OPNsense + OpenWrt AP – VLAN configuration issues - DSA TPLINK

Hello,

I am new to VLAN on OpenWRT.

My configuration until recently:

  • OpnSense Router

  • Regular switch

  • Router as AP with proprietary FW

I had to replace the router, so I did some replacements:

  • A TPlink Managed switch to replace the Regular switch

  • The router is now a TP-Link Archer AX23 v1 with OpenWRT 23.05.05.

Here is my topology:

The configuration of the TPlink Switch is

VLAN ID   VLAN Name   Member Ports   Tagged Ports   Untagged Ports
1         Default     1-8                           1-8
10        Work        1,7-8          1              7-8
20        HomeMedia   1,6                           1,6
30        WiFI        1,6                           1,6
40        IOT         1,6                           1,6

VLAN 10 is set untagged (Access) for the 2 work PCs and they are working fine (OPNsense DHCP, DNS, Firewall).

The issue is with the other, tagged (Trunk) VLANs:
None of the Ethernet devices connected this way get the corresponding VLAN; they get an IP from the main LAN (192.168.1.x).
I created a WiFi device that uses the right VLAN 30 (192.168.30.11) but it cannot connect to the Internet (OPNsense assigns the correct VLAN IP):

WIFI 192.168.30.11 laptop 2025/01/26 20:04:41 2025/01/26 22:04:41 active dynamic

and the firewall rules that work fine with the work PCs:

IPv4 TCP/UDP   WIFI net   *   WIFI address    53 (DNS)   *   *   Allow DNS
IPv4 TCP/UDP   WIFI net   *   ! InternalNet   *          *   *   Allow Guest to Internet and block internal Networks

I checked the forum and I did find many examples of OPNsense + OpenWrt AP, but I could not get them to work; some have a different configuration (like using the WAN interface, which I can't add as an 802.1Q VLAN, or a CPU interface, which I don't have). So after 10 days of research, and also asking in chat, I only got more confused (I also tried to create some FW rules, as some say they are needed and some say they are not necessary because OPNsense will do that)...

And I would like to thank you for any help on this.

Here is the config from the system:


ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWRT-AP",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link Archer AX23 v1",
        "board_name": "tplink,archer-ax23-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

----------------------------------------------------------------------------

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '[prefix]'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option stp '1'
        option igmp_snooping '1'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.4'
        option netmask '255.255.255.192'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan3'
        list ports 'lan4'

config interface 'IOT'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '192.168.40.2'
        option netmask '255.255.255.240'
        list dns '192.168.40.1'
        list dns '192.168.1.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan1:t'
        list ports 'lan3'
        list ports 'lan4'

config interface 'WiFiGuest'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.2'
        option netmask '255.255.255.240'
        list dns '192.168.30.1'
        list dns '192.168.1.1'

----------------------------------------------------------------------------

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '[path]'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option country 'CA'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'WIFI'
        option encryption 'sae-mixed'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'
        option hidden '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '[path]'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'CA'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'WIFI'
        option encryption 'sae-mixed'
        option hidden '1'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'WIFIG'
        option encryption 'psk2'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'
        option network 'WiFiGuest'
        option hidden '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'WIFIG'
        option encryption 'psk2'
        option hidden '1'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'
        option network 'WiFiGuest'

----------------------------------------------------------------------------

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'WiFiGuest'
        option interface 'WiFiGuest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'

----------------------------------------------------------------------------

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'br-lan.40'

config forwarding
        option src 'IOT'
        option dest 'wan'

Let's start with the switch...

The first issue I see is that you don't have your tagging set up properly. You can only have a maximum of one untagged network on any given port.

Right now, VLANs 20, 30, and 40 are not actually going to work at all because you have them as untagged only. They must be tagged on the uplink port (I'm guessing that is port 1).

Let's run an experiment to ensure that all the VLANs are going through the trunk and working properly. Set the following:

  • VLAN 1
    • port 1 untagged + PVID
    • port 2 untagged + PVID
    • port 8 untagged + PVID
  • VLAN 10
    • port 1 tagged
    • port 3 untagged + PVID
    • port 8 tagged
  • VLAN 20 untagged + PVID
    • port 1 untagged + PVID
    • port 4 untagged + PVID
    • port 8 tagged
  • VLAN 30
    • port 1 untagged + PVID
    • port 5 untagged + PVID
    • port 8 tagged
  • VLAN 40 untagged + PVID
    • port 1 untagged + PVID
    • port 6 untagged + PVID
    • port 8 tagged

Now you can connect a computer directly to ports 2-6 and make sure they join the correct network.

Connect your AP's port 1 to port 8 on the switch.

Now... onto the AP.

Remove STP and IGMP snooping:

Adjust the bridge-VLAN for VLAN 1 to explicitly specify that you want this untagged on port 1, 3, and 4:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

Remove ports lan3 and lan4 from VLAN 40:

Edit your IoT network to make it unmanaged... it will look like this:

config interface 'IOT'
        option proto 'none'
        option device 'br-lan.40'

Do the same with the wifi guest network:

config interface 'WiFiGuest'
        option proto 'none'
        option device 'br-lan.30'

I recommend against using sae-mixed. Use either WPA2 or WPA3, but mixed mode will cause problems with some client devices. Also, hidden wifi networks do not improve security, and can actually be counterproductive to this effort.

The same is true for all of the SSIDs.

Delete the DHCPv6 related items, including the ra lines.

You can delete this:

And you can delete this:

Restart your AP and test again.


@psherman Such amazing speed!!!

Thank you for the rapid response, really appreciate it.

The VLAN config works: by inserting the cable in each port I can see the different VLANs.

For the Guest and IOT, it's still WIP.

I am checking the Opnsense firewall logs and see requests for the Wifi...but no connection atm.

Ports 3 and 4 on the AP are still at the VLAN1 192.168.1.X address and not on the VLAN 40.

I am going to take a better look tomorrow, but really, thank you for the help.

Let's see the latest network and wireless config files. And please post screenshots of your switch VLAN config.

Hello Psherman,

I tested the VLAN with the information you provided.


But I modified it, as I needed 2 ports for VLAN 10 (I did a retest and it works as before, just moving one port down).

For the AP, I just added IOT wifi which is the same as Wifi Guest.

Here are the configs:

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '[prefix]'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.4'
        option netmask '255.255.255.192'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config interface 'IOT'
        option proto 'none'
        option device 'br-lan.40'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan1:t'

config interface 'WiFiGuest'
        option proto 'none'
        option device 'br-lan.30'
        option ipaddr '192.168.30.2'

------------------------------------------------------------------------

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '[prefix]'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option country 'CA'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'WIFI'
        option encryption 'psk2'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '[path]'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'CA'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Wifi'
        option encryption 'psk2'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'WIFIGuest'
        option encryption 'psk2'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'
        option network 'WiFiGuest'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'WIFIGuest'
        option encryption 'psk2'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'
        option network 'WiFiGuest'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Wifi-IOT'
        option encryption 'psk2'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'
        option network 'IOT'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Wifi-IOT'
        option encryption 'psk2'
        option key 'Password'
        option wpa_disable_eapol_key_retries '1'
        option network 'IOT'

------------------------------------------------------------------------

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

------------------------------------------------------------------------

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

I'm not seeing any specific errors except for this one...

Remove the address line below:

Otherwise, things look correct. Please verify that you have:

  • port 1 on the switch connected to the router
  • port 8 on the switch connected to port 1 on the AP

And double check that you have the expected wired connectivity when you connect to ports 4-7 on the switch (i.e. the computer gets an IP from the respective VLANs).

I removed the option ipaddr '192.168.30.2'

and I can confirm: OPNsense port > switch port 1 > switch port 8 > OpenWrt AP port 1.

Wired VLAN connectivity works from 4-7; still 192.168.1.X (standard LAN) on the OpenWrt ports 3 and 4.

Let's test that the other VLANs are flowing through the AP using the ethernet ports...

Remove port 3 from VLAN 1:

Change port 3 on VLAN 30 to :u* (instead of :t):

Add port 2 (list ports 'lan2:u*') to VLAN 40.

Reboot...

Now you should have:

  • trunk on port lan1 (VLAN 1 untagged, VLANs 30, 40 tagged)
  • VLAN 40 on port lan2
  • VLAN 30 on port lan3
  • VLAN 1 on port lan4

Test to see that the VLANs appear as expected.
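To check a bridge-vlan layout like the one above before rebooting, here is an added example (not code from the thread or from OpenWrt): it parses the `bridge-vlan` sections of `/etc/config/network`, applies the rule from the first reply (at most one untagged network per port) and prints the per-port summary in the form used above. The two UCI fragments are constructed from the configs quoted in this thread.

```python
# Added example (not code from the thread): parse the 'bridge-vlan' sections
# of an OpenWrt /etc/config/network, flag ports that are untagged members of
# more than one VLAN, and print the per-port view from the reply above.
import re
from collections import defaultdict

# Constructed from the thread: the AP's bridge-vlan sections after the last change.
FINAL_CONFIG = """
config bridge-vlan
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan4:u*'
config bridge-vlan
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan3:u*'
config bridge-vlan
        option vlan '40'
        list ports 'lan1:t'
        list ports 'lan2:u*'
"""

# Constructed from the first post: lan3 and lan4 untagged in both VLAN 1 and VLAN 40,
# which is why those ports kept getting 192.168.1.x addresses.
ORIGINAL_CONFIG = """
config bridge-vlan
        option vlan '1'
        list ports 'lan1'
        list ports 'lan3'
        list ports 'lan4'
config bridge-vlan
        option vlan '40'
        list ports 'lan1:t'
        list ports 'lan3'
        list ports 'lan4'
"""

def parse_bridge_vlans(text):
    """Return {vlan_id: [(port, tagged, pvid), ...]} from UCI text."""
    vlans, ports = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            # only bridge-vlan sections are collected; other sections are skipped
            ports = [] if line.split()[1] == "bridge-vlan" else None
            continue
        if ports is None:
            continue
        if m := re.match(r"option vlan '(\d+)'", line):
            vlans[int(m.group(1))] = ports
        elif m := re.match(r"list ports '([^:']+)(?::([ut]?\*?))?'", line):
            flags = m.group(2) or "u"   # bare port name means untagged, no PVID
            ports.append((m.group(1), flags.startswith("t"), flags.endswith("*")))
    return vlans

def port_view(vlans):
    """Return {port: {'untagged': [vids], 'tagged': [vids]}}."""
    view = defaultdict(lambda: {"untagged": [], "tagged": []})
    for vid in sorted(vlans):
        for port, tagged, _pvid in vlans[vid]:
            view[port]["tagged" if tagged else "untagged"].append(vid)
    return dict(view)

def untagged_conflicts(vlans):
    """Ports that are untagged members of more than one VLAN (the rule above)."""
    return {p: v["untagged"] for p, v in port_view(vlans).items() if len(v["untagged"]) > 1}

def describe(vlans):
    """One line per port, in the style of the reply above."""
    out = []
    for port, v in sorted(port_view(vlans).items()):
        u = ", ".join(map(str, v["untagged"]))
        t = ", ".join(map(str, v["tagged"]))
        out.append(f"trunk on port {port} (VLAN {u} untagged, VLANs {t} tagged)" if t
                   else f"VLAN {u} on port {port}")
    return out
```

Running `describe(parse_bridge_vlans(FINAL_CONFIG))` reproduces the four-line summary above, while `untagged_conflicts` on the original config reports lan3 and lan4 as untagged in both VLAN 1 and VLAN 40.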

Hello @psherman

It worked as you described for the Ethernet, but I had no luck with the WiFi.

So, I decided to reset both OPNsense and OpenWrt and start from scratch.

I created a bare-bone system for both, with the basic settings, and no additional software, and...it worked!!!

I reached the settings and I am not sure for now what setting was not allowing it to work (I mostly think it was some setting between the various revisions of OPNsense, so yeah, in case of doubt, save the config and rebuild; if nothing happens, you can always load the previous config).

So we can set the case as Solved, and I will provide info on what I did for the next person who has an issue with it (I want to test the firewall rules a bit to see if they really work).

Thank you again @psherman, you are one of the greatest.

Cheers.

There must have been something you had done or installed with OpenWrt that was the issue. While I can't rule out any issues with OPNsense, it seems a bit less likely that it was the culprit. That said, glad it's now resolved.

The OpenWrt firewall will not be involved at all since this is just a switch/AP and not performing any routing. This is 100% the domain of the router (OPNSense in your case).
