Problems setting up VLAN for guest wifi

Hi, I'm having problems setting up (understanding) VLANs. I'm not new to Linux or OpenWrt or networks, but I've never set up anything with VLANs before and I'm stuck.

I have a Ubiquiti Unifi AP Pro running OpenWrt 19.07.5. I've set up a wifi network (HOME) which works fine, but now I'm trying to set up a guest wifi (GUEST) that is only allowed out on the internet, and can't access my NAS or anything else on my home network, and I can't get it to work.

So I've created a guest interface (from /etc/config/network):

config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.3'

And a vlan 3 (from /etc/config/network):

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 1t 2t'
        option vid '3'

DHCP is running on the guest network (from /etc/config/dhcp):

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

My guest wifi network is using the guest interface (from /etc/config/wireless):

config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option key 'REALLYSECRETGUESTKEY'
        option ssid 'GUEST'
        option encryption 'psk2'

Firewall settings are basically identical to those of the lan network (from /etc/config/firewall):

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

When I connect my laptop to the GUEST wifi, I get an IP address (192.168.3.208) from OpenWrt's DHCP server, but I can't get anywhere. When I run tcpdump on the br-guest interface on OpenWrt and try to connect to anything, I just see a SYN and an RST packet. Same thing with ping: I just see the echo request packet and an ICMP port unreachable reply. tcpdumping on br-lan, eth0, eth0.1, eth0.2, eth0.3, lo, wlan0, and wlan1 gives nothing. tcpdumping on wlan0-1 is the same as on br-guest.

I was expecting to see some 802.1Q tagged packets going out on eth0 or eth0.3, but it's just quiet (the link is up, and works just fine when I use the HOME wifi network). Not even any ARP packets, which means I can't blame anything other than my OpenWrt configuration.

So it feels I'm missing something basic. Do I need to add some firewall rule? If so, what? Do I need to set up some routing, or do something else with the VLAN?

I have tried reading up on how VLANs work and are configured on OpenWrt, but it feels like I'm missing or misunderstanding something. I've done the trial and error thing for far too many hours now, so I hope you guys can help me out.
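The firewall snippet in the question keeps guests out of the other zones only because `guest -> wan` is the sole `config forwarding` entry; the zone-level `option input 'ACCEPT'` still lets guests reach every service running on the AP itself. The usual guest-zone recipe is `input REJECT` / `forward REJECT` plus two explicit rules that allow only DHCP (udp/67) and DNS (53) to the router. The script below is an added example, not code from the thread or from OpenWrt: it parses UCI text with a small hand-written parser and audits a guest zone for those points. The two sample configs are constructed (the first reproduces the thread's zone, the second is the hardened variant), and the finding texts encode OpenWrt's firewall semantics as assumed here: a `config rule` without `dest` terminates on the router, and inter-zone forwarding exists only where a `config forwarding` grants it.

```python
"""Audit an OpenWrt /etc/config/firewall for a guest zone that should reach only the uplink.
Added example; the sample configs are constructed and none of this is OpenWrt's own code."""
import shlex


def parse_uci(text):
    """Minimal parser for UCI's 'config <type> [name] / option <key> <value>' text format."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # shlex handles the single-quoted values
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "opts": {}}
            sections.append(cur)
        elif cur is not None and parts[0] == "option":
            cur["opts"][parts[1]] = parts[2] if len(parts) > 2 else ""
    return sections


def _port_in(spec, port):
    """True if 'port' falls inside a dest_port spec such as '53', '67-68' or '67 68'."""
    for item in spec.split():
        lo, _, hi = item.partition("-")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False


def _router_allows(rules, zone, port):
    """Is there an explicit ACCEPT rule from 'zone' to the router itself on UDP 'port'?"""
    for r in rules:
        o = r["opts"]
        if o.get("src") != zone or "dest" in o:  # a 'dest' makes it a forwarding rule
            continue
        if o.get("target", "").upper() != "ACCEPT" or "udp" not in o.get("proto", "tcp udp").lower():
            continue
        if _port_in(o.get("dest_port", ""), port):
            return True
    return False


def audit_guest_zone(text, zone="guest", uplink="wan"):
    """Return (code, explanation) findings for a zone meant to reach only 'uplink'."""
    sections = parse_uci(text)
    zones = [s for s in sections if s["type"] == "zone" and s["opts"].get("name") == zone]
    if not zones:
        return [("NO_ZONE", f"no firewall zone named {zone!r}")]
    z, findings = zones[0]["opts"], []
    # Zone policies: 'input' is zone -> router, 'forward' is between networks inside the zone.
    if z.get("input", "").upper() == "ACCEPT":
        findings.append(("INPUT_ACCEPT", "guests reach every service on the router itself (ssh, LuCI, ...)"))
    if z.get("forward", "").upper() == "ACCEPT":
        findings.append(("FORWARD_ACCEPT", "traffic is forwarded between all networks attached to the zone"))
    # Inter-zone forwarding exists only where a 'config forwarding' grants it.
    for f in sections:
        if f["type"] == "forwarding" and f["opts"].get("src") == zone and f["opts"].get("dest") != uplink:
            findings.append(("LATERAL_FORWARDING",
                             f"{zone!r} may forward into {f['opts'].get('dest')!r}, not just {uplink!r}"))
    # With input REJECT/DROP the zone still needs DHCP and DNS to the router to be usable.
    if z.get("input", "").upper() != "ACCEPT":
        rules = [s for s in sections if s["type"] == "rule"]
        if not _router_allows(rules, zone, 67):
            findings.append(("NO_DHCP_RULE", "no rule allows udp/67: guests will not get a lease"))
        if not _router_allows(rules, zone, 53):
            findings.append(("NO_DNS_RULE", "no rule allows udp/53: guests cannot use the router's resolver"))
    return findings


# Constructed sample: the zone exactly as the thread shows it (every policy ACCEPT).
PAGE_FIREWALL = """
config zone 'guest'
        option name 'guest'
        option network 'guest'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'
"""

# Constructed sample: the same zone with router access limited to DHCP and DNS.
HARDENED_FIREWALL = (
    PAGE_FIREWALL.replace("option input 'ACCEPT'", "option input 'REJECT'")
    .replace("option forward 'ACCEPT'", "option forward 'REJECT'")
    + """
config rule 'guest_dhcp'
        option src 'guest'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule 'guest_dns'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
"""
)
```

Run `audit_guest_zone(PAGE_FIREWALL)` against the thread's own zone and it reports `INPUT_ACCEPT` and `FORWARD_ACCEPT`; the hardened variant reports nothing, and dropping the DNS rule from it yields `NO_DNS_RULE`, which is the usual reason a "locked down" guest SSID gets a lease but cannot resolve names.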

Try to avoid unnecessary port tagging.
Isolate the issue by removing Ethernet interface from the guest bridge.

Like this?:

config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

Unfortunately that doesn't make a difference as far as I can tell, still can't get anywhere and tcpdump output is the same.


Sigh. It turns out the switch between the Ubiquiti and the router needed some configuration changes to pass along the VLAN packets. Now it's all working.
