[SOLVED] Dumb Access Point tagged VLAN behind OPNsense [SOLVED]

Hey guys,

I really love OpenWrt since it brings the possibility to breathe new life into my AVM repeater.

My current setup is the following:

ISPModem -------> OPNsense------> managed Switch1---------->managed Switch2-----> Dumb AP with OpenWrt

The device is a FRITZ!Repeater 1750E which, according to this documentation (https://openwrt.org/toh/avm/avm_fritz_wlan_repeater_1750e), should be able to work with VLANs.
OpenWrt 23.05.0 is installed.

What I did was to segregate my network into 2 sections to test if everything works.

So I have my main subnet 192.168.2.0/24 and my IoT subnet 192.168.20.0/24.
What I want to do is to use the 2.4 GHz network as the IoT WiFi channel. It already works with my Omada AP, which is connected to managed Switch1.

So I created a VLAN with the ID 20 which is tagged on the correct ports on the OPNsense and the managed switches.

So now I want to set up the 1750E repeater as a repeater, but with VLAN 20 as the interface for my 2.4 GHz channel.

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'IOT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'IOT'

config forwarding
	option src 'IOT'
	option dest 'wan'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'hybrid'
	option ra 'hybrid'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc9:867f:6476::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '20'
	option name 'eth0.20'

config interface 'IOT'
	option proto 'dhcp'
	option device 'eth0.20'
	option type 'bridge'

Preparations to make the 1750E a dumb access point:

  • stopped firewall
  • stopped dhcp
  • stopped dnsmasq

My journey till now:

  • I create a VLAN device with the correct ID

  • since the 1750E has one port, the VLAN base device is eth0

  • after that I create an interface named IOT as a DHCP client, and as device I choose the VLAN (eth0.20)

  • I observe that the interface is getting an IP address in the correct subnet from my OPNsense (DHCP server)

  • now I attach the interface to the correct wireless interface

  • sadly, once I try to access the wireless channel, I can connect but won't get an IP address.

Alternatively I tried creating a bridge with just the VLAN, and also a bridge with eth0 and the VLAN, but these methods didn't even get an IP address from the DHCP server.

So now I'm really frustrated, and I already tried looking for a solution online, but I think I'm missing something.

I'm pretty new to this, so sorry in advance if some information is missing. Please let me know if there is something I can provide to make finding a solution easier, and thanks for the help.

Cheers,
derToaster1412

I will assume for now that you have properly configured your main router and your two switches such that the IoT network has been verified to be working properly. I'll also make the assumption that your IoT network is tagged on the port that connects to the AP.

Starting out, you must disable the DHCP server on the lan. Since you've got the lan as DHCP client, it actually shouldn't ever attempt to start the server, but you should always explicitly disable the server to ensure it will never cause you headaches. It should look like this:

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

Next, delete the 802.1q stanza.

Then, add a bridge for the iot network on eth0.20:

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.20'

Finally, edit the iot network. It should be unmanaged, use br-iot, and critically the bridge line must be removed (it will break the interface). When you're done, it will look like this:

config interface 'IOT'
	option proto 'none'
	option device 'br-iot'

Restart your router and test again. If it doesn’t work, post the latest config files for review.
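The answer above boils down to four checks on two UCI files: no `option type 'bridge'` inside an interface stanza, the VLAN attached through a bridge device, the IoT interface set to `proto 'none'`, and the lan DHCP server disabled with `option ignore '1'`. The following script is an added example (not code from the thread or from OpenWrt) that parses UCI text and applies those checks, so you can run it against your own `/etc/config/network` and `/etc/config/dhcp` before rebooting. The `BROKEN_*` samples are the poster's config as quoted in this thread; the `FIXED_*` samples are a constructed variant that follows the answer. The `lint_dumb_ap` function and its message wording are my own.

```python
"""Lint OpenWrt UCI 'network' and 'dhcp' text for the dumb-AP VLAN mistakes
discussed in this thread. Added example, not part of the thread or of OpenWrt."""
import re


class Section:
    """One 'config <type> [name]' stanza with its option and list values."""
    def __init__(self, stype, name=None):
        self.type, self.name = stype, name
        self.options, self.lists = {}, {}


_TOKEN = re.compile(r"'([^']*)'|(\S+)")   # single-quoted token or bare word


def parse_uci(text):
    """Parse UCI text into a list of Section objects (blank lines and comments skipped)."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        words = [q or b for q, b in _TOKEN.findall(line)]
        key, rest = words[0], words[1:]
        if key == 'config':
            cur = Section(rest[0], rest[1] if len(rest) > 1 else None)
            sections.append(cur)
        elif key == 'option' and cur is not None and len(rest) == 2:
            cur.options[rest[0]] = rest[1]
        elif key == 'list' and cur is not None and len(rest) == 2:
            cur.lists.setdefault(rest[0], []).append(rest[1])
    return sections


def lint_dumb_ap(network_text, dhcp_text):
    """Return a list of findings; an empty list means the config matches the answer."""
    findings = []
    net = parse_uci(network_text)
    # name -> port list for every 'config device' of type bridge
    bridges = {s.options.get('name'): s.lists.get('ports', [])
               for s in net if s.type == 'device' and s.options.get('type') == 'bridge'}
    for s in net:
        if s.type != 'interface':
            continue
        dev = s.options.get('device', '')
        # VLAN-backed: device is eth0.N itself, or a bridge holding such a port
        vlan_backed = '.' in dev or any('.' in p for p in bridges.get(dev, []))
        if s.options.get('type') == 'bridge':
            findings.append(f"interface '{s.name}': 'option type bridge' belongs in a "
                            f"'config device' stanza, not the interface (it breaks the interface)")
        if not vlan_backed:
            continue
        if dev not in bridges:
            findings.append(f"interface '{s.name}': uses '{dev}' directly; the answer "
                            f"attaches the VLAN through a bridge device (br-iot)")
        if s.options.get('proto') != 'none':
            findings.append(f"interface '{s.name}': proto '{s.options.get('proto')}' "
                            f"should be 'none' (unmanaged) on a dumb AP")
    for s in parse_uci(dhcp_text):
        if (s.type == 'dhcp' and s.options.get('dhcpv4') == 'server'
                and s.options.get('ignore') != '1'):
            findings.append(f"dhcp '{s.name}': DHCP server still enabled; add option ignore '1'")
    return findings


# Poster's network config as quoted in the thread.
BROKEN_NETWORK = """
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdc9:867f:6476::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config interface 'lan'
    option device 'br-lan'
    option proto 'dhcp'

config device
    option type '8021q'
    option ifname 'eth0'
    option vid '20'
    option name 'eth0.20'

config interface 'IOT'
    option proto 'dhcp'
    option device 'eth0.20'
    option type 'bridge'
"""

# Poster's dhcp 'lan' stanza as quoted (server enabled, not ignored).
BROKEN_DHCP = """
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
"""

# Constructed: the same files after applying the accepted answer.
FIXED_NETWORK = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config interface 'lan'
    option device 'br-lan'
    option proto 'dhcp'

config device
    option name 'br-iot'
    option type 'bridge'
    list ports 'eth0.20'

config interface 'IOT'
    option proto 'none'
    option device 'br-iot'
"""

FIXED_DHCP = BROKEN_DHCP + "    option ignore '1'\n"

if __name__ == '__main__':
    for label, net, dh in (('broken', BROKEN_NETWORK, BROKEN_DHCP),
                           ('fixed', FIXED_NETWORK, FIXED_DHCP)):
        print(label, lint_dumb_ap(net, dh) or 'OK')
```

On a real device, feed it the file contents (`lint_dumb_ap(open('/etc/config/network').read(), open('/etc/config/dhcp').read())`); the poster's config produces four findings, one for each change in the answer, and the corrected config produces none.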

Thank you soooo much, the unmanaged interface did the trick! Now everything is working like a charm. Again, thank you so much for your help!

Awesome!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
