OPNSense and OpenWrt DSA VLANS on WiFi

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello everyone!

I'm trying to implement DSA VLANS on WiFi. The issue is that I can't get all my VLANS to get DHCP on WiFi.
Ethernet works as intended on assigned ports.
The MGMT(vlan99) works on WiFi, Home(vlan100) and IoT(vlan101) do not.

My topology is the following:

  1. OPNSENSE which handles DHCP, DNS and firewalling. Also 1 port has VLANS 99, 100 and 101.
  2. Xiaomi Mi Router 4A Gigabit Edition with OpenWrt 23.05.3 flashed working as a managed switch and AP.
    VLANS on OPNSENSE provide the following IPs:
  3. MGMT - VLAN 99 - 10.10.99.1-100
  4. HOME - VLAN 100 - 10.10.100.1-100
  5. IoT - VLAN 101 - 10.10.101.1-100

You can find config below:
ubus call system board

{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Xiaomi Mi Router 4A Gigabit Edition",
	"board_name": "xiaomi,mi-router-4a-gigabit",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf5:0b89:8836::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option type 'bridge'
	option name 'Bridge_Home'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'wan'

config bridge-vlan
	option device 'Bridge_Home'
	option vlan '99'
	list ports 'wan:t*'

config bridge-vlan
	option device 'Bridge_Home'
	option vlan '100'
	list ports 'lan1:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'Bridge_Home'
	option vlan '101'
	list ports 'wan:t'

config interface 'VLAN_MGMT'
	option proto 'dhcp'
	option device 'Bridge_Home.99'

config interface 'VLAN_IoT'
	option proto 'none'
	option device 'Bridge_Home.101'
	option type 'bridge'

config interface 'VLAN_Home'
	option proto 'none'
	option device 'Bridge_Home.100'
	option type 'bridge'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt-IoT'
	option encryption 'none'
	option network 'VLAN_IoT'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt-Home'
	option encryption 'none'
	option network 'VLAN_Home'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt-MGMT'
	option encryption 'none'
	option network 'VLAN_MGMT'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4

LAN bridge has DHCP assigned and is issued until I finish my config, will be deleted in the future.
Can't wrap my head around this issue, probably will have to wipe the config and start fresh, but what should I do differently?

Thank you!

2

DSA currently only supports one bridge on the switch, so all relevant ports should be in the switch. Bridge VLANs will then setup each port according to the desired port-vlan membership.

Start by resetting to defaults and then post your default network config file. We can show you from there how to achieve the goal.

3

Hello!
My OpenWrt has 2 bridges

  1. br-lan - lan2 is assigned - used for accessing openwrt. no vlans etc assigned there
  2. Bridge_Home - wan and lan1 port are assigned - VLANS are assigned in this bridge.

Should I wipe and start fresh so we can start from there?

4

Yes, wipe it. Reset to defaults and post the default network config.

5

Just wiped my device, here's the config.
What I'm trying to achieve is to make OpenWrt a managed switch (trunk/tagged should be on WAN port) and an AP with multiple SSID's associated to different VLANS (99, 100, 101).

ubus call system board

{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Xiaomi Mi Router 4A Gigabit Edition",
	"board_name": "xiaomi,mi-router-4a-gigabit",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd05:e983:f0fe::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

cat /etc/config/firewall

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
6

Start by deleting the wan interfaces:

Then add the wan to br-lan:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

Next, create bridge vlans:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'wan:t'

Edit the lan interface to use br-lan.1:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

And create the new network interfaces, dhcp for the management network and unmanaged for the others:

config interface 'management'
	option device 'br-lan.99'
	option proto 'dhcp'

config interface 'home'
	option device 'br-lan.100'
	option proto 'none'

config interface 'iot'
	option device 'br-lan.101'
	option proto 'none'

Add the management network to the lan firewall zone:

config zone
	option name		lan
	list   network		'lan'
	list   network		'management'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

And finally configure SSIDs for the new networks as desired.

Restart your device and it should work.

  • wan is the uplink trunk port (all tagged)
  • lan1 is unassigned
  • lan2 is the default lan network (192.168.1.1).
7

Hello again,
Made a couple of changes to your config:

  • Deleted vlan.1, added vlan.99 to br-lan.
  • Changed br-lan to DHCP for now.
  • Added "management" interface as unmanaged.
  • Disabled firewall.

Everything seems to work as intended! Thank you very much for your help!

8

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.