Openwrt sending wrong VLAN tag when using WIFI

vlan-newbie · February 18, 2025, 2:25pm

I am using OpenWrt 24.10.0 as a switch on a Linksys WRT1900ACS router. I setup VLAN tags on each of the 4 LAN ports and the WIFI devices. WAN port is the trunk. Using pfSense as the router with the subnets.

Problem is that when I connect a device over WIFI, OpenWrt is sending the wrong VLAN tag (23) to pfSense. I'm trying to get it to send tag 22. I confirmed this with packet capture in pfSense. If I connect a device to one of the LAN ports, the correct tag is sent.

Below is my config. What have I setup incorrectly? Thanks.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'phy1-ap0.21'
	list ports 'phy1-ap1.22'
	list ports 'vlan.1'
	list ports 'vlan.21'
	list ports 'vlan.22'
	list ports 'vlan.23'
	list ports 'vlan.24'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.10.45'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option type 'bridge'
	option name 'vlan'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config bridge-vlan
	option device 'vlan'
	option vlan '1'

config bridge-vlan
	option device 'vlan'
	option vlan '21'
	list ports 'lan1'
	list ports 'wan:t'

config bridge-vlan
	option device 'vlan'
	option vlan '22'
	list ports 'lan2'
	list ports 'wan:t'

config bridge-vlan
	option device 'vlan'
	option vlan '23'
	list ports 'lan3'
	list ports 'wan:t'

config bridge-vlan
	option device 'vlan'
	option vlan '24'
	list ports 'lan4'
	list ports 'wan:t'

config device
	option type '8021q'
	option ifname 'phy1-ap0'
	option vid '21'
	option name 'phy1-ap0.21'

config device
	option type '8021q'
	option ifname 'phy1-ap1'
	option vid '22'
	option name 'phy1-ap1.22'

brada4 · February 18, 2025, 2:34pm

This?

github.com/openwrt/openwrt

Clients are unable to connect to the wireless network

opened 10:45AM - 19 Jan 25 UTC

grifos

target/ramips bug Official Image release/24.10

### Describe the bug Since the first 24.10.0 RC releases, wireless clients coul…d not establish a successful network connection. The OpenWrt logs were showing clients connected then disconnected after about 30 seconds. The clients showed similar logs but never had any actual network connectivity at all. ``` Tue Jan 7 13:08:29 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 IEEE 802.11: authenticated Tue Jan 7 13:08:29 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 IEEE 802.11: associated (aid 1) Tue Jan 7 13:08:29 2025 daemon.notice hostapd: wl1.101: AP-STA-CONNECTED aa:bb:cc:01:23:45 auth_alg=open Tue Jan 7 13:08:29 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 RADIUS: starting accounting session 7D707FBCB13EEE03 Tue Jan 7 13:08:29 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 WPA: pairwise key handshake completed (RSN) Tue Jan 7 13:08:29 2025 daemon.notice hostapd: wl1.101: EAPOL-4WAY-HS-COMPLETED aa:bb:cc:01:23:45 Tue Jan 7 13:09:00 2025 daemon.notice hostapd: wl1.101: AP-STA-DISCONNECTED aa:bb:cc:01:23:45 Tue Jan 7 13:09:23 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 IEEE 802.11: authenticated Tue Jan 7 13:09:23 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 IEEE 802.11: associated (aid 1) Tue Jan 7 13:09:23 2025 daemon.notice hostapd: wl1.101: AP-STA-CONNECTED aa:bb:cc:01:23:45 auth_alg=open Tue Jan 7 13:09:23 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 RADIUS: starting accounting session BB50B2A50135313A Tue Jan 7 13:09:23 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 WPA: pairwise key handshake completed (RSN) Tue Jan 7 13:09:23 2025 daemon.notice hostapd: wl1.101: EAPOL-4WAY-HS-COMPLETED aa:bb:cc:01:23:45 Tue Jan 7 13:10:08 2025 daemon.notice hostapd: wl1.101: AP-STA-DISCONNECTED aa:bb:cc:01:23:45 Tue Jan 7 13:10:10 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 IEEE 802.11: authenticated Tue Jan 7 13:10:10 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 IEEE 802.11: associated (aid 1) Tue Jan 7 13:10:10 2025 daemon.notice hostapd: wl1.101: AP-STA-CONNECTED aa:bb:cc:01:23:45 auth_alg=open Tue Jan 7 13:10:10 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 RADIUS: starting accounting session 60129E9B594E6574 Tue Jan 7 13:10:10 2025 daemon.info hostapd: wl1.101: STA aa:bb:cc:01:23:45 WPA: pairwise key handshake completed (RSN) Tue Jan 7 13:10:10 2025 daemon.notice hostapd: wl1.101: EAPOL-4WAY-HS-COMPLETED aa:bb:cc:01:23:45 Tue Jan 7 13:10:16 2025 daemon.notice hostapd: wl1.101: AP-STA-DISCONNECTED aa:bb:cc:01:23:45 ``` ### OpenWrt version r28304-6dacba30a7 ### OpenWrt release 24.10.0-rc5 ### OpenWrt target/subtarget ramips/mt7621 ### Device Netgear WAX202 ### Image kind Official downloaded image ### Steps to reproduce 1- Configure a wireless network. Use a custom interface name, for example: `wl1.101` 2- On Network > Interfaces > Devices, configure the corresponding wireless device `wl1.101` with default settings 3- The wireless clients can no longer connect to that SSID. Restarting the wireless device seems to resolve but the problem reappears after a reboot. ### Actual behaviour I reconfigured the AP from scratch and it looks like the WiFi fails when I configure the wireless network devices under Network > Interfaces > Devices. I'm using custom wireless interface names and as long as the corresponding device is left unconfigured the WiFi works fine, while if I configure it, even if leaving everything default (like with the code below), the WiFi starts failing. Restarting the wireless device (on the Wireless page) seems to fix it, but after a reboot the problem reappears. ``` uci add network device # =cfg1f0f15 uci set network.@device[-1].name='wl1.101' ``` I then unconfigured the wireless devices on my other MT7621+MT7915E devices and now they're also working fine under 24.10.0-rc5. ### Expected behaviour Clients should connect successfully to the wireless network even when the wireless device is configured on the OpenWrt device. ### Additional info Thank you for the work you do guys, OpenWrt is magnificent. ### Diffconfig ```text ``` ### Terms - [x] I am reporting an issue for OpenWrt, not an unsupported fork.

vlan-newbie · February 18, 2025, 10:26pm

That seems to be about not being able to connect to WIFI. I am able to connect. I tried it though. Created new bridge, assigned the WIFI VLAN 802.q device to it. Then assigned the new bridge to a new interface, added the new interface in the LAN firewall zone and assigned the new interface to the WIFI endpoint. After saving/rebooting, my existing LAN clients lost network access other that to the OpenWrt switch. Reverted everything and the LAN clients started working again.

psherman · February 18, 2025, 10:50pm

This is completely wrong... you're bridging all the VLANs together, which is absolutely not going to work. Delete it:

vlan-newbie:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'phy1-ap0.21'
	list ports 'phy1-ap1.22'
	list ports 'vlan.1'
	list ports 'vlan.21'
	list ports 'vlan.22'
	list ports 'vlan.23'
	list ports 'vlan.24'

Delete all of this, too -- the wifi hardware should not be referenced in this file:

vlan-newbie:

config device
	option type '8021q'
	option ifname 'phy1-ap0'
	option vid '21'
	option name 'phy1-ap0.21'

config device
	option type '8021q'
	option ifname 'phy1-ap1'
	option vid '22'
	option name 'phy1-ap1.22'

Reboot and test again. If that doesn't resolve the issues, let's see the complete network config file.

mk24 · February 18, 2025, 11:17pm

There is no such thing as vlans on a wifi AP. In other words, wifi packets are always untagged.

Do not reference wifi interfaces in /etc/config/network. Use the option network setting in /etc/config/wireless to point back at a named Interface in the network file. Each bridge-vlan must have an interface linking its Device, even if it is only a placeholder of proto none. Use the notation br-lan.N to attach these. This is the only place where the dot vlan number notation is used in DSA.

vlan-newbie · February 22, 2025, 4:22pm

With the help here and examples on the following page, I seemed to have got it to work.

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial

With the below config, tagging seems to work correctly if I connect a client to the physical 1 - 3 LAN ports and tagging seems to work correctly over LAN port 4 when an unRAID server is connected to this port with VLAN tags of 22, 23 and 24 defined on unRAID. If I want the unRAID connection to get tagged to ID 21 then I use the physical br0 interface in unRAID. The WAN port of the OpenWRT switch is connected to pfSense router. With packet capture on pfSense I verified the correct VLAN tag was being passed as expected. As directed, I assigned with WIFI AP's directly to the appropriate interfaces.

Any thing I did wrong in the below config or should have done differently for best practices, etc? Thanks.

config device
	option type 'bridge'
	option name 'switch'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config bridge-vlan
	option device 'switch'
	option vlan '21'
	list ports 'lan1'
	list ports 'lan4:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'switch'
	option vlan '22'
	list ports 'lan2'
	list ports 'lan4:t'
	list ports 'wan:t'

config bridge-vlan
	option device 'switch'
	option vlan '23'
	list ports 'lan3'
	list ports 'lan4:t'
	list ports 'wan:t'

config bridge-vlan
	option device 'switch'
	option vlan '24'
	list ports 'lan4:t'
	list ports 'wan:t'

config interface 'vpn_lan'
	option proto 'static'
	option device 'switch.21'
	option ipaddr '10.0.10.45'
	option netmask '255.255.255.0'

config interface 'novpn_lan'
	option proto 'none'
	option device 'switch.22'

config interface 'plex_lan'
	option proto 'none'
	option device 'switch.23'

config interface 'nested_vlan'
	option proto 'none'
	option device 'switch.24'