Sanity check my OpenWrt setup before I deploy a change?

I'm converting my network from a dumb network to a smart network with managed switches supporting VLANs. I've done some work on the managed switches, though they're not installed yet. VLAN 1 is networking devices, VLAN 4 is my devices, VLAN 5 is my vendor and appliance devices. In support of this, I've separated out my SSIDs, so the main network gets an IP on VLAN 4 and the guest network gets IPs on VLAN 5.

I have TP-Link RE450 v2s, so like a wireless extender in access point mode, running OpenWrt. They're set up and good to go. The main question is, what do I need to do to make sure the single Ethernet port on there connecting back to the switches is "trunked" to carry traffic for all the VLANs? I've been using the GUI, but if that's a mistake, I can switch to the CLI where I'm less comfortable.

As I see it, I need to go into the network -> interfaces -> devices tab -> bridge device -> configure -> Bridge VLAN Filtering, then make sure I have entries for 1, 4, and 5 "untagged". Is that it? Is there a different way to solve this?

Thanks!

The uplink to the switch will be a trunk, so the VLANs on that port will be tagged (a trunk carries at most one untagged/native VLAN).
Then each vlan will be associated to an interface and that interface will be linked to an SSID.
The interface with the management vlan will have an IP/mask/gw/dns.
The rest will be unmanaged interfaces.

How does that work? When I go to interfaces, I have a single bridge interface. When I go to devices, I have the bridge, then a bunch of eth and wlan devices I can't edit.

I'm pretty new on my networking journey, would it be helpful to output any config?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords (in particular the `option key` lines in the wireless config), MAC addresses and any public IP addresses before posting.

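# Collect the standard OpenWrt diagnostics for a forum post: board info, then
# the network, wireless, dhcp and firewall UCI packages, then the legacy
# iptables hook file. Wi-Fi PSKs ('option key' lines) are masked on the way
# out so a real passphrase is not pasted by accident; MAC addresses, other
# secrets (e.g. RADIUS/PPPoE passwords, if any) and public IPs still have to
# be redacted by hand before posting.
ubus call system board; \
uci export network; \
uci export wireless | sed -E "s/(option key ).*/\1'REDACTED'/"; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user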
{
	"kernel": "5.4.179",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link RE450 v2",
	"board_name": "tplink,re450-v2",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.2",
		"revision": "r16495-bf0c965af0",
		"target": "ath79/generic",
		"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
	}
}
package network

# Loopback; unchanged OpenWrt default.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# The single physical port (eth0) is bridged into br-lan. There are no
# bridge-vlan sections yet, so br-lan is VLAN-unaware: everything arriving on
# eth0 and every SSID bound to 'lan' share one flat L2 domain.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# Management interface: static IP on the flat bridge. No interface named 'wan'
# or 'wan6' is defined in this package, so firewall rules that reference a
# 'wan' zone are inert on this AP. The AP itself resolves via 10.1.2.10 with
# 8.8.8.8 as fallback.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '10.1.1.20'
	option netmask '255.255.0.0'
	option gateway '10.1.1.1'
	list dns '10.1.2.10'
	list dns '8.8.8.8'
	option ipv6 '0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

# Main 5 GHz SSID. 'psk2+tkip+ccmp' still permits TKIP; prefer 'psk2+ccmp'
# (WPA2 with AES only) unless a legacy client genuinely needs TKIP. The same
# applies to all four SSIDs below. Key redacted by the poster.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2+tkip+ccmp'
	option key '********'
	option ssid 'Surfrock66 Wireless 5Ghz'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

# Main 2.4 GHz SSID; same encryption note as above.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2+tkip+ccmp'
	option key '********'
	option ssid 'Surfrock66 Wireless 2.4Ghz'

# Guest SSIDs: both are bound to 'network lan', the same bridge as the main
# SSIDs, so at this point guest clients sit on the same L2 segment as every
# other device. The guest/main split only takes effect once these point at
# an interface backed by the VLAN-5 bridge sub-device.
# NOTE(review): consider 'option isolate '1'' on the guest SSIDs to stop
# guest clients talking to each other through the AP — confirm requirements.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Surfrock66 Wireless 5Ghz Guest'
	option encryption 'psk2+tkip+ccmp'
	option key '********'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Surfrock66 Wireless 2.4Ghz Guest'
	option encryption 'psk2+tkip+ccmp'
	option key '********'
	option network 'lan'

package dhcp

# dnsmasq keeps running with the router defaults. It is not needed on an AP
# that serves no DHCP, but is harmless as configured ('localservice' limits
# DNS answers to directly attached subnets).
# NOTE(review): it could be disabled to reduce listening services — confirm
# nothing relies on the AP for DNS.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# DHCP is disabled on 'lan' ('ignore 1'): the AP hands out no leases, which is
# correct for an access point whose DHCP server sits upstream.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

# No 'wan' interface exists on this AP; inert default.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

# Default policies. INPUT is ACCEPT, and the only zone backed by a real
# interface ('lan') also accepts input, so ssh/LuCI on this AP are reachable
# from every client on br-lan — which at this stage includes the guest SSIDs.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# No interface named 'wan' or 'wan6' exists in this AP's network config, so
# this zone, the lan->wan forwarding and every 'src wan' rule below are inert
# leftovers of the router defaults; they neither protect nor expose anything.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Hook for hand-written iptables rules (21.02 still uses iptables); the
# included file contains only comments on this device.
config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

Check the fourth scenario in the DSA tutorial.
You need to config bridge-vlans for each vlan and then assign an interface to them.
Remember to use protocol "Unmanaged" (`proto 'none'` in UCI) for the interfaces carrying client traffic, and leave the interface with the static IP for management of the device.

I think I have it set up, but I'm not sure I've fully associated an SSID with a specific VLAN, and I'm not seeing how to do that? I see nothing in the device settings or the wireless settings that link an SSID to a VLAN. That being said, my DHCP server assigns static IPs based on MAC which are already on the correct subnet, and all clients are already talking to the correct SSID, so when I switch this over the clients will hopefully get the right VLAN, but I feel like I'm missing something. This is what I'm seeing in the UI:

And here is the output from the CLI:

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user
{
	"kernel": "5.4.179",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link RE450 v2",
	"board_name": "tplink,re450-v2",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.2",
		"revision": "r16495-bf0c965af0",
		"target": "ath79/generic",
		"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
	}
}
package network

# Loopback; unchanged OpenWrt default.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# The single physical port (eth0) is bridged into br-lan. Still no bridge-vlan
# sections, so br-lan remains VLAN-unaware: eth0 and every SSID bound to 'lan'
# share one flat L2 domain — nothing has changed since the first dump.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# Management interface: static IP on the flat bridge. No 'wan'/'wan6'
# interface is defined, so firewall rules referencing a 'wan' zone are inert.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '10.1.1.20'
	option netmask '255.255.0.0'
	option gateway '10.1.1.1'
	list dns '10.1.2.10'
	list dns '8.8.8.8'
	option ipv6 '0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

# Main 5 GHz SSID. 'psk2+tkip+ccmp' still permits TKIP; prefer 'psk2+ccmp'
# (WPA2 with AES only) unless a legacy client genuinely needs TKIP. The same
# applies to all four SSIDs. Key redacted by the poster.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2+tkip+ccmp'
	option key '--------'
	option ssid 'Surfrock66 Wireless 5Ghz'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

# Main 2.4 GHz SSID; same encryption note as above.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2+tkip+ccmp'
	option key '--------'
	option ssid 'Surfrock66 Wireless 2.4Ghz'

# Guest SSIDs are still bound to 'network lan', i.e. the same bridge as the
# main SSIDs: guest clients are on the same L2 segment as everything else.
# This is the missing link the poster asks about — an SSID is tied to a VLAN
# by pointing 'option network' at an interface backed by that VLAN's
# bridge sub-device; DHCP reservations do not decide VLAN membership.
# NOTE(review): 'option isolate '1'' on guest SSIDs blocks guest-to-guest
# traffic through the AP — confirm whether that is wanted.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Surfrock66 Wireless 5Ghz Guest'
	option encryption 'psk2+tkip+ccmp'
	option key '--------'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Surfrock66 Wireless 2.4Ghz Guest'
	option encryption 'psk2+tkip+ccmp'
	option key '--------'
	option network 'lan'

package dhcp

# dnsmasq keeps running with the router defaults; not needed on an AP that
# serves no DHCP, but harmless as configured ('localservice' limits DNS
# answers to directly attached subnets).
# NOTE(review): could be disabled to reduce listening services — confirm
# nothing relies on the AP for DNS.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# DHCP disabled on 'lan' ('ignore 1'): the AP hands out no leases; the
# upstream server is authoritative.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

# No 'wan' interface exists on this AP; inert default.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

# Default policies. INPUT is ACCEPT and the 'lan' zone accepts input, so
# ssh/LuCI on this AP are reachable from every client on br-lan, guest
# SSIDs included while they are still bound to 'lan'.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# No interface named 'wan' or 'wan6' exists in this AP's network config, so
# this zone, the lan->wan forwarding and every 'src wan' rule below are inert
# router defaults.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Hook for hand-written iptables rules (21.02 still uses iptables); the
# included file contains only comments on this device.
config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

Repeating the steps.

Sorry, I am not fully understanding. There is only 1 ethernet port on the device, and that bridges "eth0." That device has 3 vlan devices now for the 3 vlans that ethernet port sees (1, 4, and 5, the latter 2 being wifi clients). Are those the "bridge-vlans" you're talking about, or do I need to make a new interface for each vlan?

If that's the case, if I make a new interface, do I create it as "Unmanaged" and associate "br-lan.4" as the device? Then I can assign the SSID to that interface? Then I do the same thing for VLAN 5 associated with "br-lan.5"? The only thing that needs VLAN 1 is the AP itself, so I don't need to make a separate interface for that, do I?

Edit: I just wanna say thanks for the help, because I know I'm a bit slow on the uptake with all this as I'm just learning how to go from an unmanaged network to a managed network and I don't have my head wrapped around all the concepts yet. Most of my learning has been on the switches I've procured, and the AP side of it has been secondary.

That is the case.
Associate the br-lan.subif to an interface. Then link an SSID to an interface.

Interestingly, when I try to do the first part of that change (make the 3 devices under Bridge VLAN filtering) it fails to apply and reverts. These are the changes it says need to be made:

# Changes LuCI generated for the Bridge VLAN filtering page (the apply that
# failed its connectivity check and rolled back). Port-entry syntax:
# 'eth0' alone = untagged member, ':t' = tagged, '*' = PVID for the port.
# Enabling filtering changes what the management IP (still on plain br-lan)
# sees on the only uplink, which is presumably why the rollback fired — TODO
# confirm; the reply recommends applying from a Wi-Fi session.
uci add network bridge-vlan # =cfg05a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='1'
uci add_list network.@bridge-vlan[-1].ports='eth0:u*' # VLAN 1: untagged and PVID
uci add network bridge-vlan # =cfg06a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='4'
uci add_list network.@bridge-vlan[-1].ports='eth0' # VLAN 4 untagged: a trunk allows one untagged VLAN and VLAN 1 already is; should be 'eth0:t'
uci add network bridge-vlan # =cfg07a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='5'
uci add_list network.@bridge-vlan[-1].ports='eth0' # VLAN 5 untagged: same problem; should be 'eth0:t'

Connect over Wi-Fi to make the changes, so that you don't lose connectivity while the Ethernet port is reconfigured and the apply doesn't fail its rollback check.
One more thing: in those commands VLANs 4 and 5 are added as plain `eth0`, i.e. untagged; on a trunk they need to be tagged (`eth0:t`).

Ok, I finally replaced my L2 and L3 switches so I could implement this change on my 3 AP's. On the first, it failed completely and I'm locked out of the device; I'm looking at a factory reset and a reloading previous firmware.

I was doing the "Bridge VLAN filtering" to make the 3 VLAN tags, and it came back and said it failed and I told it to apply anyway. That's when it locked me out. Since I don't have DHCP running on this AP, it had a manual static IP and I was connected from a laptop also with a static IP.

I think this was mostly an order of events problem? On the L2 switch this AP is connected to the port is trunked with vlans 1, 4, and 5. The ethernet port on this AP should carry 1, 4, and 5, then of the 4 SSID's (2.4, 2.4 Guest, 5, 5 Guest) 2 are vlan 4 and 2 are vlan 5.

What's the order of operations for implementing this correctly?

First make an out-of-band management SSID (one bound to the management interface). Make sure you can connect to it, and only then make the changes that affect the Ethernet port.

Applying anyway after the confirmation step fails is a red flag: that rollback exists precisely to keep you from locking yourself out.

I had the config backed up and was ready to factory reset and restore, which is why I did it not worried.

I'm not fully understanding how the bridge interfaces work. This is a device with a single ethernet port, so I think I'm using DSA? But most of the documentation I see uses DSA with multiple ethernet ports; I'm dealing with a single.

Out of the box, the single eth0 port is bridged into br-lan automatically, I didn't touch that. Do I then create new devices, and if so, are they bridge devices, or 802.1Q devices? I've been doing the latter; do I associate them with the eth0 device, or the bridge device? I've been associating them with the bridge. I then enable bridge vlan filtering, vlan 1 being pvid and tagged, then vlan 4 and 5 untagged. If I save and apply this (then go to the upstream switch and configure the port accordingly) the switch goes unreachable, and eventually reverts itself and is reachable again after I revert upstream port changes.

I've read a lot about this, but the way devices and interfaces will work here is still over my head as everything I'm reading about DSA seems to best work with devices with multiple physical ports. Then again, I saw this, which makes me think I just create whole new bridges...but what device would I associate those with, the existing default bridge, or the ethernet port? https://openwrt.org/docs/guide-user/network/vlan/switch_configuration#assigning_vlan_ids_using_dsa_on_devices_with_one_physical_port

You can have at most one untagged (native/PVID) VLAN on a trunk port; the rest must be tagged.

That or make a br-lan.1, br-lan.4, and br-lan.5

I finally got it, thanks for the help. If it makes sense, this is what I have for /etc/config/network:

cat /etc/config/network

# Loopback; unchanged OpenWrt default.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1a:6c57:c141::/48'

# Management interface, now bound to the VLAN-1 sub-device of the bridge
# (br-lan.1) rather than the whole bridge, so the AP's only IP lives in the
# management VLAN. The gateway is 10.1.1.30 here (it was 10.1.1.1 in the
# earlier dumps) — presumably the new L3 switch; verify.
config interface 'lan'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '10.1.1.20'
	option netmask '255.255.0.0'
	option gateway '10.1.1.30'
	option device 'br-lan.1'

config device
	option name 'eth0'
	option ipv6 '0'

# The single uplink port, bridged; VLAN membership is defined by the
# bridge-vlan sections below.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# VLAN 1: 't*' = tagged on eth0 and also the PVID (untagged ingress frames
# land in VLAN 1). The switch side should carry VLAN 1 tagged for this to
# line up; 'u*' would be the choice if the switch sent VLAN 1 untagged/native
# — verify against the switch port config.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t*'

# Client VLANs: tagged only ('t'). Only one VLAN can be untagged on a trunk,
# and that slot is the PVID above.
config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth0:t'

# Client-VLAN interfaces: 'proto none' (Unmanaged), so the AP has no address
# on VLANs 4/5; they exist only so SSIDs can be bound to br-lan.4 / br-lan.5.
# They belong to no firewall zone, which is fine as long as the AP itself has
# no L3 presence on them — the management IP stays reachable only via VLAN 1.
config interface 'lan4'
	option proto 'none'
	option device 'br-lan.4'

config interface 'lan5'
	option proto 'none'
	option device 'br-lan.5'

On the bridge, I added VLAN filtering for VLANs 1/4/5. VLAN 1 is the PVID and tagged (`t*`); the other two are tagged only (`t`). That creates 3 devices of the 802.1Q type, one for each VLAN. Going back to interfaces, I changed the default "LAN" interface to be backed by the VLAN 1 bridge device (br-lan.1) and gave that the IP. Then I created 2 other unmanaged interfaces, one for each VLAN, each backed by the correct br-lan device for the VLAN. When I then made the SSIDs, I associated them with the correct interface, robert is your mother's brother, all is working.

I needed to work through it to understand it, but now it's good to go!
