Can someone try to help me understand how to configure VLAN on ACCESS POINTS?
What I want:
3 wifi vlans connected to the same vlan over lan, all of them in the same cable uplink over LAN interface (access point).
I tried almost everything already and what I get is that the wifi network is not able to get ip over dhcp, because the dhcp is on the designated vlan over cable on lan.
The best way for us to help will be based on the text config. Please provide the information requested below.
We also need to know the port-VLAN membership and the management network:
What port is used for the uplink?
What VLAN IDs are tagged on the uplink?
Are all networks tagged, or is there one untagged?
Which VLAN is used to manage the device?
What is the address that this AP should use on the management network (if static; if it is DHCP client, please indicate that).
What is the VLAN membership for the other ports? Are they all access ports? Are there any trunk ports? Which VLANs on which ports?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
There are a bunch of issues present in the current config. I think the best way to move forward is to reset to defaults. Once done, please post the default network config file.
I think you may have misunderstood this question:
What VLAN IDs are being used? For example: VLAN IDs: 24, 33, and 63.
Yes @psherman that's it. One untagged vlan and a vlan 10 to start with. If possible to do more, I will replicate 2 more vlans, but I like to start small to learn the concepts.
Start by creating bridge-vlans (we'll set port lan1 as the uplink, then ports 2-3 as VLAN 1 (the untagged network on the uplink) and port 4 as VLAN 10):
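
    config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        # lan1 is the uplink; VLAN 1 is the untagged network on it
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

    config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        # VLAN 10 is tagged on the uplink
        list ports 'lan1:t'
        # lan4 is an untagged port in VLAN 10, so a plain client gets a VLAN 10 address
        list ports 'lan4:u*'
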
And now create an unmanaged network interface for VLAN10:

    config interface 'vlan10'
        option device 'br-lan.10'
        option proto 'none'

Now you can create your SSIDs, associated with lan for one SSID and vlan10 for the other (this is in the SSID config section of the wireless file).
Restart and test again. You should be able to also connect to lan2 and lan3 and get an address in VLAN 1 (192.168.1.0/24) and on port lan4 you should get 192.168.10.0/24 (VLAN 10).
[EDIT: removed lan4 from the bridge-VLAN for VLAN 1 (that was a copy paste error on my part), thanks to @flygarn12 for catching that].
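A check for the kind of slip the EDIT note above describes, as an added example that is not part of the original thread: it parses `bridge-vlan` sections and reports, per port, whether it is an access, trunk or hybrid (untagged plus tagged) port and whether its untagged/PVID flags conflict. The function names and the sample config are constructed for illustration, and only ports written with an explicit `:t`, `:u` or `*` suffix are parsed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the config in this thread, with lan4 also left
# untagged in VLAN 1 (the kind of copy/paste slip the EDIT note describes).
SAMPLE = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan4:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan1:t'
    list ports 'lan4:u*'
"""

def parse_bridge_vlans(text):
    """Return {port: [(vlan_id, flags), ...]} for every bridge-vlan section."""
    members = defaultdict(list)
    for block in re.split(r"(?m)^(?=config\s)", text):
        vlan = re.search(r"option\s+vlan\s+'?(\d+)", block)
        if not block.startswith("config bridge-vlan") or not vlan:
            continue
        for port, flags in re.findall(r"list\s+ports\s+'?([\w.-]+):([ut*]+)", block):
            members[port].append((int(vlan.group(1)), flags))
    return dict(members)

def audit(text):
    """Return {port: (role, [findings])}; role is access, trunk or hybrid."""
    report = {}
    for port, entries in sorted(parse_bridge_vlans(text).items()):
        untagged = [v for v, f in entries if "u" in f]
        tagged = [v for v, f in entries if "t" in f]
        pvid = [v for v, f in entries if "*" in f]
        role = "trunk" if not untagged else "hybrid" if tagged else "access"
        checks = [  # a port has one PVID; untagged frames can enter only one VLAN
            (len(pvid) > 1, f"PVID (*) set in VLANs {pvid}"),
            (len(untagged) > 1, f"untagged in VLANs {untagged}"),
            (untagged and not pvid, "untagged without * (no explicit PVID)"),
        ]
        report[port] = (role, [msg for failed, msg in checks if failed])
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against a copy of `/etc/config/network` before restarting the network; a port reported with more than one PVID or untagged VLAN is one where untagged traffic could land in a network it was not meant for.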
It's not really a bug, per se, but rather a sequencing thing. You need to create the bridge-vlans, then edit the lan interface to use the new bridge-vlan. This is tricky to do in LuCI because of the way it applies the changes. I think it is possible to get LuCI to queue the changes and apply them in bulk, but I always just directly edit the text files so that I can ensure everything gets applied at the same time.
Meanwhile, glad it is working!
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
What is lan1 uplink to, and how do they communicate?

    config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:u'
        list ports 'lan3:u'

    config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan4:t'

Well this is what you described in text.
The * isn’t really needed unless doing unsymmetrical networks for the outgoing vlan, we have a post about that here in the forum somewhere.
Lan4 isn’t supposed to be in vlan1 settings if it doesn’t belong there.
But for vlan setups in general.
It is allowed to use ONE untagged vlan and unlimited (at least as many as the hardware allows) tagged vlans on a port. But it isn’t recommended. If you really want to use vlan network, then use trunk ports that only have tagged vlans and nothing else. But you need tagged vlan set up on both sides of the ethernet cable to use trunk ports.
Usually the ports are called connection ports where the vlan is untagged and clients without vlan capability are connected, one vlan and one client per untagged port.
But once you start having tagged vlan, the clients at both ends of the ethernet cable must use tagged vlan, and then one untagged vlan makes no sense on that port.
LuCI can fix this kind of complex setup, you only push the save button on each setting and make all changes on all pages (while only using save).
Once finished, scroll up to the top and click the box with queued changes and choose to “roll the dice” and apply all changes or choose to revert changes.
Per the OP, any port would be acceptable for uplink, so I defined lan1 as the uplink to the main router (which has VLANs working already).
I personally always suggest that the * is used in all normal untagged situations. It prevents ambiguity. In fact, I'd argue that the only reason to omit the * would be if your goal was the asymmetric VLAN behaviors (which is quite rare and niche).
Good catch. Copy/paste error on my part.
This is a topic of debate in most cases, although there are some (rare) hardware examples where the mixed untagged+tagged situation will cause problems. In all other cases where hardware doesn't have this limitation, it becomes a matter of personal/professional opinion. The 802.1q standard allows it, so as long as the hardware supports the standard properly, there is no technical reason that this is a problem. However, there are arguments to be made as to why untagged networks shouldn't be included in a trunk when it comes to the risk of human error or other undesirable connectivity considerations.
That said, the OP already had the upstream connection setup with an untagged network, so the advice I provided was in-line with what they already had.
I think the more common term is "access port," but this could just be the specific sources from which I learned about VLANs. That said, there is no need to limit to "one client per untagged port" insofar as it's possible to have another switch downstream that could allow multiple clients per untagged port on any upstream switch.
That's actually not entirely true. Again, the 802.1q standard allows the use of an untagged network on a trunk. Suppose you set the untagged network for the regular lan -- you can plug a computer into that and it'll join the lan network. If the computer is not VLAN aware, it will just ignore any ethernet frames that contain 802.1q tags. If it's VLAN aware (and configured appropriately), it can also join VLANs with tags. Again, the argument comes down to style in many cases, but there are some legitimate use-cases where there may be an untagged network on a trunk.
@psherman I have here some GL inet untrunked routers with old source code that does not use DSA. There was this time, when I used to believe in Santa, that they would add the router to openwrt trunk.
So they are lying around here.
Do you know how I can configure them in the old way of vlan before DSA mode?
The simple untagged vlan 1, just like you did here with dsa?
@leopucci - if the devices are running official openwrt, yes (if they have the vendor firmware, you need to ask on their support channels). Please start a new thread for this and feel free to tag me in.