface 'infra'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '10.0.3.2'
	option netmask '255.255.255.0'
	option gateway '10.0.3.1'
	list dns '10.0.3.1'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'wan:t'

config interface 'work'
	option proto 'none'
	option device 'br-lan.10'

And the /etc/config/network for one of my EAP225s:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<snip>'
	option packet_steering '2'
	option steering_flows '128'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.6'

# br-infra bridges the bare eth0 device, so this AP sends and expects infra
# traffic untagged; the other bridges in this file use 802.1Q subinterfaces
# (eth0.6, eth0.7, eth0.8, eth0.10). The WR3000 config above instead carries
# VLAN 3 tagged on its uplink ('wan:t*'), so the two AP types do not treat the
# infra VLAN the same way on the wire.
config device
	option name 'br-infra'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth0'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.7'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.8'

config device
	option name 'br-work'
	option type 'bridge'
	list ports 'eth0.10'

config interface 'lan'
	option device 'br-lan'
	option proto 'none'

config interface 'infra'
	option device 'br-infra'
	option proto 'static'
	option ipaddr '10.0.3.3'
	option netmask '255.255.255.0'
	option gateway '10.0.3.1'
	list dns '10.0.3.1'

config interface 'iot'
	option device 'br-iot'
	option proto 'none'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

config interface 'work'
	option device 'br-work'
	option proto 'none'

Stop here. Get a managed switch.

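VLANs cannot be used reliably with unmanaged switches. An unmanaged switch has no per-port VLAN configuration: depending on the model it may pass, strip or drop 802.1Q tags, and whatever it does pass goes to every port, so it cannot keep networks such as guest and iot separated.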


Thank you. I had an old EdgeRouterX which I repurposed as a managed switch and I was able to ping each AP from the other ones.

One thing that has happened though is, I assigned Tagged vlans 6-10 on all the ports of the ER-X, at which point that WR3000's VLAN 9 would stop being able to reach the router. Only when I removed vlan 9 from all ports except WR3000's (the other APs don't provide the wireless interface for vlan9) was I able to connect to the router through the vlan9 interface on WR3000. I'd love to learn why that is, but I haven't found anything. Anyways. Thank you for your help!

I thought I had it but I don't. There is something more going on here. I have decreased the size of my network in terms of APs and VLANs to be just my r6s (router) and my WR3000 (dumb AP). The router and AP have vlans 3, 6, 7, 8 and 10 set on br-lan, which includes eth0 and eth2 on the router and all the eth ports on the AP. I have a wireless ssid for each vlan on the wr3000 except for vlan 3.

When I plug in the AP from the AP's WAN port into the routers eth0 I can't get an ip address assigned for vlans 8 or 10 but I can for 6 and 7. When I plug into the routers eth2 I can get an ip address assigned for all of them. DHCP on the router is dnsmasq.

Router

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

# NOTE(review): the DUID and ULA prefix are posted in full here, whereas the
# first post in the thread replaced them with '<snip>'; the same applies to the
# macaddr values further down. Redact consistently before sharing a config.
config globals 'globals'
	option dhcp_default_duid '000424c23cc6645a4ea2b6ab42c9dc6c2cd8'
	option ula_prefix 'fdb7:6e8c:e916::/48'
	option packet_steering '2'
	option steering_flows '128'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth2'

config interface 'lan'
	option device 'br-lan.6'
	option proto 'static'
	option multipath 'off'
	option delegate '0'
	list ipaddr '10.0.6.1/24'

# eth0 and eth2 are both given the MAC a6:ce:1d:42:85:f9, and both are ports of
# br-lan (see the br-lan device stanza above).
# NOTE(review): worth confirming the shared address is intentional when
# comparing how the two ports behave - the post reports that VLANs 8 and 10
# work through eth2 but not through eth0.
config device
	option name 'eth0'
	option macaddr 'a6:ce:1d:42:85:f9'

config device
	option name 'eth2'
	option macaddr 'a6:ce:1d:42:85:f9'

config device
	option name 'eth1'
	option macaddr 'a6:ce:1d:42:85:f8'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	option multipath 'off'
	list dns '94.140.14.14'
	list dns '94.140.15.15'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# VLAN 3 (infra) is untagged with PVID ('u*') on both router ports in this
# revision, while the AP config in this same post lists VLAN 3 as tagged on its
# uplink ('wan:t*'). The router therefore sends infra frames untagged and the AP
# sends them tagged.
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:u*'
	list ports 'eth2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'eth0:t'
	list ports 'eth2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'eth0:t'
	list ports 'eth2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'eth0:t'
	list ports 'eth2:t'

config interface 'infra'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '10.0.3.1'
	option netmask '255.255.255.0'
	option multipath 'off'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.7'
	option ipaddr '10.0.7.1'
	option netmask '255.255.255.0'
	option multipath 'off'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.8'
	option ipaddr '10.0.8.1'
	option netmask '255.255.255.0'
	option multipath 'off'

config interface 'work'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '10.0.10.1'
	option netmask '255.255.255.0'
	option multipath 'off'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<snip>'
	option listen_port '51820'
	list addresses '10.1.0.1/32'
	option multipath 'off'


config wireguard_wg0
	option description '<snip>'
	option public_key '<snip>'
	option route_allowed_ips '1'
	list allowed_ips '10.1.4.1/32'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'
	list ports 'eth2:t'

/etc/config/dhcp minus the "config host" stanzas.

# Global dnsmasq settings (DNS + DHCPv4 for the VLAN interfaces listed at the end).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS rebinding protection: upstream answers pointing at private address
	# ranges are discarded; rebind_localhost additionally permits 127.0.0.0/8.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# Only answer DNS queries from hosts on a directly attached subnet.
	option localservice '1'
	option ednspacket_max '1232'
	option sequential_ip '1'
	option dhcpleasemax '150'
	# dnsmasq's DNS listener is moved off port 53. The DHCP pools below still
	# hand out 10.0.x.1 as the DNS server (dhcp_option 6), and clients query port 53.
	# NOTE(review): presumably another resolver on the router answers on port 53;
	# it is not shown here - confirm, and note that the rebind/localservice
	# settings above only apply to queries that actually reach dnsmasq.
	option port '5353'
	# dnsmasq serves only these interfaces; 'wan' is not among them.
	list interface 'guest'
	list interface 'infra'
	list interface 'iot'
	list interface 'lan'
	list interface 'work'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'infra'
	option interface 'infra'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option dhcpv4 'server'
	list dhcp_option '6,10.0.3.1,94.140.14.14'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option dhcpv4 'server'
	list dhcp_option '6,10.0.6.1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option dhcpv4 'server'
	list dhcp_option '6,10.0.7.1'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '140'
	option leasetime '1h'
	option dhcpv4 'server'
	list dhcp_option '6,10.0.8.1'

config dhcp 'work'
	option interface 'work'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option dhcpv4 'server'
	list dhcp_option '6,10.0.10.1'

config odhcpd 'odhcpd'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

Access Point

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd61:5422:1376::/48'
	option packet_steering '2'
	option steering_flows '128'
	option dhcp_default_duid '0004bdba40b183e7434d99897c583c3c0713'

config device
	option name 'br-lan'
	option type 'bridge'
	option acceptlocal '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan.6'
	option proto 'none'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'lan3:t'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:t'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'lan3:t'
	list ports 'wan:t'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.7'
	option multipath 'off'

config interface 'iot'
	option proto 'none'
	option device 'br-lan.8'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan3:t*'
	list ports 'wan:t*'

config interface 'infra'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '10.0.3.2'
	option netmask '255.255.255.0'
	option gateway '10.0.3.1'
	list dns '10.0.3.1'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3:t'
	list ports 'wan:t'

config interface 'work'
	option proto 'none'
	option device 'br-lan.10'
	option multipath 'off'

I have been hitting my head against the wall here. I have rebooted all my network with these configs in place and things are as described. What can I do to troubleshoot this further?

It's only `:t` (not `:t*`).
Also just use `:u` (not `:u*`). No need for pvid shizzle. Just use tagged and untagged frames.

I have made the changes you suggested. I am still unable to see any traffic from my access point to the router on vlan 10 when I try to connect over the access point.

Here is the new /etc/config/network for both, and the tcpdumps from ap and router during the process of trying to connect a wireless client to the ap.

/etc/config/network

Router

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '000424c23cc6645a4ea2b6ab42c9dc6c2cd8'
        option ula_prefix 'fdb7:6e8c:e916::/48'
        option packet_steering '2'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth2'

config interface 'lan'
        option device 'br-lan.6'
        option proto 'static'
        option multipath 'off'
        option delegate '0'
        list ipaddr '10.0.6.1/24'

config device
        option name 'eth0'
        option macaddr 'a6:ce:1d:42:85:f9'

config device
        option name 'eth2'
        option macaddr 'a6:ce:1d:42:85:f9'

config device
        option name 'eth1'
        option macaddr 'a6:ce:1d:42:85:f8'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        option multipath 'off'
        list dns '94.140.14.14'
        list dns '94.140.15.15'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth0:t'
        list ports 'eth2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '6'
        list ports 'eth0:t'
        list ports 'eth2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'eth0:t'
        list ports 'eth2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '8'
        list ports 'eth0:t'
        list ports 'eth2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'eth0:t'
        list ports 'eth2:t'

config interface 'infra'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '10.0.3.1'
        option netmask '255.255.255.0'
        option multipath 'off'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.7'
        option ipaddr '10.0.7.1'
        option netmask '255.255.255.0'
        option multipath 'off'

config interface 'iot'
        option proto 'static'
        option device 'br-lan.8'
        option ipaddr '10.0.8.1'
        option netmask '255.255.255.0'
        option multipath 'off'

config interface 'work'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '10.0.10.1'
        option netmask '255.255.255.0'
        option multipath 'off'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<snip>'
        option listen_port '51820'
        list addresses '10.1.0.1/32'
        option multipath 'off'

config wireguard_wg0
        option description '<snip>'
        option public_key '<snip>'
        option route_allowed_ips '1'
        list allowed_ips '10.1.4.1/32'

AP

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd61:5422:1376::/48'
        option packet_steering '2'
        option steering_flows '128'
        option dhcp_default_duid '0004bdba40b183e7434d99897c583c3c0713'

config device
        option name 'br-lan'
        option type 'bridge'
        option acceptlocal '1'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan.6'
        option proto 'none'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '6'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '8'
        list ports 'wan:t'

config interface 'guest'
        option proto 'none'
        option device 'br-lan.7'
        option multipath 'off'

config interface 'iot'
        option proto 'none'
        option device 'br-lan.8'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'wan:t'

config interface 'infra'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '10.0.3.2'
        option netmask '255.255.255.0'
        option gateway '10.0.3.1'
        list dns '10.0.3.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'wan:t'

config interface 'work'
        option proto 'none'
        option device 'br-lan.10'
        option multipath 'off'

# Fallback management address bound directly to lan3. In this revision lan3 is
# no longer listed as a br-lan port (only lan1, lan2 and wan are), so this
# interface is untagged and sits outside the bridge's VLAN configuration.
# NOTE(review): no firewall config is shown for the AP; confirm that access via
# this port is limited to what is needed for recovery.
config interface 'infra_backup'
        option proto 'static'
        option device 'lan3'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option multipath 'off'

TCPDUMP for vlan 10 interface.

Router

# tcpdump -i br-lan.10
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan.10, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

AP

# tcpdump -i br-lan.10
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan.10, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:16:04.166547 6e:ee:2c:18:94:4f (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
09:16:04.734483 IP6 :: > ff02::1:ff18:944f: ICMP6, neighbor solicitation, who has fe80::6cee:2cff:fe18:944f, length 32
09:16:04.741112 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68
09:16:04.784619 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68
09:16:04.984543 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 6e:ee:2c:18:94:4f (oui Unknown), length 290
09:16:05.489311 IP6 fe80::6cee:2cff:fe18:944f > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
09:16:05.489395 IP6 fe80::6cee:2cff:fe18:944f > ip6-allrouters: ICMP6, router solicitation, length 16
09:16:05.938332 IP6 fe80::6cee:2cff:fe18:944f > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
09:16:05.983525 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 6e:ee:2c:18:94:4f (oui Unknown), length 290
09:16:07.189611 IP6 fe80::6cee:2cff:fe18:944f.42378 > ff12::8384.21027: UDP, length 472
09:16:07.889135 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 6e:ee:2c:18:94:4f (oui Unknown), length 290
09:16:09.777138 IP6 fe80::6cee:2cff:fe18:944f > ip6-allrouters: ICMP6, router solicitation, length 16
09:16:12.156883 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 6e:ee:2c:18:94:4f (oui Unknown), length 288
09:16:18.019196 IP6 fe80::6cee:2cff:fe18:944f > ip6-allrouters: ICMP6, router solicitation, length 16
09:16:19.557955 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 6e:ee:2c:18:94:4f (oui Unknown), length 288
^C
15 packets captured
15 packets received by filter
0 packets dropped by kernel

I think this might be a result of the eth0 port on the r6s. I'm going to start a different post for this. I think the original question was answered. Thank you!
