OpenWrt (Dumb AP) + OPNsense (Firewall) + SSID-VLANs

Hello,
I have OpenWRT running on an Archer C7 AC1750, and I have a server running OPNsense (bare metal, not virtualized). I have been having trouble setting up my setup properly and cannot figure out where I am going wrong. I have tried searching, and have come across a few posts in these forums, and on the internet. I have also looked at guides for pfSense seeing they're similar setups. I have been at this for weeks now and can't figure it out.

Let me first explain my setup and goals:
OpenWRT is meant to act only as an access point for wireless, and OPNsense will handle everything else.
I have currently 3 VLANs, Mine (LAN), Family (LAN2), Guest. Both LAN and LAN2 have ethernet on OPNsense interfaces, Guest will be ONLY wireless (so the AP).

  • All ethernet devices on LAN are on one unmanaged switch, that plugs into OPNsense interface (ix2).

  • All ethernet devices on LAN2 are on another unmanaged switch which plugs into another OPNsense interface (ix1).
    I have already confirmed by doing some ping tests, that LAN and LAN2 can't communicate to each other over ethernet as planned. So that isolation seems to be working.

  • The OpenWRT access point plugs directly into another interface (ix5) on OPNsense. For clarity here is the assignments page for OPNsense:

  • Now, as shown in the assignments page above, I have 3 VLANs set up on OPNsense. They all have the parent interface set as ix5. Then they are tagged accordingly, 10, 20, 30.

  • OPNsense interface LAN is set to 10.0.10.1, LAN2 10.0.20.1

  • OPNsense vWLAN is 10.0.10.2, vWLAN2 10.0.20.2, 10.0.30.1 (vWLAN are the VLANs that are meant to connect with OpenWRT if that wasn't clear).

  • OPNsense WLAN (the actual interface for the AP; ix5) has no static IP set (because this is handled by the VLANs as listed above).

  • Under services > DHCP on OPNsense, I set up DHCP for all the vWLANs.

Now on OpenWRT's side, I have followed the OpenWRT guide for setting it up as a dumb ap here: https://openwrt.org/docs/guide-user/network/wifi/dumbap

  • I then created 3 interfaces on OpenWRT. LAN, LAN2, Guest.
    LAN has IP of 10.0.10.3, LAN2 10.0.20.3, Guest 10.0.30.2

  • I then made the SSIDs under Wireless.

  • I then went to Switching (if it wasn't clear, I have no managed switch besides the switch in the Archer AC1750) and created 3 VLANs, tagged them 10, 20, 30. I set all the boxes to "TAGGED" vertically for eth0 and LAN1 (LAN1 PORT to be specific, which is the ethernet cable that runs between OpenWRT and ix5 on OPNsense). See picture.
    Basically I'm mirroring the VLANs on OPNsense, just set the interface IPs +.1 so it doesn't conflict.

  • Switch settings: https://i.ibb.co/7gtWBZD/photo-2021-09-27-17-48-09.jpg

Now I go back to interfaces, set up a bridge for each interface, so LAN gets SSID1+eth0.10, LAN2 gets SSID2+eth0.20, LAN3 gets SSID3+eth0.30.

Save and apply everything. Reboot OpenWRT and OPNsense. Everything is applied as expected.
I connect my phone to one of the LAN access points (SSID), and it doesn't grab an IP. So I set a static IP for now just to see, and I cannot ping OPNsense @ 10.0.10.1, nor any machines on LAN. Nor do I have internet, so cannot reach out. If I check the firewall live log on OPNsense, I do not see anything coming from 10.0.10.2 or the IP set on my phone when connected to the SSID, trying to do anything. Like it doesn't even show it's being blocked. So it looks like the packets aren't even getting to OPNsense.

  • I can reach the web gui of OpenWRT from my phone (makes sense), so yeah it is something with the transmission from OpenWRT to OPNsense it's getting stuck on.

  • Yes I have tried a different ethernet cable, yes I have tried switching to a different port (interface) on OPNsense for the access point. Seems like a configuration issue not hardware.
    And yes DHCP and Firewall are disabled on OpenWRT.

Here are my OPNsense Firewall rules for the LAN/vWLAN/WLAN interfaces/vlan.

So yeah, I'm not sure where I'm going wrong. I would highly appreciate help.
Sorry if anything was confusing, it's simpler than it sounds, but I am just poor at explaining things. If you need any other logs, or screenshots let me know and I can try my best to answer and provide! Really need to get this working. Thank you!
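The OpenWrt side of the setup described in the post, written out as the UCI network config it corresponds to (an added example for reference, not the poster's actual file). It uses OpenWrt 19.07 syntax for the Archer C7's swconfig switch; the switch port numbers (CPU port 0 behind eth0, LAN1 as port 1) are assumptions and on 21.02 the bridges are declared as `config device` sections instead.

```uci
# /etc/config/network (OpenWrt 19.07 syntax; swconfig switch of the Archer C7).
# Assumed: switch port 0 is the CPU port behind eth0 and LAN1 is port 1. Verify
# with `swconfig dev switch0 show`, since numbering differs between revisions.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# One 802.1Q VLAN per network; '0t 1t' = tagged on the CPU port and on the
# LAN1 trunk to OPNsense ix5. Nothing leaves the trunk untagged.
config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '20'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '30'
	option ports '0t 1t'

# Dumb-AP bridges: the static address is only for managing the AP; routing
# and DHCP stay on OPNsense, so only the management network gets a gateway.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.10'
	option proto 'static'
	option ipaddr '10.0.10.3'
	option netmask '255.255.255.0'
	option gateway '10.0.10.1'

config interface 'lan2'
	option type 'bridge'
	option ifname 'eth0.20'
	option proto 'static'
	option ipaddr '10.0.20.3'
	option netmask '255.255.255.0'

config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.30'
	option proto 'static'
	option ipaddr '10.0.30.2'
	option netmask '255.255.255.0'
```

Each SSID in /etc/config/wireless then joins its bridge with `option network 'lan'` / `'lan2'` / `'guest'`, and the guest wifi-iface can carry `option isolate '1'` so guest clients cannot talk to each other through the AP. With dnsmasq and the firewall disabled on the AP, any client that fails to get an address is a sign the tagged frames are not reaching OPNsense, which matches the empty live log described above.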

You cannot do that. Either LAN and vWLAN will be separated interfaces with different subnets, or you'll bridge them and use only one IP for the bridge interface. Your configuration on the OpenWrt looks good to me, so you'll have to work your way on bridging the vWLAN subinterfaces to the main interface.


Can you elaborate to me what you mean by bridge the interfaces in your context?
Are you saying to give the vWLAN no static ip, then bridge LAN with vWLAN?
And then give vWLAN2 no ip, then bridge LAN2 with vWLAN2

Won't that mean the access point will conflict with the IP of LAN on Opnsense? And the access point for LAN2 conflict with the IP of LAN2 on Opnsense?
Or do I keep the IPs how I have them, and literally just bridge LAN and vWLAN, LAN2 and vWLAN2?

Also do I need to bridge WLAN to anything? (the actual Opnsense interface ix5, that connects to the access point?) No, right? Just bridge the VLANs on Opnsense because ix5 is set as their parent interface, correct?

Thank you! Will try when I get home.

This one.

Correct.

Apologies for the late response, this has worked and been working great. Thank you.
I do notice one issue, the throughput when right next to the router is only around 50mbps? It says my link speed to OpenWRT from my phone is around 400mbps so it shouldn't be struggling, right?
Mind you I get around 700-900mbps no problem when connected over ethernet to Opnsense.
So it seems to be related to wireless only which is OpenWRT.

Any ideas what might be going on?

It is 2,4GHz, right? 5GHz band is not supported from what I see in the device page.

Are you referring to the link speed in wireless network details? This is generally inaccurate. Other than that I haven't been able to reach with the smartphone the same results in speedtests as I have with my laptop connected by cable. And I am using vendor firmware on a Ubiquiti UAP-AC-lite.

It's 2.4 and 5GHz.
What device page are you referring to? The TP Link one? Or OpenWRT's page on the AC1750? I know for a fact my device supports 2.4 and 5GHz, and claims 1Gbps (of course I don't expect that out of wireless, but 50mbps is nothing).

Anyways I previously had OpenWRT running with the same exact setup, just it was also acting as the firewall/router. Same exact device.
I just got an Opnsense machine, and wanted to set up the AC1750 as the dumb ap.
It worked without issue on both 5GHz and 2.4 when it was running as an all in one.

Out of curiosity, you say you have a Unifi AC; I was looking at getting the AC Pro to replace the AC1750 eventually.
How good are your speeds with the Lite?
Have you tried OpenWRT on it?

The OpenWrt one.

The 2,4GHz band is not that fast. Only in 5GHz do I see some good results.
I keep them in stock firmware for now. Maybe I'll convert them to OpenWrt as soon as they go EoS from ubiquiti.

The AC Pro is a great AP (I have 2 of them and I have 4 at my dad's house), but don't buy it now... it is too old. The U6-Lite is the better buy in terms of price/performance. Or the NanoHD, but even that is a bit older than the U6-Lite.

That is only for V1.
I have the V5 AC1750