Mysterious behavior: WLAN on VLAN works on iPhone but not on Windows, Ubuntu and Mac

Hello everyone,

I have a problem with my installation at home that I cannot solve. I have three OpenWRT routers connected to a Mikrotik. See picture. VLAN and VLAN filtering are active on the three OpenWRT routers. All wired connections between routers 1, 2, 3, and 4 work without any problems. I can reach all routers via cable. But I cannot solve the WLAN configuration.

An iPhone connects without problems, but Windows, Mac and Ubuntu say there is no Internet connection. What's the difference between an iPhone Wi-Fi connection and a desktop Wi-Fi connection?

I have activated VLAN filtering on routers 1 to 3 and put the general network on VLAN 1. I have bound VLAN 1 to a second software bridge and connected the WLAN to it.

  • Could WLAN roaming be the problem here? (default_radio0)

  • I have also only created a single WLAN on router 1, but even with a WLAN without roaming, the iPhone and Windows, Mac and Ubuntu say no Internet connection. Same behaviour. (wifinet1)

The WebCam I've added also works without any problems. Nothing is configured for VLAN 1 in the Mikrotik Router. In the long term, there should be a second WLAN and VLAN70 for the children. However, my problem only occurs with VLAN 1 in the Fritz!Boxes 7362 SL.

What am I doing wrong? I've been looking for the error for weeks.

Thank you in advance for your help and time,
Jochen

MACs, passwords and SSID are anonymized with “x”

Network Config OpenWRT
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '38:10:x:A1:81'

config device
	option name 'lan2'
	option macaddr '38:10:x:A1:81'

config device
	option name 'lan3'
	option macaddr '38:10:x:A1:81'

config device
	option name 'lan4'
	option macaddr '38:10:x:A1:81'

config device
	option type 'bridge'
	option name 'br-h12'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan
	option device 'br-h12'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'


config interface 'hweg'
	option proto 'dhcp'
	option device 'br-1'

config device
	option type 'bridge'
	option name 'br-1'
	list ports 'br-h12.1'

Wireless Config OpenWRT
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '8'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'domus@xxxxxx'
	option encryption 'psk2'
	option key 'xxxxxx'
	option dtim_period '3'
	option ieee80211r '1'
	option mobility_domain 'c23c'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'hweg'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'dach@xxxxx'
	option encryption 'psk2'
	option key 'xxxxxx'
	option network 'hweg'

Firewall OpenWRT
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'h12'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'hweg'

Your OpenWRTs provision nothing of "internet"; they just bridge the networks.

Maybe I do not get how your network works, but I'm not sure why you have a DSL interface on OpenWRT if your main router is not OpenWRT.

Yes, that's right. It is only bridging. The actual Internet connection is established and works without any problems. The wireless configuration is causing the problem. The transition from WLAN to cable.

The DSL connection of the Fritzbox is not used. The port is empty. I have cleaned up the config.

They connect to some witness host, i.e. DNS and free IP traffic to that host is needed. Probably some blocklist kills that somehow; just Apple sneaks past it.

I have another question, is it possible that the Mikrotik remembers which MAC address is connected to which physical port? Which feature would have to be disabled in the Mikrotik?

Like when you install OpenWRT on a Mikrotik, it becomes the FDB timeout.

That's basically how switches work. A device that just passes Ethernet frames across multiple network ports without knowing and making use of knowing about MAC addresses on a per-port basis is a hub.

You want your switch to have that capability. Think about a 4-port switch and 4 computers, all connected via 1 GBit.

A switch can handle a 1 GBit traffic stream from computer A to computer B while dealing with another 1 GBit traffic stream from computer C to computer D at the same time. Generally, you want any port to be connected with any other port at line speed. That's why you have 8-port switches with a 16 GBit back plane and 40-port switches with 176 GBit back planes, which basically means: any port can maintain a 1 GBit inbound stream and a 1 GBit outbound stream at the same time.

A hub would not know which packet to send to what port, so it needs to send every packet to every port. Even a 40-port hub would be limited to a single 1 GBit traffic link across exactly two ports -- while all other ports, even though they are neither sender nor receiver of the traffic involved, will be forced to receive that traffic as well, realizing they are not meant to receive that data and dropping it. Not only does such a network structure limit the total throughput of the whole network to a single traffic stream at a time, it also forces all connected computers to spend electrical power and CPU cycles to receive and discard traffic that isn't meant for them.

I don't know if you can make your Mikrotik device behave like a hub, but there's generally not much need for such a setting.
One of them would be port mirroring. "I am the CIA and I demand to have a copy of every network traffic that goes through your network -- mirror me your entire traffic". And even if I'm not the CIA, a data center provider would want such a thing for statistics and sporadic monitoring. But such a thing would be configured on a per-port basis, not for the switch entirely.

If you want two ports on your Mikrotik device to receive the same data, search for "port mirroring" in the manual. But I kind of doubt that's what you want to do.

The FDB is updated when the roamed STA sends out a packet. DHCP or so.

Sure. I'm not saying you need to reboot your switches and routers every time you plug a computer from one switch port and plug it into another, or have Wi-Fi devices roam from one AP to another.
Having mechanisms in place to make your infrastructure remove data from forwarding databases and ARP tables is totally a thing, and for good reasons.

In general, when a switch has learned there's a MAC address known to be behind one port and the very same MAC address suddenly appears on a different port, the internal database needs to be updated. Which is basically what you're saying.

But the question asked was: Can I make my device not keep track of MAC addresses on a per-port basis at all?

And the point I was trying to drive home was: You might, because there are reasons to, but you most likely don't want to in the first place, and there's a chance your particular device might not even support that, because those reasons are so rare.
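A small model of what the posts above describe, added here as an illustration and not taken from the thread: a learning switch with a per-MAC forwarding database, a station that roams from the AP on port 1 to the AP on port 2, and, as a generalization, the effect of disabling source-MAC learning on the AP-facing ports. Port numbers, MAC addresses and the 300 s ageing time are constructed for the example.

```python
# Added illustration, not code from the thread: a learning switch's forwarding
# database (FDB) and what happens to a Wi-Fi client that roams between two APs
# hanging off different switch ports. MACs, ports and timings are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, max_age=300, learning_off=()):
        self.ports = list(ports)
        self.max_age = max_age                  # FDB ageing time in seconds
        self.learning_off = set(learning_off)   # ports whose source MACs are never learned
        self.fdb = {}                           # mac -> (port, last_seen)

    def _expire(self, now):
        self.fdb = {m: (p, t) for m, (p, t) in self.fdb.items() if now - t < self.max_age}

    def forward(self, now, in_port, src, dst):
        """Return the egress ports for a frame src->dst arriving on in_port."""
        self._expire(now)
        if in_port not in self.learning_off:
            self.fdb[src] = (in_port, now)      # learn or refresh the source address
        if dst != BROADCAST and dst in self.fdb:
            out = self.fdb[dst][0]
            return [] if out == in_port else [out]       # known unicast: one port
        return [p for p in self.ports if p != in_port]   # unknown/broadcast: flood


GW, PHONE = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed MACs


def roaming_demo(learning_off=()):
    """Gateway on port 3; APs on ports 1 and 2. Returns (stale, fresh) egress lists."""
    sw = LearningSwitch(ports=[1, 2, 3], learning_off=learning_off)
    sw.forward(0, 3, GW, BROADCAST)   # gateway is learned behind port 3
    sw.forward(1, 1, PHONE, GW)       # phone first seen via the AP on port 1
    # Phone roams to the AP on port 2 but has not transmitted yet;
    # with learning on, the gateway's frame still goes to port 1 and is lost.
    stale = sw.forward(2, 3, GW, PHONE)
    sw.forward(3, 2, PHONE, GW)       # phone transmits (DHCP or anything) from port 2
    fresh = sw.forward(4, 3, GW, PHONE)
    return stale, fresh


def ageing_demo():
    """Without a refresh, the stale entry only disappears after max_age seconds."""
    sw = LearningSwitch(ports=[1, 2, 3], max_age=300)
    sw.forward(0, 1, PHONE, GW)
    return sw.forward(10, 3, GW, PHONE), sw.forward(400, 3, GW, PHONE)
```

With learning on, the first tuple element shows the frame sent to the old port until the phone transmits; with learning disabled on the AP ports every frame for the phone is flooded to both APs, which trades the stale entry for extra traffic on the AP uplinks.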

It is called a hub; it comes in 10 Mbps speed.

The configuration of this AP seems very strange. Why are there static routes and routing table entries in what should be just a basic bridged AP?

I would recommend resetting and starting from scratch. The only network that should have an address is the one that is used to manage the device. The rest should be unmanaged.

Further, I would highly recommend removing all traces of 802.11r fast roaming from all APs unless there is an actual demonstrated need for it (this standard can actually cause more problems than it solves).

Thanks, I thought I had configured everything correctly, but with your tip I then deactivated dnsmasq as described here: https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap and the devices then had clean DNS access to the desired DNS server and Ubuntu worked.

I have now found the appropriate parameter, which has been renamed several times by Mikrotik. You have to set the parameter “learn” to “off” because every hardware port of the Mikrotik switch has one, then the MAC address is not learned on this port. This is necessary for the two ports on which my OpenWRT WLANs are connected.

Yes, I always restart the OpenWRT Switch and also the Mikrotik when I make a change. I have written a bash script that restarts all devices via SSH. I was able to solve the MAC table problem on the Mikrotik, I think - I hope.

I have now set up the configuration of the OpenWRTs again, to make sure there are no careless mistakes.

The configuration looks like this because:

  1. I have completely isolated port 4 on each of the stubs and port 4 serves as a management port with its own DHCP server. This means that if the configuration is incorrect, I can correct the error directly on the switch at any time without having to redo everything. This saves me time and has worked very well so far.

  2. Unfortunately, the Fritz!Boxes also have a DSL connection that I don't use. Unfortunately, I forgot to delete the default DSL configuration in the forum entry here.

  3. The statically defined routes were intended for VLAN 70. I now know that I don't need static routes for a VLAN. I have now also deleted them. The aim is to run a separate DNS server such as Adguard in VLAN 70 to restrict access somewhat. But this will only come in the second step when this configuration is running properly.

  4. The roaming protocol was the main reason for me to switch everything at home to OpenWRT. I spend 100% of my time in my home office and really wanted to be able to go out the door with my “Teams” running on my mobile phone. Everything has worked perfectly so far. It was only when I changed from simple configuration to VLAN that I ran into problems.

2/ You can blacklist the DSL kernel modules, e.g. in /etc/modules.conf, and it will go away.
4/ Just that R is the wrong protocol; you need KV only, like usteer, after swapping wpad-basic-mbedtls to wpad-mbedtls.

For general wifi: set the country code, and if it falls into ETSI or otherwise enables CH13, add

option acs_chan_bias '1:0.8 5:0.8 9:0.8 13:0.9'

to the 2g radio section to have 4 non-overlapping channels in place of three.

Thanks for all the very good tips.

2/ You can blacklist dsl kernel modules like in /etc/modules.conf and the problem will go away.

I did that via LuCI and the menu entries "Startup" and "Local Startup":

for i in dnsmasq; do
  if /etc/init.d/"$i" enabled; then
    /etc/init.d/"$i" disable
    /etc/init.d/"$i" stop
  fi
done

exit 0

4/ just that R is the wrong protocol, you only need KV like usteer after swapping wpad-basic-mbedtls to wpad-mbedtls,

I have wpad-wolfssl in use! Would wpad-mbedtls be better or more correct?

wpad-wolfssl	2023-09-08-e5ccbfc6-8	~698.69 KiB	This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS…

But if I see the config correctly, with the right library no separate activation is necessary for “KV”?

For general WLAN - set the country code, and if it falls in ETSI, or else CH13 enabled, add
option acs_chan_bias '1:0.8 5:0.8 9:0.8 13:0.9'
to the 2g radio range to have 4 non-overlapping channels instead of three.

Thanks, I didn't know that! Does 13:0.9 really have to be 0.9 or also 0.8?

In order:
dnsmasq is not related to the 5W DSL modem.

wolfssl is valid too. Anything except -basic- \0/
k and v (migration hints and radio reports) are not possible with basic. usteer or dawn can instrument them when hostapd supports them.

0.9 as a tribute to eventual US-locked devices.