PfSense + OpenWRT + VLANs (Asus AX53U)

Hi all,

I'm totally revamping my network at home.
I'm struggling with OpenWRT conf with VLANs....

I have the following setup -
Modem --- PfSense --- Netgear 8-port Switch --- OpenWRT (Asus)

My routing, DHCP, DNS, Firewall are currently all managed by my PfSense box.
I want to use my Asus as a switch/AP distributing my various VLANs over WiFi but also to my physical LAN ports.

To do so, this is what I did:
created a bridge interface: br-all to include all 3 LAN ports + WAN port
remove wan, wan6 interfaces
on the br-all interface, I set my 5 VLANs, but let's just consider 2 for now: MGMT & LAN
I'll be using my WAN port on the Asus as the trunk port from my Netgear switch.
My Netgear switch interface (port 4) going to my Asus OpenWRT switch/AP is properly configured as trunk (all VLANs are tagged on this port)
I removed the previous lan interface
I created a MGMT interface from my br-all.77 VLAN (Static DHCP) hooked to the wan port for now
I created a LAN interface from my br-all.11 VLAN (Static DHCP) hooked to the lan1 port
Obviously, no DHCP set on any of the interfaces as I should get my IPs from PfSense.
Both interfaces are able to retrieve an IP in the respective MGMT & LAN ranges, defined on my PfSense

BUT

When I plug my laptop to lan1, I'm not getting any IP...

What am I doing wrong?

Thanks in advance for your support

Let's start by reviewing these things:

1. Please verify that your pfsense box + netgear switch are configured correctly.
   This can be validated by setting access ports (single network, untagged + PVID) on your Netgear swtich for each of your VLANs. Then plug a computer into each of these access ports in turn and verify that they get an address in the correct subnet and have the desired connectivity.

2. provide your configs for review here:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for the quick feedback.

I have tested my Netgear + PfSense config, working flawlessly.

I had to reset my Asus. I have pretty much everything as I set previously, br-lan & wan are just back for now and I haven't touched my WLAN config yet...

Here are my outputs:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "ASUS RT-AX53U",
        "board_name": "asus,rt-ax53u",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd3e:70e8:c9d6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-all'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'
        option mtu '1500'

config bridge-vlan
        option device 'br-all'
        option vlan '11'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-all'
        option vlan '22'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-all'
        option vlan '77'
        list ports 'wan:t'

config interface 'MGMT'
        option proto 'dhcp'
        option device 'br-all.77'

config interface 'LAN1'
        option proto 'dhcp'
        option device 'br-all.11'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dynamicdhcp '0'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'MGMT'
        list network 'LAN1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Thanks for your help.

Start by upgrading your OpenWrt version to the latest (currently 23.05.2). During the upgrade, allow it to reset to defaults by unchecking the "keep settings" box. From there, post your newest network config file.

I was already on 23.05.0 but with the many people speaking about the WAN port bug, I just reverted back to 22.

Anyway, I have followed your advise and reflashed with 23.05.2, resetting the whole configuration.
Then configuring as previously... same issue

This is what I have:

bridge vlans727×389 30.4 KB

interfaces509×631 60.9 KB

and the cli commands results:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "ASUS RT-AX53U",
        "board_name": "asus,rt-ax53u",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd96:824d:ac82::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-all'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config bridge-vlan
        option device 'br-all'
        option vlan '11'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-all'
        option vlan '22'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-all'
        option vlan '77'
        list ports 'wan:t'

config interface 'MGMT'
        option proto 'dhcp'
        option device 'br-all.77'

config interface 'LAN1'
        option proto 'dhcp'
        option device 'br-all.11'

root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'LAN1'
        list network 'MGMT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~#

The same physical ports cannot be members of multiple bridges.
If you are going to use br-all, you must delete br-lan.

Hey pavelgl

One thing I want to say before I respond:

THANK YOU guys !!! I've never seen a forum so knowledgeable and so keen to share and help (and so quickly)

That being said, I indeed completely forgot to remove one of the 2 bridges.
I just did now, as well as removing the wan and wan6 interfaces.
I also didn't realize how important the FW was, even though I'm basically configuring my Asus as a switch + AP only, with no routing involved at all... not sure if I'll get that someday.

I now have my laptop getting a proper VLAN11 IP when connected to lan1. Likewise, my wireless devices are getting the proper LAN IPs from the WLAN.

I'm now only missing one thing:
As I said earlier, I've set the wan port (which is part of the unique br-all bridge) to be the trunk port, connecting to my Netgear: I have tagged all 3 VLANs on that port.

If I now connect my laptop to my Netgear on a MGMT port (VLAN77), I'm obviously able to connect to all my devices as per my FW rules on PfSense BUT I'm not able to reach my OpenWRT interface Luci interface nor can I ping the associated interface IP... This MGMT interface was precisely created for this purpose, I'm just waiting for eveything to work properly before "unmanaging" any other interface. Likewise, in the captures below, you will notice an ANTILOCK interface (lan3) which purpose doesn't need to be described :-).

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc2:a275:5618::/48'
        option packet_steering '1'

config interface 'ANTILOCK'
        option proto 'static'
        option device 'lan3'
        option ipaddr '10.77.0.40'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-all'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan'
        option mtu '1500'
        option ipv6 '0'

config interface 'lann'
        option proto 'none'
        option device 'br-all'

config bridge-vlan
        option device 'br-all'
        option vlan '11'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-all'
        option vlan '22'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-all'
        option vlan '77'
        list ports 'wan:t'

config interface 'MGMT'
        option proto 'dhcp'
        option device 'br-all.77'

config interface 'LAN1'
        option proto 'dhcp'
        option device 'br-all.11'

root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'ANTILOCK'
        list network 'lann'
        list network 'LAN1'
        list network 'MGMT'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'xxxxxxxxxxxxxxxxxx'
        option encryption 'psk2'
        option key 'xxxxxxxxxxxxxxxxxx'
        option network 'LAN1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~#

Thanks again for your support.

It appears that the MGMT and ANTILOCK interfaces share the same IP subnet, which is most likely the cause of the problem.

Stop the ANTILOCK interface or assign it an IP address on a different (not overlapping) subnet.

What I did....

Now working flawlessly.

Marking your previous reply as the solution to my initial issue.

Thank you so much for your help.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.