I want to use a management VLAN on my bridged AP and ensure that only that network has access to the administration of that device. Here's the current situation:
I referred to one of our older threads regarding carrying vlans. I mimicked that config for vlan10 and vlan30.
I mimicked the current good-known-config for vlan10 to vlan30 on the switch vlans.
I am able to connect to vlan10 via SSID. I am getting connected, no internet. It is not pulling a 10.x address
I am pulling a 192.168.30.x IP from eth4 on the router but unable to ssh to the AP when vlan30 is selected as the ssh interface.
current config:
AP
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd91:4cfb:b589::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.1'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan:u*'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan:t'
config interface 'vlan10'
option device 'br-lan.10'
option proto 'none'
option type 'bridge'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'lan:t'
config interface 'vlan30'
option device 'br-lan.30'
option proto 'none'
router
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'eth1:t'
list ports 'eth2:u*'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth1:u*'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'eth1:t'
list ports 'eth3:u*'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'eth1:t'
list ports 'eth4:u*'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option delegate '0'
option ipv6 '0'
config interface 'GST'
option proto 'static'
option device 'br-lan.10'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface 'cams'
option proto 'static'
option device 'br-lan.20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
config interface 'mgmt'
option proto 'static'
option device 'br-lan.30'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
fw
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'vlan_1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'vlan_10'
option output 'ACCEPT'
option forward 'REJECT'
option input 'ACCEPT'
list network 'GST'
config zone
option name 'cams'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'cams'
config zone
option name 'mgmt'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'mgmt'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'vlan_1'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-vlan10-DNS'
option src 'vlan_10'
option dest_port '53'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config rule
option name 'Allow-vlan10-DHCP'
list proto 'udp'
option src 'vlan_10'
option dest_port '67-68'
option target 'ACCEPT'
config forwarding
option src 'vlan_10'
option dest 'wan'