OPNsense VLAN -> OpenWRT WiFi dumb AP

Hey everyone,

I have an issue that I haven’t been able to solve yet, despite it not being overly complex in nature and me having read and followed a bunch of posts in this very forum, tutorials, and the likes.

I have a couple of VLANs that are administered by my main router, a bare metal OPNsense appliance. This is working very well; clients receive DHCP offers within the subnet they should belong to, they can reach the Internet, etc. etc. The problem is that currently, these are all wired connections via a managed switch. It has a trunk port for all VLANs and then different ports act as untagged/access ports for client devices. Now, I’m trying to set up OpenWRT so that it acts as an access point for two of the VLANs running on my OPNsense. What’s important is that it acts as a dumb AP, leaving DHCP, DNS, etc. to OPNsense.

Initially, I thought I could create a bridge and add LAN1 to it, create an unmanaged interface for the bridge and set that as the network for the WiFi SSID, connect LAN1 via RJ45 to an access port on my managed switch, and be done with it (the idea being that the untagged signal from the port on my switch would be transmitted to the WiFi AP and broadcasted from there, so no need for fiddling with VLAN on the AP). But when I do this, I don’t even get an IP when I connect to the WiFi, so apparently DHCP isn’t working, which leads me to believe that this perceived solution is just too easy to be true.

I also tried a number of other things that I’ll spare you the details of, but suffice to say I feel like I tried all combinations of bridges, interfaces, trunk and access ports, VLANs on the OpenWRT box, etc. etc. that have been mentioned here or elsewhere, along with some of my own creation.

I’m running OpenWrt snapshot r25346-043da3fe5a on a Linksys MX4200v1 with kernel version 6.1.79. I'm deliberately not posting my configuration since it is currently a mess and I will happily reset the unit to defaults prior to adopting a new configuration.

If anybody could give me a rough overview of how I should configure OpenWRT in this scenario I’d be really thankful!

Thanks in advance,
weko

This is probably the best way to start.

Then, you'll set up a dumb AP.
https://openwrt.org/docs/guide-user/network/wifi/dumbap

You'll need a trunk port from your managed switch to the OpenWrt device. By default, the above guide assumes that the uplink has the lan untagged. If it is tagged, you'll need to make some minor modifications to the recipe, probably using bridge-VLANs.

We can help with the bridge-vlan configuration... we just need to know:

  • the VLAN IDs we're talking about
  • if all of the VLANs are tagged on the trunk or if one of them is untagged
  • which VLAN is used for the device management
  • the desired IP address for the MX4200 (and the subnet size)
  • and ideally, but not necessarily, the names for each of the VLANs.

Then, we need the network config file:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network

Hi Peter,

Thanks so much for the quick response! I’ve gone ahead and reset the router.

The tutorial you linked is actually one of the first ones I tried following. I wasn’t sure regarding tagged vs. untagged traffic and hadn’t thought of having both VLANs untagged on the trunk port. So for my current try, I added both of the VLANs that I’m trying to connect to the AP as untagged on the switch port that is functioning as my WAN/uplink port for the wireless AP.

I also followed the steps mentioned in the tutorial up to “Most important steps are done, your wireless AP works!” I then added a single WiFi SSID, connected it to br-lan, and when I connect to this SSID, I get an IP address and I can browse the Internet. However, the IP I receive is in the range of my main router’s LAN (192.168.1.1/24), which is probably the case because I haven’t actually configured any VLANs and/or VLAN filtering on the bridge, right? So I guess now I need to make those modifications you mentioned regarding bridge-VLANs?

Here is the information you requested:

  • the VLAN IDs we're talking about: 10 (MAIN) and 30 (GUEST)
  • if all of the VLANs are tagged on the trunk or if one of them is untagged: I have now set all VLANs on the trunk as untagged, but I can change this to match any requirements.
  • which VLAN is used for the device management: that’s ID 1.
  • the desired IP address for the MX4200 (and the subnet size): It’s currently sitting on 192.168.1.3/24 (with .1.2 being the switch).
  • and ideally, but not necessarily, the names for each of the VLANs: MAIN and GUEST.

Also, here is my current configuration, which should hopefully match what is to be expected after following the tutorial you linked:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd14:3aa3:5266::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.3'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option broadcast '192.168.2.255'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	list dns_search 'landom'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

As per the tutorial, the dumb AP is connected to the switch on a LAN port, namely LAN1. And just to reiterate, the LAN port on the switch is serving MAIN (VLAN ID 10), GUEST (ID 30) and ID 1 for management, all untagged.

A little update: I tried following other posts again, but when I apply the solution provided there, I cannot connect to my networks anymore. It worked exactly once for each network (when initially connecting to the SSID after making the changes, I was assigned an IP address of the right subnet by my OPNsense box, so apparently everything was working flawlessly), but when I tried connecting the second time around, it didn't work anymore. I'd simply get an error message as seen in the picture:

Neither rebooting my computer nor the router or disabling and reenabling the respective SSIDs changed that. However, connecting to the OpenWRT AP via LAN works.

I checked the logs on my OPNsense box, and it seems that my laptop is making false DHCPREQUESTs when switching between the networks:

2024-03-13T19:34:12
Informational
dhcpd
DHCPACK on 192.168.103.101 to [MAC-ADDR] (HOSTNAME) via vlan04

2024-03-13T19:34:12
Informational
dhcpd
DHCPREQUEST for 192.168.103.101 (192.168.103.1) from [MAC-ADDR] (HOSTNAME) via vlan04

2024-03-13T19:34:10
Informational
dhcpd
DHCPOFFER on 192.168.103.101 to [MAC-ADDR] (HOSTNAME) via vlan04

2024-03-13T19:34:09
Informational
dhcpd
DHCPDISCOVER from [MAC-ADDR] via vlan04

2024-03-13T19:34:05
Informational
dhcpd
DHCPNAK on 192.168.1.103 to [MAC-ADDR] via vlan04

2024-03-13T19:34:05
Informational
dhcpd
DHCPREQUEST for 192.168.1.103 from [MAC-ADDR] via vlan04: wrong network.

2024-03-13T19:34:03
Informational
dhcpd
DHCPNAK on 192.168.1.103 to [MAC-ADDR] via vlan04

2024-03-13T19:34:03
Informational
dhcpd
DHCPREQUEST for 192.168.1.103 from [MAC-ADDR] via vlan04: wrong network.

2024-03-13T19:33:11
Informational
dhcpd
DHCPACK on 192.168.101.104 to [MAC-ADDR] (HOSTNAME) via vlan02

2024-03-13T19:33:11
Informational
dhcpd
DHCPREQUEST for 192.168.101.104 (192.168.101.1) from [MAC-ADDR] (HOSTNAME) via vlan02

2024-03-13T19:33:08
Informational
dhcpd
DHCPOFFER on 192.168.101.104 to [MAC-ADDR] (HOSTNAME) via vlan02

2024-03-13T19:33:07
Informational
dhcpd
DHCPDISCOVER from [MAC-ADDR] (HOSTNAME) via vlan02

Explanation of the above:

  • 192.168.101.0/24 is the subnet for vlan02
  • 192.168.103.0/24 is the subnet for vlan04
  • 192.168.1.0/24 is the LAN subnet

What exactly is the cause here? I'm not sure why my laptop is trying to retain its IP address across networks/SSIDs, but I never had any issues when quickly switching between SSIDs before, neither on my networks nor on other ones, so I'm guessing this is an issue with either my OpenWRT or OPNsense configuration. The latter is fairly vanilla (PPPoE, VLANs, DHCP, DNS and that's pretty much it) and the OpenWRT is configured as described in this thread. Does anybody have an idea of where or what to dig into here?

Another bit of information: I found this entry in my OpenWRT logs:

Wed Mar 13 19:52:42 2024 kern.warn kernel: [193977.830354] ath11k c000000.wifi: refusing to associate station: too many connected already (128)
Wed Mar 13 19:52:42 2024 kern.warn kernel: [193977.830407] ath11k c000000.wifi: Failed to add station: [MAC-ADDR] for VDEV: 0
Wed Mar 13 19:52:42 2024 daemon.notice hostapd: phy0-ap0: STA [MAC-ADDR] IEEE 802.11: Could not add STA to kernel driver
Wed Mar 13 19:52:42 2024 kern.warn kernel: [193978.211207] ath11k c000000.wifi: refusing to associate station: too many connected already (128)
Wed Mar 13 19:52:42 2024 kern.warn kernel: [193978.211256] ath11k c000000.wifi: Failed to add station: [MAC-ADDR] for VDEV: 0
Wed Mar 13 19:52:42 2024 daemon.notice hostapd: phy0-ap0: STA [MAC-ADDR] IEEE 802.11: Could not add STA to kernel driver
Wed Mar 13 19:52:43 2024 kern.warn kernel: [193978.893593] ath11k c000000.wifi: refusing to associate station: too many connected already (128)
Wed Mar 13 19:52:43 2024 kern.warn kernel: [193978.893644] ath11k c000000.wifi: Failed to add station: [MAC-ADDR] for VDEV: 0
Wed Mar 13 19:52:43 2024 daemon.notice hostapd: phy0-ap0: STA [MAC-ADDR] IEEE 802.11: Could not add STA to kernel driver
Wed Mar 13 19:52:43 2024 kern.warn kernel: [193979.246434] ath11k c000000.wifi: refusing to associate station: too many connected already (128)
Wed Mar 13 19:52:43 2024 kern.warn kernel: [193979.246483] ath11k c000000.wifi: Failed to add station: [MAC-ADDR] for VDEV: 0
Wed Mar 13 19:52:43 2024 daemon.notice hostapd: phy0-ap0: STA [MAC-ADDR] IEEE 802.11: Could not add STA to kernel driver
Wed Mar 13 19:54:31 2024 kern.warn kernel: [194086.943522] ath11k c000000.wifi: refusing to associate station: too many connected already (128)
Wed Mar 13 19:54:31 2024 kern.warn kernel: [194086.943577] ath11k c000000.wifi: Failed to add station: [MAC-ADDR] for VDEV: 0
Wed Mar 13 19:54:31 2024 daemon.notice hostapd: phy0-ap0: STA [MAC-ADDR] IEEE 802.11: Could not add STA to kernel driver
Wed Mar 13 19:54:31 2024 kern.warn kernel: [194087.295775] ath11k c000000.wifi: refusing to associate station: too many connected already (128)
Wed Mar 13 19:54:31 2024 kern.warn kernel: [194087.295827] ath11k c000000.wifi: Failed to add station: [MAC-ADDR] for VDEV: 0
Wed Mar 13 19:54:31 2024 daemon.notice hostapd: phy0-ap0: STA [MAC-ADDR] IEEE 802.11: Could not add STA to kernel driver
Wed Mar 13 19:54:51 2024 kern.warn kernel: [194107.648211] ath11k c000000.wifi: refusing to associate station: too many connected already (128)
Wed Mar 13 19:54:51 2024 kern.warn kernel: [194107.648265] ath11k c000000.wifi: Failed to add station: [MAC-ADDR] for VDEV: 0
Wed Mar 13 19:54:51 2024 daemon.notice hostapd: phy0-ap0: STA [MAC-ADDR] IEEE 802.11: Could not add STA to kernel driver
Wed Mar 13 19:54:52 2024 kern.warn kernel: [194108.016172] ath11k c000000.wifi: refusing to associate station: too many connected already (128)
Wed Mar 13 19:54:52 2024 kern.warn kernel: [194108.016221] ath11k c000000.wifi: Failed to add station: [MAC-ADDR] for VDEV: 0
Wed Mar 13 19:54:52 2024 daemon.notice hostapd: phy0-ap0: STA [MAC-ADDR] IEEE 802.11: Could not add STA to kernel driver
Wed Mar 13 19:57:42 2024 daemon.info hostapd: phy0-ap0: STA [MAC-ADDR] IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

The MAC address referred to above is the same as the one in my previous post. I'm concerned with the fact that it says there are too many devices connected, as there only really are a max of 2-3 devices connected. This is confirmed in the GUIs of both OPNsense and OpenWRT.

EDIT: This seems to be the same problem as mentioned here. Might this be a bug in the current snapshot release?

Yet another interesting piece of information: If I rename one of the SSIDs and try to connect to it, I sort of get connected. It doesn't tell me my password is wrong, and the error message from the picture above doesn't pop up either, but I also don't get an IP address, so my laptop just assigns itself a random 169.254.x.x address. Which leads me to believe that again, DHCP is likely the culprit. What could be the overarching issue here?
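The dhcpd excerpt above is the standard DHCP INIT-REBOOT exchange (RFC 2131): a client that still remembers a lease first REQUESTs that address on whatever network it has just joined, the server answers DHCPNAK "wrong network", and the client falls back to DHCPDISCOVER. The script below is an added example, not code from this thread or from OPNsense; it parses the four-line records the OPNsense log viewer shows, orders them chronologically, groups them per client MAC and reports each run of "wrong network" REQUEST/NAK pairs together with whether the client recovered (an ACK on the new interface within a window) or kept being NAKed. The sample records are constructed from the log in the thread, with `[MAC-ADDR]` kept as a placeholder.

```python
"""Reconstruct DHCP transactions from OPNsense dhcpd log records (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the thread's log (newest first, as the UI lists it).
SAMPLE_LOG = """
2024-03-13T19:34:12
Informational
dhcpd
DHCPACK on 192.168.103.101 to [MAC-ADDR] (HOSTNAME) via vlan04

2024-03-13T19:34:09
Informational
dhcpd
DHCPDISCOVER from [MAC-ADDR] via vlan04

2024-03-13T19:34:05
Informational
dhcpd
DHCPNAK on 192.168.1.103 to [MAC-ADDR] via vlan04

2024-03-13T19:34:05
Informational
dhcpd
DHCPREQUEST for 192.168.1.103 from [MAC-ADDR] via vlan04: wrong network.

2024-03-13T19:34:03
Informational
dhcpd
DHCPNAK on 192.168.1.103 to [MAC-ADDR] via vlan04

2024-03-13T19:34:03
Informational
dhcpd
DHCPREQUEST for 192.168.1.103 from [MAC-ADDR] via vlan04: wrong network.
"""

# message type, optional address, client MAC, interface, optional trailing note
MSG_RE = re.compile(
    r"^(DHCP[A-Z]+)(?: (?:on|for) (\S+))?(?: \(\S+\))? (?:from|to) (\S+)"
    r"(?: \(\S+\))? via ([^\s:]+)(?::\s*(.*))?$")


def parse_log(text):
    """Parse blank-line separated 4-line records into event dicts, oldest first."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        m = MSG_RE.match(lines[3]) if len(lines) == 4 and lines[2] == "dhcpd" else None
        if not m:
            continue  # not a dhcpd record, or a message shape we do not know
        kind, ip, mac, via, note = m.groups()
        events.append({"ts": datetime.fromisoformat(lines[0]), "type": kind, "ip": ip,
                       "mac": mac, "via": via, "note": note or ""})
    if len(events) > 1 and events[0]["ts"] > events[-1]["ts"]:
        events.reverse()  # the UI shows newest first; flip so same-second order is right
    events.sort(key=lambda e: e["ts"])  # stable: keeps record order within one second
    return events


def analyze(text, window_s=60):
    """One finding per run of 'wrong network' REQUEST/NAK pairs for a client."""
    by_mac = defaultdict(list)
    for ev in parse_log(text):
        by_mac[ev["mac"]].append(ev)
    findings = []
    for mac, evs in by_mac.items():
        i = 0
        while i < len(evs):
            ev = evs[i]
            if ev["type"] != "DHCPREQUEST" or "wrong network" not in ev["note"]:
                i += 1
                continue
            j = i  # extend over the retries of the same stale address and their NAKs
            while (j < len(evs) and evs[j]["ip"] == ev["ip"]
                   and evs[j]["type"] in ("DHCPREQUEST", "DHCPNAK")):
                j += 1
            run = evs[i:j]
            ack = next((e for e in evs[j:] if e["type"] == "DHCPACK"
                        and (e["ts"] - ev["ts"]).total_seconds() <= window_s), None)
            findings.append({
                "mac": mac, "stale_ip": ev["ip"], "via": ev["via"],
                "naks": sum(e["type"] == "DHCPNAK" for e in run),
                "outcome": "recovered" if ack else "stuck",
                "new_ip": ack["ip"] if ack else None,
            })
            i = j
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the thread's records this reports one run: two NAKs for the stale 192.168.1.103 on vlan04, recovered nine seconds later with an ACK for 192.168.103.101. A "stuck" finding (NAKs with no ACK inside the window) is the pattern worth chasing in the AP or switch configuration; a "recovered" one is the client behaving as the protocol intends.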

Sorry... seems like I missed this one over the last few days.

You shared a (near) default config 2 days ago... is that still the current network config file? If it has changed, please share the latest.

As far as the upstream...

  1. Have the VLANs been tested and verified to work as expected?
  2. Is the AP directly connected to the router, or is it connected via a switch?
  3. You've got 3 VLANs defined in your post -- is the lan untagged? Then you have VLAN2 and VLAN4 -- I assume both of those are tagged, correct?

No worries at all! Thanks for taking the time again.

Yes, the config is still the same (or rather, I'll set it back to the state I posted two days ago, as I have been fiddling around following different suggestions trying to make it work).

Regarding your questions:

  1. Yes, the VLANs work as expected when connected to the switch via RJ45.
  2. It is connected to a switch (Netgear GS324T).
  3. There are actually four VLANs configured on the router: vlan01 is just for PPPoE (my ISP requires a specific VLAN tag to be sent along when connecting via PPPoE), vlan03 is a /30 network for an isolated host (with no available leases for any client other than the one this network is dedicated to), and vlan02 and vlan04 are the MAIN and GUEST networks, respectively. As for the tagging, I'm not sure I follow - per my understanding, packets are tagged or untagged depending on their current location in the network. For instance, if a packet is between the router and the switch, it is tagged, whereas it is untagged when it's sent from the switch to a client who is connected to the switch via an RJ45 access port. In OpenWRT, I'm not sure what the tagging and untagging settings have to look like in my scenario.

Thanks. Some followups:

  • for the dumb AP, what VLAN is used to manage the device?
  • VLANs 2 and 4 (main and guest, respectively) on the trunk port from the GS324T, are these both tagged?
  • Which port is used on the dumb AP as the uplink?

Whenever we work with a trunk (that is a port/cable that carries multiple networks), we must have at least one network tagged per the 802.1q standard. This allows:

  • zero or one untagged network
  • zero, one, or many tagged networks.

Access ports are typically used for end equipment, and have just a single network untagged.

The connection between the router and switch, as well as the switch and the AP must be a trunk to carry the multiple VLANs. It is critical to match the VLAN IDs and tagging status on either side of the cable. That's why I'm asking about what (if any) VLAN is untagged on the GS324T port that connects to the AP, as well as which other VLANs are there (which must be tagged).

From there, we can make the necessary configuration updates to the AP.

  • The dumb AP is managed via the LAN network (192.168.1.0/24, with 192.168.1.1 being OPNsense and the GS324T residing at 192.168.1.2).
  • Yes, VLANs 2 and 4 (or rather, 10 and 30 going by their PVIDs - 02 and 04 are just the device names in OPNsense) are both tagged on the trunk port from the GS324T.
  • The dumb AP's uplink is set to WAN for OpenWRT's br-lan device (as per default), which is connected to an untagged port on the GS324T.

Thanks for the overview of VLANs. I wasn't aware of the number of tagged and untagged networks on each port, but I do know about the VLAN IDs and believe I configured those correctly up to the dumb AP. My only concern is with the tagging on OpenWRT - where do I tag the ports, precisely? Is it on the default br-lan device, do I create a new device (and if so, which type, etc.), do I need to create a VLAN device...?

EDIT: The PVIDs of the VLANs are 10 and 30; I corrected this above. I got confused myself saying they were 20 and 40 because the names of the VLAN devices in OPNsense are 02 and 04, but their PVIDs are actually 10 and 30. This is all correctly configured in my appliances, though. Only mixed it up briefly in the thread here, luckily.

Your switch will need to be configured to carry VLANs 20 (tagged) and 30 (tagged) on the port that is used to connect to the AP.

Let's get the AP configured appropriately. I'm going to use the lan ports to help us prove the configuration is working... we can reassign them as needed after we know everything works.

So... here goes:

You said wan is your uplink, so let's add that to the lan bridge:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

We need to delete the wan port from the wan interfaces... you can either remove the device in each of these, or delete the entire set of stanzas:

Next, we'll define bridge VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan3:u*'
	list ports 'wan:t'

Now we'll edit the lan interface -- this one has some other issues, so make it look exactly like this:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.3'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

And now add two unmanaged network interfaces for the other VLANs... feel free to name them differently:

config interface 'vlan20'
	option device 'br-lan.20'
	option proto 'none'

config interface 'vlan40'
	option device 'br-lan.40'
	option proto 'none'

Now, reboot the AP.

If all goes to plan, you should be able to attach to the main lan (192.168.1.0/24) by plugging your computer into port lan1. Then ports 2 and 3 will connect you to VLANs 20 and 40 respectively.

If that works, we're 90% there... just need to make SSIDs and connect them to the networks. If it doesn't, it signals that the upstream (switch, maybe router) is not configured properly. Of course, if it doesn't work, please post the updated network config file for review.

Give it a shot and let me know what happens.
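The recipe above and the 802.1q rule stated earlier (at most one untagged network per port, any number of tagged ones) can be checked mechanically before rebooting the AP. The script below is an added example, not code from this thread or from OpenWrt: it parses UCI text as found in /etc/config/network and reports a bridge-vlan that lists ports outside its bridge, a port untagged on more than one VLAN, and an interface bound to a `br-lan.N` device that has no bridge-vlan stanza for N. The embedded sample is the layout from the post above (VLAN 1 untagged on wan, 20 and 40 tagged, one access port each); treating a bare port name without `:t` as untagged is an assumption of the checker.

```python
"""Consistency check for an OpenWrt bridge-VLAN layout in UCI syntax (added example)."""
import re
from collections import defaultdict

# Constructed sample in the layout recommended above.
SAMPLE_CONFIG = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'wan'

config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'wan:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'lan2:u*'
    list ports 'wan:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '40'
    list ports 'lan3:u*'
    list ports 'wan:t'

config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.1.3'

config interface 'vlan20'
    option device 'br-lan.20'
    option proto 'none'

config interface 'vlan40'
    option device 'br-lan.40'
    option proto 'none'
"""

# Constructed variant: both access VLANs untagged on lan2 (a PVID clash).
BROKEN_CONFIG = SAMPLE_CONFIG.replace("list ports 'lan3:u*'", "list ports 'lan2:u*'")

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]*)'?)?\s*$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+(?:'([^']*)'|(\S+))\s*$")


def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {key: [values]})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", defaultdict(list)))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            value = m.group(3) if m.group(3) is not None else m.group(4)
            sections[-1][2][m.group(2)].append(value)  # 'list' keys collect several values
    return sections


def check_bridge_vlans(text):
    """Return the problems found; an empty list means the layout is consistent."""
    sections = parse_uci(text)
    problems = []
    bridges = {}  # bridge name -> member ports from 'config device' stanzas
    for stype, _, opts in sections:
        if stype == "device" and opts.get("type") == ["bridge"] and opts.get("name"):
            bridges[opts["name"][0]] = set(opts["ports"])

    defined = set()                  # (bridge, vid) pairs that have a bridge-vlan stanza
    untagged_on = defaultdict(list)  # port -> VLAN ids on which it is untagged
    for stype, _, opts in sections:
        if stype != "bridge-vlan" or not opts.get("device") or not opts.get("vlan"):
            continue
        bridge, vid = opts["device"][0], opts["vlan"][0]
        if bridge not in bridges:
            problems.append(f"bridge-vlan {vid} references unknown bridge {bridge}")
            continue
        defined.add((bridge, vid))
        for entry in opts["ports"]:
            port, _, mode = entry.partition(":")
            if port not in bridges[bridge]:
                problems.append(f"VLAN {vid}: {port} is not a member of {bridge}")
            if not mode.startswith("t"):  # assumption: anything but ':t' is untagged
                untagged_on[port].append(vid)

    for port, vids in untagged_on.items():  # 802.1q: one untagged network per port
        if len(vids) > 1:
            problems.append(f"{port} is untagged on more than one VLAN: {vids}")

    for stype, name, opts in sections:  # every bridge.N device needs its bridge-vlan
        dev = opts["device"][0] if stype == "interface" and opts.get("device") else ""
        if "." in dev:
            bridge, vid = dev.rsplit(".", 1)
            if (bridge, vid) not in defined:
                problems.append(f"interface {name} uses {dev} but no bridge-vlan {vid} on {bridge}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_bridge_vlans(cfg) or ["consistent"])
```

Run it against the output of `cat /etc/config/network` copied from the AP; it cannot see the switch side, so a clean result still leaves the "VLAN IDs and tagging must match on both ends of the cable" rule to be verified on the GS324T.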

Your switch will need to be configured to carry VLANs 20 (tagged) and 30 (tagged) on the port that is used to connect to the AP.

Yes, this is already the case.

You said wan is your uplink, so let's add that to the lan bridge.

Done.

We need to delete the wan port from the wan interfaces... you can either remove the device in each of these, or delete the entire set of stanzas.

I deleted both devices (wan and wan6).

Next, we'll define bridge VLANs.

I'm following your steps using the GUI, where I can choose a bridge device or a VLAN (802.1q), but no bridge VLAN. At first I assumed a bridge VLAN is equivalent to a "regular" bridge, only with VLAN filtering enabled, but when I tried following your steps under this assumption, I noticed that I cannot set the device to br-lan when creating a bridge device. So I thought that when you create what you refer to as a VLAN bridge, I will create a VLAN (802.1q) type of device. However, this is not possible either, as when I create such a device, I can choose a VLAN ID, and I can assign br-lan as the base device, but then I cannot set the ports to tagged or untagged. Is a VLAN bridge something that can only be created via the CLI?

Ok apparently a bridge VLAN is just enabling VLAN filtering on a bridge (which can also be br-lan), if I'm understanding this post correctly. So I went ahead and configured VLAN filtering on my default br-lan device as follows:

Now we'll edit the lan interface -- this one has some other issues, so make it look exactly like this:

Done; I actually only had to change the device.

And now add two unmanaged network interfaces for the other VLANs

Done.

Now, reboot the AP.

I was not aware I had to reboot the AP in order for changes to take effect. This may have actually cost me figuring out the solution earlier. However, I don't even get to rebooting - once I clicked "Save & Apply", I got to stare at the "Applying configuration changes..." screen for a minute, got disconnected from my WiFi network, and the settings were subsequently reverted as the device couldn't be reached within 90 seconds of applying the changes. I'll try to apply the changes while connected via LAN to see if that helps.

EDIT: Updated the image; I had accidentally set both VLAN 10 and 30 to LAN2, instead of adding VLAN10 to lan2 and VLAN30 to lan3.

Ok, I applied the changes regardless of the "error" prompt as it made sense that I'd get disconnected - my SSID was connected to br-lan, which I was editing.

I went ahead and it worked very well when connecting to the ports via LAN - I got an IP within the right subnet. I then proceeded to add the SSIDs and assign them to the respective networks, and it works like a charm! I can hop around between my networks like a kid in a bounce house. Thanks a lot for your help, Peter!!
