OpenWrt 21.02 - Wifi Manual VLAN Filtering (Bug) !?

I recently moved to a new flat and I am redeploying my home network. Before reconnecting all devices, I have noticed that there was a new OpenWRT version and my devices supported it.

The biggest change I have noticed so far is the new switch configuration that has been migrated to DSA.

The management network configuration was quite simple to migrate after reading the OpenWRT wiki. However, the wifi has been a bit trickier. It seems that I have found a bug in LuCI.

This article is being written as an attempt to reproduce the bug.

1) Creating a new Wifi Network

I have created a network as seen in the pictures below:

The wifi network has no Network selected because it will be part of an L2 domain only and my pfSense will do the firewalling/routing.

2) VLAN Configuration

The new wifi network has been added as wlan1 and I will disable IPv6.

It has not been listed as an available device in the bridge interfaces list. However, it is not a problem because we can tick custom, insert the Wifi interface name, and save & apply the changes.

I am not sure why, but although the webUI sees the interface as part of the bridge and shows the device in the VLAN Filtering tab, the command line shows a different scenario.

I will use the webUI to set the VLAN as intended.

And the command line shows the opposite of what is seen on the webUI, even after a reboot.

wlan0 is not listed anymore because the iproute2 commands are not persistent.

3) VLAN Manual Configuration

It is possible to manually configure the VLAN as shown below.

brctl addif br-lan wlan0
brctl addif br-lan wlan1

Adding the Wifi interfaces to the Bridge.

root@r1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.xxxxxxxxxxxx       no              lan1

Bridge interfaces.

bridge v s
port              vlan-id  
lan4              4
lan1              20
br-lan            4
wlan1             1 PVID Egress Untagged
wlan0             1 PVID Egress Untagged

Bridge VLAN configuration.

bridge vlan del dev wlan0 vid 1
bridge vlan del dev wlan1 vid 1

Deleting VLAN 1 from the interfaces.

bridge vlan add dev wlan0 vid 20 pvid 20 untagged master
bridge vlan add dev wlan1 vid 20 pvid 20 untagged master

Adding the VLAN config to the bridge.

bridge v s
port              vlan-id  
lan4              4
lan1              20
br-lan            4
wlan1             20 PVID Egress Untagged
wlan0             20 PVID Egress Untagged

The Wifi now works as expected. My network configuration has some complexity. However, DSA came to OpenWRT and made the virtual networking configuration easier.

It is worth mentioning that the commands above have to be added to System -> Startup -> Local Startup, otherwise they will be wiped after a reboot, since iproute2 commands are not persistent.
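An added check, not part of the original post: it reads `bridge vlan show` output and reports any wifi port whose PVID is not the intended VLAN, which is the LuCI-versus-kernel mismatch described above. The function name `check_wifi_vlan` and the two sample listings (constructed from the listings in the post) are assumptions of this example.

```sh
#!/bin/sh
# Added example: check the kernel bridge VLAN table instead of trusting LuCI.
# Usage on the router: bridge vlan show | check_wifi_vlan 20 wlan0 wlan1
# Prints one line per port that is not an untagged PVID member of the VLAN;
# returns 1 if any port is off (e.g. wifi clients still landing in VLAN 1).
check_wifi_vlan() {
    want="$1"; shift
    awk -v want="$want" -v ports="$*" '
        BEGIN { n = split(ports, p, " ") }
        /^port[ \t]/ || NF == 0 { next }             # header and blank lines
        /^[^ \t]/ { port = $1; vid = $2; f = 3 }     # first VLAN of a port
        /^[ \t]/  { vid = $1; f = 2 }                # further VLANs, indented
        {
            flags = ""
            for (i = f; i <= NF; i++) flags = flags " " $i
            if (flags ~ /PVID/) { pvid[port] = vid; untag[port] = (flags ~ /Untagged/) }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!(p[i] in pvid)) msg = "no PVID in bridge VLAN table"
                else if (pvid[p[i]] != want) msg = "PVID " pvid[p[i]] ", expected " want
                else if (!untag[p[i]]) msg = "VLAN " want " egresses tagged"
                else continue
                print p[i] ": " msg; bad = 1
            }
            exit bad + 0
        }'
}

# Sample listings, constructed from the two `bridge v s` outputs in the post.
BEFORE='port              vlan-id
lan4              4
lan1              20
br-lan            4
wlan1             1 PVID Egress Untagged
wlan0             1 PVID Egress Untagged'
AFTER='port              vlan-id
lan4              4
lan1              20
br-lan            4
wlan1             20 PVID Egress Untagged
wlan0             20 PVID Egress Untagged'

printf '%s\n' "$BEFORE" | check_wifi_vlan 20 wlan0 wlan1 || echo "before: mismatch"
printf '%s\n' "$AFTER"  | check_wifi_vlan 20 wlan0 wlan1 && echo "after: ok"
```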

21.02 can’t route wifi radios on L2.

You need at least an unmanaged interface between each vlan and wifi ssid.
So you can’t leave “wifi network” empty.
If you want to solve the connection the easy way.

Do it in reverse order from what you did. In other words have everything else ready before creating the wifi AP, so that its network already exists and you can choose it from the wifi page. Do not try to back-reference wifi interfaces from other parts of the configuration, since their names may change.

So first get the Ethernet VLANs set up. For DSA to be able to have the hardware Ethernet switch work properly, all the ports that are going to hardware switch different VLANs need to be in the same bridge, with VLAN filtering enabled on that bridge. This generally means that the existing br-lan will become a general purpose bridge, and you may even want to put the wan port into it (which will require giving the wan link an internal VLAN number, conventionally from swconfig that number is 2, but you can choose any number which isn't used for something else). Set the ports tagged or untagged depending on your needs. A trunk cable has all VLANs of interest tagged, and none untagged. An access port for a non-VLAN aware device has one VLAN untagged and the rest off.

Then create new networks for each VLAN. Even if a VLAN will only be hardware switching between two Ethernet ports, you still need a shell interface of proto Unmanaged for the hardware to get set up properly. Use the syntax bridgename.N as the interface's physical device. In the full-on DSA VLAN filtering configuration scheme, this is the only place where a .vlannumber syntax is used.

At this point you will have a network for your L2 bridged guests named something like vlan20 or guests, which has br-lan.20 as its device and Unmanaged as its protocol. One of the Ethernet ports is configured as Tagged in VLAN 20 and connected to the main router. In other words, everything but the wifi is in place. So now go to the wifi section and make an AP, possibly one on each band. Select the network name from the list.

The thing about LuCI's list of network names is it will have a lot of ones that should never be used in that context, or ever.
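The order described in the reply above, written out as UCI commands. This is an added example, not code from the thread: the function name, the section names `bv20` and `ap_vlan20`, the radio `radio0`, the SSID, the `psk2` encryption choice and the placeholder passphrase are all assumptions. It prints the commands as a dry run unless `UCI=uci` is set.

```sh
#!/bin/sh
# Added example: bridge VLAN -> unmanaged interface -> AP, in that order.
# Dry run by default (prints the commands); run with UCI=uci on the router.
UCI="${UCI:-echo uci}"

l2_wifi_vlan() {
    vid="$1"; trunk="$2"; net="$3"; radio="$4"; ssid="$5"; key="$6"
    # 1. VLAN on the filtering bridge, tagged on the trunk port to the router.
    $UCI set "network.bv$vid=bridge-vlan"
    $UCI set "network.bv$vid.device=br-lan"
    $UCI set "network.bv$vid.vlan=$vid"
    $UCI add_list "network.bv$vid.ports=$trunk:t"
    # 2. Shell interface with proto Unmanaged ('none') on br-lan.<vid>.
    $UCI set "network.$net=interface"
    $UCI set "network.$net.device=br-lan.$vid"
    $UCI set "network.$net.proto=none"
    # 3. AP that selects the network by name; no wlanX name is referenced
    #    anywhere in the network configuration.
    $UCI set "wireless.ap_$net=wifi-iface"
    $UCI set "wireless.ap_$net.device=$radio"
    $UCI set "wireless.ap_$net.mode=ap"
    $UCI set "wireless.ap_$net.ssid=$ssid"
    $UCI set "wireless.ap_$net.encryption=psk2"
    $UCI set "wireless.ap_$net.key=$key"
    $UCI set "wireless.ap_$net.network=$net"
    $UCI commit network
    $UCI commit wireless
}

# Constructed values: VLAN 20 tagged on lan1, as in the thread.
l2_wifi_vlan 20 lan1 vlan20 radio0 guest-l2 'PLACEHOLDER-passphrase'
```

The example assumes `br-lan` already has VLAN filtering set up for the other networks, as in the thread; the network service has to be restarted after the commit for the change to take effect.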

@mk24 spot on !!! Many Thanks.

I have done as you said and magic happened. The wifi interfaces were added to the bridge automatically by LuCI. :smile:

Below is the correction added to my blog post.

4) Layer 2 WIFI Network with VLAN Filtering

We need to first create an unmanaged interface.

Adjust the VLAN Filtering on the main bridge.

In my case, lan1 is a trunk port that is connected to my switch.

And finally, let's create the wifi network. We need to make sure that we are selecting the newly created network.

The configuration above bridges our wifi network in a Layer 2 broadcast domain allowing our pfSense to control the Layer 3.