Previous VLAN configuration doesn’t work in stable release 23.05.2. What am I missing?

Hi all,

Recently I moved from snapshot r22767 to stable release 23.05.2 (r23630).

However, it seems that my previous VLAN configuration does not work in the new version.

Every time I try to restore my previous settings under Bridge VLAN filtering (on br-lan), or actually do anything, I get locked out :frowning:

My setup is very simple:

laptop -----> [lan1] Dumb AP (openwrt) [wan]------------------> OPNsense --> ISP modem

  • The WAN port is used to connect the AP to the OPNsense router.
  • WAN interfaces have been removed.
  • The LAN interface was assigned a static IP (which is different from OPNsense, but in the same subnet).
  • I manually created all the interfaces for all the VLANs, including an interface for VLAN 99 with a static IP address (in the same subnet).
  • OPNsense is responsible for DHCP.

Now, I want to be able to connect my laptop directly to the AP (openwrt) for management purposes. Let’s say that I want to use lan1.

However, it seems that no matter what settings I try, the immediate result is that I’m locked out :frowning:

I guess that I’m just doing something wrong :thinking:

What should I do in the Bridge VLAN filtering tab in the above scenario if I want to use lan1 for management?


Thanks in advance.

Impossible to answer without adding the actual device you're talking about to the information (as it might have been involved in swconfig <--> DSA changes).

I am guessing VLAN 99 is your mgmt VLAN and LAN 1 is connected to your OPNsense router, which also has VLAN 99 configured for management.

  1. On lan1, tag 20, 30, 40, 99.

  2. Click Save.

  3. Go to Network/Interfaces, select lan and change the Device to br-lan.99.

  4. Click Save.

  5. Finally, click Save & Apply.

1 Like

If you want to connect your PC into management VLAN 99 via the LAN1 port, you need to set the LAN1 port untagged and also choose Is Primary VLAN.

1 Like

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

The device is Banana R3. Further to Psherman's comment, I will provide more details soon.

Thanks.

Thank you, @papdee.

I'm sorry if I wasn't very clear.

You're right, VLAN 99 is for management.

However, WAN is connected to my OPNSense.

LAN1 is used only to connect my laptop to the OpenWrt AP for maintenance / troubleshooting.

By the way, do I have to use the management VLAN that is configured in OPNsense if all I want is to access the OpenWrt AP via LAN?

I just did not know I had to use it in order to access the AP via LAN1 (or any other port) :thinking: I wanted to configure LAN1 to be outside the VLAN framework... Perhaps this is one of my mistakes.

Thank you!

@mattimatt, thank you! I believe I tried this option (probably more than once), but perhaps I've misconfigured something. I will provide more information about my device and configuration, so it will be easier for you all to understand what is going on :slight_smile:

@psherman, please find the requested information below.

Comments:
a) I will disable the DHCP and firewall services once I find a solution to the VLAN problem...
b) In the configuration below, my OPNsense IP is 192.168.1.1 and my OpenWrt IP is 192.168.1.2.
c) The OpenWrt AP is connected via WAN to the OPNsense.

ubus call system board

{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Bananapi BPI-R3",
	"board_name": "bananapi,bpi-r3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix *****

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'wan'

config device
	option name 'eth1'
	option macaddr ******

config device
	option name 'wan'
	option macaddr ******

config interface 'VLAN99'
	option proto 'static'
	option ipaddr '192.168.1.99'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option name 'br-lan.10'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option name 'br-lan.20'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '30'
	option name 'br-lan.30'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option name 'br-lan.40'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '99'
	option name 'br-lan.99'

config interface 'VLAN10'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'

config interface 'VLAN20'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.2'
	option netmask '255.255.255.0'
	option gateway '192.168.20.1'

config interface 'VLAN30'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.2'
	option netmask '255.255.255.0'
	option gateway '192.168.30.1'

config interface 'VLAN40'
	option proto 'static'
	option device 'br-lan.40'
	option ipaddr '192.168.40.2'
	option netmask '255.255.255.0'
	option gateway '192.168.40.1'

config interface 'VLAN99'
	option proto 'static'
	option device 'br-lan.99'
	option ipaddr '192.168.1.99'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Thank you in advance!

Personally I would just put the OPNsense and AP on the same network unless you have specific reasons to do it the way you have set things up. I don't use OPNsense, but I guess the web interface defaults to listening on the LAN adapter. Therefore, create a VLAN99 adapter in OPNsense and configure the web interface to listen on VLAN99. This way all management interfaces, both the OpenWrt AP and OPNsense, are on VLAN99. Create an SSID_Mgmt, put this radio on VLAN99, and you will have access to all your management interfaces in one spot. If you want management to be wired only, configure one of your ethernet ports, either on the OPNsense or the AP, as VLAN99 untagged and connect the laptop to that management port.

1 Like

Your device is DSA, so you need to use bridge-VLANs.

I can provide specific help later if you need guidance.

1 Like

You have the wan in two bridges... it can only be in one.
Let's start by deleting this:

Next, delete all of the 802.1q stanzas:

Now, we need to make bridge-vlans. Aside from the wan which is clearly your trunk, I don't know what VLANs should be on each physical port, but I'll make something up (easy to change later). I also don't know if any of the VLANs are untagged from the pfsense box -- so we'll just assume all are tagged.

Here's what will result from below:

  • port wan: tagged VLAN 10, 20, 30, 40, 99
  • port lan1: untagged VLAN 10
  • port lan2: untagged VLAN 20
  • port lan3: untagged VLAN 30
  • port lan4: untagged VLAN 99

Add this:

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:u*'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan4:u*'
	list ports 'wan:t'

Now, we'll edit the network interface stanzas. First delete this:

You also have 2 stanzas for VLAN99, so we'll delete one of them:

Next, make all VLANs unmanaged except for the VLAN that is used to manage the device (VLAN 99):

config interface 'VLAN10'
	option proto 'none'
	option device 'br-lan.10'

config interface 'VLAN20'
	option proto 'none'
	option device 'br-lan.20'

config interface 'VLAN30'
	option proto 'none'
	option device 'br-lan.30'

config interface 'VLAN40'
	option proto 'none'
	option device 'br-lan.40'

You can leave VLAN99 as is.

Finally, we need to add VLAN99 to the firewall -- put it in the lan firewall zone like this:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'VLAN99'

Now, restart your OpenWrt device and it should work.

3 Likes
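As an added example (not code from this thread or from OpenWrt), here is a small Python checker for the lock-out pitfalls walked through in the answer above and in papdee's steps earlier: a port that sits in two bridges, a duplicate interface stanza, an interface with no device, and a management VLAN with no untagged port to plug a laptop into. The UCI parser, the function names and the sample config are constructed for this example; running it against the real /etc/config/network before Save & Apply is the intended use.

```python
import shlex

def parse_uci(text):
    """Tiny UCI reader: list of (type, name, options); 'list' keys become lists."""
    secs = []
    for raw in text.splitlines():
        tok = shlex.split(raw) or ['']  # blank lines match no branch below
        if tok[0] == 'config':
            secs.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok[0] == 'option':
            secs[-1][2][tok[1]] = tok[2] if len(tok) > 2 else ''
        elif tok[0] == 'list':
            secs[-1][2].setdefault(tok[1], []).append(tok[2])
    return secs

def lint_network(text, mgmt_vlan='99'):
    """Findings for the lock-out pitfalls from the thread; [] means clean."""
    secs, out, owner, seen = parse_uci(text), [], {}, set()
    for typ, name, o in secs:
        if typ == 'device' and o.get('type') == 'bridge':
            for port in o.get('ports', []):  # a port may sit in only one bridge
                if port in owner:
                    out.append(f"port {port} is in both {owner[port]} and {o['name']}")
                owner[port] = o['name']
        elif typ == 'interface':
            if name in seen:  # two stanzas with the same name
                out.append(f"interface {name} is defined twice")
            seen.add(name)
            if 'device' not in o:  # nothing ties the interface to its VLAN
                out.append(f"interface {name} has no device")
    mgmt = [o for t, _, o in secs if t == 'bridge-vlan' and o.get('vlan') == mgmt_vlan]
    if not mgmt:
        out.append(f"no bridge-vlan stanza for management VLAN {mgmt_vlan}")
    elif not any(p.endswith(':u*') for p in mgmt[0].get('ports', [])):
        out.append(f"VLAN {mgmt_vlan} has no untagged (:u*) port for a laptop")
    return out

# Constructed sample echoing the post: wan in two bridges, VLAN99 twice, one without a device.
BROKEN = """config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'wan'
config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'
config interface 'VLAN99'
	option proto 'static'
config interface 'VLAN99'
	option device 'br-lan.99'"""
```

On the device itself, `lint_network(open('/etc/config/network').read())` returns the list of findings; an empty list means none of the four pitfalls is present.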

Thank you, @papdee. Now all the management interfaces are on the same network and everything works :slight_smile: And you're right, I want the management VLAN to be accessible by wire only, so this is what I'm going to do (I feel uncomfortable allowing wireless access to my routers...).

Thanks.

@psherman, it works :smile: !!

Your assumptions are 99% correct. Clients who connect to the AP won't know that there are VLANs and different networks. I will assign VLANs to different wifi networks on the AP so each category of clients will be on its own separate network. Probably two machines (clients) will be connected to the AP via a wired connection.

By the way, it didn't work immediately, because it turned out that I deleted the VLAN99 interface that included the line "option device 'br-lan.99'", but for some reason it was missing under the other VLAN99 interface I decided to keep. So it took me a while to understand that nothing connected the interface and the bridge-vlan, and only then did I realize that I had mistakenly deleted it.

One last question: shouldn't I disable the firewall if the OpenWrt AP functions as a dumb AP only?

Thank you VERY MUCH for your help and patience, much appreciated!! :pray: :grinning:

I recommend leaving it as-is -- mainly so that you don't have a surprise should things change after an upgrade or other similar event.

Okay, understood. Thank you.

By the way, is there anything special with respect to DNS I need to know? I believe it should use the default gateway as a DNS.

It seems that I can ping 1.1.1.1 and 9.9.9.9 from the AP, but cannot ping openwrt.org, and therefore "opkg update" doesn't work (wget returned 4).

I did configure DNS servers for VLAN99 in OPNsense (although it is not necessary).

Thanks again :slight_smile:

This is common, but not required and not always available (does your main gateway offer DNS on this particular network?). But yes, usually your gateway is also the address for the DNS.

We can review the config in its current and hopefully final or near-final form.

You only need to run opkg update if you plan to install packages onto your AP to add additional functionality. Otherwise, it's not really necessary to worry about internet connectivity for the AP itself.

Yes, it does. I configured DNS on this specific interface.

Thank you. Now the VLAN99 interface in /etc/config/network looks like this:

config interface 'VLAN99'
	option proto 'static'
	option device 'br-lan.99'
	option ipaddr '192.168.99.2'
	option netmask '255.255.255.0'
	option gateway '192.168.99.1'
	option delegate '0'
	list dns '192.168.99.1'

However, I suspect that this issue is somehow related to my OPNsense FW/settings, because when I add a specific Port Forward rule in OPNsense that forwards any DNS query from VLAN99 directly to 9.9.9.9, it works. It doesn't work with the system's default DNS settings (local pi-hole), while on other VLANs DNS works :thinking: I will have to investigate this issue a bit further.

That's a good point, thank you :slight_smile:

Thank you again!
