[Solved] How can I get guest Wifi Vlan ID to work on a dumb AP?

I followed the guide online and created a separate vlan for guest network on a dumb AP.
This is what I did.

Upstream router [WRT3200ACM]
Created a new guest interface and added vlan lan1.3 to it.

Downstream router [EAP615wall]
Created a new guest interface and added a Vlan lan0.3 to it.

I can see the guest interface on the AP is correctly getting the IP address listed on the interface box but as soon as I add a WiFi to EAP615wall lan0.3 there is no IP assigned to any wifi devices, they can connect but no IP address. If I attach the wifi to the lan interface then everything starts working.

I experimented with bridge on the AP with no success.

Firewall, dnsmasq and odhcpd are disabled on the AP.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdxx::/64'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'guest'
	option proto 'dhcp'
	option device 'lan0.3'
	option hostname 'Guest'
	option type 'bridge'

config device
	option name 'lan0.3'
	option type '8021q'
	option ifname 'lan0'
	option vid '3'
	option macaddr '34:60:F9:FB:22:D5'

/etc/config/wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '11'
	option band '2g'
	option htmode 'HE40'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2+ccmp'
	option skip_inactivity_poll '1'
	option disassoc_low_ack '0'
	option key 'xxx'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '149'
	option band '5g'
	option htmode 'HE80'
	option country 'US'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'xxx'
	option encryption 'psk2+ccmp'
	option skip_inactivity_poll '1'
	option disassoc_low_ack '0'
	option key 'xxx'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Test'
	option encryption 'psk2+ccmp'
	option isolate '1'
	option skip_inactivity_poll '1'
	option disassoc_low_ack '0'
	option key 'xxx'
	option network 'guest'

You need to use bridge VLANs.... your VLAN configuration as shown is entirely invalid.

What physical port is carrying VLAN3? I assume it is tagged on that port?

lan0 is getting internet from the router

Ok... So the rest of this will assume VLAN 3 is already setup on the main router and that it is all properly configured upstream.

start by deleting this:

Next, add bridge-vlans:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan0:t'

Next, edit the lan interface to use br-lan.1 and the guest interface to use br-lan.3. We'll also be making the guest interface unmanaged and the bridge type needs to be removed:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.3'

Reboot and test again.

Looks like I am getting IP address for connected devices now but no Internet.

I created a new interface on the upstream router WRT3200ACM by adding lan1.3 to it and I think this might be the problem.

This is the network on the main upstream router. Let me know how to correctly create a vlan 3 on port 1 which connects the AP.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdxx::/64'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.88.88.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip6hint '00'

config device
	option name 'wan'
	option macaddr 'xxx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'force'
	option reqprefix '56'
	option peerdns '0'
	list dns '2001:4860:4860:0000:0000:0000:0000:8888'
	list dns '2001:4860:4860:0000:0000:0000:0000:8844'

config interface 'iot'
	option proto 'static'
	option device 'lan3'
	option ipaddr '10.132.241.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option proto 'static'
	option device 'lan1.3'
	option ipaddr '10.88.22.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

Yup... that would also be wrong for the same reasons.

Word of caution -- you may need to re-do your iot network with bridge-vlans... not sure if this is going to break that. We'll find out shortly:

create bridge VLANs again:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'

Then edit the lan and guest networks to use br-lan.1 and br-lan.3:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '10.88.88.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip6hint '00'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '10.88.22.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

Restart this router and test again. If it still doesn't work, we need to look at the dhcp and firewall files.

Thank you very much, I will try this config at night when no one is using the Internet and let you know. :+1:

IOT network is on a different port 3. AP is on port 1.

Regarding the IoT network -- yes, I saw that it is on port 3. However, when setting up bridge-VLANs, it is possible we'll need to do this instead (you don't need to do this unless the IoT network breaks):

Add lan3 back to br-lan:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

create a bridge VLAN for VLAN 2 on port lan3 untagged:

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan3:u*'

And then change the iot network interface to use br-lan.2

config interface 'iot'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '10.132.241.1'
	option netmask '255.255.255.0'

Looks like it is working great. IOT is also working too without creating any additional config. :100:

Thanks !

Awesome!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

If anyone in the future comes here for help here are the screenshots for main router and downstream AP.

Upstream Router [WRT3200ACM]

Downstream Router [EAP615-Wall]

These two videos I watched before I tried to create my VLans, they are very helpful.

One last question for the access point, if I want to move lan1 lan2 and lan3 to Guest Vlan 3 do I have to do something like this?

1 U* - - -
3 T T T T

?

If you have a port only on a single VLAN set to primary then you don't need to tag it.
The port will be connected to that VLAN directly, and connected devices will behave as if there's no VLANs at all.

@3_95gy68q is correct.

You'll use u* for ports lan1-lan3, assuming the intent is to connect normal (non-VLAN aware) devices to those ports.

In other words:

1 U* - - -
3 T u* u* u*
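
Added example, not part of the original thread: a small Python check for the three mistakes discussed above (a `lanX.N` VLAN device on a port that is already a bridge member, `option type 'bridge'` left on an interface, and bridge-vlan ports that are tagged only). The function names `parse_uci` and `lint` are made up for this sketch, and the sample configs are trimmed from the ones posted in the thread.

```python
import re
from collections import defaultdict

def parse_uci(text):
    """Parse UCI text into sections (parse_uci/lint are names made up for this example)."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?", line)
        if not m:
            continue
        kind, key, val = m.group(1), m.group(2), (m.group(3) or "").strip()
        if kind == "config":
            sections.append({"_type": key, "_name": val})
        elif sections and kind == "option":
            sections[-1][key] = val
        elif sections:
            sections[-1].setdefault(key, []).append(val)
    return sections

def lint(text):
    """Return findings for the VLAN mistakes discussed in this thread."""
    secs, findings, flags_by_port = parse_uci(text), [], defaultdict(list)
    bridged = {p for s in secs if s["_type"] == "device" and s.get("type") == "bridge"
               for p in s.get("ports", [])}
    for s in secs:
        dev = s.get("device", "")
        if s["_type"] == "interface":
            if "." in dev and dev.split(".")[0] in bridged:
                findings.append(f"{s['_name']}: {dev} is a VLAN on a bridge member port")
            if s.get("type") == "bridge":
                findings.append(f"{s['_name']}: legacy 'option type bridge' on an interface")
        elif s["_type"] == "bridge-vlan":
            for port in s.get("ports", []):
                name, _, flags = port.partition(":")
                flags_by_port[name].append(flags)
    for port, flags in sorted(flags_by_port.items()):
        if all("t" in f for f in flags):  # no untagged VLAN on this port
            findings.append(f"{port}: tagged only, plain clients need u*")
    return findings

# Constructed samples, trimmed from the AP configs posted in the thread.
BRIDGE = "config device\n option name 'br-lan'\n option type 'bridge'\n" + "".join(
    f" list ports 'lan{i}'\n" for i in range(4))
BEFORE = BRIDGE + "config interface 'guest'\n option device 'lan0.3'\n option type 'bridge'\n"
VLANS = ("config bridge-vlan\n option device 'br-lan'\n option vlan '1'\n list ports 'lan0:u*'\n"
         "config bridge-vlan\n option device 'br-lan'\n option vlan '3'\n list ports 'lan0:t'\n")
AFTER = BRIDGE + VLANS + "config interface 'guest'\n option device 'br-lan.3'\n"
if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, lint(cfg) or "ok")
```

A tagged-only port is correct for a trunk to a VLAN-aware device, so treat that finding as a prompt to confirm what is plugged into the port.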