Setup dumb AP on second LAN port with VLAN

Dear all,
I have an old router which now runs OpenWrt. I would like to repurpose this router as an access point. My idea is to map multiple LAN-based VLANs to multiple SSIDs, one SSID per VLAN. For security and convenience reasons, I am thinking about keeping the "normal" mode on LAN port 1, meaning that the web interface, the DHCP server etc. keep running there. For the real work, I would only use LAN port 2, which accepts incoming traffic on multiple VLANs and bridges that traffic to the corresponding SSIDs. However, I have had no luck setting up this bridging.

Here are my configs:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as first posted: a management bridge (br-lan on eth0.1)
# plus a VLAN 5 interface, GUESTINTF, which the wireless config attaches its
# SSIDs to.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd01:8b86:1c46::/48'

# Bridge declared in its own device section; the 'lan' interface below only
# refers to it by name.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# Management network: the only interface here that is meant to carry the
# router's own address (192.168.1.1).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: switch ports 0, 2 and 3 untagged, port 8 tagged.
# Presumably port 8 is the CPU port behind eth0 -- confirm for this board.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 3 8t'

# VLAN 5: tagged on port 1 and on port 8, so port 1 carries it as a trunk.
config switch_vlan
        option device 'switch0'
        option vlan '5'
        option description 'GUEST'
        option ports '1t 8t'

config device
        option name 'wlan0'
        option ipv6 '0'

# NOTE(review): 'option type bridge' sits in the interface section here, while
# 'lan' above uses a separate 'config device' bridge. The first reply in this
# thread identifies this placement as the problem.
# NOTE(review): the static address puts an IP of this router on the VLAN that
# the SSIDs are attached to; a later reply recommends proto 'none' for such
# bridged interfaces so wireless clients cannot reach services on the router.
config interface 'GUESTINTF'
        option device 'eth0.5'
        option type 'bridge'
        option proto 'static'
        option ipaddr '10.0.5.48'
        option netmask '255.255.255.0'
        option gateway '10.0.5.1'

# 802.1Q sub-interface of eth0 for VLAN ID 5, with IPv6 turned off.
config device
        option name 'eth0.5'
        option type '8021q'
        option ifname 'eth0'
        option vid '5'
        option ipv6 '0'
root@OpenWrt:~# cat /etc/config/wireless

# /etc/config/wireless as first posted: one radio with two AP definitions,
# both attached to the GUESTINTF network.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option cell_density '0'
        option htmode 'HT40'
        option txpower '19'

# First AP definition; 'disabled 1' at the end switches it off.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        # 802.11r fast-transition options.
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option encryption 'psk2'
        # NOTE(review): short, guessable passphrase -- presumably a test value;
        # replace it before the AP carries real traffic.
        option key 'test1234'
        option network 'GUESTINTF'
        option disabled '1'

# Second AP definition, the one that is enabled in this version.
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'SSID2'
        option encryption 'psk2'
        # NOTE(review): same passphrase as the AP above -- presumably a test value.
        option key 'test1234'
        option network 'GUESTINTF'

I can ping the router on 10.0.5.48, so the incoming VLAN seems to work. I also tried a DHCP client on this interface and that works as well. However, when I connect to the SSID, I get no IP address via DHCP from the central router, and it does not work either if I manually set an IP address on the wireless client. It seems that OpenWrt is somehow not bridging the interfaces.

What am I doing wrong?

Thanks!

Julius

Bridge definitions no longer belong in the interface section.

Look at the syntax for your lan interface - notice the way the bridge is defined. Use that as a template for your second vlan.


Thank you very much for the hint. It seems that it is better to work on the CLI than with LuCI...

Now one of the bridges is working (the one for VLAN ID 5). Unfortunately the second VLAN is not: DHCP already fails. What is very strange is that I can ping the OpenWrt box (10.0.12.48 in this config) from a wireless client if I configure a static IP on the wireless client. From the OpenWrt box, though, I cannot ping the router at 10.0.12.1. So the problem seems to be on the Ethernet side, not on the wireless side.

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network, second version: every bridge is now a 'config device'
# section, and each interface refers to its bridge by name. VLAN 5 backs the
# 'internal' network and VLAN 12 the 'guest' network.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# Management network with the router's own address.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: ports 0-3 untagged, port 8 tagged. Port 1 is therefore untagged in
# VLAN 1 and, per the sections below, also tagged in VLANs 5 and 12.
# Presumably port 8 is the CPU port behind eth0 -- confirm for this board.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 8t'

# Bridge for the internal network, with eth0.5 as its only wired port.
config device
        option name 'internal-lan'
        option type 'bridge'
        list ports 'eth0.5'

# NOTE(review): static address on a bridged VLAN; a later reply in this thread
# recommends proto 'none' for these interfaces.
config interface 'internal'
        option device 'internal-lan'
        option proto 'static'
        option ipaddr '10.0.5.48'
        option netmask '255.255.255.0'

# VLAN 5: tagged on port 1 and port 8.
config switch_vlan
        option device 'switch0'
        option ports '1t 8t'
        option vlan '5'
        option description 'internal'

# Bridge for the guest network, with eth0.12 as its only wired port.
config device
        option name 'guest-lan'
        option type 'bridge'
        list ports 'eth0.12'

# NOTE(review): this gives the router an address on the guest VLAN, and the
# poster reports that a wireless client can ping 10.0.12.48. A later reply
# recommends proto 'none' here so guests cannot reach IP services on the AP.
config interface 'guest'
        option device 'guest-lan'
        option proto 'static'
        option ipaddr '10.0.12.48'
        option netmask '255.255.255.0'

# VLAN 12: tagged on port 1 and port 8, same port set as VLAN 5.
config switch_vlan
        option device 'switch0'
        option vlan '12'
        option description 'GUEST'
        option ports '1t 8t'
root@OpenWrt:~# cat /etc/config/wireless
# /etc/config/wireless, second version: one radio, two enabled APs, each
# attached to a different network ('internal' and 'guest').
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'HT20'
        option cell_density '0'

# SSID 'OpenWrt' is attached to the 'internal' network.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        # NOTE(review): short, guessable passphrase -- presumably a test value;
        # replace it before the AP carries real traffic.
        option key 'test1234'
        option network 'internal'

# SSID 'Guest' is attached to the 'guest' network.
config wifi-iface 'guest_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2'
        # NOTE(review): identical to the internal SSID's passphrase, so anyone
        # given the guest key can also join the internal SSID. Presumably a
        # test value; use distinct keys per network.
        option key 'test1234'
        option network 'guest'

Do you have also for this an idea what could be the problem?
Thanks!

Since these are dumb APs which are bridged out to VLANs on a cable which goes to another router, that router will handle the DHCP. The dumb AP is just a wireless-to-wired converter of layer 2 packets. The interfaces for these VLANs inside OpenWrt should be proto none so that they have no IP address; this makes it impossible for a guest to attempt to access any IP-based services on the OpenWrt router.


Start with what @mk24 said. If that doesn’t fix the issue, look at the upstream devices to make sure that the trunk is configured properly.