Pass VLAN on AP 3705i

Hello everyone,

I have a Huawei router on which I have declared two VLANs (2, 3) with IP addresses 192.168.2.1/24 and 192.168.3.1/24 respectively.
The same router propagates the VLANs to a Huawei switch.
I have an Enterasys AP3705i access point with OpenWRT 23.05.
The port on which the AP is connected is in trunk allow pass for vlans 2 and 3.
What is the configuration on the AP to be able to receive the VLAN tag?
In access mode the AP is reachable, in trunk mode it is not.. I think I have to modify the /etc/network/config file but I don't know how..
Can anyone help me?
I thank you in advance.

PS my idea is to use vlan 2 for home automation (wifi) and vlan 3 for the home wifi network..

Can we see the current contents of the file?

BTW, it's /etc/config/network.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde2:05a0:8438::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.3'
        option netmask '255.255.255.0'

config interface 'prova'
        option proto 'static'
        option device 'eth0.3'
        option ipaddr '192.168.3.2'
        option netmask '255.255.255.0'
        option gateway '192.168.3.1'
        option type 'bridge'

config interface 'Mngt'
        option proto 'static'
        option device 'eth0.2'
        option ipaddr '192.168.2.3'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        option type 'bridge'

config interface 'eth04'
        option proto 'static'
        option device 'eth0.4'
        option ipaddr '192.168.4.2'
        option netmask '255.255.255.0'
        option gateway '192.168.4.1'
        option type 'bridge'

config interface 'eth05'
        option proto 'static'
        option device 'eth0.5'
        option ipaddr '192.168.5.2'
        option netmask '255.255.255.0'
        option gateway '192.168.5.1'

Typically on an AP, only one interface will have an address -- it is the one used to manage the device. I'm assuming that is the Mngt interface. The rest should be unmanaged in most cases.

You also have an overlap of the Mngt and lan interface which will cause problems.

If your actual management is happening on VLAN 2, you should delete the lan interface and br-lan device.

Further, the bridge type is invalid inside a network interface stanza and will actually break things. You need to create bridge devices separately and then use the bridge in the network interface stanza. So, take this:

The above needs to be edited to look more like this:

config device
        option name 'br-prova'
        option type 'bridge'
        list ports 'eth0.3'

config interface 'prova'
        option proto 'none'
        option device 'br-prova'

Repeat this for eth04 and eth05 interfaces, as well as the Mngt interface if it is used for wifi as well (if not, just remove the bridge line and it's fine).

So, I put the port where the AP is attached in trunk allow-pass for VLANs 2 3 4 5, set it up as you said, and then I can use LuCI to associate the wifi networks with the interfaces, right?
Like the "home automation" SSID to eth03, the "main SSID" to eth04 and so on, so I have the segmented network, right?
By putting the ports in access mode the router correctly assigns the DHCP address for each port, so I should be fine..

Yes. Provided that everything is done correctly.

This is my network file:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde2:05a0:8438::/48'

config device
        option name 'br-eth02'
        option type 'bridge'
        list ports 'eth0.2'

config interface 'Mngt'
        option proto 'static'
        option device 'br-eth02'
        option ipaddr '192.168.2.3'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'

config device
        option name 'br-eth03'
        option type 'bridge'
        list ports 'eth0.3'

config interface 'eth03'
        option proto 'none'
        option device 'br-eth03'

config device
        option name 'br-eth04'
        option type 'bridge'
        list ports 'eth0.4'

config interface 'eth04'
        option proto 'none'
        option device 'br-eth04'

config device
        option name 'br-eth05'
        option type 'bridge'
        list ports 'eth0.5'

config interface 'eth05'
        option proto 'none'
        option device 'br-eth05'

And from the AP I can ping all the gateways (2.1, 3.1, 4.1, 5.1).
If I try to ping the address 192.168.2.3 from a PC I get "port unreachable".

I think it's a firewall zone issue.
This is conf firewall file:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Do you have any idea?
It's already a great success that it managed to do this, and I am very happy.
Thank you for your kind help.

From a PC on what network? What is the IP address of the PC?

The PC has an address on VLAN 2, IP 192.168.2.245. I can ping the address 192.168.2.3, the static address of the AP, and it returns the message "Port is unreachable".
If I log into the AP with PuTTY via the console, in the OpenWrt CLI I can ping the gateways of VLANs 2, 3, 4, 5.
I suppose the problem is in the firewall config, right?
From the PC I can ping all the VLAN gateways..

This suggests that the connection upstream of the AP is not tagged for VLAN 2.

Check that the switch is configured with VLAN 2 tagged on the trunk to the AP.

Yes, they are tagged.
The allow-pass is for VLAN IDs 2 3 4 5 on the trunk.

If not, the AP would not ping the gateway...
Or would it?

So the AP can ping the gateway? Can the gateway ping the AP?

The AP pings all the VLAN gateways, but the gateway cannot ping the AP.

Ok... I see what the issue is:

Edit your firewall lan zone like this:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'Mngt'

Then restart the AP (or just the firewall service), and try again.

Now I can also see the 192.168.2.3 interface from the PC.
The problem is that clients don't connect to the wifi if I associate the relevant interface (eth03 or eth04 or eth05) with the SSID.
If instead I associate the SSID with the mngt interface, the wifi network works.
If I connect a PC with an IP address in VLAN 3, it gets an IP address from VLAN 3 and has access to the internet.
So DHCP from the router works.

This is the strange thing..

That screenshot is fine.

let's see your /etc/config/wireless file.

I tried to see.
If I associate the "home automation" ssid with vlan 3 it doesn't work, while if I put it on vlan 2 it works without problems.
Do I need to create static routes?

No, the AP is supposed to be a transparent bridge, no routing, thus no static routes. All the routing is handled by your main router.
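As an added example (not code from the thread, and not part of OpenWrt), here is a small Python linter that applies the checks made in this thread to the three UCI files of a dumb AP: a bridge type inside an interface stanza (the structure fix above), the same address on two interfaces, an interface pointing at a bridge that was never declared, an addressed interface missing from every firewall zone (the zone fix above), and an SSID bound to a network that does not exist in /etc/config/network. The sample configs inside it are constructed, abbreviated from the configs posted above; the names br-prova, eth03 and 'home automation' are taken from the thread, and the parser is a simplified one that handles only the config/option/list statements seen in these files.

```python
"""Lint OpenWrt UCI config for the dumb-AP mistakes discussed in this thread.
Added example, not from the thread; the sample configs below are constructed."""
import re
from collections import defaultdict

UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(.*))?$")


def parse_uci(text):
    """Return (sections, errors); a section has type, name, options and lists."""
    sections, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m:  # e.g. an 'otion name' typo, which uci itself rejects
            errors.append(f"line {lineno}: not a UCI statement: {line!r}")
            continue
        kw, key, val = m.group(1), m.group(2), (m.group(3) or "").strip("'\" ")
        if kw == "config":
            sections.append({"type": key, "name": val or None, "options": {}, "lists": defaultdict(list)})
        elif not sections:
            errors.append(f"line {lineno}: '{kw}' before any config section")
        elif kw == "option":
            sections[-1]["options"][key] = val
        else:
            sections[-1]["lists"][key].append(val)
    return sections, errors


def lint_ap_config(network, firewall, wireless=""):
    """Return a list of findings; an empty list means the AP config looks sane."""
    net, errs = parse_uci(network)
    fw, ferrs = parse_uci(firewall)
    wl, werrs = parse_uci(wireless)
    findings = errs + ferrs + werrs
    devices = {s["options"].get("name") for s in net if s["type"] == "device"}
    ifaces = {s["name"]: s for s in net if s["type"] == "interface"}
    by_addr = defaultdict(list)  # static ipaddr -> interfaces carrying it
    for name, sec in ifaces.items():
        opt = sec["options"]
        if opt.get("type") == "bridge":  # bridges belong in a 'config device' stanza
            findings.append(f"interface {name}: 'option type bridge' is invalid in an interface stanza; "
                            "declare a 'config device' bridge and reference it via 'option device'")
        dev = opt.get("device", "")
        if dev.startswith("br-") and dev not in devices:
            findings.append(f"interface {name}: device {dev} is not declared as a bridge device")
        if opt.get("proto") == "static" and "ipaddr" in opt:
            by_addr[opt["ipaddr"]].append(name)
    for addr, names in by_addr.items():
        if len(names) > 1:
            findings.append(f"address {addr} is configured on several interfaces: {', '.join(names)}")
    managed = sorted(n for names in by_addr.values() for n in names if n != "loopback")
    if len(managed) > 1:
        findings.append(f"an AP normally has one addressed (management) interface; found: {', '.join(managed)}")
    # Firewall: an addressed interface in no zone falls under the default input policy.
    default_input = next((s["options"].get("input", "REJECT") for s in fw if s["type"] == "defaults"), "REJECT")
    zoned = {n for s in fw if s["type"] == "zone" for n in s["lists"]["network"]}
    for n in managed:
        if n not in zoned:
            findings.append(f"interface {n} is in no firewall zone, so the default input policy ({default_input}) applies")
    # Wireless: every SSID must point at a network interface that actually exists.
    for sec in wl:
        if sec["type"] == "wifi-iface":
            n = sec["options"].get("network")
            if n and n not in ifaces:
                findings.append(f"SSID {sec['options'].get('ssid', '?')!r} is bound to network {n}, which is not defined")
    return findings


# Constructed samples, abbreviated from the first configs posted in the thread.
SAMPLE_NETWORK = """config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.2.3'
config interface 'Mngt'
    option proto 'static'
    option device 'eth0.2'
    option ipaddr '192.168.2.3'
    option type 'bridge'
config interface 'prova'
    option proto 'none'
    option device 'br-prova'"""
SAMPLE_FIREWALL = """config defaults
    option input 'REJECT'
config zone
    option name 'lan'
    list network 'lan'"""
SAMPLE_WIRELESS = """config wifi-iface 'home_automation'
    option ssid 'home automation'
    option network 'eth03'"""
```

Copy the three files off the AP (for example with scp) and call lint_ap_config(open("network").read(), open("firewall").read(), open("wireless").read()); on the constructed samples it reports six findings. The OpenWrt default input policy is REJECT, which is why an addressed interface left out of every zone (the Mngt case above) can ping out but cannot be reached from the PC.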

So that active route was propagated from the main router, correct?