OPNsense + Managed Switch + Ubiquiti 6 LR - VLANS

Hello,

I've been trying the whole day to set up the environment, but I failed hard. I really hope you can help me with what to do.

Setup:

  • OPNsense
  • TP-Link Managed Switch
  • Ubiquiti 6 LR (already flashed with recent openwrt version)

Goal:

  • Firewall to Switch (VLAN 1 (mgmt switch + AP), VLAN 10, 20, 30)
  • Switch to AP (VLAN 1 (mgmt AP), VLAN 10, 20, 30)

Really having a hard time here to configure this.

Could you please help me with the initial configuration? I'm really lost on how to achieve that. I've never worked with OpenWrt so far, so forgive me when I'm asking noob questions. With a normal access port I can connect to the AP via DHCP, but unfortunately that's it.

Thanks a lot for any help.

KR

Fastboot

Is VLAN 1 tagged or untagged on the switch port that goes to the AP?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

VLAN1 is tagged on the switch. (it's a cheap TP-Link switch.)

Switch Port 1: (vlans 1,10,20,30) PVID VLAN 1

These are (potentially) contradictory. The PVID is the "Port VLAN ID" and is the active untagged network. The VLAN cannot be both tagged and untagged. Maybe post screenshots of the port-VLAN membership screens.
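To make the tagged-versus-PVID point concrete, here is a small model of how an 802.1Q switch port classifies incoming frames (PVID for untagged ingress) and tags or strips on egress. This is an added example, not code from the thread: the two port tables are constructed from the description given above (VLAN 1 tagged with PVID 1 versus VLAN 1 untagged), and real TP-Link firmware may resolve the conflict differently, as a later reply in the thread notes.

```python
"""Toy model of 802.1Q ingress/egress handling on one managed-switch port.
Added example, not from the thread: the port tables are constructed from the
thread's description, and real TP-Link firmware may resolve the conflict
differently (a later reply in the thread says tagged membership wins)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int                                    # VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)     # VLANs this port sends with a tag
    untagged: set = field(default_factory=set)   # VLANs this port sends without a tag

    def members(self):
        return self.tagged | self.untagged


def ingress(port, tag):
    """VLAN an incoming frame is classified into; tag=None means it arrived untagged.
    Returns None when the frame is dropped (tag for a VLAN the port is not in)."""
    if tag is None:
        return port.pvid
    return tag if tag in port.members() else None


def egress(port, vlan):
    """How a frame in `vlan` leaves `port`: 'tagged', 'untagged' or 'dropped'."""
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return "dropped"


def check_port(port):
    """Consistency problems in a port's VLAN table, as a list of strings."""
    problems = []
    both = port.tagged & port.untagged
    if both:
        problems.append(f"{port.name}: VLANs {sorted(both)} are both tagged and untagged")
    if port.pvid in port.tagged and port.pvid not in port.untagged:
        problems.append(f"{port.name}: PVID {port.pvid} is a tagged-only member, so "
                        "untagged ingress lands in a VLAN the port only sends tagged")
    if port.pvid not in port.members():
        problems.append(f"{port.name}: PVID {port.pvid} is not a member VLAN at all")
    return problems


def ap_gets_vlan1_untagged(port):
    """True if management traffic (VLAN 1) reaches the AP without a tag, which is
    what an OpenWrt bridge-vlan entry of 'eth0:u*' on the AP expects."""
    return egress(port, 1) == "untagged"


# Constructed: the AP-facing switch port as described (VLAN 1 tagged, PVID 1)
AP_PORT_AS_POSTED = Port("port3", pvid=1, tagged={1, 10, 20, 30})
# Constructed: the layout the helper's recipe assumes (VLAN 1 untagged, others tagged)
AP_PORT_FIXED = Port("port3", pvid=1, tagged={10, 20, 30}, untagged={1})

if __name__ == "__main__":
    for p in (AP_PORT_AS_POSTED, AP_PORT_FIXED):
        print(p.name, check_port(p) or ["ok"], "AP sees VLAN 1 untagged:", ap_gets_vlan1_untagged(p))
```

The useful observation is the asymmetry: with "VLAN 1 tagged + PVID 1", untagged frames from the AP still enter VLAN 1 (so the switch management IP stays reachable from a device that sends untagged), but everything the switch sends back on VLAN 1 carries a tag, which an AP expecting untagged management traffic will not pick up.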

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Ubiquiti UniFi 6 LR v2",
	"board_name": "ubnt,unifi-6-lr-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXXXXX5c3::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t*'

config device
	option type 'bridge'
	option name 'BRIDGE_VLAN2'
	list ports 'BRIDGE_VLAN2.2'

config bridge-vlan
	option device 'BRIDGE_VLAN2'
	option vlan '2'

config device
	option type 'bridge'
	option name 'VLAN2_BRIDGE'
	list ports 'BRIDGE_VLAN10.2'
	list ports 'eth0'
	option ipv6 '0'

config interface 'WIFI2_Bridge'
	option proto 'none'
	option device 'BRIDGE_VLAN10'

If I do not put VLAN 1 as PVID, then the switch is not reachable at all via its mgmt IP. It's a cheap TP-Link switch.

The network config file is very messed up with a lot of invalid stuff. Let's start over -- please reset your device to defaults and then post that network config file.

Is it the TL-SG1xxE series switches (or maybe the SG1xxPE) -- yeah, those are terrible.

Let's see the configuration you have as of now. Please make it clear which port goes to the router and which one to the AP

Switch is a TL-SG608E.

Let me start over. I'll reset to factory defaults, configure DHCP on the AP and come back here with the config. Give me a second.

Enabled DHCP on the LAN port of the AP. The AP is now connected to Port 4 of the switch (access port). Normally it should go to Port 3 with the VLANs configured as trunk, but as I need to configure it first, it's on Port 4.

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Ubiquiti UniFi 6 LR v2",
	"board_name": "ubnt,unifi-6-lr-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxx6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

root@OpenWrt:~#

We'll still need to verify the switch configuration, but assuming that VLAN 1 is untagged and that VLANs 10, 20, 30 are tagged, your setup looks like this:

First, add bridge-VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'eth0:t'

Next edit the lan interface to use br-lan.1:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

Finally, create unmanaged interfaces for the other VLANs:

config interface 'vlan10'
	option device 'br-lan.10'
	option proto 'none'

config interface 'vlan20'
	option device 'br-lan.20'
	option proto 'none'

config interface 'vlan30'
	option device 'br-lan.30'
	option proto 'none'

Once this is all set, you can go into your wireless configuration and create new SSIDs for each VLAN, then associate them with the appropriate network (i.e. vlan10, etc.)

Restart and test. (This all assumes that both the OPNsense router and your TP-Link switch are configured properly -- those may need to be proven out separately.)


VLAN 1 is marked as tagged and PVID 1. Otherwise I cannot reach the mgmt of the switch.

Again, this is generally contradictory... PVID is only valid in the case of a VLAN being marked as untagged on a port. But if I recall the way that the TP-Link firmware works, I think that you can still have it marked PVID but the tagged membership will take precedence.

It would be best, though, if you show us screenshots of that configuration.

Maybe a stupid question. How should I add this to the config? Copy and paste?

I tried "config bridge-vlan", but the CLI does not accept that. Coming from the Cisco world, a CLI is quite common for me.

I've given you text to add/edit directly in the /etc/config/network file. The vi text editor is built-in to OpenWrt and/or you can use other methods to edit the file.

It can also be done by uci config syntax on the CLI, but I personally just edit the text files directly.


The AP is not reachable anymore. I've added everything from your quotes, besides the remarks, and rebooted the device.

I'm done for today. Kinda late here and need to wake up early.

Could you please explain to me how to add this via the GUI? I guess this is more straightforward for me. Once it's working I can check the config file to get familiar with this.

I don't usually use the GUI for this, and it is typically harder to give a quick recipe for the GUI (more steps involved).

We still haven't seen your switch configuration, so it's possible there is an issue there.

And there is one other config method we can try if the bridge-vlan doesn't work as expected here. I'll write another post for that in a few mins.


The alternate way of configuring the VLANs is using dotted notation (instead of bridge VLANs). Starting from the (near) default state, you'd add this:

config device
	option name 'br-vlan10'
	option type 'bridge'
	list ports 'eth0.10'

config device
	option name 'br-vlan20'
	option type 'bridge'
	list ports 'eth0.20'

config device
	option name 'br-vlan30'
	option type 'bridge'
	list ports 'eth0.30'

config interface 'vlan10'
	option device 'br-vlan10'
	option proto 'none'

config interface 'vlan20'
	option device 'br-vlan20'
	option proto 'none'

config interface 'vlan30'
	option device 'br-vlan30'
	option proto 'none'

Then assign the wifi networks as you would before.
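Both recipes in this thread (the bridge-vlan form above and the dotted-device form just given) end up as hand-edited text in /etc/config/network, and the first config posted in the thread shows how easily that goes wrong (a bridge listing a sub-device of itself as a port, a port that is a member of two bridges, an interface pointing at a device that is never defined). The following checker is an added example, not code from the thread or from the OpenWrt project: it parses the UCI text format, applies a few rules that are my reading of the netifd conventions (not an official validator), assumes eth0-style names are the physical ports, and can emit either recipe for a list of VLAN ids so the result can be linted before it is written to the AP. It only looks at the AP side; it cannot tell whether the switch or OPNsense are configured to match.

```python
"""Linter for the VLAN layout of an OpenWrt /etc/config/network (UCI text format).
Added example, not code from the thread or from OpenWrt; the rules are my reading of
the netifd conventions, and PHYS is the assumed set of physical/builtin port names."""
import re

PHYS = re.compile(r"^(eth\d+|lan\d*|wan|lo)$")

def parse_uci(text):
    """Return sections as (type, name-or-None, {key: [values]}) in file order."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        words = [q or bare for q, bare in re.findall(r"'([^']*)'|(\S+)", parts[1])]
        if parts[0] == "config":
            sections.append((words[0], words[1] if len(words) > 1 else None, {}))
        elif parts[0] in ("option", "list") and sections and len(words) > 1:
            sections[-1][2].setdefault(words[0], []).append(words[1])
    return sections

def lint(text):
    """Return the list of problems found in the VLAN layout; empty means clean."""
    secs, errors, devices, bridges, owner = parse_uci(text), [], set(), {}, {}
    for kind, _, o in secs:                       # pass 1: named devices and bridges
        if kind == "device" and "name" in o:
            devices.add(o["name"][0])
            if o.get("type", [""])[0] == "bridge":
                bridges[o["name"][0]] = o.get("ports", [])
    for br, ports in bridges.items():             # each member port belongs to one bridge
        for p in ports:
            base = p.split(".")[0]
            if base == br:
                errors.append(f"bridge {br}: port {p} refers to the bridge itself")
            elif not PHYS.match(base):
                errors.append(f"bridge {br}: port {p} is not a known device")
            if owner.setdefault(p, br) != br:
                errors.append(f"port {p} is a member of both {owner[p]} and {br}")
    vlans = set()                                 # pass 2: (bridge, vid) pairs defined
    for kind, _, o in secs:
        if kind != "bridge-vlan":
            continue
        br, vid = o.get("device", [None])[0], o.get("vlan", [None])[0]
        if br not in bridges:
            errors.append(f"bridge-vlan {vid}: device {br} is not a bridge")
            continue
        vlans.add((br, vid))
        if not o.get("ports"):
            errors.append(f"bridge-vlan {br}.{vid}: no ports listed")
        for iface in (entry.partition(":")[0] for entry in o.get("ports", [])):
            if iface not in bridges[br]:
                errors.append(f"bridge-vlan {br}.{vid}: {iface} is not a port of {br}")
    for kind, name, o in secs:                    # pass 3: every interface needs a device
        if kind != "interface":
            continue
        dev = o.get("device", [""])[0]
        base, _, vid = dev.partition(".")
        if not vid:
            ok = dev in devices or bool(PHYS.match(dev))
        elif base in bridges:
            ok = (base, vid) in vlans             # br-lan.10 needs a bridge-vlan 10 on br-lan
        else:
            ok = bool(PHYS.match(base))           # eth0.10 style dotted sub-device
        if not ok:
            errors.append(f"interface {name}: device '{dev}' is not defined")
    return errors

DEFAULT = "config device\n\toption name 'br-lan'\n\toption type 'bridge'\n\tlist ports 'eth0'\n"
BROKEN = DEFAULT + """config device
	option type 'bridge'
	option name 'BRIDGE_VLAN2'
	list ports 'BRIDGE_VLAN2.2'
config bridge-vlan
	option device 'BRIDGE_VLAN2'
	option vlan '2'
config device
	option type 'bridge'
	option name 'VLAN2_BRIDGE'
	list ports 'BRIDGE_VLAN10.2'
	list ports 'eth0'
config interface 'WIFI2_Bridge'
	option device 'BRIDGE_VLAN10'
"""  # constructed excerpt of the invalid sections from the first config posted above

def recipe(vids, dotted=False):
    """Emit either recipe from the thread for VLAN ids `vids` on eth0 (VLAN 1 stays lan)."""
    lan_dev = "br-lan" if dotted else "br-lan.1"
    out = [DEFAULT, f"config interface 'lan'\n\toption device '{lan_dev}'\n\toption proto 'dhcp'\n"]
    if not dotted:
        out.append("config bridge-vlan\n\toption device 'br-lan'\n\toption vlan '1'\n\tlist ports 'eth0:u*'\n")
    for v in vids:
        dev = f"br-vlan{v}" if dotted else f"br-lan.{v}"
        out.append(f"config device\n\toption name '{dev}'\n\toption type 'bridge'\n\tlist ports 'eth0.{v}'\n" if dotted
                   else f"config bridge-vlan\n\toption device 'br-lan'\n\toption vlan '{v}'\n\tlist ports 'eth0:t'\n")
        out.append(f"config interface 'vlan{v}'\n\toption device '{dev}'\n\toption proto 'none'\n")
    return "\n".join(out)

if __name__ == "__main__":
    print(lint(BROKEN), lint(recipe([10, 20, 30])), lint(recipe([2, 3, 4, 5, 6], dotted=True)))
```

Running it on the constructed replica of the first posted config reports five problems, while both recipes (VLANs 10/20/30 in bridge-vlan form, VLANs 2 to 6 in dotted form) lint clean; the same kind of check is worth running on the real file with `lint(open("/etc/config/network").read())` before rebooting, since a dangling device reference is exactly what leaves the AP unreachable.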


Hi,

I tried both. Unfortunately it did not work. I've also changed the L2 layout a bit, as I read that TP-Link switches could create issues with VLANs > 10.

VLAN 1: MGMT VLAN (Switch + AP)
VLAN 2-6: for WIFIs (GW: should be the FW)
Connection 1: FW (Port 4) <-> Switch (Port 1)
Connection 2: Switch (Port 3) <-> AP (Port eth0)

Find attached the requested switch config.

As a new user I could only add one picture to the post.