Network VLANS?

Is this possible....

My ROUTER(APU) (no wifi card) and ACCESS POINT(CF385AC) both run openwrt

I am not able to get wireless working over VLAN20, VLAN30

Yes it is possible.
Tag the frames egressing the router port towards the access point. Do the same on the access point too.
Create interfaces for all vlans on router. The access point needs one interface with static/dhcp for management and the other interfaces as unmanaged. Assign one interface to an SSID on the access point.


hi
Is there any information on the Qualcomm Atheros QCA8337 switch on the CF-E385AC ?

I see 2 CPUs and 2 ports... and it's a bit confusing...
I got one of the VLANs to work (apparently) after switching the VLAN interfaces to unmanaged on the AP; the other still won't fetch a DHCP address.

My router is connected to the WAN port, and the LAN port has no wire on it...
(FWIW, there is no WAN interface; there are 3 interfaces, LAN, V20 and V30, all of which are bridged across both the LAN and WAN ports and the appropriate wireless SSIDs for each VLAN.)
Very similar to

It is my understanding that eth0 is connected to the LAN port and eth1 to WAN. So the way you have added the vlans looks right. I would also advise you not to combine tagged and untagged frames; tag vlan 2 on WAN.
For the rest we'll need to have a look at the configuration from both devices.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

This is on the comfast

root@ap-cfe385ac:~# ubus call system board
{
	"kernel": "4.14.195",
	"hostname": "ap-cfe385ac",
	"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
	"model": "COMFAST CF-E385AC",
	"board_name": "cf-e385ac",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.4",
		"revision": "r11208-ce6496d796",
		"target": "ar71xx/generic",
		"description": "OpenWrt 19.07.4 r11208-ce6496d796"
	}
}
root@ap-cfe385ac:~# uci export network 
package network

config globals 'globals'
	option ula_prefix 'fd35:7a8c:b6c9::/48'

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1 eth1.2'
	option proto 'dhcp'

config interface 'sec'
	option type 'bridge'
	option ifname 'eth0.20 eth1.20'
	option proto 'none'

config interface 'pub'
	option type 'bridge'
	option ifname 'eth0.30 eth1.30'
	option proto 'none'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option ar8xxx_mib_type '0'
	option ar8xxx_mib_poll_interval '500'
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '20'
	option ports '6t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '30'
	option ports '6t 1t'
root@ap-cfe385ac:~# uci export wireless
package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'xXxXxX'
	option ssid 'xx5'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option htmode 'HT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'xx2'
	option key 'xXxXxX'
	option encryption 'psk2'

config wifi-iface 'wifinet2'
	option ssid 'pp5'
	option encryption 'none'
	option device 'radio0'
	option mode 'ap'
	option network 'pub'

config wifi-iface 'wifinet3'
	option ssid 'pp2'
	option encryption 'none'
	option device 'radio1'
	option mode 'ap'
	option network 'pub'

config wifi-iface 'wifinet4'
	option ssid 'ha2'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option network 'sec'
	option key 'xXxXxX'

DNSMASQ DISABLED
FIREWALL DISABLED
root@ap-cfe385ac:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.200.155/24 brd 192.168.200.255 scope global br-lan
       valid_lft forever preferred_lft forever
192.168.200.0/24 dev br-lan scope link  src 192.168.200.155
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.200.0 dev br-lan table local scope link  src 192.168.200.155
local 192.168.200.155 dev br-lan table local scope host  src 192.168.200.155
broadcast 192.168.200.255 dev br-lan table local scope link  src 192.168.200.155
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
root@ap-cfe385ac:~#


:thinking:

root@ap-cfe385ac:~# swconfig dev switch0 show
Global attributes:
	enable_vlan: 1
	ar8xxx_mib_poll_interval: 500
	ar8xxx_mib_type: 0
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	mirror_monitor_port: 0
	mirror_source_port: 0
	arl_age_time: 300
	arl_table: address resolution table
Port 0: MAC 00:0d:a9:4c:ec:39
Port 0: MAC 00:0d:a9:4c:ec:3b
Port 0: MAC f4:5c:89:ca:7a:4d
Port 1: MAC 00:0d:a9:4c:ec:39
Port 1: MAC 00:0d:a9:4c:ec:3b
Port 6: MAC 20:7d:b9:7a:91:a4
Port 6: MAC f4:5c:89:8a:40:77
Port 6: MAC f4:5c:89:c5:6a:4d

	igmp_snooping: 0
	igmp_v3: 0
Port 0:
	mib: MIB counters
RxGoodByte  : 13791717 (13.1 MiB)
TxByte      : 504
	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:0 link:up speed:1000baseT full-duplex txflow rxflow
Port 1:
	mib: MIB counters
RxGoodByte  : 480645990 (458.3 MiB)
TxByte      : 185557593 (176.9 MiB)

	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 2
	link: port:1 link:up speed:1000baseT full-duplex txflow rxflow auto
Port 2:
	mib: No MIB data
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:2 link:down
Port 3:
	mib: No MIB data
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:3 link:down
Port 4:
	mib: No MIB data
	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:4 link:down
Port 5:
	mib: MIB counters
RxGoodByte  : 23712 (23.1 KiB)
TxByte      : 23712 (23.1 KiB)

	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:5 link:down
Port 6:
	mib: MIB counters
RxGoodByte  : 198192685 (189.0 MiB)
TxByte      : 483558702 (461.1 MiB)

	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:6 link:up speed:1000baseT full-duplex txflow rxflow
VLAN 1:
	vid: 1
	ports: 0t 2
VLAN 2:
	vid: 2
	ports: 1 6t
VLAN 3:
	vid: 20
	ports: 1t 6t
VLAN 4:
	vid: 30
	ports: 1t 6t

All these bridges are not correct. The eth0 is used for the lan port, which is not used, and you have not configured it for any vlan other than 1.
Also make port 1 in vlan2 tagged on both sides.

Actually, that eth0 is what was the default, I have not really mucked around with it much...

Correct me if I am wrong, but I think the default was:
lan interface eth0.1 and wan eth1.2
Then you added the vlans 20 and 30 in the same port as vlan 2 which is wan.
So the vlans 2, 20, and 30 are subinterfaces of eth1. So the eth0.20 (or 30) are wrong because they have not been defined, and I don't see the reason to do that.

do something like this:

config interface 'mgmt'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'sec'
	option type 'bridge'
	option ifname 'eth1.20'
	option proto 'none'

config interface 'pub'
	option type 'bridge'
	option ifname 'eth1.30'
	option proto 'none'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	# notice the tagged port
	option ports '6t 1t'
	option vid '2'

Make vlan2 tagged on the other side too.
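
An added example, not part of any post in this thread: a shell/awk check over `uci export network` output that flags the two problems pointed out above, namely bridge members such as eth0.20 whose VLAN is not tagged on that interface's CPU port, and a physical port that carries both untagged and tagged VLANs. The eth0 to CPU port 0 and eth1 to CPU port 6 mapping is an assumption read off the posted switch config, the sample input is trimmed from the AP's export, and every switch_vlan section is expected to carry `option vid`.

```sh
# Constructed sample, trimmed from the AP's `uci export network` in this thread.
sample_config() { cat <<'EOF'
config interface 'lan'
	option ifname 'eth0.1 eth1.2'
config interface 'sec'
	option ifname 'eth0.20 eth1.20'
config interface 'pub'
	option ifname 'eth0.30 eth1.30'
config switch_vlan
	option vid '1'
	option ports '0t 2'
config switch_vlan
	option vid '2'
	option ports '6t 1'
config switch_vlan
	option vid '20'
	option ports '6t 1t'
config switch_vlan
	option vid '30'
	option ports '6t 1t'
EOF
}
# Reads `uci export network` on stdin and prints one finding per line.
# Assumption: eth0 is switch CPU port 0 and eth1 is CPU port 6.
check_vlans() { awk -v q="'" '
BEGIN { cpu["eth0"] = 0; cpu["eth1"] = 6; iscpu[0] = iscpu[6] = 1 }
{ gsub(q, "") }                          # strip the quotes around values
$1 == "config" { n++; sect[n] = $2; name[n] = $3; next }
$2 == "vid" { vid[n] = $3 }
$2 == "ports" || $2 == "ifname" { for (f = 3; f <= NF; f++) val[n] = val[n] " " $f }
END {
  for (i = 1; i <= n; i++) if (sect[i] == "switch_vlan") {
    k = split(val[i], p, " ")
    for (j = 1; j <= k; j++) {
      port = p[j]; t = sub(/t$/, "", port)      # a trailing "t" marks a tagged member
      mem[port, vid[i]] = t ? "t" : "u"
      if (t) tag[port] = 1; else untag[port] = vid[i]
    }
  }
  for (i = 1; i <= n; i++) if (sect[i] == "interface") {
    k = split(val[i], d, " ")
    for (j = 1; j <= k; j++) if (split(d[j], a, "[.]") == 2 && (a[1] in cpu))
      if (mem[cpu[a[1]], a[2]] != "t")
        print "MISSING " name[i] " " d[j] ": VLAN " a[2] " not tagged on CPU port " cpu[a[1]]
  }
  for (port in untag) if (tag[port] && !iscpu[port])
    print "MIXED port " port ": untagged VLAN " untag[port] " shares the port with tagged VLANs"
}'
}
sample_config | check_vlans
```

On a device the same function can be fed directly with `uci export network | check_vlans`; an empty result means every VLAN sub-interface in a bridge is backed by a tagged CPU-port membership.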

hi

Looks like I got the HA LAN and MAIN LAN working fine now...

There is some screwup with the guest LAN, probably with DHCP and DNS.. not sure debugging...

Yeah, some Firewall issue with the guest LAN DHCP and DNS..

I have set it up exactly as my previous setup...

config rule
        option dest_port '53'
        option src 'public'
        option name 'publicDNS'
        option target 'ACCEPT'

config rule
        option dest_port '67-68'
        option src 'public'
        option name 'publicDHCP'
        option target 'ACCEPT'
        list proto 'udp'

Not sure if I have to include the DHCP server IP for the public interface in those rules..

config rule
        option dest_port '53'
        option src 'public'
        option name 'publicDNS'
        option target 'ACCEPT'
        list dest_ip '172.16.30.1'

config rule
        option dest_port '67-68'
        option src 'public'
        option name 'publicDHCP'
        option target 'ACCEPT'
        list proto 'udp'
        list dest_ip '172.16.30.1'

Even that is not working.... :sob:

In this setup the OpenWrt access point is a dumb wired to wireless converter. It acts at layer 2 to bridge all traffic including DHCP and DNS from wireless users directly to the main router. OpenWrt's firewall is not a factor at all. You need to configure the services at the main router.


Yes, That is exactly my intention...
I think I have the DUMB AP now working...

My problem is not completely solved yet...
I cannot get DHCP on the guest LAN, this has to do with the firewall on the main router
(which is a PCEngines APU4 with another instance of OpenWRT)

I see that my laptop does associate with the guest WLAN, however does not get dynamic IP.
If I manually set IP address, it works...

so something is amiss with the firewall for the guest ZONE...
I know what I am doing but still something is stuck out somewhere...

Next I will be trying the dumb thing of rebooting the routers !!!

G

Did you activate a DHCP server for the public network?

For testing you can set the firewall to accept all input, then once the network works tighten the rules with a default of reject except for specific rules that open certain ports.

hi,

Looks like the culprit was luci...

Apparently was pushing

option dynamicdhcp '0'

for some weird reason on the pub/guest DNS, I fixed on the cmdline and seems to be all working good now...

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.