RBM33G Dumb AP PoE WAN port as Maintenance Port

Is it possible to set up the WAN port on an RBM33G with VLANs in Dumb AP mode as the maintenance port? I've tried several different scenarios and keep locking myself out.

I'm trying to have nothing but the PoE WAN port plugged into the network as it provides power, but also have it be the maintenance port with a statically assigned IP address.

All VLANs configured as unmanaged via the LuCI GUI, with bring up on boot checked, bridge interfaces checked, STP checked, and IGMP checked.

Unsure how to set the switch config, however, I currently have it configured as such... and the statically assigned IP on the WAN port is still unreachable.

I've tried making the WAN port part of the LAN via changing the switch config as such, however, doing so brings the rest of the network down completely.

Tagged and untagged on the same port doesn't always work on consumer-grade hardware. Ports that are used for untagged traffic from a VLAN should be turned off in all the other VLANs.

Assuming you use VLAN 1 as the management VLAN, the network attached to eth0.1 should be configured with a static IP and suitable netmask. It does not need a gateway or DNS server or a firewall zone. This will allow management login to the router's OS.

@mk24 the WAN port is eth0.2 where the eth0.1 is the LAN 1. The upstream switch I'm using handles untagged and tagged traffic fine, in fact it defaults untagged traffic to be tagged with what the port VLAN is set to. Is there a way to set eth0.2 as the maintenance port with static IP and have it be visible from the upstream side? I feel like I've tried just about every combination possible, but maybe not.

If I set the other VLANs with statics as suggested in the dumb AP docs, the dumb AP is accessible via those IPs if you're on the upside aka connected to one of those VLANs' WiFi. I'm not wanting that however...

The VLANs that are only wired to wifi bridges should have proto none. The one you use for administration must have an IP address.

That's exactly what I'm wanting to do, just clarifying that though all WiFi VLANs are set to proto none, and setting eth0.2 with a static, that static is not visible for some reason from the upstream side. I'm hoping I'm just missing something really dumb in the config. Firewall has been removed.

To avoid locking yourself out, connect over WiFi while you are working on the switch config.
Add a WiFi SSID connected to your management interface if necessary.

This means you likely want to set all VLANs as tagged on the WAN port (except VLAN 2 perhaps, which is the ISP uplink on your main router).

Please don't try to set up the WAN connector as a dedicated maintenance port and as a multi-VLAN uplink at the same time.

Let me try to explain the relationship between the IP address and the physical ethernet socket:

  1. The IP address is assigned to a "logical" interface as set up in LuCI. This logical (OpenWrt) interface is connected to a VLAN by specifying a Linux interface name like eth0.1 in "Physical Settings".
  2. The external ethernet connectors (ports) are also connected to VLANs, this time in the switch config.

Despite the identical name, the logical WAN interface in LuCI is completely different from the WAN connector on the device enclosure and in the switch config.

You should do the following on the AP:

  • Decide on a VLAN ID as your maintenance VLAN, which is separate from all VLANs used by ordinary clients.
  • Dedicate a logical interface for maintenance, and assign to it a static IP address from a separate subnet. This could be the default LAN interface or a new interface created by you. However, it must not be used by ordinary clients. The default WAN interface is unsuitable for maintenance access unless you also adjust the firewall.
  • Connect the interface to the VLAN by specifying the "physical interface" as eth0.1, or whatever your chosen VLAN ID is.
  • In the switch config, set the VLAN as "tagged" on the WAN ethernet connector. This allows your admin PC to be connected to the main router and still be able to manage the AP. A matching config on the main router and the switch is needed to make this work.

To enable access to this maintenance VLAN and interface from your admin PC, do one or more of the following:

  • In the AP's switch config, set one of the LANx ports to carry the maintenance VLAN untagged, and no other VLAN. You can plug your admin PC into this port for AP maintenance.
  • Do the same, but on your main router.
    Also make sure it knows about the tagged maintenance VLAN on the other port which is connected to the AP. The same applies to the managed switch in between.
  • Create a WiFi SSID and specify your maintenance interface as the network.

Be sure to use tagged VLANs on all the links between router, switch and access point.
User-facing ports should be untagged.
A port can carry either a single untagged VLAN, or multiple tagged VLANs.

Although some devices can mix tagged and untagged VLANs on a port, don't try this here; it might even be the cause of the problems we are discussing.

As I learnt in a previous thread, VLAN 2 is the ISP uplink on your main router. Don't use it anywhere else; choose a different ID for the maintenance VLAN. Since you are using VLAN tagging between devices, each VLAN ID has a single purpose across all the devices involved and must not be reused for something else.

By the way, please don't start a new thread if your question still fits the topic of an existing thread, because newcomers will miss out on the information given previously. At least, link to the previous discussion. For a new topic, opening a new thread is fine (and recommended).
If the discussion stalls, wait a couple of days and check carefully if you answered all the questions that you were asked.
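
An added example, not from any poster in the thread: a small sh/awk lint for the rule given above that a port carries either a single untagged VLAN or only tagged VLANs, run over `switch_vlan` sections in `/etc/config/network` syntax. The port numbers (0 as uplink, 1 as admin port, 6 as CPU port) and VLAN IDs 2, 10 and 99 are constructed assumptions, not the RBM33G's actual port map.

```shell
#!/bin/sh
# Added example: flag switch ports that break "one untagged VLAN OR tagged-only".
# Port numbers and VLAN IDs below are constructed, not the RBM33G's real mapping.

check_switch_vlans() {   # UCI text on stdin; prints findings, returns 1 if any
    out=$(awk -v q="'" '
        $1 == "config" { in_vlan = ($2 == "switch_vlan"); next }
        in_vlan && $1 == "option" && $2 == "ports" {
            gsub(q, ""); gsub(/"/, "")        # strip UCI quotes; fields re-split
            for (i = 3; i <= NF; i++) {
                p = $i
                if (p ~ /t$/) { sub(/t$/, "", p); tagged[p]++ } else untagged[p]++
                seen[p] = 1
            }
        }
        END {
            for (p in seen) {
                if (untagged[p] > 1) print "port " p ": untagged in " untagged[p] " VLANs"
                if (untagged[p] >= 1 && tagged[p] >= 1) print "port " p ": mixes tagged and untagged"
            }
        }' | LC_ALL=C sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

sample_mixed() { cat <<'EOF'
config switch_vlan
    option vlan '2'
    option ports '0 6t'
config switch_vlan
    option vlan '10'
    option ports '0t 6t'
EOF
}   # constructed: uplink port 0 is untagged in VLAN 2 and tagged in VLAN 10

sample_trunk() { cat <<'EOF'
config switch_vlan
    option vlan '99'
    option ports '0t 1 6t'
config switch_vlan
    option vlan '10'
    option ports '0t 6t'
EOF
}   # constructed: port 0 tagged-only trunk, port 1 untagged in VLAN 99 only

sample_mixed | check_switch_vlans || echo "^ uplink layout has findings"
sample_trunk | check_switch_vlans && echo "trunk layout: no findings"
```

On a real device the same function can read the live file with `check_switch_vlans < /etc/config/network` before the change is applied.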