OpenWRT AP Pfsense Router, OpenWRT Can't Update Packages and No Internet over Ethernet

Hello everyone,

I am new to the forum but have been using OpenWRT for several years now.

Just bought a GL-MT6000 router and installed OpenWRT on it for use as a dumb AP. The AP is connected to my Protectli FW4B running Pfsense. The Pfsense box serves as the main router and firewall.

I have a physical port on the Pfsense box connected to one of the GL-MT6000 LAN ports. This port is divided into 5 different VLANs with tags synchronized between AP and router. I have 4 wireless SSIDs, each using its own interface tied to one of the VLANs. The fifth VLAN serves as the Ethernet connection.

My dilemma that I can't figure out is that although the wireless connections work perfectly with internet access, I can't access the internet if I connect to one of the open Ethernet ports on the GL-MT6000. There is also no DHCP IP provisioning through the AP Ethernet ports; I have to manually set a static IP on my computer.

Also, although I can connect to the OpenWRT WebGUI through the firewall (computer connected to pfsense LAN port), I can't perform opkg update. The update fails with code 7. I can perform opkg update and download packages when the pfsense box is bypassed but not when I go through it.

Below is a simple diagram of my network setup.
I would like to share screenshots of my settings but am limited to one per post as a new member.

I can SSH into the OpenWRT AP and Pfsense Router. Happy to share copies of any relevant configuration files.

Instead of screenshots, please show the configs in their text format:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:/# ubus call system board
{
	"kernel": "6.6.93",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.2",
		"revision": "r28739-d9340319c6",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.2 r28739-d9340319c6",
		"builddate": "1750711236"
	}
}

root@OpenWrt:/# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd20:6899:aa85::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option bridge_empty '1'
	option ipv6 '1'
	option acceptlocal '1'

config interface 'lan'
	option device 'br-lan.812'
	option proto 'static'
	option gateway '192.168.4.1'
	list ipaddr '192.168.4.100/24'
	option delegate '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option ip6assign '60'

config interface '24GHz_WPA3_E'
	option device 'br-lan.1251'
	option proto 'static'
	option gateway '192.168.7.1'
	list ipaddr '192.168.7.100/24'
	option delegate '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option defaultroute '0'

config interface '5GHz_WPA3_E'
	option device 'br-lan.1494'
	option proto 'static'
	option gateway '192.168.8.1'
	list ipaddr '192.168.8.100/24'
	option delegate '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option defaultroute '0'

config interface '5GHz_WPA2'
	option device 'br-lan.3388'
	option proto 'static'
	option gateway '192.168.6.1'
	list ipaddr '192.168.6.100/24'
	option delegate '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option defaultroute '0'

config interface '24GHz_WPA2'
	option device 'br-lan.187'
	option proto 'static'
	option gateway '192.168.5.1'
	list ipaddr '192.168.5.100/24'
	option delegate '0'
	list dns '208.67.222.222'
	list dns '208.67.220.220'
	option defaultroute '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option disabled '1'
	option auto '0'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option disabled '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '812'
	list ports 'lan1:t'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'br-lan.812'
	option type '8021q'
	option ifname 'br-lan'
	option vid '812'
	option acceptlocal '1'
	option ipv6 '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1251'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '1494'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3388'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '187'
	list ports 'lan1:t'

root@OpenWrt:/# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface '1_radio0'
	option device 'radio0'
	option network '24GHz_WPA2'
	option mode 'ap'
	option ssid 'OpenWrt24_WPA2'
	option encryption 'sae-mixed'
	option isolate '1'
	option key 'password'
	option ocv '0'
	option wpa_disable_eapol_key_retries '1'
	option disabled '1'

config wifi-iface '2_radio0'
	option device 'radio0'
	option network '24GHz_WPA3_E'
	option mode 'ap'
	option ssid 'OpenWrt24_WPA3_E'
	option encryption 'sae'
	option isolate '1'
	option key 'password'
	option ocv '0'
	option wpa_disable_eapol_key_retries '1'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option cell_density '0'
	option disabled '1'

config wifi-iface '1_radio1'
	option device 'radio1'
	option network '5GHz_WPA2'
	option mode 'ap'
	option ssid 'OpenWrt5_WPA2'
	option encryption 'sae-mixed'
	option isolate '1'
	option key 'password'
	option ocv '0'
	option wpa_disable_eapol_key_retries '1'
	option disabled '1'

config wifi-iface '2_radio1'
	option device 'radio1'
	option network '5GHz_WPA3_E'
	option mode 'ap'
	option ssid 'OpenWrt5_WPA3_E'
	option encryption 'sae'
	option isolate '1'
	option key 'password'
	option ocv '0'
	option wpa_disable_eapol_key_retries '1'
	option disabled '1'

root@OpenWrt:/# cat /etc/config/dhcp

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp '5GHz_WPA2'
	option interface '5GHz_WPA2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp '5GHz_WPA3_E'
	option interface '5GHz_WPA3_E'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp '24GHz_WPA2'
	option interface '24GHz_WPA2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp '24GHz_WPA3_E'
	option interface '24GHz_WPA3_E'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'
	option dynamicdhcp '0'
root@OpenWrt:/# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VLANS'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network '5GHz_WPA2'
	list network '5GHz_WPA3_E'
	list network '24GHz_WPA2'
	list network '24GHz_WPA3_E'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'


Thanks for posting the config. Let's try to resolve the issue, but before we go into that, one more thing:

This typically isn't necessary for most AP configurations because it's not common to need to install non-default packages onto an AP (but yes, there are situations where that is desired). With that in mind, I want to make it clear that installing packages is fine, but don't upgrade the existing packages as that will at some point cause you major problems.

Anyway, let's clean some things up...

First, remove the last 3 lines of br-lan:

Your non-management networks should be unmanaged (there is no need for the AP to have an address on any network other than the one that is used to manage the AP itself). So, edit your networks to look like this:

config interface '24GHz_WPA3_E'
	option device 'br-lan.1251'
	option proto 'none'

config interface '5GHz_WPA3_E'
	option device 'br-lan.1494'
	option proto 'none'

config interface '5GHz_WPA2'
	option device 'br-lan.3388'
	option proto 'none'

config interface '24GHz_WPA2'
	option device 'br-lan.187'
	option proto 'none'

Since it looks like you want your lan (VLAN 812, 192.168.4.0/24) to be present on the lan ports as untagged, make it explicit by adding :u* after each of the ports:

config bridge-vlan
	option device 'br-lan'
	option vlan '812'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

Delete this:

Remove the last line from the lan dhcp server:

Delete all of the other DHCP server stanzas (now those are all unmanaged interfaces anyway):

And delete this:

Now, restart the AP and test again.

Thank you so much for offering your help!

I made all of the instructed changes and tested. The WiFi still works as expected, however, the original two problems remain.

I do want to be able to install packages, as the next step in this process is to make the two WiFi networks listed as "_E" to be WPA3-Enterprise, using the Pfsense box as a RADIUS server. This requires some additional packages for OpenWRT.

I wasn't aware that upgrading packages could cause issues. I will heed this warning as I usually blindly install all the available updates.

Ok... let's check the lan VLAN in general. Connect a computer via Ethernet to one of the other lan ports on the OpenWrt device -- they should all connect to VLAN 812. Make sure that the computer has just that one network connection (disable wifi, unplug any other Ethernet connections). Does the computer get an IP address and normal access to the internet?

It does not. No IP or internet access.

That suggests that there is a problem upstream. It could be:

  • the pfsense router isn't properly configured for that VLAN (network config, dhcp, firewall, or VLAN assignments at the port).
  • there could be a tagged/untagged mismatch between the pfsense router and the OpenWrt device. If the pfsense device is setup with that network untagged on the corresponding port, this would explain the problem -- you have port lan1 setup with VLAN 812 tagged. To fix this, change the pfsense box to tag that network on that port, or change the OpenWrt side to be untagged + PVID.

I believe the Pfsense router has the port tagged. Do you have familiarity with Pfsense? (I know this is an OpenWRT forum)

My suspicion was that it was a setting incompatibility between the OpenWRT AP and the Pfsense router; however, this doesn't explain why the WiFi networks work fine. They are set up the same on Pfsense's side.

I do not.

There should be no such thing... both environments use the same standards for 802.1q VLAN tagging.

You don't have VLAN 812 (the lan network) associated with a wifi network on OpenWrt side. I expect that even if you did, you would not get proper network connectivity.

To test the Pfsense router's configuration, try unplugging the OpenWrt router and plug a computer directly into the Pfsense box (using the same port as was being used for the OpenWrt router). Does it gain connectivity at that point? If so, it means that VLAN 812 is untagged on the Pfsense side.

If it still doesn't get connectivity, it may be tagged, but something else could be wrong. You'll need to check the configuration of the Pfsense firewall, DHCP server, network interface configuration, and port assignments for that VLAN.

Indeed it does not get a connection from that port.

On Pfsense side, the VLAN configurations, Interface, Ports, DHCP, etc are copied identically between all 5 VLANS. I tried using the 812 VLAN for a WiFi network and indeed it failed to connect.

I suspect the issue lies in the use of both tagged and untagged ports on the OpenWRT setup for VLAN 812. This is the only unique aspect of that VLAN. This confuses me because I thought this setup was correct.

Is it possible to setup a separate untagged bridge and forward traffic to the 812 VLAN?

My apologies for the delay in this response. I accidentally locked myself out of management access on the AP while switching VLANS around for testing... I had to re-flash and reconfigure again. This time I did not update the packages.

So, adding the pfsense box causes the issue?

Is there an IP range conflict between the two?

I'm also a bit of an OpenWRT beginner, but you could try to set PVID, shown as "u*", on the untagged ports in VLAN 812? (I think the asterisk means PVID, or "native VLAN" in Cisco language.)

You need to tick both ....
But I don't really understand why it should be needed on a "simple untagged port".

..
..
I would find a managed switch, make a "cloned/mirrored port" of the OWRT <--> pfsense connection. And fire up Wireshark, to have a look.

Or if you don't have a managed switch ... (Go get one)
Sniff via pfSense : Debug --> Packet Capture

With respect to the openwrt side, all VLANs are tagged on the port that connects to the pfsense box, so there is no mixing of tagged + untagged there. (Also, fwiw, this “issue” is very rare anyway). That you have the vlan untagged against the other lan ports is normal for access ports and will not break things.

How many ports do you have on your pfsense box? Try assigning this vlan as untagged to another port on that box and then connect a computer directly to it.

@psherman
The Protectli FW4B consists of 4 x L3 Intel NICs without any switching function.
So you can't easily "just make a copy" of VL812 packets to another pfS-IF.

In this situation that would mean creating a "software bridge" on the pfS.
Well, if OP knows how to do that, and this is just for debugging ....

@Alphilon Another reason to get a cheap $50 managed switch
My favorite "El cheapo" is this one
https://www.amazon.com/D-Link-Ethernet-Managed-Internet-DGS-1100-08V2/dp/B08P2C2GXF?

But I suppose Netgear or even TP-Link (if they got rid of that "forced - all ports member of VL1")
would be just as fine.


Yup. The point is debugging. Or the vlan could be moved off the existing port and solely onto another one for the debug. We just need to establish that the vlan works at the pfsense box. We don’t care about performance (software bridge considerations) and this would only be temporary.

Didn't the OP state that Inet worked via WiFi?
That would indicate that VL812 works on the pfSense box, and that VL812 packets can be transported on the OWRT <--> pfSense wire.

..
..

NOT related to this issue, since OP does not use untagged frames on the pfS wire
Just a FYI ..
On a pfSense , you often just make (add) vlan "logical" interfaces in the gui (IF-->Tag).
In order to receive "untagged" you have to add the "logical" IF interface too (the parent/master/owner).
Often on a pfSense trunk, the "parent" "logical" IF is omitted. Then all untagged would "just be dropped" ... Security.

Ps:
I just reread your post above, and see you had already addressed the PVID to OP.
Sorry about that.