OpenWrt guest SSID and guest VLAN not working

Hi,

Wi-Fi guest client, given a fixed IP address on the guest subnet:
Client: 192.168.179.3
openwrt (the AP's own guest interface): 192.168.179.4
Server: 192.168.179.1 (also the configured gateway of the guest interface)

Client can ping openwrt
Client cannot ping Server
openwrt can ping client.
openwrt can ping server
server can ping openwrt
server cannot ping client.

Looking at packet traces.
ping from client to server fails:
icmp echo request:
client -> openwrt -> server
icmp echo response
server -> openwrt -> .... (it gets lost before it reaches the client)

ping from openwrt to client works:
icmp echo request:
openwrt -> client
icmp echo response:
client -> openwrt

ping from client to openwrt works:
icmp echo request:
client -> openwrt
icmp echo response:
openwrt -> client

brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.22bf98e9dcf0 no phy1-ap0
lan4
lan2
sfp2
lan3
lan1
phy0-ap0
br-guest 7fff.22bf98e9dcf0 no phy0-ap1
lan1.5
phy1-ap1
br-wan 7fff.22bf98e9dcf1 no eth1
wan

The client is associated to phy1-ap1 (a member of br-guest).
The OpenWrt device itself answers on br-guest (192.168.179.4).
The server is reached through lan1.5 (VLAN 5 tagged on port LAN1, also a member of br-guest).

Does anyone have any hints as to how to track this down? (Capturing separately on lan1, lan1.5 and br-guest should show at which hop the echo reply disappears — whether it is never received on lan1, received on lan1 but not delivered to lan1.5, or reaches br-guest but is not forwarded to phy1-ap1.)

Taken from the dumb AP…

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Some extra information.
I have two SSIDs, one private and one guest.
A single private SSID works fine over untagged Ethernet on LAN4.
With two SSIDs, it does not work if one SSID is carried untagged on the Ethernet port and the other is carried with a VLAN tag: in that case only the untagged one works, and the tagged VLAN fails to forward traffic.
With two SSIDs that each use a different VLAN tag on LAN4, both forward traffic. I.e. as long as no untagged traffic is used on that port, it works.
Technically, one tagged plus one untagged VLAN on the same port (a trunk with a native VLAN) is a standard configuration and should work, so this looks like either a bug in the kernel/DSA switch driver or a problem with how an untagged bridge port (`lan1` in br-lan) and an 8021q sub-interface on the same port (`lan1.5` in br-guest) are combined. `bridge vlan show` and `ip -d link show lan1` would show whether VLAN 5 is actually programmed on the switch port for ingress.

ubus call system board
{
	"kernel": "5.15.105",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Bananapi BPI-R3",
	"board_name": "bananapi,bpi-r3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r22497-f25abdf144",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r22497-f25abdf144"
	}
}

You haven’t provided all the requested information. Please provide the configs.

cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0f:066a:3878::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4.1'
	list ports 'sfp2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.4'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'wan'

config device
	option name 'eth1'
	option macaddr '22:bf:98:e9:dc:f1'

config device
	option name 'wan'
	option macaddr '22:bf:98:e9:dc:f1'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.179.4'
	option netmask '255.255.255.0'
	option gateway '192.168.179.1'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	list ports 'lan1.5'
	list ports 'lan4.5'

config device
	option type '8021q'
	option ifname 'lan1'
	option vid '5'
	option name 'lan1.5'
	option mtu '1500'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '5'
	option name 'lan4.5'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '1'
	option name 'lan4.1'
cat /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'a02'
	option encryption 'sae-mixed'
	option key 'xxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wmac+1'
	option channel 'auto'
	option band '5g'
	option htmode 'HE40'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'a03'
	option encryption 'sae-mixed'
	option key 'xxx'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'g02'
	option encryption 'sae-mixed'
	option network 'guest'
	option key 'xxx'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'g03'
	option encryption 'sae-mixed'
	option network 'guest'
	option key 'xxx'


cat /etc/config/dhcp
config dnsmasq
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '0'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	option log_limit '1000'
	option masq_allow_invalid '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	option log_limit '1000'
	option masq_allow_invalid '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'
	list device 'br-guest'
	list device 'lan1.5'
	list device 'phy0-ap1'
	list device 'phy1-ap1'
	option log '1'
	option log_limit '1000'
	option masq_allow_invalid '1'


A note on the firewall config above: `config defaults` is input/output/forward ACCEPT and the guest zone is ACCEPT on input and forward, and the server→client reply is bridged at layer 2 inside br-guest (lan1.5 → phy1-ap1) rather than routed, so the firewall can almost certainly be ruled out as the cause of the lost replies. It does mean, however, that guest clients can reach the AP's own services on 192.168.179.4 (ssh/LuCI), and that the AP — which has addresses in both 192.168.0.0/24 and 192.168.179.0/24 — would forward between the guest and lan subnets if a host sent it such traffic. Once the VLAN problem is solved, the guest zone should get `input 'REJECT'` (with explicit rules for DHCP/DNS only if the AP serves them to guests) and the defaults `forward` policy should go back to `REJECT`.

With the current config I have posted:
LAN1 carries VLAN 1 untagged (br-lan member `lan1`) and VLAN 5 tagged (`lan1.5` in br-guest).
LAN4 carries nothing untagged, VLAN 1 tagged (`lan4.1` in br-lan) and VLAN 5 tagged (`lan4.5` in br-guest).
Note that this differs from the earlier `brctl show` output, where br-lan contained `lan4` untagged and br-guest had no `lan4.5` — that output was evidently taken under a previous configuration.
If I connect the network switch to LAN1, private traffic on untagged vlan1 works, guest traffic on tagged vlan 5 fails. (Packets pass from guest to server ok, Packets do not pass from server to guest)
If I connect the network switch to LAN4, private traffic on tagged vlan1 works, guest traffic on tagged vlan5 works.

Note: the network switch has a matching configuration; port 1 on the switch connects to LAN1 and port 2 on the switch connects to LAN4. For these tests I connect only one of LAN1 or LAN4 at a time, never both.