If you're not using your "WAN" jack, that is, at least for me, a convenient place to put a management interface and/or your trunk as it's visually "different" than the other ports.
Thanks for the suggestion, but it didn't work as I expected. As @jeff suggested, I had set up the WAN port as a management interface, so I wasn't locked out.
I'll try something even simpler:
Set a VLAN with id 20 on Port 2 which should go through Port 1 as tagged. Port 2 should connect a physical cable.
Bear with me for a minute as I describe my thoughts.
If I understood correctly, on the LuCI switch interface I set "off" on all the rows (VLANs) for port 2 except the VLAN I'm interested in, which is 20 in this case. Then on Port 1 it should be tagged in the VLAN 20 row. So anything which belongs to VLAN 20, which is Port 1 and Port 2, should be tagged with VLAN 20 when transmitted from Port 1.
On the interface side I'll need to create an interface, let's say LAN, which has the physical interface set to eth1.20 (VLAN 20) and a static IP on a network/subnet which matches the interface on pfsense (10.120.20.0/24 in this case).
With the above settings I should be able to plug an ethernet cable into Port 2 and receive an IP from the pfsense DHCP server on the 10.120.20.0/24 network. And if DHCP works then I am able to connect to pfsense, and if something doesn't work after that (like DNS etc.) then it's the firewall rules for that interface.
Am I missing something obvious on the above scenario?
As it is shown in the image above, port 2 is tagging vlan 20, so whatever you connect there must be able to receive tagged frames. If it doesn't, you need to select untagged.
You'll do that if you need a L3 interface on vlan20 in Openwrt. If not you can skip it.
Depends if the host you'll connect on port 2 is configured for vlan20 or not, as described in the beginning of this post.
So after some configuration play I managed to define a "Guest" WiFi interface and bridge it to VLAN 40, which has Port 1 as tagged and Port 4 as untagged. This works as expected and cooperates with pfsense for DHCP / DNS. So overall the GUEST vlan is set up and working as intended.
Now to a more complicated setup of setting the LAN up.
LAN should run on VLAN 20 and should include Port 1 as tagged, Port 2 and Port 3 as untagged, along with WiFi from radio0 ("local0") and from radio1 (local1). As you suggested above, an L3 interface of 10.120.20.2/24 is set on it.
With the above configuration Port 3 is working fine and I got a DHCP lease from pfsense on the 10.120.20.0/24 network, but nothing from the WiFi connections can reach pfsense.
I'm not sure why the VLAN 20 configuration would be different than the GUEST one; essentially it's the same thing extended to more ports and WiFi networks.
Firewall is set to "Unspecified" so it shouldn't interfere.
What you described isn't too complicated. If I understand you correctly...all you need to do is change:
eth0.1 to eth0.20 on the LAN interface
Change 1 to 20 under Network > Switch
properly tag/untag the LAN ports in question
and get rid of whatever VLAN 20 settings are already present
That depends on your Global Firewall settings. It's always good to place interfaces in a properly configured firewall zone. I'm not even sure why your LAN interface isn't in the LAN firewall zone, like the default.
Port 2, which is directly connected to a PC, works fine and gets an IP from VLAN 20 (so packets are properly tagged).
Port 3 is connected to a Netgear switch (GS110TP - managed but has no VLAN setup), but the clients on the Netgear switch don't get IPs from the DHCP server which is running on pfsense.
The WiFi networks which are bridged to this VLAN interface don't get IPs from the DHCP server which is running on pfsense.
I assume this has to do with the interface definition and not the actual switch definition, as the PC works fine and gets its packets tagged.
Then something is wrong with the switch. Check again if ports are configured properly in terms of vlan without tagging.
Other than that, you have configured 3 Interfaces in Openwrt with static IPs and gateways. This is wrong. There can be only one gateway, or it will be a mess. Since the Archer is a bridged AP as per your first post, you should keep only one managed interface with IP and Gateway. All routing functions are handled by pfSense.
From my understanding so far your PC is able to get an address from the pfSense DHCP server on ports 2 and 3. So VLAN20 works fine and packets are sent untagged out of the ports. If you connect it on port 4 you should get an IP in VLAN40, according to your diagram.
If the cables work in these test cases, then they are fine. You don't need any special cable for VLANs.
The problem seems to be on the Netgear switch. Try to connect any dumb switch on ports 2 or 3 and verify that hosts connected on that will acquire settings.
Agreed, I think it's something with the Netgear switch (and the OpenWRT Access Point, where the WiFi which is bridged with VLAN.20 doesn't get an IP from DHCP either).
So since this is an OpenWRT forum I'll stick to the OpenWRT questions and deal with the Netgear part myself.
Any idea why the bridged interface (LAN) between VLAN.20 (eth1.20) and the Access Point's LAN2G (wlan1) and LAN5G (wlan0) would only work for physical ports 2, 3 (marked untagged on the switch UI) and not the wireless?
Note that the VLAN.40 setup works perfectly fine for both Port 4 and GUEST WiFi (wlan1-1), and the firewall rules on pfsense are very similar and allow DHCP and DNS requests.
What is not working here?
The SSID is broadcasting?
The clients can connect successfully?
Do you see DHCP Discovery packets traversing from Openwrt towards pfSense?
Post your firewall configuration also just in case...
I think they associate with the AP and don't get an IP. So for example the Android phone can't get an IP. Neither can the laptop with Arch Linux get an IP through WiFi.
Hmm, I'm not sure how to ensure this happens.
/etc/config/firewall
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '10022'
	option name 'LEDE+SSH'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option name 'Lan DNS'
	option src 'lan'
	option dest_port '53'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option name 'Lan DHCP'
	option src 'lan'
	option dest_port '67-68'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'guest'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option name 'guest'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network ' '

config forwarding
	option dest 'wan'
	option src 'guest'
I can't see why there is any difference from the GUEST WiFi setup.
Nevermind, I found the problem.
In the firewall LAN zone you have the guest interface, and the guest firewall zone has no interfaces. Fix that and it should be fine.
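The zone mix-up diagnosed above is easy to miss by eye in a long /etc/config/firewall. As an added example (not code from the thread or from OpenWrt), this small Python linter parses UCI zone stanzas and flags a zone with an empty network list, a network claimed by several zones, or a network attached to a zone other than the one bearing its name. The BROKEN sample is constructed to mirror the posted config; the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the posted zones: the 'lan' zone carries the
# 'guest' network and the 'guest' zone has an empty network list.
BROKEN = """
config zone
    option name 'lan'
    option network 'guest'
config zone
    option name 'guest'
    option network ' '
"""
# Corrected form: every zone owns the network of the same name.
FIXED = BROKEN.replace("network 'guest'", "network 'lan'").replace("' '", "'guest'")

_STANZA = re.compile(r"^\s*config\s+(\S+)")
_OPTION = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+'([^']*)'")

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        m = _STANZA.match(line)
        if m:
            sections.append((m.group(1), defaultdict(list)))
            continue
        m = _OPTION.match(line)
        if m and sections:
            # 'option network' may be space-separated; a bare ' ' yields nothing
            sections[-1][1][m.group(1)].extend(m.group(2).split())
    return sections

def check_zones(text):
    """Return human-readable findings about zone membership, [] if clean."""
    zones = {o.get("name", ["?"])[0]: o.get("network", [])
             for t, o in parse_uci(text) if t == "zone"}
    owners = defaultdict(list)  # network -> zones claiming it
    findings = []
    for zone, nets in zones.items():
        if not nets:
            findings.append(f"zone '{zone}' has no networks, so its rules match nothing")
        for net in nets:
            owners[net].append(zone)
    for net, claimants in owners.items():
        if len(claimants) > 1:
            findings.append(f"network '{net}' is in several zones: {claimants}")
        elif net in zones and claimants != [net]:
            findings.append(f"network '{net}' sits in zone '{claimants[0]}' "
                            f"although a zone named '{net}' exists")
    return findings
```

Run `check_zones(open('/etc/config/firewall').read())` on the device, or on a copy pulled with scp, to get the same two findings the thread arrived at by inspection.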
Maybe it's a better idea to put the Netgear switch before the OpenWRT. Then all ethernet devices are sent to the Netgear switch, which has support for VLAN.20 and VLAN.40, and OpenWRT is only managing the wireless clients with different networks and only VLAN trunking on one port (no ethernet clients). I guess that's my summer project.