OpenWRT with Unifi, LAN and VLAN

I am trying to set up a Ubiquiti UniFi AP AC Lite as a dumb AP. On my OPNsense, I have the LAN 192.168.11.0/24 (which is to serve as the management LAN) and 3 VLAN networks (User, Guest, IoT with VLAN IDs 10, 20, 30 and 192.168.{110,120,130}.0/24). The UniFi AP is currently accessible on the LAN via 192.168.11.54 – so far, so good. However, I can't get the VLANs and the “Mgmt” IP 192.168.11.54 to work together – LuCI loses the connection and the rollback saves me. Unfortunately, the UniFi Lite only has one physical Ethernet port.

I have enabled VLAN filtering on the default device br-lan, VLAN ID 1 is untagged and the primary LAN is ‘*’. The VLANs are tagged with the corresponding VLAN ID.

I assigned an interface LAN (perhaps not the most clever choice of name in hindsight) to this with br-lan.1 and assigned the IP 192.168.11.54 on the first attempt and 192.168.11.55 on the second attempt without success (i.e., I pressed apply rollback in each case).

The actual VLANs are also created as (unmanaged) interfaces, but I haven't gotten that far in my testing yet.

The ip-tools package is installed.

You don't need to use bridge-vlans as the mechanism here, especially since you're using an ath79 device with just a single port.

You can use direct dotted notation to create bridges, and from there use unmanaged network interfaces for all but the management VLAN.

A few bits of info we need:

  • Are all of the VLANs tagged on the uplink, or is one of them untagged? If one is untagged, which one?
  • What, if any, VLAN ID is associated with the management/lan VLAN?
  • Is the below the desired IP for the AP to use on its management network?

And finally, let's see your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you! Here is the output:

root@UniFi:~# ubus call system board
{
	"kernel": "6.6.119",
	"hostname": "UniFi",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "Ubiquiti UniFi AC LR",
	"board_name": "ubnt,unifiac-lr",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.5",
		"revision": "r29087-d9c5716d1d",
		"target": "ath79/generic",
		"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
		"builddate": "1766005702"
	}
}
root@UniFi:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf7:59bf:9148::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option gateway '192.168.11.1'
	list ipaddr '192.168.11.54/24'
	list dns '192.168.11.1'
	list dns '1.1.1.1'

root@UniFi:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option channel 'auto'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'DE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Home-User'
	option encryption 'psk-mixed'
	option key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option ieee80211r '1'
	option nasid '4201'
	option mobility_domain '19CE'
	option ft_over_ds '0'
	option wpa_disable_eapol_key_retries '1'
	option ft_psk_generate_local '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option channel 'auto'
	option htmode 'HT40'
	option cell_density '0'
	option country 'DE'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Home-User'
	option encryption 'psk-mixed'
	option ieee80211r '1'
	option nasid '4201'
	option mobility_domain '19CE'
	option ft_over_ds '0'
	option wpa_disable_eapol_key_retries '1'
	option key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option ft_psk_generate_local '1'

root@UniFi:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piofolder '/tmp/odhcpd-piofolder'

root@UniFi:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

You don't need to use bridge-vlans as the mechanism here, especially since you're using an ath79 device with just a single port.

You can use direct dotted notation to create bridges, and from there use unmanaged network interfaces for all but the management VLAN.

Obviously, I am missing the background here. So the UI doesn't abstract this, especially for ath79?

  • Are all of the VLANs tagged on the uplink, or is one of them untagged? If one is untagged, which one?

  • What, if any, VLAN ID is associated with the management/lan VLAN?

  • Is the below the desired IP for the AP to use on its management network?

The untagged, default (also OPNsense) LAN is 192.168.11.0/24. Here are all my devices' UIs, e.g. OPNsense and the OpenWrt/UniFi AP. (192.168.1.0/24 is still used by my old network configuration.)

On OPNsense I have VLAN-tagged 3 VLAN networks (User, Guest, IoT with VLAN IDs 10, 20, 30 and 192.168.{110,120,130}.0/24). These I want to send over WLAN via the OpenWrt UniFi AP (at 192.168.11.54).

There isn't any VLAN-tagged management LAN. I still use 192.168.11.0/24 for this. I plan to use my own User VLAN for the wired computers in the future and then use 192.168.11.0/24 exclusively for management, as this will allow me to add VLAN capabilities to the network for some clients if necessary.

Bridge VLANs can work in the context of a single ethernet port device on ath79, but they don't work with any multi-port devices that leverage an internal switch since swconfig is necessary there.

Meanwhile, repeating back what you've said (to make sure I've understood it properly):

  • Management network is untagged and uses 192.168.11.0/24.
  • The address on the AP should be 192.168.11.54
  • There are three tagged networks -- VLANs 10 (User), 20 (Guest), 30 (IoT).

The lan interface and br-lan are all set -- leave those as they are.

Add the following to /etc/config/network:

config device
	option name 'br-user'
	option type 'bridge'
	list ports 'eth0.10'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.20'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.30'

config interface 'user'
	option device 'br-user'
	option proto 'none'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

config interface 'iot'
	option device 'br-iot'
	option proto 'none'

From there, you can add SSIDs for the 3 new networks, connecting them in the /etc/config/wireless file with the SSID's network field.

After making the changes, restart and test.
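Before pressing apply, it is worth checking that the dotted-notation bridges, the unmanaged interfaces and the SSID bindings agree with each other, since a mismatch here is what leaves a dumb AP unreachable or an SSID with no uplink. The following checker is an added example, not code from the thread or from OpenWrt; it assumes the uplink is eth0 and the management interface is named lan (as they are in this thread), runs against a constructed excerpt of the configs above, and takes the real file contents plus the expected VLAN list when used on the device.

```python
from collections import defaultdict
# Constructed excerpt of the thread's /etc/config/network and /etc/config/wireless
NETWORK = """
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.11.54/24'
config device
	option name 'br-user'
	option type 'bridge'
	list ports 'eth0.10'
config interface 'user'
	option device 'br-user'
	option proto 'none'
"""
WIRELESS = """
config wifi-iface 'default_radio0'
	option network 'user'
"""

def parse_uci(text):
    """Minimal UCI parser: list of (section type, section name, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().replace("'", "").split()
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, defaultdict(list)))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2][parts[1]].append(" ".join(parts[2:]))
    return sections

def check_dumb_ap(network, wireless, vlan_ids, uplink="eth0", mgmt="lan"):
    """Return a list of problems; an empty list means the dumb-AP config is consistent."""
    net, wifi = parse_uci(network), parse_uci(wireless)
    bridges = {s[2]["name"][0]: s[2]["ports"]
               for s in net if s[0] == "device" and s[2].get("type") == ["bridge"]}
    ifaces = {s[1]: s[2] for s in net if s[0] == "interface"}
    problems = []
    # Each VLAN: uplink.<id> in exactly one bridge, bound to an unmanaged (proto none) interface.
    for vid in vlan_ids:
        sub = f"{uplink}.{vid}"
        owners = [b for b, ports in bridges.items() if sub in ports]
        bound = [n for n, o in ifaces.items() if owners and o.get("device") == [owners[0]]]
        if len(owners) != 1:
            problems.append(f"VLAN {vid}: {sub} should be in exactly one bridge, found {owners}")
        elif not bound:
            problems.append(f"VLAN {vid}: bridge {owners[0]} has no network interface")
        elif ifaces[bound[0]].get("proto") != ["none"]:
            problems.append(f"VLAN {vid}: interface {bound[0]} should be proto none on a dumb AP")
    for name, opts in ifaces.items():  # only the management interface carries an address
        if name != "loopback" and ("ipaddr" in opts) != (name == mgmt):
            problems.append(f"interface {name}: has address={'ipaddr' in opts}, expected {name == mgmt}")
    for s in wifi:  # every SSID must point at a network interface that exists
        for target in s[2].get("network", []) if s[0] == "wifi-iface" else []:
            if target not in ifaces:
                problems.append(f"wifi-iface {s[1]} references unknown network {target}")
    return problems
```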

Sorry for the late answer, but there were other troubles …

root@UniFi:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf7:59bf:9148::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option gateway '192.168.11.1'
        list ipaddr '192.168.11.54/24'
        list dns '192.168.11.1'
        list dns '1.1.1.1'

config device
        option name 'br-user'
        option type 'bridge'
        list ports 'eth0.10'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth0.20'

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth0.30'

config interface 'user'
        option device 'br-user'
        option proto 'none'

config interface 'guest'
        option device 'br-guest'
        option proto 'none'

config interface 'iot'
        option device 'br-iot'
        option proto 'none'

root@UniFi:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option channel 'auto'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'DE'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Home-User'
        option encryption 'sae-mixed'
        option key 'xxxxxxxxxxxxxx'
        option ieee80211r '1'
        option nasid '4201'
        option mobility_domain '19CE'
        option ft_over_ds '0'
        option wpa_disable_eapol_key_retries '1'
        option ocv '0'
        option network 'user'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option channel 'auto'
        option htmode 'HT40'
        option cell_density '0'
        option country 'DE'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Home-User'
        option encryption 'sae-mixed'
        option ieee80211r '1'
        option nasid '4201'
        option mobility_domain '19CE'
        option ft_over_ds '0'
        option wpa_disable_eapol_key_retries '1'
        option key 'xxxxxxxxxxxxxx'
        option ocv '0'
        option network 'user'

Actually, I have only one VLAN active to simplify things. I have access to OpenWrt's UI from my LAN (192.168.11.0/24). The AP's SSID and key seem to work, but the connected device doesn't get an IP. On OpenWrt's SSH console, logread doesn't show anything.

I'm not sure how to pinpoint the error for my dumb AP. OPNsense has the VLAN interface for User (ID=10, Net=192.168.110.0/24). From OpenWrt's SSH console I'm able to ping the gateway at OPNsense:

root@UniFi:~# ping 192.168.100.1 -c2
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: seq=0 ttl=63 time=15.189 ms
64 bytes from 192.168.100.1: seq=1 ttl=63 time=10.220 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 10.220/12.704/15.189 ms

also DNS is working:

root@UniFi:~# ping www.google.com -c2
PING www.google.com (142.251.141.68): 56 data bytes
64 bytes from 142.251.141.68: seq=0 ttl=117 time=30.541 ms
64 bytes from 142.251.141.68: seq=1 ttl=117 time=30.762 ms

--- www.google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 30.541/30.651/30.762 ms

and I’m also able to ping the OpenWrt’s UI from OPNsense:

root@OPNsense:~ # ping -c2 192.168.11.54
PING 192.168.11.54 (192.168.11.54): 56 data bytes
64 bytes from 192.168.11.54: icmp_seq=0 ttl=64 time=0.473 ms
64 bytes from 192.168.11.54: icmp_seq=1 ttl=64 time=0.384 ms

--- 192.168.11.54 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.384/0.428/0.473/0.044 ms

DHCP is active on the User interface and is configured equivalently to the LAN - I have a DHCP lease there.
On the managed switch Cisco SG 200-08, which is connected between OPNsense and OpenWrt, I have left all ports set to trunk.

Your problem is likely upstream. More about that in a moment...

First, some things about your wifi setup:

I highly recommend disabling 802.11r unless you have a demonstrated need for it (and only after properly configuring your APs). If you have only one AP, 802.11r is not useful anyway, but even with multiple APs, it can cause more harm than good. Remove all of the 802.11r related items for now.

Also, use WPA2 (psk2) or WPA3 (sae), but don't use WPA2/WPA3 mixed mode. Again, this can cause problems.

Back to your core issue...
The user network/VLAN is properly configured on this AP based on the bridge device, the unmanaged network interface, and the SSID (aside from the 2 points above).

What this means is that your problem is almost certainly either at the router or the switch. Because those aren't running OpenWrt, specific config advice is out of scope for this forum. But here's the pro-tip:

  • On your switch, set access ports (i.e. just one network, untagged+PVID) for each of the VLANs (1 port per VLAN).
  • Connect a computer directly via Ethernet to each of the ports in turn and observe their connectivity. If they fail to connect as expected, your problem is the switch or the router.
    • Assuming DHCP is expected on each subnet, if DHCP fails, you can set the computer's interface manually for the respective subnet and see if it connects... if so, your problem is the router's DHCP configuration. If not, it's probably the router's base configuration and/or the trunk configuration between the router and the switch.
    • If you get DHCP but lack other connectivity, the problem is the router config (firewall and/or routing).

Thank you very much for your reply and help. I have adjusted the WiFi settings for now. Unfortunately, I have older devices that are not yet WPA3-compatible.

root@UniFi:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option channel 'auto'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'DE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Home-User'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option wpa_disable_eapol_key_retries '1'
	option network 'user'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option channel 'auto'
	option htmode 'HT40'
	option cell_density '0'
	option country 'DE'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Home-User'
	option encryption 'psk2'
	option wpa_disable_eapol_key_retries '1'
	option key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option network 'user'

I have connected a small NUC to the switch port configured as an access port - this also does not receive an IP from the user VLAN network. So I will have to move my activity to the OPNsense forum for now.

This is why the ethernet method is so great... it helps eliminate variables and tests the base networking config.

Yup... that makes sense. Once you resolve the issues on the router, everything downstream should spring to life (assuming the switch is properly configured). And, when that happens...

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :)

It turned out that there was a minor configuration error on OPNsense (the interface IP had the netmask /32, which won't work) and a misconfiguration on the Cisco switch (the port needed to be a general port, aka hybrid, not trunk). I just checked it with the User VLAN and it works for now. Thanks to all helpers!

What would happen if I enabled VLAN filtering here at br-lan or at br-user? The VLANs are tagged at eth0 and then have to be distributed/demuxed to the individual radio via the bridge. I chose a dumb AP.

Or is that only relevant if I want to pack packets into VLANs myself?

I'm not sure I understand your question, but I'll try to address them the best I can. Feel free to rephrase the question if this doesn't help.

VLAN filtering works in conjunction with bridge-VLANs and these are constructs that are used with devices that use DSA (distributed switch architecture) to address their internal Ethernet switch.

Your device does not need DSA syntax -- the target (ath79) hasn't yet migrated to DSA and your device does not have an internal Ethernet switch chip.

A device that uses ath79 that has an embedded switch chip will have swconfig constructs to configure the switch. These are not compatible with DSA syntax, full stop.

That said, when using an ath79 device that has only a single Ethernet port (such as your UAP-AC-LITE), it is possible to use the DSA/bridge-VLAN syntax when you're working with the base Ethernet device (i.e. eth0 without any dotted notation). It would not be valid for br-user (since it uses eth0.10), but br-lan would work (you'd need to first remove all the other bridges, though).

It's not actually happening at the radio, but rather the CPU/kernel. That's the reason that you need a network interface (unmanaged works fine for this).

If you were to use bridge-vlan syntax, the difference would be cosmetic, as the same things are happening under the hood.

Yes, you've got a dumb/bridged AP. That is what we call an AP that is not performing routing, so it would be true regardless if you use bridge-vlans or direct dotted notation.

Not sure what you mean here, but bridge-vlans vs separate bridges with dotted notation achieve the exact same goal -- again, just cosmetic with respect to the syntax.
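As an added illustration of the "cosmetic" point (not a config from the thread), here is the User VLAN written in bridge-VLAN form on the bare eth0, which the reply above says is only valid once br-user, br-guest and br-iot have been removed: VLAN 1 stays untagged as the management network and VLAN 10 arrives tagged, which is the same plumbing as br-user over eth0.10.

```text
# /etc/config/network, bridge-VLAN form (added illustration; VLAN 10 only)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	list ipaddr '192.168.11.54/24'
	option gateway '192.168.11.1'

config interface 'user'
	option device 'br-lan.10'
	option proto 'none'
```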