For now, I would like to ignore AP2 and focus on configuring AP1.
In my main router (OPNsense), I configured several VLANs. For the sake of simplicity, let’s call them:
VLAN 10
VLAN 30
VLAN 99 (which is, as far as I understand, probably unnecessary).
It is worth noting that, for the purpose of configuring VLANs in OPNsense, I followed the instructions published by Michael Schnerring, which I found very useful (I added VLAN 99 myself; it is not part of the instructions).
After reading explanations online and some trial and error, I managed to configure VLANs on AP1, and almost everything seemed to be working fine for the most part. However, from time to time AP1 became inaccessible, so it became clear to me that I must have over-complicated things and probably done something wrong. After playing with some settings and two hard resets, I decided to start everything over, but this time with some help.
Relevant information / assumptions:
I want to use the WAN port on AP1 as the trunk to the main router, but it doesn’t really matter.
It is my understanding that in such a setup OPNsense should manage the firewall, DHCP, DNS, VPN etc., so the APs should be “dumb APs”, but please correct me if I’m wrong.
There is a separate DHCP server for each VLAN.
AP1 is based on BPI R3 and running one of the recent snapshots. Luci is installed.
My question is: what are the correct/recommended settings for AP1 in my case (interfaces / bridges)?
what should / should not be bridged?
should I create a virtual bridge for all the VLANs first? Or perhaps I should work with br-lan directly?
how to use VLAN filtering correctly? Should it be used on the br-lan or a virtual bridge for the VLANs?
what is the right order of configuring things (if there is any)?
Yes, and this should usually be on the main router (OPNsense in your case)
This requires more info... but fundamentally any VLAN that will be used on more than one physical interface (so ethernet + wifi, multiple ethernet ports, etc.).
This depends on the device you're using... DSA requires bridge VLAN notation. swconfig devices can use it, but often just use the older swconfig methods.
Configure the router first, then move on to the first AP... then the second. If that's what you mean.
I recommend working on one network at a time to prove that things are working, then repeating the recipe once it is known to work. This is better for learning and also means less 'cleanup' to do if there are problems.
It's worth mentioning that I did not touch (as far as I remember) any configuration/setting in AP1 after the hard reset.
192.168.1.2 is the IP of OPNsense (which is also the gateway and the DNS server in my setup)
************************
cat /etc/config/network
******* output *********
# AP1 /etc/config/network as posted (post-reset state; the poster redacted the MAC and ULA values).
# NOTE(review): for a "dumb AP" the router (OPNsense, 192.168.1.2 in this thread) owns routing,
# firewall, DHCP and DNS; this device only needs a static management address and a gateway.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix [ula_prefix]
# br-lan bridges the four LAN ports plus sfp2. This is the bridge device on which bridge-vlan
# (VLAN filtering) entries would be defined once the VLANs are created; no VLANs exist yet.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'sfp2'
# Management interface: static 192.168.1.1/24 on br-lan, default gateway pointing at OPNsense.
# ip6assign '60' requests a /60 from any delegated IPv6 prefix — not needed on a dumb AP.
# NOTE(review): 'option gateway' is not part of the stock OpenWrt default, so it appears to have
# been set at some point despite the "untouched after reset" statement — confirm.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.2'
# br-wan bridges eth1 and wan. A reply in the thread questions whether these port names are the
# default state for this board; the stock BPI-R3 config is not shown here, so verify against a
# fresh reset before building the trunk on top of it.
config device
option name 'br-wan'
option type 'bridge'
list ports 'eth1'
list ports 'wan'
config device
option name 'eth1'
option macaddr [MAC ADDRESS]
config device
option name 'wan'
option macaddr [MAC ADDRESS]
# wan/wan6 obtain addresses by DHCP/DHCPv6 on br-wan. Once the WAN port becomes the VLAN trunk
# to OPNsense (as stated in the thread), these two interfaces are expected to be repurposed or
# removed; leaving a DHCP client on the trunk side is harmless but confusing to troubleshoot.
config interface 'wan'
option device 'br-wan'
option proto 'dhcp'
config interface 'wan6'
option device 'br-wan'
option proto 'dhcpv6'
*************************
cat /etc/config/wireless
******* output *********
# AP1 /etc/config/wireless as posted (OpenWrt default). Both radios carry 'disabled 1', so the
# open 'OpenWrt' SSIDs below are not currently on the air.
# NOTE(review): before enabling either radio, replace "encryption 'none'" with WPA2/WPA3 (e.g.
# 'psk2' or 'sae' with a key) and point 'network' at the per-VLAN interface the SSID belongs to
# rather than 'lan' — as written, an enabled radio would bridge an open SSID straight into the
# AP's management network.
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wmac'
option channel '1'
option band '2g'
option htmode 'HE20'
option disabled '1'
# 2.4 GHz SSID: attached to the 'lan' interface, no encryption.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wmac+1'
option channel '36'
option band '5g'
option htmode 'HE80'
option disabled '1'
# 5 GHz SSID: same defaults as radio0 (attached to 'lan', no encryption).
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
**********************
cat /etc/config/dhcp
******* output ******
# AP1 /etc/config/dhcp as posted (OpenWrt default).
# NOTE(review): the 'lan' pool below is an active DHCPv4 + DHCPv6 + RA server on br-lan. In the
# dumb-AP design described in the thread (OPNsense runs a DHCP server per VLAN) this must be turned
# off — e.g. "option ignore '1'" as already done for 'wan' below, with dhcpv6/ra set to 'disabled' —
# otherwise two DHCP servers answer on the same segment and clients can receive conflicting leases,
# gateways and DNS settings.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# rebind_protection drops upstream DNS answers that point at private address space.
# NOTE(review): if this device ends up forwarding queries to OPNsense and receives RFC1918
# answers for local names, those answers will be discarded; 'rebind_domain_ok' is the
# per-domain exception — only relevant if the AP itself resolves through OPNsense.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# localservice restricts dnsmasq to answering queries from directly attached subnets only.
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
# Active lease pool on the 'lan' interface (192.168.1.100-249 given the /24 above, 12h leases),
# plus stateful DHCPv6 and router advertisements. Disable for a dumb AP (see header note).
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# No DHCP service on 'wan' — this is the pattern to replicate for 'lan'.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd handles DHCPv6/RA; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
************************
cat /etc/config/firewall
******* output *********
# AP1 /etc/config/firewall as posted — the stock OpenWrt default firewall file, apparently unchanged
# (the poster redacted the example MAC addresses in the commented-out sample sections).
# NOTE(review): on a dumb AP the 'wan' zone, the lan->wan forwarding and masquerading below become
# moot once the WAN port is repurposed as the VLAN trunk; OPNsense is the firewall for all VLANs.
# The 'lan' zone has input ACCEPT, so SSH/LuCI on this device are reachable from every network
# attached to the 'lan' interface. When per-VLAN interfaces are added, keep only the management
# VLAN's interface in a zone with input ACCEPT and put the client VLANs in a zone with input REJECT.
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
# Trusted zone: everything on 'lan' may reach the AP itself and may be forwarded.
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# Untrusted zone: inbound to the AP rejected; NAT (masq) and MSS clamping on egress.
# Not wanted on a dumb AP — there should be no NAT between the AP and the router.
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# Everything below this line is commented out in the shipped file — documentation only, no live rules.
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac [MAC ADDRESS]
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac [MAC ADDRESS]
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac [MAC ADDRESS]
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
**************************************************
Thank you. I agree, I should have tested OPNsense's configuration before jumping to the APs (by the way, how do I test the VLAN configuration without setting up a second router / managed switch?). What I originally wanted to ask was whether there is a specific order of changes I should follow while configuring AP1 (for example, do not do X before Y).
The port names seem a bit odd... are you sure this is the default state?
Usually you need a managed switch for this type of test. If you happen to have a Mac with an ethernet connection, you can do VLANs on a Mac really easily.
Generally speaking there are only a few things that could be explicitly sequence dependent. In some cases, you can actually lock yourself out, but I think we can avoid anything like that -- and if we do need to do stuff that could be risky, we'll prepare for it with a sequence plan.
For now, though, don't set up your additional wifi networks until you've got the VLANs defined on the ports as needed. BTW, you can use the wired connections to prove that the VLANs are working from the router... we'll get into that soon.
For now, though, maybe take a backup of your router and then reset to defaults. Post the network config file when you're done with the reset.
I have only Linux and Windows machines with an ethernet connection.
I think this is exactly what happened... I locked myself out, twice.
I made a backup of my OPNsense settings. However, I don't have a reason to believe that something is wrong with the OPNsense settings (although it is possible), mainly because a) I followed the instructions I mentioned above, which seemed to be very detailed, and b) I was able to successfully connect to a VLAN interface on AP1 and it seemed that the right set of settings (from OPNsense) was applied (IP range, FW rules, DNS), but I did not perform a thorough test.
My problem was that I did not know what should (and should not) be done while configuring AP1 as a dumb AP. I tried to follow some guides/instructions online, but eventually found myself locked out.
Anyway, if you still think that I should reset OPNsense to defaults, I will do that.
Linux can certainly do VLANs, but it's not nearly as easy as it is on the Mac. Windows probably can, but I've never tried.
No, sorry if there was any confusion. I was referring to your OpenWrt AP... backup and then reset it. Then post the default network config file from that device.
# Second paste of the AP's /etc/config/firewall (after the reset requested in the thread). It is the
# stock OpenWrt default file; the only difference from the earlier paste is that the example MAC
# addresses in the commented-out sample sections are shown here as the shipped placeholder values
# rather than redacted. None of those commented-out sections are live rules.
# NOTE(review): same points as for the first paste — the 'wan' zone / masquerade is irrelevant once
# the WAN port is a VLAN trunk, and the 'lan' zone's input ACCEPT exposes SSH/LuCI to every network
# later attached to 'lan'; restrict device access to the management VLAN when adding VLAN interfaces.
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# Everything below this line is commented out in the shipped file — documentation only, no live rules.
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp