Multiple VLAN / WLan Problem

Hi

I'm currently trying to configure 2 access points running OpenWRT together with a PFSense box to achieve the following:

VLANs:
Internal VLAN (5)
IOT VLAN (10)
Guest VLAN (12)

WLANs:
Internal WLan
IOT WLan
Guest WLan

DHCP and management should all run on PFSense. The connection chain should be PFSense > AP1 > AP2, so AP1 should forward the traffic from AP2 to PFSense.

I managed to create the VLANs on PFSense and to get them working on the LAN ports of AP1. The internal WLAN is also working. Unfortunately, nothing else is working the way I want it to yet.

The Guest & IOT WLANs don't get any IP from PFSense (over LAN it's working properly). I have access to AP2, but only on the internal LAN.

Switch Configuration AP1:

Configuration:

package network

# Loopback: stock OpenWrt default, unchanged.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9d:27ec:db1f::/48'

# Management bridge. It joins the untagged default VLAN (eth1.1) and the
# internal VLAN 5 (eth1.5) into ONE layer-2 segment with a static address,
# so anything on VLAN 1 is also reachable from VLAN 5 through this AP.
# delegate '0' switches off IPv6 prefix delegation for this interface.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.66.2'
        option gateway '192.168.66.1'
        option ifname 'eth1.1 eth1.5'

# WAN sections are left at their defaults; no ifname is assigned in this listing.
config interface 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

# Hardware switch with 802.1Q VLAN filtering enabled.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# swconfig port syntax: a bare number is an untagged member, a 't' suffix a
# tagged member. Port 6 is tagged in every VLAN below and is presumably the
# CPU port behind eth1; port 0 appears only in VLAN 2 and is presumably the
# other CPU port (eth0) -- confirm against this board's switch layout.
# Port 3 is untagged in VLAN 1 here but tagged in VLANs 5/10/12 further down;
# a reply in this thread points out that mixing untagged and tagged
# membership on one port needs an explicit PVID for incoming untagged frames.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0'

# IOT VLAN 10: tagged towards ports 3 and 4 (trunks) and the CPU port 6 only.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '3t 4t 6t'

# Guest VLAN 12: same trunk ports as VLAN 10.
config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '12'
        option ports '3t 4t 6t'

# IOT and Guest have proto 'none': this AP carries them purely at layer 2
# (no IP of its own), so addressing and filtering for these clients happen
# on pfSense, not here. NOTE(review): they are attached to eth0.10/eth0.12,
# but VLANs 10 and 12 above are tagged only towards port 6 (eth1) -- the
# reply in this thread identifies this mismatch as the reason these WLANs
# get no address.
config interface 'IOT'
        option proto 'none'
        option type 'bridge'
        option delegate '0'
        option ifname 'eth0.10'

config interface 'Guest'
        option ifname 'eth0.12'
        option type 'bridge'
        option delegate '0'
        option proto 'none'

# Backup: the one network this AP addresses itself (192.168.33.1), on VLAN 6;
# the dhcp package runs a DHCPv4 pool for it.
config interface 'Backup'
        option proto 'static'
        option ipaddr '192.168.33.1'
        option netmask '255.255.255.0'
        option ifname 'eth1.6'

# Internal VLAN 5: untagged on access ports 2 and 5, tagged on trunk ports
# 3 and 4 and on the CPU port.
config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '2 3t 4t 5 6t'

# VLAN 6 (Backup): untagged on port 1, tagged to the CPU port.
config switch_vlan
        option device 'switch0'
        option vlan '6'
        option ports '1 6t'
        option vid '6'

package dhcp

# dnsmasq (DNS/DHCP) settings. rebind_protection '1' discards upstream DNS
# answers that point at private address ranges (DNS-rebinding protection);
# keep it on. NOTE(review): 'list interface' restricts which logical
# networks dnsmasq listens on, and no network called 'GUEST' exists in the
# network package (the guest network is 'Guest'; UCI names are
# case-sensitive), so this entry most likely matches nothing -- confirm on
# the device what dnsmasq actually binds to.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list interface 'GUEST'

# DHCP on the management bridge is disabled (ignore '1'), consistent with
# DHCP being served by pfSense. The dhcpv6/ra 'server' options are still
# present; whether they remain active alongside ignore '1' should be
# checked on the device rather than assumed.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles IPv6 only here; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# The only active DHCPv4 pool on this AP: 192.168.33.100-.249
# (start 100, limit 150), 12h leases, on the Backup interface.
config dhcp 'Backup'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'Backup'

# No DHCP for Guest from this AP; pfSense is expected to serve it.
config dhcp 'Guest'
        option interface 'Guest'
        option ignore '1'

package wireless

# 5 GHz radio (hwmode 11a), channel 36, 80 MHz channel width.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'

# "Quokka": attached to the 'lan' bridge (VLAN 1 + VLAN 5). WPA/WPA2 mixed
# PSK with 802.11r fast roaming. NOTE(review): the PSK is printed in clear
# in this public post and should be treated as disclosed (rotate it);
# 'psk-mixed' also admits WPA1/TKIP clients, so 'psk2' is the stricter
# choice unless a legacy device genuinely needs mixed mode.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key '5c@3vV2DkRsLC~BYj:CUCiz=EEZS4pd~ZuxkDH6tG\0+s|n2iv'
        option ssid 'Quokka'
        option encryption 'psk-mixed'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option ieee80211r '1'

# 2.4 GHz radio (hwmode 11g), channel 11, 20 MHz channel width.
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option htmode 'HT20'

# "Koala": 2.4 GHz counterpart of Quokka -- same network, same (public) key.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ft_over_ds '1'
        option ssid 'Koala'
        option encryption 'psk-mixed'
        option ft_psk_generate_local '1'
        option key '5c@3vV2DkRsLC~BYj:CUCiz=EEZS4pd~ZuxkDH6tG\0+s|n2iv'
        option ieee80211r '1'

# "Skynet": IoT SSID bridged into the IOT interface (VLAN 10), with 802.11r.
# Same note as above: the key is public and should be rotated.
config wifi-iface 'wifinet3'
        option ssid 'Skynet'
        option encryption 'psk-mixed'
        option device 'radio1'
        option ieee80211r '1'
        option ft_over_ds '1'
        option key 'rWaG27YwxpQzSV2E'
        option mode 'ap'
        option network 'IOT'
        option ft_psk_generate_local '1'

# "Test": guest SSID bridged into the Guest interface (VLAN 12); no 802.11r.
# The placeholder key is short and, like the others, public.
config wifi-iface 'wifinet4'
        option ssid 'Test'
        option encryption 'psk-mixed'
        option device 'radio1'
        option mode 'ap'
        option network 'Guest'
        option key 'test1234'

package firewall

# Global policy: accept traffic to/from the AP itself, reject forwarding
# unless a zone or forwarding section allows it. syn_flood '1' turns on
# SYN-flood rate limiting.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# 'lan' zone. NOTE(review): the Guest network is placed in this zone next to
# lan, and the zone allows forwarding (forward 'ACCEPT'), so at the firewall
# level Guest is treated as trusted. A separate 'Guest' zone with no
# networks is declared at the end of this package -- the two declarations
# are inconsistent; a guest network normally gets its own zone with forward
# 'REJECT'. Also, IOT and Guest are layer-2 bridges (proto 'none') and
# bridged traffic is typically not filtered by these zones at all, so client
# isolation has to be enforced on pfSense in any case. IOT is assigned to
# no zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan Guest'

# Stock 'wan' zone: reject unsolicited input, NAT outbound (masq), clamp MSS.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# lan -> wan forwarding.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below are the stock OpenWrt defaults for DHCP renewal, ping,
# IGMP, DHCPv6, MLD, ICMPv6 and IPsec from the WAN side; nothing custom.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Hook for hand-written rules; the file's contents are not shown in the post.
config include
        option path '/etc/firewall.user'

# 'Guest' zone with no 'network' list: as written it matches no interface.
# Guest itself is a member of the 'lan' zone above.
config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option name 'Guest'
        option output 'ACCEPT'

I have tried so many things over the last few days but can't seem to get it working. Maybe I'm also trying something that isn't even possible this way. I'm thankful for any help :slight_smile:

Cheers
Symon

Switch config of AP 2:

Why are you using eth0.10 and eth0.12 in your config when VLANs 10 and 12 are not enabled on eth0 in the switch configuration?


Thank you!!! I searched for such a long time and it was such a "little" thing. I feel pretty stupid now :slight_smile: I had read somewhere that I should only use CPU eth1 for all the connections and forgot that I had to change these interfaces too.

You should also be getting an error message if, in LuCI, you set a LAN port to both untagged and tagged VLAN output.
This is not allowed with VLANs, and it makes no sense.
The receiver then has to assign all untagged data via some PVID function that you have hopefully configured; otherwise it will most likely put everything in VLAN 1 or drop the data into a “black hole”.
Alternatively, if the receiver on that LAN is not a managed switch or access point, or is something without VLAN support, it doesn't have a clue what the VLAN tagging means and either puts everything in the same bucket or stops working altogether.

The config will probably work more or less, but data integrity is lost, and sooner or later you will notice small signs of this.


The general rule when using VLANs is that everything inside the network core (router, switches, APs, devices/computers that can handle VLANs) is tagged all the way from the CPU to the last port on the chassis.

Only at the last connection point (LAN port or WiFi transceiver) do you untag the VLAN data, because after that connector the client is connected via a WiFi SSID or an ethernet cable.

But then you also need to handle data that comes in through a port into the network core, and for that you need to set a PVID (Port VLAN ID) so that the unknown (untagged) data coming in through the ethernet port (or WiFi) is tagged with the VLAN that sent out untagged data on that port — or with some other receiving PVID, if you prefer.
OpenWRT 19.07.7 doesn't have LuCI support for PVID, so you need to write it manually into the network config file to get a PVID.

But the user manuals for switches are good on the PVID function.


Thank you for your help. Most of the things I wanted work now, but I'm still a bit unsure about certain things:

  • To keep access to the management GUI, I had to bridge the main VLAN 1 (eth1.1) with VLAN 5 (which is my internal VLAN). If I don't do this I lock myself out. My thinking is that I'm not on the right VLAN when I connect to the switch (directly) and therefore can't reach the VLAN 5 interface.

  • I now added an additional management interface (192.168.66.47) for VLAN 5, and after I bridged this one with eth1 and added the following PVID change for port 3, I can now reach it:

# PVID stanza as posted. NOTE(review): a swconfig 'switch_port' section
# takes the switch name in 'device' ('switch0' everywhere else in this
# thread, including the final config), not the CPU interface 'eth1'; as
# written it probably applies to nothing. The post text speaks of port 3
# while the stanza sets port '2' -- confirm which port was meant. pvid '5'
# assigns untagged ingress frames on that port to VLAN 5.
config switch_port
option device 'eth1'
option port '2'
option pvid '5'

Is it now safe to remove the bridge between VLAN 1 and VLAN 5? (I try to avoid using VLAN 1 in the network.)

Should I activate the firewall and create different zones for each VLAN, or is it okay as it is?

Whole config of AP1:


# Loopback: stock OpenWrt default, unchanged.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9d:27ec:db1f::/48'

# Management bridge joining the untagged default VLAN (eth1.1) and the
# internal VLAN 5 (eth1.5) into one segment; this is the VLAN 1 / VLAN 5
# bridge the post asks about removing. Note that VLAN 1 below is carried on
# the CPU port only, so eth1.1 no longer corresponds to any physical port.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.66.2'
        option gateway '192.168.66.1'
        option ifname 'eth1.1 eth1.5'

config interface 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 is now tagged towards the CPU port 6 only; no physical port is a
# member any more.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0'

# IOT VLAN 10: tagged on trunk ports 3 and 4 and on the CPU port.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '3t 4t 6t'


# Guest VLAN 12: same trunk ports as VLAN 10.
config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '12'
        option ports '3t 4t 6t'

# IOT and Guest now sit on eth1.10 / eth1.12, matching the CPU port the
# switch VLANs are tagged towards (the fix from the earlier reply). Still
# layer-2 only (proto 'none'); pfSense addresses and filters these clients.
config interface 'IOT'
        option proto 'none'
        option type 'bridge'
        option delegate '0'
        option ifname 'eth1.10'

config interface 'Guest'
        option type 'bridge'
        option delegate '0'
        option proto 'none'
        option ifname 'eth1.12'

# Internal VLAN 5: untagged on access ports 2 and 5, tagged on trunk ports
# 3 and 4 and on the CPU port.
config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '2 3t 4t 5 6t'

# Second management interface, 192.168.66.47, in the same subnet and with the
# same gateway as 'lan' (192.168.66.2) -- two addresses on one host in one
# subnet. NOTE(review): this bridge contains the bare trunk device 'eth1'
# together with 'eth1.5'. Bridging the parent trunk means every frame on
# eth1 that is not claimed by one of the eth1.N VLAN devices (untagged
# frames, and any VLAN tag without a matching subinterface) lands on the
# management bridge, so VLAN separation on this AP then depends on every
# VLAN in use having its own eth1.N device -- fragile. Management should sit
# on eth1.5 alone, which is what the final config in this thread does.
config interface 'INT_LAN'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.66.47'
        option gateway '192.168.66.1'
        option type 'bridge'
        option ifname 'eth1 eth1.5'

# PVID for port 2. NOTE(review): 'device' should name the switch ('switch0',
# as the final config in this thread does), not the CPU interface 'eth1';
# as written this stanza probably has no effect.
config switch_port
        option device 'eth1'
        option port '2'
        option pvid '5'

https://openwrt.org/docs/guide-user/services/webserver/uhttpd
Can you reach anything (internet or other devices) when you are connected to VLAN 5 without the bridge?
The bridge means that, in practical terms, you are on VLAN 1.
Has the DHCP server given you an IP?

In general, the connection to the OpenWRT system control is set by uhttpd in the listening_http or listening_https setting.


But uhttpd is, by default, the other way around: it listens on everything, so in my case I had to narrow the listening to only one interface.
So you should focus on getting VLAN 5 working as a “guest network” with internet access first, so you know it is alive. Then, if you want, you can block WAN forwarding from your VLAN 5 interface. Then modify the system admin access.

Did you remember to open firewall rules for the DNS and DHCP server ports 53 and 67?


It seems a bit strange with the PVID option. I now disconnected everything that didn't feel right, and after a reboot everything works as I want it to. I can now connect to the management interface of VLAN 5 even on ports where I never set the pvid option. I also deleted all the bridges I wasn't sure about.

I configured pvid only for port 2, but it works on every port now (I also removed the other cables from the switch so that it doesn't get routed some other way around).

Here is my current config:

# Loopback: stock OpenWrt default, unchanged.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9d:27ec:db1f::/48'

# Former management bridge, now without an address (proto 'none') and with
# eth1.1 only. VLAN 1 below is tagged to the CPU port alone, so no physical
# port feeds this bridge any more; it is kept but carries no access traffic.
config interface 'lan'
        option type 'bridge'
        option delegate '0'
        option ifname 'eth1.1'
        option proto 'none'

config interface 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

# IOT / Guest: layer-2 bridges on eth1.10 / eth1.12 (proto 'none'); pfSense
# addresses and filters these clients.
config interface 'IOT'
        option proto 'none'
        option type 'bridge'
        option delegate '0'
        option ifname 'eth1.10'

config interface 'Guest'
        option type 'bridge'
        option delegate '0'
        option proto 'none'
        option ifname 'eth1.12'

# Management now lives on VLAN 5 only (eth1.5, 192.168.66.2); the VLAN 1 /
# VLAN 5 bridge and the bare-trunk 'eth1' bridge member are gone.
config interface 'INT_LAN'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.66.2'
        option gateway '192.168.66.1'
        option type 'bridge'
        option ifname 'eth1.5'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: CPU port only, no physical members.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0'

# Internal VLAN 5: untagged on ports 1, 2 and 5, tagged on trunk ports 3 and
# 4 and on the CPU port. Ports 1 and 5 are untagged members here just like
# port 2, which is presumably why management is reachable on them although
# pvid is only set for port 2 below (the driver likely uses the untagged
# VLAN as ingress PVID by default) -- confirm with the switch driver rather
# than relying on it.
config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '5'
        option ports '1 2 3t 4t 5 6t'

# IOT VLAN 10: tagged on trunk ports 3 and 4 and on the CPU port.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '3t 4t 6t'

# Guest VLAN 12: same trunk ports as VLAN 10.
config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '12'
        option ports '3t 4t 6t'

# Explicit PVID: untagged frames entering port 2 are assigned to VLAN 5.
# 'device' now correctly names the switch ('switch0') rather than eth1.
config switch_port
        option device 'switch0'
        option port '2'
        option pvid '5'

As I always say and do, a good old reboot fixes a lot of things. A bigger config change needs a bigger reboot.

I'm not really sure about the pvid — does swconfig automatically assume that what goes out must also come in on an untagged port, if nothing else is defined?

The problem is generally a lot bigger on tagged ports, where many VLANs can send and receive data, and where untagged data comes in through that port, usually from switches. Then you need a definition with pvid of what to do with untagged data. Usually a “black hole” VLAN is used here as a data destroyer for any untagged data that comes in on the tagged port.

But my recommendation is to leave nothing to chance and luck. Computers always need to be told what to do. So if you leave the standard safety of VLAN 1 on everything, then you should clearly define every single port in both data directions.


Yeah, I guess you are right. I have two questions about this that I couldn't find an answer to:

  1. Can you use option 'ports' for multiple ports? And should you link this to the switch (switch) device or to the CPU (eth0) device?
  2. How do you link WiFi to a VLAN, or is this already okay by bridging the interfaces?
  1. I don't really know. As you say, it really doesn't say whether you can have multiple ports for a VLAN PVID. But the problem is kind of self-resolving in 21.02 with DSA; this kind of swconfig is obsolete after 19.07.x. As far as I know, in DSA the PVID is a '*', but the whole switch config seems to be totally different. The formal info for this switch config is rather non-existent for now.
    https://github.com/openwrt/luci/pull/4307

The port to the CPU can't be untagged, so no unknown data can be on that port if the physical ports (including WiFi) have tagged their data correctly. Or it can be set to untagged, but what is the CPU supposed to do with untagged data?

  1. I guess that depends on which access point you use. I have an external business-class access point, and in it I specify for every SSID I set up which VLAN it belongs to. A separate system management VLAN is also specified.
    As far as I can remember, OpenWRT used to do this in WiFi routers with a bridge between the LAN interface (VLAN 1) and the WiFi.
