Per VLAN SSID on ZyXEL NWA50AX

Hello.

I have a brand new ZyXEL NWA50AX that is plugged into a managed switch in vlan trunk mode.

I'm trying to configure multiple SSID, one SSID per VLAN.

VLAN 2 is management and the AP should have an IP on this interface. This works, I can connect to the IP specified in mgt interface below.

VLAN 200 is FREE wifi, and VLAN 201 is KIDS wifi.

The issue is that when I connect to either wifi, I can see the packets on the wlan interface with:

tcpdump -i wlan0-1

But I see no packet at all on the vlan bridges with:

 tcpdump -i br-lan.200
or
 tcpdump -i br-lan.201

But I do see package from LAN devices on those VLAN, so ethernet tagging seems to work.

It seems the issue is that wlanX-Y devices are not bridged with br-lan.XXX

The firewall, dnsmasq and odhcpd are disabled.

Wireless config:


config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option htmode 'HE20'
	option channel 'auto'
	option cell_density '0'
	option country 'CH'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option htmode 'HE80'
	option channel 'auto'
	option cell_density '0'
	option country 'CH'

config wifi-iface 'radio0_free'
	option device 'radio0'
	option mode 'ap'
	option ssid 'VV FREE'
	option encryption 'none'
	option network 'free'

config wifi-iface 'radio0_kids'
	option device 'radio0'
	option mode 'ap'
	option ssid 'VV KIDS'
	option encryption 'none'
	option network 'kids'

config wifi-iface 'radio1_free'
	option device 'radio1'
	option mode 'ap'
	option ssid 'VV FREE'
	option encryption 'none'
	option network 'free'

config wifi-iface 'radio1_kids'
	option device 'radio1'
	option mode 'ap'
	option ssid 'VV KIDS'
	option encryption 'none'
	option network 'kids'

Network config:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdbb:0c7b:92e0::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'
	option name 'br-lan.2'
	option ipv6 '1'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '200'
	option name 'br-lan.200'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '201'
	option name 'br-lan.201'

config interface 'mgt'
	option proto 'static'
	option device 'br-lan.2'
	list ip6addr xxxxxxxxxxxxxxxxx/64'
	option ip6gw 'xxxxxxxxxxxxxx'
	list dns 'xxxxxx'
	list dns_search 'xxxxx'
	list dns_search 'xxxxxxxx'
	option delegate '0'

config interface 'free'
	option proto 'none'
	option device 'br-lan.200'

config interface 'kids'
	option proto 'none'
	option device 'br-lan.201'

You'll still need a bridge to link your SSID to the wired network. I'm not sure what you got going on here, since this is a DSA device, yet you have no VLANs defined, you just set 802.11q type devices that are fine for standalone ports, but not for bridging, which you need to tie the wireless into your VLAN. Even when you just got that single wired port.

Consider below DSA configuration. Note the bridge-vlan stanzas.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '1xx.xx.0.12/24'
	option dns '1xx.xx.0.1'
	option gateway '1xx.xx.0.1'
	option device 'br-lan.1'

config interface 'guest'
	option proto 'static'
	option ipaddr '1xx.xx.20.12/24'
	option device 'br-lan.20'

config bridge-vlan 'lan_vlan'
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0:u*'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan 'guest_vlan'
	option device 'br-lan'
	option vlan '20'
	list ports 'lan0:t'

I added the bridge-vlan sections but it doesn't change anything.

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '201'
	list ports 'lan:t'

I guess I would need to bridge the wireless devices, like wlan0 with br-lan.XXX.

Let’s see the latest complete network config file.

To simplify, I have temporarily remove the vlan 201 config, and I am trying to get a single SSID with VLAN tagging.

I see packets with tcpdump on interface wlan0 but not on interface br-lan.200


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdbb:0c7b:92e0::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'
	option vlan_filtering '0'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '2'
	option name 'br-lan.2'
	option ipv6 '1'

config interface 'mgt'
	option proto 'static'
	option device 'br-lan.2'
	list ip6addr 'x'
	option ip6gw 'x'
	list dns 'x'
	list dns_search 'x'
	list dns_search 'x'
	option delegate '0'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '200'
	option name 'br-lan.200'


config interface 'free'
	option proto 'none'
	option device 'br-lan.200'


config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'lan:t'



config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option htmode 'HE20'
	option channel 'auto'
	option cell_density '0'
	option country 'CH'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option htmode 'HE80'
	option channel 'auto'
	option cell_density '0'
	option country 'CH'

config wifi-iface 'radio0_free'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option network 'free'


config wifi-iface 'radio1_free'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt 5g'
	option encryption 'none'
	option network 'free'


Vlan filtering should be on or simply removed. I recommend removing the line.

Delete this:

And delete this:

The reboot and try again

1 Like

Thanks it works.

What confused me is that setting ifname.xxx will automatically create the vlan virtual interface without the device section.

Awesome.

Yeah, I'm not entirely sure why the 802.1q device still exists as a config option... swconfig, DSA, and direct dotted notation methods don't require (and may be negatively impacted by) 802.1q device definitions in the config.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Like I said earlier, 802.11q works just fine for standalone interfaces, even with DSA still. Its the proper way to configure those. I told the topic starter not to use them to bridge the wireless, he still did...

Either way, happy it got sorted!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.