I have a TP-Link 3600 running the latest OpenWrt release, 19.07.4.
I have configured OpenWrt as an AP in "dumb AP" mode (there is a Cisco router behind it that does the inter-VLAN routing).
I have setup three vlans @ AP:
vlan10 - management - everything good here
vlan11 - employees
vlan12 - guests
That router has .11n bgn and .11an radios. (wlan0 and wlan1 accordingly)
My idea is to broadcast the employee SSID on both radios and the guest SSID on radio0.
take a look at sections "vlan11" and "vlan12"
I implemented following config:
# Management bridge on VLAN 10 (eth0.10). This is the only interface section
# shown here that carries an IP address, so it is the only network on which
# the AP itself is reachable.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.10'
option proto 'static'
option ipaddr '192.168.172.14'
option netmask '255.255.255.240'
option gateway '192.168.172.1'
option broadcast '192.168.172.15'
# Commented-out alternative resolver list:
# option dns '192.168.172.2 192.168.172.4'
option dns '127.0.0.1'
# Employee bridge on VLAN 11 (eth0.11).
# NOTE(review): proto 'static' is set but no ipaddr follows. The replies in
# this thread recommend proto 'none' for a pure L2 bridge, which also keeps
# the AP without an address on this network.
# NOTE(review): wlan0/wlan1 are listed in ifname; the replies recommend
# listing only the eth devices here and attaching each SSID through
# "option network" in /etc/config/wireless instead.
config interface 'vlan11'
option type 'bridge'
option proto 'static'
option ifname 'eth0.11 wlan0 wlan1'
option ipv6 '0'
# Guest bridge on VLAN 12 (eth0.12).
# NOTE(review): proto 'static' with no ipaddr, same as vlan11. Per the replies
# in this thread, proto 'none' is the intended setting for a bridge-only
# network; on a guest VLAN it also means the AP exposes no address of its own
# to guest clients.
# NOTE(review): wlan0 is listed in ifname here as well as under vlan11; the
# replies recommend keeping wlan names out of this file entirely.
config interface 'vlan12'
option type 'bridge'
option proto 'static'
option ifname 'eth0.12 wlan0'
option ipv6 '0'
after applying this config I see that vlan 11 can use only AN radio but not BGN (there is no wlan0 in bridge config br-vlan11)
root@ap:/home/sam# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.e8de27ff9f45 no eth0.10
br-vlan11 7fff.e8de27ff9f45 no eth0.11
wlan1
br-vlan12 7fff.e8de27ff9f45 no eth0.12
wlan0
Even if I shut down the bridge interface and all of its physical members, I'm still not able to add one more interface to the existing bridge:
root@ap:/home/sam#
root@ap:/home/sam# ip link set br-vlan11 down
root@ap:/home/sam# ip link set eth0.11 down
root@ap:/home/sam# ip link set wlan1 down
root@ap:/home/sam#
root@ap:/home/sam# brctl addif br-vlan11 wlan0
brctl: bridge br-vlan11: Resource busy
root@ap:/home/sam#
Do not add the wireless interfaces to the bridges on "/etc/config/network"; you should configure the interface as bridges, but mention only the wired devices.
Then, on the wireless configuration, each BSSID is linked to an interface, and OpenWrt does the bridging.
so both radios have to broadcast SSID "a81m", but I still see vlan 11 for radio1 (radio0 missing) and vlan12 for radio0
root@ap:/home/sam# wifi
root@ap:/home/sam# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.e8de27ff9f45 no eth0.10
br-vlan11 7fff.e8de27ff9f45 no eth0.11
wlan1
br-vlan12 7fff.e8de27ff9f45 no eth0.12
wlan0
root@ap:/home/sam#
Bridges that exist purely to link a wired VLAN to wireless should be proto none, not static. One of your VLANs should hold an IP address so you can log into the router. With proto none on the others, the router has no IP address on those networks, so users of those networks cannot reach the router's own services and are blocked from hacking into the OS.
Make sure your switch configuration corresponds. Each VLAN on the cable should have a switch_vlan which is tagged on both the trunk cable and the CPU port.
i got your point (static/none mode), but management vlan 10 (actually this is not L2 VLAN but L3 SVI) has IP address assigned. Rest of VLANs 11 & 12 are clear L2 VLANs tagged (dot1q trunk to Cisco router). router performing inter vlan routing. all three VLANs tagged to trunk port and CPU. This is not the question/issue. (see my initial post)
Two (or more) APs to one VLAN would be as @eduperez said, in each of their sections in /etc/config wireless, reference the same network bridge e.g. option network 'vlan12'. Do not have any wlan numbers in /etc/config/network, only eth numbers.
An option proto static without at least an IP address is an incomplete configuration, which would have undefined results. Use option proto none to make a bridge with no protocol connection to the kernel.
# Radio section for the 2.4 GHz device (hwmode '11g', channel 11, HT40-).
config wifi-device 'radio0'
option disabled '0'
option path 'platform/ahb/18100000.wmac'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option htmode 'HT40-' #for channel 6,11 only
option txpower '22'
option noscan '1'
option distance '40'
option diversity '1'
option require_mode 'ng'
option beacon_int '300'
option wpa_group_rekey '600'
# HT capability flags advertised by this radio.
list ht_capab 'SHORT-GI-20'
list ht_capab 'SHORT-GI-40'
list ht_capab 'RX-STBC1'
list ht_capab 'TX-STBC'
list ht_capab 'DSSS_CCK-40'
list ht_capab 'LDPC'
list ht_capab 'MAX-AMSDU-7935'
option ldpc '1'
option short_gi_20 '1'
option short_gi_40 '1'
#option tx_stbc '1'
#option rx_stbc '1'
option max_amsdu '1'
option dsss_cck_40 '1'
option legacy_rates '0'
# The options below apply to the madwifi driver only and are left disabled.
#option bursting '1'
#option ff '1'
#option compression '1'
#option uapsd '0'
option log_level '0' #0 = verbose debugging, 1 = debugging, 2 = informational messages, 3 = notification, 4 = warning
option country 'CA'
# Employee SSID 'a81m' on radio0, attached to network 'vlan11'.
# encryption 'wpa2+ccmp' together with auth_server/auth_port/auth_secret is
# WPA2-Enterprise: clients authenticate against the RADIUS server below.
config wifi-iface
option device 'radio0'
option network 'vlan11'
option mode 'ap'
option ssid 'a81m'
option encryption 'wpa2+ccmp'
option auth_server '192.168.172.2'
option auth_port '1812'
option auth_secret '-= censored =-'
option nasid '1st-AP'
option wmm '1'
#option encryption 'psk2+ccmp'
#option key '-= censored =-'
option disassoc_low_ack '0'
option powersave '0'
option short_preamble '1'
# 802.11v lets client devices exchange information about the network topology and the RF environment, which helps clients make better roaming decisions.
# NOTE(review): the next line has no leading "option" keyword, unlike every other setting in this section; it is probably not parsed as intended. Confirm against the file on the device.
ieee80211v '1'
# 802.11h adds Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) to the 802.11a PHY; it is irrelevant for this 2.4 GHz radio, so it stays disabled.
#option doth '1'
option wpa_disable_eapol_key_retries '0' # this and tdls_prohibit below are the AP-side workarounds for key reinstallation attacks (KRACK); each is active only when set to '1', so with '0' neither workaround is enabled here
option tdls_prohibit '0'
# Deny-list MAC filter: the single address below is refused. A MAC filter is
# not an authentication control; access to this SSID is governed by the
# WPA2-Enterprise settings above.
option macfilter 'deny'
option maclist 'E0:06:E6:80:0F:DB'
# NOTE(review): as pasted there is no "config wifi-iface" line before the
# second "option device 'radio0'" below. If the real file looks the same, UCI
# treats everything down to the next "config" line as ONE section, and the
# later ssid/network/encryption values replace the earlier ones. radio0 would
# then carry only 'a81m-guest' on vlan12, which matches the brctl output
# (wlan0 only in br-vlan12). Confirm against the file on the device.
# Guest SSID 'a81m-guest' on radio0, attached to network 'vlan12', WPA2-PSK.
option device 'radio0'
option mode 'ap'
option bgscan '0'
#option wds '0'
option ssid 'a81m-guest'
option network 'vlan12'
# isolate '1': wireless clients on this SSID are isolated from each other.
option isolate '1'
option encryption 'psk2+ccmp'
#option encryption 'psk2+aes'
option key '-= censored =-'
option disassoc_low_ack '0'
option wmm '0'
option hidden '0'
#option powersave '1'
option short_preamble '0'
# Radio section for the 5 GHz device (hwmode '11a', channel 36, HT40).
config wifi-device 'radio1'
option disabled '0'
option type 'mac80211'
option channel '36'
# NOTE(review): the key below is spelled 'contry', while radio0 uses
# 'country'. As spelled it is presumably ignored, leaving this radio without
# an explicit regulatory domain. Confirm and correct on the device.
option contry 'CA'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'HT40'
option txpower '20'
option distance '40'
# Employee SSID 'a81m' on radio1, attached to network 'vlan11'.
# encryption 'wpa2+ccmp' together with auth_server/auth_port/auth_secret is
# WPA2-Enterprise: clients authenticate against the RADIUS server below.
config wifi-iface
option device 'radio1'
option network 'vlan11'
option mode 'ap'
option ssid 'a81m'
option encryption 'wpa2+ccmp'
option auth_server '192.168.172.2'
option auth_port '1812'
option auth_secret '-=censored=-'
option nasid '1st-APP'
option wmm '1'
#option encryption 'psk2+ccmp'
#option key '-= censored =-'
option disassoc_low_ack '0'
option powersave '0'
option short_preamble '1'
# 802.11v lets client devices exchange information about the network topology and the RF environment.
# NOTE(review): the next line has no leading "option" keyword, unlike every other setting in this section; it is probably not parsed as intended. Confirm against the file on the device.
ieee80211v '1'
# 802.11h adds Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) to the 802.11a PHY; left disabled here.
#option doth '1'
option wpa_disable_eapol_key_retries '0' # this and tdls_prohibit below are the AP-side workarounds for key reinstallation attacks (KRACK); each is active only when set to '1', so with '0' neither workaround is enabled here
option tdls_prohibit '0'
# Deny-list MAC filter: the single address below is refused. A MAC filter is
# not an authentication control; access to this SSID is governed by the
# WPA2-Enterprise settings above.
option macfilter 'deny'
option maclist 'E0:06:E6:80:0F:DB'
What's wrong?
with configs above brctl shows me:
root@ap:/home/sam# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.e8de27ff9f45 no eth0.10
br-vlan11 7fff.e8de27ff9f45 no eth0.11
wlan1
br-vlan12 7fff.e8de27ff9f45 no eth0.12
wlan0
root@ap:/home/sam#
and I'm not able to reach the wired network (i.e. get a DHCP address from the server behind the router, which has DHCP relay configured on it) whenever I associate with the AP.