Need Help Configuring VLANs for Multiple SSIDs

Hello, I'm working on configuring my home network so that devices connected via different SSIDs can use different gateways. But now I have encountered an inter-VLAN routing issue, please help.

Hardware and Connections

OpenWRT Router [PORT LAN1] --> [PORT 1] UniFi Switch
UniFi Switch [PORT 2] --> UniFi AP

The AP broadcasts 2 SSIDs: WLAN-A and WLAN-B.

Goals

  • Devices connected to WLAN-A should use 192.168.1.1 as the gateway.
  • Devices connected to WLAN-B should use 192.168.1.2 (not 192.168.2.1) as the gateway.

After some investigation I believe that using VLANs might be the right approach and have set up the following:

Configuration Steps

  1. Created VLAN 32 and made it tagged on PORT LAN1.
  2. Configured a new interface LAN_B (192.168.32.1/24) with its physical setting as eth0.32 (corresponding to VLAN 32). I did not set LAN_B gateway to 192.168.1.2 here, because I plan to test connectivity from LAN_B to LAN before doing that.
  3. On the UniFi AP, set WLAN-A to use VLAN 1 (default) and WLAN-B to use VLAN 32.

Issue Encountered

Devices connected to WLAN-B can access the internet (WAN) but are unable to reach any hosts on the LAN. I attempted to create firewall rules to allow this traffic but without success.

Configuration details

See the comments below for the latest config

What is the output of

ubus call system board

Thanks for the fast reply!

root@OpenWrt:~# ubus call system board
{
        "kernel": "4.9.152",
        "hostname": "OpenWrt",
        "system": "Atheros AR9344 rev 2",
        "model": "NETGEAR WNDR4300",
        "board_name": "wndr4300",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.2",
                "revision": "r7676-cddd7b4c77",
                "target": "ar71xx\/nand",
                "description": "OpenWrt 18.06.2 r7676-cddd7b4c77"
        }
}

Maybe I should also attach the UniFi switch PORT 1 config here.

Yikes! This is old! This version has been EOL and unsupported for many years and it has many known security vulnerabilities.

You really need to upgrade -- this device is supported by the latest firmware

Because of how old this firmware is, a direct upgrade will not be possible. Therefore, you can either step through several firmware upgrades (allow the device to reset to defaults on each upgrade by unchecking the 'keep settings' box), or you can use the TFTP method as described here:
https://openwrt.org/toh/netgear/wndr4300#oem_installation_using_the_tftp_method

Your configuration will not be compatible -- you can make a backup to use as a human readable reference, but don't try to restore that backup to the new installation.

Yes, really old. I installed this version years ago and it has been running well without any issue, so I did not upgrade it. I'll try upgrading later if there is no solution in the current version :slight_smile:

I cannot stress this enough -- please upgrade first.
Consider these two reasons:

  1. Your primary firewall and protection from the internet has many known and actively exploited security vulnerabilities that have stacked up since December 2020 when the development stopped on the 18.06 series. Your specific installation (18.06.2) was actually released almost 2 years prior in January 2019. Continuing to run such an old version puts your router and your network at considerable risk.
  2. The syntax has changed considerably since 18.06 was released. Advice given while you are running that version will very likely break your configuration (possibly badly, knocking you offline and making it difficult to recover) because few people will actually remember how to configure such an old version.

It is time to upgrade -- please consider this an opportune time to address a critical upgrade to your network.


I see. Going to upgrade now!


I have installed the latest version via TFTP method. BTW, I really love the new LuCI! It is much smoother and more intuitive than 18.06.

Now the output of ubus call system board is

{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "Atheros AR9344 rev 2",
	"model": "Netgear WNDR4300",
	"board_name": "netgear,wndr4300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ath79/nand",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

My network is not complex and it did not take me much time to recover my settings manually. And I still encounter the same issue as before upgrading, which is that I cannot access LAN from LAN_B.

I've updated output of cat /etc/config/network and cat /etc/config/firewall in my original post.

Yet another good reason to upgrade!! Glad you're happy.

Let's take a look at your latest config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here is my latest config

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcb:181a:3ada::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '6c:b0:ce:11:98:f1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'pppoe'
	option username '******'
	option password '******'
	option ipv6 'auto'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 4 3 2 1'
	option vid '1'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'
	option description 'WAN'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '32'
	option ports '0t 4t'
	option description 'LAN-B'

config interface 'LAN-B'
	option proto 'static'
	option device 'eth0.32'
	option ipaddr '192.168.32.1'
	option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'LAN-B'
	option interface 'LAN-B'
	option start '100'
	option limit '150'
	option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'LAN-B'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LAN-B'

config forwarding
	option src 'LAN-B'
	option dest 'lan'

config forwarding
	option src 'LAN-B'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'LAN-B'
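As an added check (example code, not from this thread or from OpenWrt), a small Python parser for UCI text like the configs posted above that verifies two things a reviewer otherwise confirms by eye: that the interface on eth0.32 has a matching switch_vlan with vid 32 tagged on CPU port 0, and that an explicit forwarding from zone LAN-B to zone lan exists (without it the REJECT default applies). SAMPLE is a constructed subset of the posted network and firewall config; the eth0.<vid> device naming is assumed from that config.

```python
"""Sanity-check OpenWrt UCI text: is the VLAN wired to its interface, and is
inter-zone forwarding explicitly allowed? Added example, not from the thread;
SAMPLE is a constructed subset of the network/firewall config posted above."""

SAMPLE = """config switch_vlan
	option vid '32'
	option ports '0t 4t'
config interface 'LAN-B'
	option device 'eth0.32'
config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'LAN-B'
	list network 'LAN-B'
config forwarding
	option src 'LAN-B'
	option dest 'lan'
"""

def parse_uci(text):
    """Return [(type, name, opts)]; UCI 'list' entries become Python lists."""
    out = []
    for raw in text.splitlines():
        parts = raw.split(None, 2)          # keyword, key, optional quoted value
        if len(parts) < 2:
            continue
        val = parts[2].strip("'\"") if len(parts) > 2 else ""
        if parts[0] == "config":
            out.append((parts[1], val or None, {}))   # anonymous sections get None
        elif parts[0] == "option":
            out[-1][2][parts[1]] = val
        elif parts[0] == "list":
            out[-1][2].setdefault(parts[1], []).append(val)
    return out

def forwarding_allowed(sections, src, dest):
    """True only if a 'config forwarding' from zone src to zone dest exists."""
    return any(t == "forwarding" and o.get("src") == src and o.get("dest") == dest
               for t, _, o in sections)

def vlan_wired(sections, ifname):
    """An interface on eth0.<vid> needs a switch_vlan with that vid tagged on CPU port 0."""
    dev = next((o.get("device", "") for t, n, o in sections if (t, n) == ("interface", ifname)), "")
    vid = dev[len("eth0."):] if dev.startswith("eth0.") else None
    return vid is not None and any(t == "switch_vlan" and o.get("vid") == vid
                                   and "0t" in o.get("ports", "").split() for t, _, o in sections)
```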

Ok... thanks. So your OpenWrt config looks fine.

Can you confirm the IP addresses that are obtained when a wifi client connects to each of the SSIDs (corresponding to lan and LAN-B, respectively)?

How are you testing your inter-VLAN connections?
What operating systems are on the hosts that you've been using as the target of those tests?

Thanks for confirming my last config to be good! I reran tests and have some new findings this time.

Can you confirm the IP addresses that are obtained when a wifi client connects to each of the SSIDs (corresponding to lan and LAN-B, respectively)?

Yes, I did confirm the devices' IP addresses every time I switched SSID.

How are you testing your inter-VLAN connections?
What operating systems are on the hosts that you've been using as the target of those tests?

I've used two MacBooks, each hosting an HTTP server on port 3000. I then tried accessing them from each MacBook to test connectivity (e.g. visiting http://192.168.1.198:3000).

I'll answer them below with details.

Tests that I have done before creating this topic

Test 1

| Device   | SSID   | IP             | Access MacBook1       | Access MacBook2 |
|----------|--------|----------------|-----------------------|-----------------|
| MacBook1 | WLAN-A | 192.168.1.198  | Success               | Success         |
| MacBook2 | WLAN-B | 192.168.32.161 | Fail (:x: Unexpected) | Success         |

Test 2

I swapped the SSIDs for the MacBooks in this test.

| Device   | SSID   | IP             | Access MacBook1 | Access MacBook2       |
|----------|--------|----------------|-----------------|-----------------------|
| MacBook1 | WLAN-B | 192.168.32.198 | Success         | Fail (:x: Unexpected) |
| MacBook2 | WLAN-A | 192.168.1.161  | Success         | Success               |

By this time I believed LAN_B could not access LAN, so I created this topic for help.

New test done this time

Test 3

While still using the MacBooks as HTTP servers, I used my PC and iPhone as clients instead. They behaved as expected! So the connectivity problem only occurs when MacBooks are used as clients. The issue does not seem to be related to OpenWrt.

| Device | SSID   | IP             | Access MacBook1 (WLAN-A) | Access MacBook2 (WLAN-B) |
|--------|--------|----------------|--------------------------|--------------------------|
| iPhone | WLAN-A | 192.168.1.145  | Success                  | Success                  |
| iPhone | WLAN-B | 192.168.32.145 | Success                  | Success                  |
| PC     | WLAN-A | 192.168.1.113  | Success                  | Success                  |
| PC     | WLAN-B | 192.168.32.113 | Success                  | Success                  |

I also repeated tests 1 and 2 this time, and their results are the same as before.

None of the devices has a system proxy set. I don't know why it only fails on the MacBooks...

In future tests, including those below, I will not use MacBooks as clients anymore.

I did many tests but the results were conflicting, so I removed them from the last comment. I'll do more tests before posting them here.

Ok... sounds good. It is seeming more like a problem with the computer's configuration than the networking in OpenWrt, but we'll figure that out when you have more tests to report. If there are still issues, please be sure to summarize them as I'm not entirely certain what problems still exist based on the tests you've shown.