Problem assigning VLAN to WIFI on dumb AP

Hello,

I have been using OpenWRT for a while on my router but I am struggling with trying to set up a dumb AP using VLANs. I am completely new to setting up wireless to VLAN - I just have something missing which I cannot get working.

Architecture:
Linksys 1900ACS main router using OpenWRT (v22.03), with VLANs set up - this works perfectly on a managed switch as I can see the correct IP addresses on untagged ports (for each VLAN). The VLANs are being sent via trunk to the managed switch. I have configured the managed switch to send VLANs 1, 20 and 60 as a trunk on one port to the dumb AP.

Linksys EA7300 as dumb AP (OpenWRT v22.03). I have connected one port on the managed switch sending:
VLAN 1 - untagged
VLAN 60 - Guest - tagged
VLAN 20 - Home - tagged

On the dumb AP, I have set up the following:
Disabled firewall and dnsmasq
Devices:
bridge for LAN1 - br-lan1 - assigning Lan1, br-lan1.1, br-lan1.60, br-lan1.20
Interfaces:
Guest - br-lan.60 (unmanaged as ip address being issued from main router)
Home - br-lan.20 (unmanaged as ip address being issued from main router)
MGMT - br-lan.1 (unmanaged as ip address being issued from main router)
Wireless:
2.4ghz - assigned Guest interface (br-lan.60)
5ghz - assigned Home interface (br-lan.20)

Somehow, for the wireless, if I assign the 'lan' interface I am able to obtain internet using a VLAN1 IP address; if I assign either of the Guest or Home interfaces to the wireless devices, nothing happens - my phone cannot connect to the wireless SSID.

I am completely confused why this isn't working. Looking online there are eth0 ports, but I don't understand how this will help.

I hope some of you knowledgeable folk can help me?

Many thanks, D.

Hi

start with posting config

cat /etc/config/network
cat /etc/config/wireless

See if this helps:

I'd generally avoid using a single wire for both, tagged and untagged traffic.

If your main router is connected to your managed switch, just

  • make the corresponding port on your router tagged vlan1, 20 and 60
  • make the port on your managed switch to expect tagged packages.

If your dumb AP is connected to your managed switch, just:

  • make that port on your dumb AP tagged vlan 1, 20 and 60,
  • make the connected port on your managed switch to expect tagged packages.

All "loose" ports on your APs, routers and switches (meaning: Those going to client devices like computers, printers, gaming consoles, etc): Dedicate them to a single vlan untagged.

Just to clarify: Imagine every single package going over the wire.
Regular packages with no vlan basically look like this:
1 Some bits called "preamble"
2 Some bits holding the target MAC address
3 Some bits holding the source MAC address
4 Some bits holding the "type" (TCP, UDP, ICMP)
5 Some bits payload.

Vlan packages basically look like this:
1 Some bits called "preamble"
2 Some bits holding the target MAC address
3 Some bits holding the source MAC address
4 Some bits VLAN tag
5 Some bits holding the "type" (TCP, UDP, ICMP)
6 Some bits payload.

See: https://upload.wikimedia.org/wikipedia/commons/0/0e/Ethernet_802.1Q_Insert.svg

So for really dumb networking devices such as switches and hubs, there's no difference between vlan and non-vlan. They stop caring after they know the source MAC address, potentially even after they know the target MAC address.

What your main router does by using a port for "vlan 1 untagged" is: It sees vlan 1, strips the tag portion and passes it through the cable. So as soon as the package is out of the door, there's no information about it being vlan 1.

Your dumb AP doesn't know anything about "vlan 1". That information is gone. It's just an untagged package.

So do yourself a favor and start with clean ports that are either entirely untagged or entirely tagged, but not a mix of both.
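
The tagged and untagged layouts described in the post above, as an added Python example that is not part of the original post: it inserts and strips the 4-byte 802.1Q tag on a constructed frame and decodes the header as a capture shows it. The frame bytes, VLAN 60 and all function names are chosen for this illustration.

```python
import struct

TPID_8021Q = 0x8100  # value in the EtherType position that announces a VLAN tag

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Tagged egress: insert the 4-byte 802.1Q tag after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Untagged egress: drop the tag. The VLAN ID is gone from the wire after this."""
    if len(frame) >= 18 and frame[12:14] == struct.pack("!H", TPID_8021Q):
        return frame[:12] + frame[16:]
    return frame

def parse_frame(frame: bytes) -> dict:
    """Decode the header of a frame as a capture shows it (preamble already removed)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    vid, offset = None, 12
    if frame[12:14] == struct.pack("!H", TPID_8021Q):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        vid, offset = tci & 0x0FFF, 16  # low 12 bits of the TCI are the VLAN ID
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "vlan": vid,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }

# Constructed sample frame: broadcast destination, locally administered source,
# EtherType 0x0800 (IPv4), dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed payload"
TAGGED_60 = add_tag(UNTAGGED, 60)  # what a trunk port sends for the guest VLAN

if __name__ == "__main__":
    for name, f in (("tagged", TAGGED_60), ("stripped", strip_tag(TAGGED_60))):
        print(name, parse_frame(f))
```

After `strip_tag` the frame is byte-for-byte the untagged original, which is why the receiving device has to assign a VLAN to it from its own port configuration.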

In DSA, (I think the 1900 with a recent version is DSA) put all the physical lan ports into one bridge.

config device
    option name 'br-lan'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

Then have a bridge-vlan for each VLAN number. Here is vlan 60 with lan1 trunked (tagged) and lan2 untagged. This will enable hardware switching from the trunked guest at the main router to a laptop etc plugged into lan2 for testing.

config bridge-vlan
    option device 'br-lan'
    option vlan '60'
    list ports 'lan1:t'
    list ports 'lan2:u*'

Finally, to actually instantiate the bridge it needs to be referenced in an interface section. This also establishes the name 'vlan60' (you might instead call it 'guest') which can be attached to a wifi AP with option network in the wireless file.

config interface 'vlan60'
    option device 'br-lan.60'
    option proto 'none'

Also for testing you can set the vlan60 interface to proto dhcp instead (be sure to set defaultroute 0 and peerdns 0) then check if OpenWrt is able to obtain an IP address from the main router. In normal operation it is insecure to have a guest network IP held by a dumb AP's kernel, so set it back to proto none when finished.

Thank you for your comment, see below. I have replaced the MAC address values with 'MACADDRESS'.

NETWORK SETTINGS:

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option packet_steering '1'
    option ula_prefix 'fde7:9449:e525::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config device
    option name 'lan1'
    option macaddr 'MACADDRESS'

config device
    option name 'lan2'
    option macaddr 'MACADDRESS'

config device
    option name 'lan3'
    option macaddr 'MACADDRESS'

config device
    option name 'lan4'
    option macaddr 'MACADDRESS'

config interface 'lan'
    option device 'br-lan'
    option proto 'dhcp'

config device
    option name 'wan'
    option macaddr 'MACADDRESS'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'

config device
    option type 'bridge'
    option name 'br-lan1'
    list ports 'lan1'
    list ports 'br-lan1.1'
    list ports 'br-lan1.20'
    list ports 'br-lan1.60'

config bridge-vlan
    option device 'br-lan1'
    option vlan '1'
    list ports 'br-lan1.1'
    list ports 'lan1'

config bridge-vlan
    option device 'br-lan1'
    option vlan '20'
    list ports 'br-lan1.20:t'
    list ports 'lan1:t'

config bridge-vlan
    option device 'br-lan1'
    option vlan '60'
    list ports 'br-lan1.60:t'
    list ports 'lan1:t'

config interface 'GUEST'
    option proto 'none'
    option device 'br-lan1.60'
    option type 'bridge'

config interface 'HOME'
    option proto 'none'
    option device 'br-lan1.20'
    option type 'bridge'

config interface 'MGMT'
    option proto 'none'
    option device 'br-lan1.1'

WIRELESS SETTINGS:

config wifi-device 'radio0'
    option type 'mac80211'
    option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
    option channel '1'
    option band '2g'
    option htmode 'HT20'
    option txpower '1'
    option cell_density '0'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'GUEST-WIFI'
    option encryption 'sae'
    option key 'password'
    option ieee80211w '1'
    option network 'GUEST'

config wifi-device 'radio1'
    option type 'mac80211'
    option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
    option channel '36'
    option band '5g'
    option htmode 'VHT80'
    option txpower '1'
    option cell_density '0'

config wifi-iface 'default_radio1'
    option device 'radio1'
    option mode 'ap'
    option encryption 'sae'
    option key 'password'
    option ieee80211w '1'
    option network 'HOME'
    option ssid 'HOME-WIFI'

I used Luci to configure the Dumb AP.

sorry, but your config is a complete mess :slight_smile: :slight_smile:

best is to reset to defaults and take @mk24 post as reference

or you could use this as starting point

It was reset to defaults, lol. I think there is still a lot I don't understand. I will check mk24's response.

Thank you for your message and advice, mk24.

I have used LuCi to create what you have suggested on my Dumb-AP, the wifi does not connect for some reason, I tried using my mobile phone to connect to GUEST-WIFI and it did not connect - the password was correct.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd5c:3daa:e1b3::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'MACADDRESS'

config device
	option name 'lan2'
	option macaddr 'MACADDRESS'

config device
	option name 'lan3'
	option macaddr 'MACADDRESS'

config device
	option name 'lan4'
	option macaddr 'MACADDRESS'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.128'
	option gateway '192.168.1.1'

config device
	option name 'wan'
	option macaddr 'MACADDRESS'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-lan.60'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan.60'
	option vlan '60'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config device
	option type 'bridge'
	option name 'br-lan.20'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan.20'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan2:u*'

config interface 'GUEST'
	option proto 'none'
	option device 'br-lan.60'

config interface 'HOME'
	option proto 'none'
	option device 'br-lan.20'

WIRELESS CONFIG

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option txpower '1'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'GUEST-WIFI'
	option encryption 'sae'
	option key 'password'
	option ieee80211w '1'
	option network 'GUEST'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option txpower '1'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'HOME-WIFI'
	option encryption 'sae'
	option key 'password'
	option ieee80211w '1'
	option network 'HOME'

I have also disabled the firewall and dnsmasq. Are there any other configuration(s) I could be missing?

Many thanks.

Delete this:

and this:

This is wrong....

remove the .60 from here so that it looks like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '60'
	list ports 'lan1:t'
	list ports 'lan2:u*'

Do the same for br-lan.20.

You have lan2 set as untagged on all 3 bridges (br-lan, br-lan.20, br-lan.60). A port may only have a single untagged network associated. This needs to be fixed... more in a moment.

I'd recommend making this change:

  • add:
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

then edit the lan to look like this (change br-lan to br-lan.1):

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.128'
	option gateway '192.168.1.1'

Now, critically, the tagging here must match the upstream (i.e. the router)... which port is connected to your router (lan1 or lan2 on the AP) and what is the configuration of the router with respect to the untagged/tagged networks?

For lan2, what do you want it to do? only one network can be untagged, the others should either be excluded or tagged.

Also, @newbie123987 - I've taken the liberty to add code block formatting to your post... in the future, please do this yourself...

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

2 Likes
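
The "only one untagged network per port" rule from the reply above can be checked mechanically before a config is applied. The following Python sketch is an added example, not part of the thread or of OpenWrt: it parses UCI text and reports ports that are untagged in more than one `bridge-vlan` section. `AS_POSTED` reproduces the two `bridge-vlan` sections from the poster's second config; `ONE_UNTAGGED` is a constructed layout. It assumes any port entry without a `t` flag is untagged.

```python
import re
from collections import defaultdict

def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'opts'} sections."""
    sections = []
    for raw in text.splitlines():
        # Tokens are either 'single quoted' values or bare words.
        words = [q or b for q, b in re.findall(r"'([^']*)'|(\S+)", raw)]
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            name = words[2] if len(words) > 2 else None
            sections.append({"type": words[1], "name": name, "opts": defaultdict(list)})
        elif words[0] in ("option", "list") and sections and len(words) >= 3:
            sections[-1]["opts"][words[1]].append(words[2])
    return sections

def untagged_conflicts(text):
    """Return {port: [vlan, ...]} for ports untagged in more than one VLAN."""
    untagged = defaultdict(set)
    for s in parse_uci(text):
        if s["type"] != "bridge-vlan" or not s["opts"].get("vlan"):
            continue
        vid = int(s["opts"]["vlan"][0])
        for entry in s["opts"].get("ports", []):
            port, _, flags = entry.partition(":")
            if "t" not in flags:  # assumption: no 't' flag means untagged
                untagged[port].add(vid)
    return {p: sorted(v) for p, v in untagged.items() if len(v) > 1}

def section(dev, vlan, *ports):
    """Helper for building sample bridge-vlan sections."""
    body = "".join(f"\tlist ports '{p}'\n" for p in ports)
    return f"config bridge-vlan\n\toption device '{dev}'\n\toption vlan '{vlan}'\n{body}\n"

# The two bridge-vlan sections from the second config in the thread.
AS_POSTED = (section("br-lan.60", 60, "lan1:t", "lan2:u*")
             + section("br-lan.20", 20, "lan1:t", "lan2:u*"))
# Constructed layout: VLAN 1 untagged, 20 and 60 tagged on lan1 only.
ONE_UNTAGGED = (section("br-lan", 1, "lan1:u*", "lan2:u*")
                + section("br-lan", 20, "lan1:t")
                + section("br-lan", 60, "lan1:t"))

if __name__ == "__main__":
    print("as posted:   ", untagged_conflicts(AS_POSTED))
    print("one untagged:", untagged_conflicts(ONE_UNTAGGED))
```

A non-empty result means a wired port would join two segments untagged, which defeats the separation between the guest and home VLANs.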

Hi Psherman,

Thank you for the changes and my apologies for not tagging the text appropriately, I will make sure I do this going forward - this is my first post on OpenWRT forum.

Thank you so much for your advice, the wireless access point works perfectly :slight_smile: :smiley:

The only problem is that I can now no longer access the wireless access point using LuCi from the IP address using Lan 1 or Lan 2. I made the changes using Vi. Prior to using Vi, I tried to use LuCi, but the web page said it was unreachable and I reversed the changes - is this normal or is there a configuration problem elsewhere?

Many thanks for your help.

What is the vlan configuration of the upstream device? That is critical since the ap needs to match.

Just checked my main router and there was a problem, fixed the vlan - it was sending tagged vlan 1, changed to untagged 1, it now works!

Thank you for your help, and everyone else!

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
