[SOLVED] Have Tried For Weeks To Get Dummy AP With VLANs Working With OPNsense, Extremely Stuck, Extremely Frustrated

Hi,

In advance I apologize if my tone in the following comment is at all harsh, I'm just very irritated, so please be understanding.

I've been trying to get VLANs working with OPNsense as my router and OpenWrt as my dummy AP for weeks. I've tried the OpenWrt Matrix chat repeatedly, to no avail, I've tried the OPNsense forum where there was someone who was very generous with their time but still did not succeed in getting it working after about 2 weeks of back and forth, I've watched multiple videos on the topic (many of them repeatedly while trying to follow along on my AP), I've read plenty of articles on it, and I'm just at my wit's end.

I really need to be given baby steps here, so if you're willing to do that, awesome, if not, that's fine, it's a lot to ask and I'm not entitled to your time, this is an open-source project with no obligation to help users, but my head is going to explode if someone just posts another article at me as if the answer is obvious and if only I read yet another thing it would all make sense.

I will include a photo of my current topology. All the OPNsense VLANs work just fine, I can see my devices getting DHCPv4 leases on the appropriate VLANs when I plug them physically into my switch. However on OpenWrt I can't get things to work. It's a little hard to describe what I can't get to work because at this point I've tried so many different things and based on my strategy I've gotten different errors, sometimes disconnection, sometimes SSIDs which I can connect to but have no internet and where nothing can be pinged, sometimes SSIDs which can't be connected to at all. But in the broadest terms, the problem is that I can't seem to reach a configuration where OpenWrt broadcasts wireless networks associated with the VLANs managed by OPNsense and where I can connect devices wirelessly to these VLANs and see OPNsense issue a DHCPv4 lease to the wirelessly connected device on the appropriate VLAN, just as if I had physically connected the device.

I've just factory reset OpenWrt yet again, something which at this point feels like a macabre ritual that I perform many times a day to punish myself, and I just want to know, step by step in terms that someone with the IQ of a small woodland animal could understand, how to make this work.

Hardware:

  • OPNsense on Protectli Vault FW4B.
  • Switch is Cisco Catalyst 3750X 24 Port Layer 3 Gigabit Switch
  • OpenWrt is on a TP-Link AC1750

Software:

  • OpenWRT 23.05.0
  • OPNsense 23.7.9-amd64

This is my topology. Solid lines are for things that are implemented, dashed lines for things I'm trying to implement. If it's at all hard to read, open the image itself in a fresh tab, it will all be legible.

Thanks again to anyone willing to help, and if nobody is that's fine I understand it's a lot to ask someone to walk through this all.

Happy holidays.

We should be able to get you going... I'll read the complete post in a moment and reply with any comments/questions, but we're going to need to see your config, so let's start there:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

This should be relatively easy to do -- the key is just learning/knowing the nuances of how OpenWrt works. You'll get it soon... but we'll help get you there.

Before going any further...

thank you for recognizing this. This forum has some really amazing contributors, but there are some people who come here expecting/demanding help with no such understanding. It's refreshing to see... thanks.

Now... on with the show.

Great... that's the first place we always want to start.

That said, in your diagram, I'm seeing "access port" for port 6 that connects to OpenWrt. You need this to be a trunk with all the VLANs that you wish to use on OpenWrt (including your lan or management network).

So, on that note -- please provide the VLAN IDs and the port configuration information that relates to port 6. We also need to know if you have an untagged network on that port, or if they're all tagged.

I'd recommend that you upgrade to the latest -- currently 23.05.2.

Once I know the VLAN IDs and have the default config from your device, I can start showing you the process for building out your VLANs on OpenWrt.

EDIT: One more thing I need -- what is the address you want this device to use on your network (i.e. on your trusted lan or management network)? And what is the size of that subnet (/24 would be the most common)?


This should be relatively easy to do -- the key is just learning/knowing the nuances of how OpenWrt works. You'll get it soon... but we'll help get you there.

Cool, I really don't mind putting in a lot of time. I know how powerful OpenWrt is, and that's why I want to get it working so badly. I've gone "the long way" with many other pieces of tech with brutal learning curves like Haskell or NixOS, and it always pays off. The problem is just when it feels like I'm not making any progress and I have no clue how to. But I'm always willing to have a positive attitude and keep trying if there is some kind of tangible path forward.

thank you for recognizing this. This forum has some really amazing contributors, but there are some people who come here expecting/demanding help with no such understanding. It's refreshing to see... thanks.

Of course, although I'm a novice with networking, I've been programming for years, and I know how it is from the dev's perspective. It's no fun to put a ton of work into making code, only to have people shit on you for not also being a personal help line. Totally get it.

I'd recommend that you upgrade to the latest -- currently 23.05.2.

Done.

So, on that note -- please provide the VLAN IDs and the port configuration information that relates to port 6. We also need to know if you have an untagged network on that port, or if they're all tagged.

Sure. Here's the output of show running-config which I suspect will give you what you want regarding the switch configuration. Cisco has these "smartport" types, and "Access Port" is a trunk type:

switch#show running-config
Building configuration...

Current configuration : 5809 bytes
!
! Last configuration change at 13:01:15 UTC Wed Dec 13 2023
! NVRAM config last updated at 16:10:25 UTC Tue Dec 12 2023
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 REDACTED
!
!
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
switch 1 provision ws-c3750x-24
system mtu routing 1500
!
!
ip domain-name home
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
!
spanning-tree mode pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 mls qos trust dscp
 macro description cisco-router
 auto qos trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport access vlan 3
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
 switchport access vlan 4
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/5
 switchport access vlan 5
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 7
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos trust
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
!
ip default-gateway 10.0.0.1
ip classless
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
 password REDACTED
 login
 length 0
line vty 5 15
 password REDACTED
 login
 length 0
!
end

The VLANs are configured in OPNsense, as you know, so I'll just list them all here, all are /24, with DHCPv4 enabled, and a DHCP range of 10.0.x.50 - 10.0.x.254:

CORE: 10.0.2.1/24
SERVER_1: 10.0.3.1/24
SERVER_2: 10.0.4.1/24
DEVICES: 10.0.5.1/24
GUEST: 10.0.6.1/24
OPENWRT_MANAGEMENT: 10.0.7.1/24

EDIT: One more thing I need -- what is the address you want this device to use on your network (i.e. on your trusted lan or management network)? And what is the size of that subnet (/24 would be the most common)?

I'd ideally like it to be on OPENWRT_MANAGEMENT, with IP 10.0.7.2/24. For simplicity's sake, everything is currently /24. I'm flexible on this though, if you have a preferred way of doing things I'm not attached to this particular schema.

Now for the OpenWrt config stuff you requested. I'll just add before posting it that this is after factory reset with a few very small changes just so I can access it with my topology. The only changes I've made are setting an IP of 10.0.7.2 and a gateway of 10.0.7.1 on OpenWrt lan interface, adding my SSH key so I can sign in easily, and putting a password on the device.

ubus call system board

{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.7.2/24'
	list ipaddr '192.168.1.1/24'
	option gateway '10.0.7.1'

config device
	option name 'eth0.2'
	option macaddr 'REDACTED'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

And thank you for being willing to take a look at all this, I appreciate your time.

I should maybe also add that I'm doing all this work from "desktop" on "CORE" (see topology diagram).

So with your current swconfig based configuration, you have only set up untagged traffic on the LAN ports.

I don't speak the world of Cisco, so I cannot reliably review/confirm your config there. Fundamentally, we need to make sure that all of the networks are present on port 6 (minimum all but one of them tagged, or all tagged -- for now, we can keep the management network untagged). In the vernacular of most other vendors, an access port is one that has just a single network, untagged. This makes an "access port" suitable for non-VLAN aware end devices (i.e. computers, game consoles, STBs, etc.) to 'access' the network. A trunk, on the other hand, is usually the way we speak about a port that has more than one network (zero or one untagged + one or many tagged). (My apologies if this is stuff you already know; just want to make sure we're aligned on terminology).

So it looks like you have 6 VLANs. VLANs 2-7.

Let's create those VLANs on the C7's switch (note: I don't know which logical port maps to physical port 1 -- I'm going to assume logical port 2, but this could be wrong and we can fix this later if so):

The TL;DR is that each VLAN will look like this:

config switch_vlan
	option device 'switch0'
	option vlan 'x'
	option ports '2t 0t'

config device
	option name 'br-vlanx'
	option type 'bridge'
	list ports 'eth0.x'

config interface 'vlanx'
	option device 'br-vlanx'
	option proto 'none'

So let's get to the details:

First, we need to edit VLAN2 (which, by default is used by the wan) so that it uses logical port 2, tagged (thus 2t):

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2t 0t'

Now we'll add the others:

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '2t 0t'

Next, we'll create VLAN 7 for consistency - we'll make that untagged on port 2 (which means we need to remove untagged port 2 from VLAN 1), like this:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 4 5 0t'

And add:

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option ports '2 0t'

Now we have all the VLANs created on the switch. We'll edit br-lan to use eth0.7:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.7'

And we should remove the extraneous address from the lan interface:

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.7.2/24'
	option gateway '10.0.7.1'

Now, we make bridges for each of the VLANs:

config device
	option name 'br-core'
	option type 'bridge'
	list ports 'eth0.2'

config device
	option name 'br-server1'
	option type 'bridge'
	list ports 'eth0.3'

config device
	option name 'br-server2'
	option type 'bridge'
	list ports 'eth0.4'

config device
	option name 'br-devices'
	option type 'bridge'
	list ports 'eth0.5'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.6'

And finally, create unmanaged network interfaces for each of the networks:

config interface 'core'
	option device 'br-core'
	option proto 'none'

config interface 'server1'
	option device 'br-server1'
	option proto 'none'

config interface 'server2'
	option device 'br-server2'
	option proto 'none'

config interface 'devices'
	option device 'br-devices'
	option proto 'none'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

Once all of this is done, reboot the router. You should be able to connect to 10.0.7.2 via the connection to port lan1 (unless I have messed up the port mapping [1]).

Next, you'll create SSIDs for each of the VLANs and attach them to the network name.
Assuming your upstream is configured properly, this will all work.


  1. If port 1 doesn't work, try ports 2-4 until you are able to connect... easy to fix.

Oh... and one more thing:

Make sure you turn off the DHCP server on lan explicitly via the config file - make it look like this:

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
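
A small checker for the swconfig layout described above, added here as an example (it is not from the thread or from OpenWrt): it parses the switch_vlan, device and interface sections of /etc/config/network and flags a physical port left untagged in two VLANs, a VLAN whose eth0.N is attached to no bridge or interface, and, for a given logical port, which addressed interface you would reach when plugged into it untagged (None meaning you have locked yourself out). The sample config is a constructed cut-down of the broken state where br-lan still points at eth0.1; eth0 as the switch's parent device is an assumption.

```python
"""Sanity-check a swconfig VLAN layout in an OpenWrt /etc/config/network (added example)."""
import re
from collections import defaultdict

CPU_PORT = "0"
SWITCH_DEV = "eth0"   # assumption: the switch's VLAN subinterfaces are eth0.N


def parse_uci(text):
    """Return a list of (type, name, {key: [values]}) for UCI-formatted text."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            sections.append((m.group(1), m.group(2), defaultdict(list)))
            continue
        m = re.match(r"^(option|list)\s+(\S+)\s+'?([^']*)'?$", line)
        if m and sections:
            sections[-1][2][m.group(2)].append(m.group(3))
    return sections


def check_switch_layout(text):
    """Return human-readable problems with the switch_vlan <-> bridge/interface wiring."""
    problems, sections = [], parse_uci(text)
    vlans, untagged_owner = {}, {}          # vlan id -> ports ; port -> vlan owning it untagged
    for typ, _name, o in sections:
        if typ != "switch_vlan":
            continue
        vid, ports = o["vlan"][0], o["ports"][0].split()
        vlans[vid] = ports
        if CPU_PORT + "t" not in ports:
            problems.append(f"VLAN {vid}: CPU port {CPU_PORT} is not tagged ('{CPU_PORT}t')")
        for p in (p for p in ports if not p.endswith("t")):
            if p in untagged_owner:
                problems.append(f"port {p} is untagged in both VLAN {untagged_owner[p]} and VLAN {vid}")
            untagged_owner.setdefault(p, vid)
    # Every eth0.N that some bridge carries or some interface uses directly.
    used = set()
    for typ, _name, o in sections:
        used.update(o["ports"] if typ == "device" else o["device"] if typ == "interface" else [])
    for vid in vlans:
        if f"{SWITCH_DEV}.{vid}" not in used:
            problems.append(f"VLAN {vid} exists on the switch but {SWITCH_DEV}.{vid} is attached to no bridge or interface")
    for sub in sorted(used):
        m = re.fullmatch(re.escape(SWITCH_DEV) + r"\.(\d+)", sub)
        if m and m.group(1) not in vlans:
            problems.append(f"{sub} is referenced but there is no switch_vlan with vlan '{m.group(1)}'")
    return problems


def reachable_via(text, port):
    """Name of the addressed interface reached from logical switch `port` (untagged), else None."""
    sections = parse_uci(text)
    vid = next((o["vlan"][0] for t, _n, o in sections
                if t == "switch_vlan" and port in o["ports"][0].split()), None)
    if vid is None:
        return None
    carrier = f"{SWITCH_DEV}.{vid}"
    for typ, _name, o in sections:            # a bridge carrying the subinterface, if any
        if typ == "device" and carrier in o["ports"]:
            carrier = o["name"][0]
    for typ, name, o in sections:
        if typ == "interface" and carrier in o["device"] and o["ipaddr"]:
            return name
    return None


# Constructed sample: the broken state (VLAN 7 created, br-lan still on eth0.1).
BROKEN = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '10.0.7.2/24'
	option gateway '10.0.7.1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option ports '2 0t'

config device
	option name 'br-core'
	option type 'bridge'
	list ports 'eth0.2'

config interface 'core'
	option device 'br-core'
	option proto 'none'
"""
FIXED = BROKEN.replace("list ports 'eth0.1'", "list ports 'eth0.7'")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_switch_layout(cfg), "port 2 ->", reachable_via(cfg, "2"))
```

With the fix applied the checker still notes that VLAN 1 (ports 3-5) is left with no interface, which is why those ports stop answering on 10.0.7.2 once br-lan moves to eth0.7.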

So with your current swconfig based configuration, you have only set up untagged traffic on the LAN ports.

Thanks for commenting slh. Again, I'm a novice with networking, this comment does not translate in my mind into a set of changes I need to make to my setup.

I don't speak the world of Cisco, so I cannot reliably review/confirm your config there.

Ok, I'm about to go through all the steps you've listed below, but it seems like the switch is a potential error point that will break the whole thing. So without posting any Cisco command line stuff, I'll just send two photos here. It looks to me from these that the port is a trunk type, and has a native rather than an access VLAN. Can you confirm this is what we want before I continue through your suggested modifications to the config file. I wouldn't want to make them all then just find myself locked out because I screwed up something upstream of the AP. I'll have to put the next photo in a followup post because of the new user media embed limit.

Looks like a trunk, indeed. The thing to verify is that all of your networks are included in the trunk... it should probably be configured the same way as port 1.

Ok, I've changed it to be the same type as the router port. It still has a native VLAN of 7, I'm pretty sure without this I won't be able to connect at 10.0.7.2. Hopefully that's what we want here. I'll try to implement your config changes now.

Yes, for now anyway... we can make it tagged later if you want.

Ok, I made the modifications you suggested then rebooted. Here are the current versions of the two files you had me modify:

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.7.2/24'
	option gateway '10.0.7.1'

config device
	option name 'eth0.2'
	option macaddr 'REDACTED'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '2t 0t'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option ports '2 0t'

config device
	option name 'br-core'
	option type 'bridge'
	list ports 'eth0.2'

config device
	option name 'br-server1'
	option type 'bridge'
	list ports 'eth0.3'

config device
	option name 'br-server2'
	option type 'bridge'
	list ports 'eth0.4'

config device
	option name 'br-devices'
	option type 'bridge'
	list ports 'eth0.5'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.6'

config interface 'core'
	option device 'br-core'
	option proto 'none'

config interface 'server1'
	option device 'br-server1'
	option proto 'none'

config interface 'server2'
	option device 'br-server2'
	option proto 'none'

config interface 'devices'
	option device 'br-devices'
	option proto 'none'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

/etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

After rebooting I can no longer ssh into or even ping 10.0.7.2 from desktop on CORE. I also rebooted OPNsense for good measure, which had no effect.

The one missing item was associating vlan 7 with br-lan.

Try plugging into one of the other ports -- you should hopefully be able to access the device that way (10.0.7.2 via one of the other ports: 2-4).

Once you're in, edit br-lan to use eth0.7.

Ok, I was able to do that and now I'm back in via ssh on physical port 1 of the OpenWrt device at 10.0.7.2.

Great!

Now you can start creating wifi networks for your VLANs.

Ok, so I'm getting something that I've gotten before. This is /etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'GUEST'
	option encryption 'sae'
	option key 'pass'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

I see GUEST when I scan for networks, but if I try to connect, on my phone for ex, it just says "Obtaining IP address..." forever, then "Saved / IP configuration failure". On the OpenWrt side, I can see this in Wireless Overview briefly then it vanishes:

And I see no lease on GUEST in OPNsense.

The password there is a dummy pass, don't worry about it being visible.

Have you verified that the guest network is functioning properly from the router > switch?

Test this:

  • create an access port for the guest network (i.e. vlan6 untagged on a port on your switch)
  • plug a computer into that port and see if it gets an IP address and expected connectivity.

Ok, there is something f-ed with GUEST. I'll find that out later, but I just made an SSID for DEVICES instead, which I know is working (printer is on it right now via physical connection), and it works. Thank you SO much for helping with this. I wonder if I ever technically got to a working config before then failed because I used GUEST for the wireless and assumed the VLANs on OpenWrt were messed up rather than GUEST.

I massively appreciate your time here. You may see more of me because I don't ever want to be too quick to assume something is fixed after it killed me for weeks (sometimes I think it works then I realize it's still in some way busted), but for all I can tell it's working now. This makes me so happy. I'm going to now be able to tinker with and study your config to understand what's going on in detail.

:slight_smile:

Yeah, that doesn't entirely surprise me because I had confidence in the OpenWrt config.

Awesome!

Hard to know without looking at your previous attempts, but it works now and that's what matters!

My pleasure.

Sounds good. Feel free to ask questions as they come up.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile: