Set up VLANs for bridged APs along with pfSense

Hi all,

I'll describe first my setup before asking about the VLANs setup.

  • My ISP is Hyperoptic, which provides a "Gigabit" internet connection + VoIP. This comes as a Cat5 ethernet cable to my home.
  • This goes to the Hyperoptic router, which handles the VoIP telephone and has almost everything else disabled (wifi, etc.), and from there to my new pfSense router with an ethernet cable as WAN.
  • pfsense router is responsible for DHCP, DNS, firewall rules and VLAN separation.
  • An ethernet cable as LAN connects to a repurposed TP-Link Archer C7 v2 router. This now works as a bridged AP providing wireless capabilities to my network.
  • The ethernet cable which comes from pfSense connects to port 1 of the switch in the Archer C7 v2.
  • Port 2 of the Switch is connected to a simple (unmanaged) switch which shares the network.
  • The WAN port and interfaces in OpenWRT are not used (I should probably delete the interfaces).
  • OpenWRT has a bridged LAN interface including the wifi interfaces (2) + the switch interface.

The above works properly for all devices including wireless, but I'd like to adjust it a bit with the following:

  • Set LAN to run over a VLAN instead (vlan.id 20), getting DHCP from pfsense
  • Add an IOT wifi which runs on a separate VLAN (vlan.id 30), getting DHCP from pfsense
  • Add a GUEST wifi which runs on a separate VLAN (vlan.id 40), getting DHCP from pfsense

I've been trying to read about setting up a VLAN trunk port in OpenWRT on port 1 of the switch and using port 2 as VLAN 20 (LAN, which goes to the unmanaged switch), but can't find anything concrete. Also, considering that if I set the VLANs up wrongly I could lose access to the OpenWRT interface, I thought it better to ask.

So let's start with something small for now:

  • How can I set up a new GUEST wifi which runs over VLAN id 30 on port 1? This won't have an actual physical port assigned to it, as I expect to have only wifi IOT. I've set up a new wireless interface and assigned it to a new VLAN (with id 30), but I'm not sure about the tagging against port 1.

PS: In pfSense I've already set up the VLANs and interfaces, but everything seems to be untagged.

Thanks in advance

The switch on the Archer C7v2 can be set up using LuCI, or through the command line.

The driver can support a total of 128 VLANs. Use of VID over 127 will require setting the vid option explicitly.

jeff@office:~$ swconfig dev switch0 help
switch0: mdio-bus.0(Atheros AR8327), ports: 7 (cpu @ 0), vlans: 128
[...]

I typically configure directly in /etc/config/network, but all of this can be done through LuCI.

Set the VLANs as "tagged" on the ports that you want to be trunks, untagged on those that are intended for devices that aren't using VLAN tags.

Since you're using external DHCP (and possibly DNS) on several of your subnets, disable DHCP and DNS for those subnets on the OpenWrt box.

I typically set a management interface up on a trunked VLAN, or on a specific switch port. Confirming this is up and running helps avoid connectivity loss.

For this, just define a "bridge" and don't associate it with the switch if using OpenWrt DHCP and DNS. If using external DHCP and DNS, then you'll need to trunk it to the box providing those services (and, perhaps NTP).

You'll need firewall rules to prevent cross-VLAN routing.

2 Likes
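The advice above (trunk port tagged in every VLAN, access ports untagged, a single management interface, OpenWrt's own DHCP/DNS switched off where pfSense serves the subnet) can be turned into config mechanically. The script below is an added example for this thread, not jeff's code and not an OpenWrt tool; the PLAN table (interface names such as `iot`, which switch ports carry which VLAN, and the 10.120.x.0/24 addresses) is an assumption assembled from the first post, and the `dns` option assumes pfSense is also the resolver.

```python
"""Emit /etc/config/network and /etc/config/dhcp stanzas for a bridged AP whose
switch port 1 trunks VLANs 20/30/40 to pfSense. Added example for this thread,
not jeff's code nor an OpenWrt tool; the PLAN below (names, ports, addresses)
is an assumption built from the first post."""

CPU_PORT = 0         # AR8327 on the Archer C7 v2: switch port 0 is the CPU port behind eth1
TRUNK_PORTS = (1,)   # the jack cabled to pfSense carries every VLAN tagged
SWITCH_DEV = "switch0"

# vid -> (interface name, (ip, gateway) for the one management interface or None,
#         switch ports that carry this VLAN untagged)
PLAN = {
    20: ("lan", ("10.120.20.2", "10.120.20.1"), (2, 3)),  # wired LAN; management IP lives here
    30: ("iot", None, ()),                                # wifi-only, no L3 on the AP
    40: ("guest", None, (4,)),                            # guest wifi plus one jack
}


def port_map(vid, plan=PLAN, trunks=TRUNK_PORTS):
    """swconfig 'ports' string: CPU and trunk ports tagged, access ports untagged."""
    tagged = [f"{p}t" for p in (CPU_PORT, *trunks)]
    return " ".join(tagged + [str(p) for p in plan[vid][2]])


def access_port_conflicts(plan=PLAN):
    """A port untagged in two VLANs would need two PVIDs; return such ports."""
    seen = {}
    for vid, (_, _, ports) in plan.items():
        for p in ports:
            seen.setdefault(p, []).append(vid)
    return {p: v for p, v in seen.items() if len(v) > 1}


def network_config(plan=PLAN, cpu_dev="eth1"):
    """switch_vlan + bridge stanzas. Only the management VLAN gets an address and
    a gateway; the others are proto 'none' bridges for wifi-ifaces to join."""
    conflicts = access_port_conflicts(plan)
    if conflicts:
        raise ValueError(f"ports untagged in several VLANs: {conflicts}")
    out = [f"config switch\n\toption name '{SWITCH_DEV}'\n\toption reset '1'\n\toption enable_vlan '1'\n"]
    for n, (vid, (name, addr, _)) in enumerate(sorted(plan.items()), start=1):
        out.append(f"config switch_vlan\n\toption device '{SWITCH_DEV}'\n\toption vlan '{n}'\n"
                   f"\toption vid '{vid}'\n\toption ports '{port_map(vid, plan)}'\n")
        stanza = [f"config interface '{name}'", "\toption type 'bridge'",
                  f"\toption ifname '{cpu_dev}.{vid}'"]
        if addr:
            ip, gw = addr
            stanza += ["\toption proto 'static'", f"\toption ipaddr '{ip}'",
                       "\toption netmask '255.255.255.0'", f"\toption gateway '{gw}'",
                       f"\toption dns '{gw}'"]  # assumes pfSense is the resolver too
        else:
            stanza.append("\toption proto 'none'")
        out.append("\n".join(stanza) + "\n")
    return "\n".join(out)


def dhcp_config(plan=PLAN):
    """pfSense serves DHCP on every VLAN, so dnsmasq must ignore each interface."""
    return "\n".join(f"config dhcp '{name}'\n\toption interface '{name}'\n\toption ignore '1'\n"
                     for _, (name, _, _) in sorted(plan.items()))


if __name__ == "__main__":
    print(network_config())
    print(dhcp_config())
```

Run it and paste the output into the two files (or feed the equivalent `uci set` commands); the point of generating rather than hand-editing is that `access_port_conflicts` refuses a plan where one jack would be untagged in two VLANs, and only one interface ever receives a gateway. Keep the management session on the trunked VLAN or the spare WAN jack while applying it, as jeff notes, so a mistake does not lock you out.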

Hi jeff,

Thanks for your time to explain this. For reference, my swconfig and network look like:

swconfig dev switch0 help
# swconfig dev switch0 help
switch0: ag71xx-mdio.0(Atheros AR8327), ports: 7 (cpu @ 0), vlans: 128
     --switch
        Attribute 1 (int): enable_vlan (Enable VLAN mode)
        Attribute 2 (none): reset_mibs (Reset all MIB counters)
        Attribute 3 (int): enable_mirror_rx (Enable mirroring of RX packets)
        Attribute 4 (int): enable_mirror_tx (Enable mirroring of TX packets)
        Attribute 5 (int): mirror_monitor_port (Mirror monitor port)
        Attribute 6 (int): mirror_source_port (Mirror source port)
        Attribute 7 (int): arl_age_time (ARL age time (secs))
        Attribute 8 (string): arl_table (Get ARL table)
        Attribute 9 (none): flush_arl_table (Flush ARL table)
        Attribute 10 (int): igmp_snooping (Enable IGMP Snooping)
        Attribute 11 (int): igmp_v3 (Enable IGMPv3 support)
        Attribute 12 (none): apply (Activate changes in the hardware)
        Attribute 13 (none): reset (Reset the switch)
     --vlan
        Attribute 1 (int): vid (VLAN ID (0-4094))
        Attribute 2 (ports): ports (VLAN port mapping)
     --port
        Attribute 1 (none): reset_mib (Reset single port MIB counters)
        Attribute 2 (string): mib (Get port's MIB counters)
        Attribute 3 (int): enable_eee (Enable EEE PHY sleep mode)
        Attribute 4 (none): flush_arl_table (Flush port's ARL table entries)
        Attribute 5 (int): igmp_snooping (Enable port's IGMP Snooping)
        Attribute 6 (int): vlan_prio (Port VLAN default priority (VLAN PCP) (0-7))
        Attribute 7 (int): pvid (Primary VLAN ID)
        Attribute 8 (unknown): link (Get port link information)
swconfig dev switch0 show
# swconfig dev switch0 show
Global attributes:
	enable_vlan: 1
	enable_mirror_rx: 0
	enable_mirror_tx: 0
	mirror_monitor_port: 0
	mirror_source_port: 0
	arl_age_time: 300
	arl_table: address resolution table
Port 0: MAC c8:08:e9:04:4a:10
Port 0: MAC 00:0d:b9:4f:b0:25
Port 0: MAC f4:f5:d8:21:39:dc
Port 0: MAC c0:ee:fb:d2:c2:36
Port 0: MAC 60:e3:27:af:a8:19
Port 0: MAC 70:85:c2:5a:cb:fb
Port 0: MAC 70:85:c2:65:45:22
Port 0: MAC e8:b1:fc:15:c6:4c
Port 0: MAC 74:da:ea:9a:6b:84
Port 0: MAC 94:65:2d:a9:ff:fa
Port 2: MAC 00:0d:b9:4f:b0:25
Port 3: MAC c8:08:e9:04:4a:10
Port 3: MAC 00:1e:06:33:e9:42
Port 3: MAC 70:85:c2:65:45:22
Port 5: MAC 70:85:c2:5a:cb:fb

	igmp_snooping: 0
	igmp_v3: 0
Port 0:
	mib: MIB counters
RxBroad     : 85100
RxPause     : 0
RxMulti     : 203730
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 212656
Rx128Byte   : 2221132
Rx256Byte   : 343344
Rx512Byte   : 218229
Rx1024Byte  : 126387
Rx1518Byte  : 400846
RxMaxByte   : 49190
RxTooLong   : 0
RxGoodByte  : 1077989976 (1.0 GiB)
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 24290
TxBroad     : 90474
TxPause     : 0
TxMulti     : 53445
TxUnderRun  : 0
Tx64Byte    : 28545
Tx128Byte   : 700045
Tx256Byte   : 408686
Tx512Byte   : 149751
Tx1024Byte  : 62457
Tx1518Byte  : 5204503
TxMaxByte   : 1680950
TxOverSize  : 0
TxByte      : 10524713943 (9.8 GiB)
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 0
	link: port:0 link:up speed:1000baseT full-duplex txflow rxflow 
Port 1:
	mib: MIB counters
RxBroad     : 82
RxPause     : 0
RxMulti     : 16
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 15105
Rx128Byte   : 1066532
Rx256Byte   : 181846
Rx512Byte   : 42047
Rx1024Byte  : 52210
Rx1518Byte  : 609104
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 1051896099 (1003.1 MiB)
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 26
TxBroad     : 4
TxPause     : 0
TxMulti     : 14
TxUnderRun  : 0
Tx64Byte    : 31943
Tx128Byte   : 299794
Tx256Byte   : 285470
Tx512Byte   : 61486
Tx1024Byte  : 16511
Tx1518Byte  : 3479012
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 5385547783 (5.0 GiB)
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 2
	link: port:1 link:down
Port 2:
	mib: MIB counters
RxBroad     : 889
RxPause     : 0
RxMulti     : 88
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 332902
Rx128Byte   : 888578
Rx256Byte   : 673509
Rx512Byte   : 160647
Rx1024Byte  : 2044551
Rx1518Byte  : 8748455
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 14468456051 (13.4 GiB)
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 297
TxBroad     : 68380
TxPause     : 0
TxMulti     : 105194
TxUnderRun  : 0
Tx64Byte    : 354476
Tx128Byte   : 2567733
Tx256Byte   : 2528236
Tx512Byte   : 252755
Tx1024Byte  : 69655
Tx1518Byte  : 686219
TxMaxByte   : 2
TxOverSize  : 0
TxByte      : 1779061986 (1.6 GiB)
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:2 link:up speed:1000baseT full-duplex txflow rxflow eee100 eee1000 auto
Port 3:
	mib: MIB counters
RxBroad     : 63690
RxPause     : 0
RxMulti     : 40121
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 53990
Rx128Byte   : 414491
Rx256Byte   : 2436897
Rx512Byte   : 197104
Rx1024Byte  : 12431
Rx1518Byte  : 134653
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 698179708 (665.8 MiB)
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 1191
TxBroad     : 73972
TxPause     : 0
TxMulti     : 170367
TxUnderRun  : 0
Tx64Byte    : 218591
Tx128Byte   : 263234
Tx256Byte   : 641246
Tx512Byte   : 190475
Tx1024Byte  : 1595337
Tx1518Byte  : 1569041
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 3510572975 (3.2 GiB)
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:3 link:up speed:1000baseT full-duplex auto
Port 4:
	mib: MIB counters
RxBroad     : 37
RxPause     : 0
RxMulti     : 100
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 1882
Rx128Byte   : 79437
Rx256Byte   : 5174
Rx512Byte   : 4072
Rx1024Byte  : 3050
Rx1518Byte  : 3453444
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 5252696758 (4.8 GiB)
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 142
TxBroad     : 24043
TxPause     : 0
TxMulti     : 35267
TxUnderRun  : 0
Tx64Byte    : 7127
Tx128Byte   : 1030905
Tx256Byte   : 31374
Tx512Byte   : 18581
Tx1024Byte  : 7076
Tx1518Byte  : 64436
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 186753621 (178.1 MiB)
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:4 link:down
Port 5:
	mib: MIB counters
RxBroad     : 26660
RxPause     : 0
RxMulti     : 13607
RxFcsErr    : 0
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 147779
Rx128Byte   : 1541230
Rx256Byte   : 316343
Rx512Byte   : 77308
Rx1024Byte  : 49672
Rx1518Byte  : 861842
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 1536440844 (1.4 GiB)
RxBadByte   : 0
RxOverFlow  : 0
Filtered    : 130
TxBroad     : 48443
TxPause     : 0
TxMulti     : 101876
TxUnderRun  : 0
Tx64Byte    : 34819
Tx128Byte   : 846734
Tx256Byte   : 251339
Tx512Byte   : 130978
Tx1024Byte  : 509398
Tx1518Byte  : 4444015
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 7108415966 (6.6 GiB)
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

	enable_eee: 0
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 1
	link: port:5 link:up speed:1000baseT full-duplex txflow rxflow eee100 eee1000 auto
Port 6:
	mib: MIB counters
RxBroad     : 333
RxPause     : 0
RxMulti     : 238
RxFcsErr    : 10
RxAlignErr  : 0
RxRunt      : 0
RxFragment  : 0
Rx64Byte    : 32276
Rx128Byte   : 300041
Rx256Byte   : 285471
Rx512Byte   : 61486
Rx1024Byte  : 16511
Rx1518Byte  : 3479011
RxMaxByte   : 0
RxTooLong   : 0
RxGoodByte  : 5385568745 (5.0 GiB)
RxBadByte   : 1040
RxOverFlow  : 0
Filtered    : 347
TxBroad     : 82
TxPause     : 0
TxMulti     : 252
TxUnderRun  : 0
Tx64Byte    : 15104
Tx128Byte   : 1066762
Tx256Byte   : 181832
Tx512Byte   : 42045
Tx1024Byte  : 52208
Tx1518Byte  : 609103
TxMaxByte   : 0
TxOverSize  : 0
TxByte      : 1051889470 (1003.1 MiB)
TxCollision : 0
TxAbortCol  : 0
TxMultiCol  : 0
TxSingleCol : 0
TxExcDefer  : 0
TxDefer     : 0
TxLateCol   : 0

	enable_eee: ???
	igmp_snooping: 0
	vlan_prio: 0
	pvid: 2
	link: port:6 link:up speed:1000baseT full-duplex txflow rxflow 
VLAN 1:
	vid: 1
	ports: 0t 2 3 4 5 
VLAN 2:
	vid: 2
	ports: 1 6 
VLAN 3:
	vid: 20
	ports: 0t 3t 
VLAN 4:
	vid: 30
	ports: 0t 4t 
VLAN 5:
	vid: 40
	ports: 0t 2t 
/etc/config/network
# cat /etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fded:50d6:9e76::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.120.10.2'
	option type 'bridge'
	option delegate '0'
	option gateway '10.120.10.1'
	option ifname 'eth1.1 eth1.20'

config interface 'wan'
	option ifname 'eth0'
	option _orig_ifname 'eth0'
	option _orig_bridge 'false'
	option proto 'dhcp'
	option auto '0'

config interface 'wan6'
	option _orig_ifname 'eth0'
	option _orig_bridge 'false'
	option ifname 'eth0'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'none'
	option reqprefix 'no'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6'
	option vid '2'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '10.120.40.2'
	option ifname 'eth1.40'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '20'
	option ports '0t 3t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4t'
	option vid '30'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '40'
	option ports '0t 2t'


The LuCI configuration of the VLANs is like below.

So, how would the above configuration support VLAN trunk on Port LAN 1 and VLANs 20, 30 and 40 over Port 1 LAN?

I'd probably follow your advice to keep a port (LAN 4) as a management interface without a VLAN.

Thanks,
Leonidas

Make the drop down selection tagged in vlan 20, 30, and 40 lines under LAN1.

2 Likes

If you're not using your "WAN" jack, that is, at least for me, a convenient place to put a management interface and/or your trunk as it's visually "different" than the other ports.

2 Likes

Hi trendy,

Thanks for the suggestion, but it didn't work as I expected. As @jeff suggested, I had set up the WAN port as a management interface so I wasn't locked out.
I'll try something even simpler:

  • Set a VLAN with id 20 on Port 2 which should go through Port 1 as tagged. Port 2 should connect a physical cable.

Bear with me for a minute as I describe my thoughts.

If I understood correctly, on the LuCI switch interface I set "off" on all the different rows (VLANs) for port 2 except the VLAN I'm interested in, which is 20 in this case. Then on port 1 it should be tagged in the VLAN 20 row. So anything which belongs to VLAN 20, which is port 1 and port 2, should be tagged with VLAN 20 when transmitted from port 1.

On the interface side I'll need to create an interface, let's say LAN, which has the physical interface set to eth1.20 (VLAN 20) and a static IP on a network/subnet which matches the interface from pfSense (10.120.20.0/24 in this case).

With the above settings I should be able to plug an ethernet cable on Port 2 and receive an IP from pfsense DHCP on the 10.120.20.0/24 network. And if DHCP works then I am able to connect to pfsense and if something doesn't work after (like DNS etc) then it's Firewall rules for that interface.

Am I missing something obvious on the above scenario?

Thanks,
Leonidas

As it is shown in the image above port 2 is tagging vlan 20, so whatever you connect there must be able to receive tagged frames. If it doesn't you need to select untagged.

You'll do that if you need a L3 interface on vlan20 in Openwrt. If not you can skip it.

Depends if the host you'll connect on port 2 is configured for vlan20 or not, as described in the beginning of this post.

Hi,

So after some configuration play I managed to define a "Guest" wifi interface and bridge it to VLAN 40, which has port 1 as tagged and port 4 as untagged. This works as expected and cooperates with pfSense for DHCP / DNS. So overall the GUEST VLAN is set up and working as intended.

Now to a more complicated setup of setting the LAN up.

LAN should run on VLAN 20 and should include port 1 as tagged, port 2 and port 3 as untagged, along with wifi from radio0 ("local0") and from radio1 (local1). As you suggested above, an L3 interface of 10.120.20.2/24 is set on it.

With the above configuration the Port 3 is working fine and I got a DHCP lease from pfsense on the 10.120.20.0/24 network but anything from Wifi connections can't reach pfsense.

I'm not sure why the VLAN 20 configuration would be different from the GUEST one; essentially it's the same thing extended to more ports and wifi networks.

Firewall is set to "Unspecified", so it shouldn't interfere.

Would anyone have any ideas?

Leonidas

What you described isn't too complicated. If I understand you correctly...all you need to do is change:

  • eth0.1 to eth0.20 on the LAN interface
  • Change 1 to 20 under Network > Switch
  • properly tag/untag the LAN ports in question
  • and get rid of whatever VLAN 20 settings are already present

That depends on your Global Firewall settings. It's always good to place Interfaces in a properly configured Firewall Zone. I'm not even sure why your LAN Interface isn't in the LAN Firewall Zone - like default.

2 Likes

Hi lleachii,

I tried what you suggested like below

and I got the following results:

  • Port 2, which is directly connected to a PC, works fine and gets an IP from VLAN 20 (so packets are properly tagged).
  • Port 3 is connected to a Netgear switch (GS110TP - managed, but with no VLAN setup), but the clients on the Netgear switch don't get IPs from the DHCP server which is running on pfSense.
  • The wifi networks which are bridged to this VLAN interface don't get IPs from the DHCP server which is running on pfSense.

I assume this has to do with the interface definition and not the actual switch definition, as the PC works fine and gets its packets tagged.

Right?

If you connect the PC on port 3, will it get an IP from DHCP?

Can you post the contents of /etc/config/network and /etc/config/wireless ?

1 Like

Yes. I've done this test myself and both times the PC gets IP from VLAN 20 DHCP from pfsense.

See below

As you can see, the interface br-LAN has a static IP defined on the 10.120.20.0/24 network, which is VLAN 20.

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 60:e3:27:af:a8:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::62e3:27ff:feaf:a81a/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 60:e3:27:af:a8:19 brd ff:ff:ff:ff:ff:ff
6: br-GUEST: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 60:e3:27:af:a8:19 brd ff:ff:ff:ff:ff:ff
    inet 10.120.40.2/24 brd 10.120.40.255 scope global br-GUEST
       valid_lft forever preferred_lft forever
    inet6 fe80::62e3:27ff:feaf:a819/64 scope link
       valid_lft forever preferred_lft forever
188: eth1.40@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-GUEST state UP qlen 1000
    link/ether 60:e3:27:af:a8:19 brd ff:ff:ff:ff:ff:ff
189: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 60:e3:27:af:a8:18 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::62e3:27ff:feaf:a818/64 scope link
       valid_lft forever preferred_lft forever
190: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-GUEST state UP qlen 1000
    link/ether 62:e3:27:af:a8:18 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::60e3:27ff:feaf:a818/64 scope link
       valid_lft forever preferred_lft forever
191: br-LAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 60:e3:27:af:a8:19 brd ff:ff:ff:ff:ff:ff
    inet 10.120.20.2/24 brd 10.120.20.255 scope global br-LAN
       valid_lft forever preferred_lft forever
    inet6 fe80::62e3:27ff:feaf:a819/64 scope link
       valid_lft forever preferred_lft forever
192: eth1.20@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-LAN state UP qlen 1000
    link/ether 60:e3:27:af:a8:19 brd ff:ff:ff:ff:ff:ff
/etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fded:50d6:9e76::/48'

config interface 'wan'
        option ifname 'eth0'
        option proto 'static'
        option delegate '0'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '10.120.10.1'
        option dns '10.120.10.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2t 3 4'
        option vid '20'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '30'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '40'
        option ports '0t 2t 5'

config interface 'GUEST'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth1.40'
        option ipaddr '10.120.40.2'
        option netmask '255.255.255.0'
        option gateway '10.120.40.1'
        option delegate '0'

config interface 'LAN'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '10.120.20.2'
        option gateway '10.120.20.1'
        option type 'bridge'
        option ifname 'eth1.20'
/etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0'
        option country 'GB'
        option htmode 'VHT40'
        option legacy_rates '1'
        option channel 'auto'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/qca955x_wmac'
        option country 'GB'
        option htmode 'HT20'
        option legacy_rates '1'
        option channel 'auto'

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'LAN2G'
        option encryption 'psk2'
        option key '****'
        option network 'LAN'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'LAN5G'
        option encryption 'psk2'
        option key '****'
        option network 'LAN'

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'guest'
        option network 'GUEST'
        option isolate '1'
        option encryption 'psk-mixed'
        option key '****'

Then something wrong is with the switch. Check again if ports are configured properly in terms of vlan without tagging.

Other than that, you have configured 3 Interfaces in Openwrt with static IPs and gateways. This is wrong. There can be only one gateway, or it will be a mess. Since the Archer is a bridged AP as per your first post, you should keep only one managed interface with IP and Gateway. All routing functions are handled by pfSense.

Thanks @trendy for any input so far. I will try reconfiguring the Switch VLANs in OpenWRT and try again.

Once I get at least the PC working on both ports and this issue sorted, I'll focus on the other issues.

Do you think it's worth checking the cables? Is there a special requirement for the cable (CAT-6+ ?) to support VLANs?

Leonidas

From my understanding so far your PC is able to get address from pfSense DHCP server on ports 2 and 3. So VLAN20 works fine and packets are sent untagged out of the ports. If you connect it on port 4 you should get IP in VLAN40, according to your diagram.
If the cables work in these test cases, then they are fine. You don't need any special cable for VLANs.
The problem seems to be on the Netgear switch. Try to connect any dumb switch on ports 2 or 3 and verify that hosts connected on that will acquire settings.

Correct.

Thanks for confirmation.

Agreed, I think it's something with the Netgear switch (and the OpenWRT access point, where the wifi which is bridged with VLAN 20 doesn't get an IP from DHCP either).

So since this is a OpenWRT forum I'll stick to the OpenWRT questions and deal with the Netgear part myself.

Any idea why would the Bridged Interface (LAN) between VLAN.20 (eth1.20) and Access Points LAN2G (wlan1) and LAN5G (wlan0) only work for physical ports 2, 3 (marked untagged on the Switch UI) and not the wireless?

Note that the VLAN.40 setup works perfectly fine for both Port 4 and GUEST wifi (wlan1-1) and the firewall rules on pfsense are very similar and allow DHCP and DNS requests.

What is not working here?
The SSID is broadcasting?
The clients can connect successfully?
Do you see DHCP Discovery packets traversing from Openwrt towards pfSense?
Post your firewall configuration also just in case...

Yes, I can see both wlan0 and wlan1

I think they associate with the AP and don't get an IP. So for example the Android phone can't get an IP. Neither can the laptop with Arch Linux get an IP through WiFi.

Hmm, I'm not sure how to ensure this happens.

/etc/config/firewall
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '10022'
	option name 'LEDE+SSH'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option name 'Lan DNS'
	option src 'lan'
	option dest_port '53'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option name 'Lan DHCP'
	option src 'lan'
	option dest_port '67-68'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'guest'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option name 'guest'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network ' '

config forwarding
	option dest 'wan'
	option src 'guest'

I can't see why there is any difference from the GUEST WiFi setup.

tcpdump -i any udp port 67
Install tcpdump if missing.

1 Like

Never mind, I found the problem.
In the firewall LAN zone you have the guest interface, and the guest firewall zone has no interfaces. Fix that and it should be fine.

1 Like
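The root cause trendy spotted (a zone listing an interface under a name that does not match, another zone with no interfaces, and the earlier point about three interfaces each carrying a gateway) is the sort of thing a small lint pass over the UCI files would have caught before the tcpdump step. The script below is an added example, not code from this thread or from OpenWrt: it parses the `config` / `option` / `list` syntax, and the `NETWORK` and `FIREWALL` strings are a constructed, abbreviated reconstruction of the files posted above (note `GUEST`/`LAN` in network versus `guest` in the firewall zone; UCI section names are case-sensitive).

```python
"""Lint OpenWrt UCI config for the pitfalls hit in this thread. Added example,
not code from the thread or from OpenWrt; the sample text below is an
abbreviated, constructed reconstruction of the configs posted above."""
import shlex

NETWORK = """
config interface 'wan'
        option ifname 'eth0'
        option gateway '10.120.10.1'
config switch_vlan
        option vlan '1'
        option ports '0t 2t 3 4'
        option vid '20'
config switch_vlan
        option vlan '5'
        option vid '40'
        option ports '0t 2t 5'
config interface 'GUEST'
        option ifname 'eth1.40'
        option gateway '10.120.40.1'
config interface 'LAN'
        option ifname 'eth1.20'
        option gateway '10.120.20.1'
"""
FIREWALL = """
config zone
        option name 'lan'
        option network 'guest'
config zone
        option name 'wan'
        option network 'wan6'
config zone
        option name 'guest'
        option network ' '
"""


def parse_uci(text):
    """Parse UCI 'config / option / list' lines into section dicts."""
    sections = []
    for parts in (shlex.split(line) for line in text.splitlines()):
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                             "opt": {}, "list": {}})
        elif parts[0] == "option":
            sections[-1]["opt"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            sections[-1]["list"].setdefault(parts[1], []).append(parts[2])
    return sections


def zone_findings(net_text, fw_text):
    """Zones must name existing interfaces (UCI names are case-sensitive, so
    'guest' is not 'GUEST') and every non-loopback interface needs a zone."""
    ifaces = {s["name"] for s in parse_uci(net_text)
              if s["type"] == "interface" and s["name"] != "loopback"}
    findings, assigned = [], set()
    for z in (s for s in parse_uci(fw_text) if s["type"] == "zone"):
        zname = z["opt"]["name"]
        members = z["opt"].get("network", "").split() + z["list"].get("network", [])
        if not members:
            findings.append(f"zone '{zname}' has no interfaces")
        for n in members:
            assigned.add(n)
            if n not in ifaces:
                findings.append(f"zone '{zname}' references unknown interface '{n}'")
    return findings + [f"interface '{n}' is in no firewall zone" for n in sorted(ifaces - assigned)]


def gateway_findings(net_text):
    """A bridged AP should set one default gateway, on its management interface."""
    gw = [s["name"] for s in parse_uci(net_text) if s["type"] == "interface" and "gateway" in s["opt"]]
    return [f"{len(gw)} interfaces set a gateway ({', '.join(gw)}); keep one"] if len(gw) > 1 else []


def switch_findings(net_text):
    """A port may be untagged in one VLAN only, and each ethX.N bridge member
    needs a switch_vlan with that vid in which the CPU port (0) is tagged."""
    secs = parse_uci(net_text)
    vlans = {s["opt"]["vid"]: s["opt"]["ports"].split() for s in secs if s["type"] == "switch_vlan"}
    findings, untagged_in = [], {}
    for vid, ports in vlans.items():
        for p in ports:
            if not p.endswith("t"):
                untagged_in.setdefault(p, []).append(vid)
    findings += [f"port {p} is untagged in VLANs {', '.join(v)}; one PVID per port"
                 for p, v in sorted(untagged_in.items()) if len(v) > 1]
    for s in (s for s in secs if s["type"] == "interface"):
        for dev in s["opt"].get("ifname", "").split():
            if dev.startswith("eth") and "." in dev:
                vid = dev.split(".", 1)[1]
                if vid not in vlans:
                    findings.append(f"interface '{s['name']}' uses {dev} but no switch_vlan has vid {vid}")
                elif "0t" not in vlans[vid]:
                    findings.append(f"{dev} needs the CPU port tagged (0t) in vid {vid}")
    return findings


def lint(net_text, fw_text):
    """All findings for one network + firewall pair."""
    return zone_findings(net_text, fw_text) + gateway_findings(net_text) + switch_findings(net_text)


if __name__ == "__main__":
    print("\n".join(lint(NETWORK, FIREWALL)))
```

On the reconstructed sample the zone check reports the `lan` zone pointing at a `guest` interface that does not exist under that spelling, the `guest` zone with no members, and `GUEST`, `LAN` and `wan` belonging to no zone; the gateway check flags three interfaces with a gateway; the switch check is clean, which matches the observation that wired clients on the untagged ports did get leases. Feeding the real files from `/etc/config/` is a matter of reading them into the two strings.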