[Solved] RT-AX53U Bridge/VLAN Config

I saw the other thread on problems with the "new style" configuration but . My config looks like this:

  1. SSIDs for the primary 2.4GHz network and 5GHz network. These are both on "default" (on DD-WRT they show up on VLAN 1 if you configure multiples, and you MUST if you want more than one.)

  2. Secondary SSID for a GUEST 2.4GHz network on VLAN 3.

With DD-WRT this took me a good while to figure out, but once I did it was easy (even if it didn't make a lot of sense to me); the default setup had one bridge (br0) and then you set up br1 with the wireless interface (e.g. wl0.1) and the VLAN you were using for the guest (vlan3). Br0 would then show up as having eth1 and eth2 in it, plus VLAN 1 and 2 -- "2" is the WAN port (which I'm not using as this is just an AP).

Then you set the VLANs to be tagged and both 1 and 3 to the ethernet port you wanted on the switch, and it worked -- but your switch had to be configured to tag ALL packets for both VLANs; you couldn't "split" it (leave the base untagged), which is fine.

Doing what, as close as I can figure, is the same setup on OpenWrt doesn't work at all. I'm going through LuCI and the base has br-lan there with no VLAN filtering. I went into Network->Interfaces and defined br-lan.3 as a VLAN 802.1q, and configured that, with the base device being br-lan. This is fine and applies without problems.

But -- as soon as I turn on br-lan.3 here (anything in the hyphens fields) I lose access and after a while LuCI reverts it (good, as otherwise I'd be locked out.) Plugging into a separate cable on the switch that has both VLANs 1 and 3 tagged on all frames doesn't help so whatever is going on it screws it immediately.

It's OK for the base SSIDs to be on VLAN 1, since the switch it's connected to can either tag or untag there (either tag secondary VLANs or tag all), and "1" is the "base" VLAN. But I need the secondary "guest" SSID on the same LAN port -- not two separate ports.

The "must tag everything" sorcery for DD-WRT took a while to figure out and is apparently a switch limitation but in this case that's not helping -- if I make that change and then switch the network cable to one that has both VLAN 1 and 3 tagged I lose connectivity, so I'm obviously missing something important.

This is what is in /etc/config/network and works -- until I turn on VLAN 3 on the port, then it's entirely dead.

 OpenWrt 22.03.3, r20028-43d71ad93e
 -----------------------------------------------------
root@Airgw:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdf0:de44:bce4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option vlan_filtering '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.253'
        option gateway '192.168.10.200'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'Guest'
        option device 'br-lan.3'
        option type 'bridge'
        option proto 'none'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '3'
        option name 'br-lan.3'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        option local '0'

root@Airgw:~#

Remove the vlan_filtering line.

Remove the type bridge from the interface... interfaces should not contain this line.

You can delete this.

Remove the local line. But here, the important thing is that you haven't defined which port(s) VLAN3 will use.

For example, you'd add:

        list ports 'lan1:t'

to indicate that it is tagged on port lan1 (as an example).

Ok, so as recommended....

root@Airgw:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdf0:de44:bce4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.253'
        option gateway '192.168.10.200'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'Guest'
        option device 'br-lan.3'
        option proto 'none'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'

root@Airgw:~#

Did that, did a commit, and on a reboot... I'm completely locked out; all three LAN ports are non-responsive. It came up and I can see the lan port blinking when I try to ping it, but -- nothing. Tried with both a tagged all (vlan 1 and 3) and untagged all -- no joy.

Not sure how I force a hard reset; will look at how to get back in.

Sorry that you got locked out...

Use failsafe mode. From there, you can edit your config (or reset to defaults).

So, once in failsafe, the next thing to do would be try editing the config such that you set vlan1 as untagged on all 3 ports...

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

And then change the lan to br-lan.1 like this:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.253'
        option gateway '192.168.10.200'

Ok, that appears to be working generally. I'm back in.

However, now I have my "guest" SSID -- there is no network showing up to attach it to unless I go into Network->Interfaces and define "GUEST" as being on br-lan.3 and select "unmanaged". Then, with that present, I can attach the guest SSID to it.

But now I have this, which you said shouldn't be here (the last stanza).

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd16:672e:8276::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.253'
        option gateway '192.168.10.200'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'

config device
        option name 'br-lan.3'
        option type '8021q'
        option ifname 'br-lan'
        option vid '3'

config interface 'Guest'
        option proto 'none'
        option device 'br-lan.3'

root@OpenWrt:~#

That doesn't look right...... I haven't tried to bring up the WiFi interfaces yet although I can see it on the LAN without a problem.

This is what the "network" for br-lan looks like in LuCI -- this looks correct, but the config file looks wonky..... will test sometime tomorrow and see if either or both WiFi SSIDs work as expected.

If you have trouble, let’s see your wireless file.

The last stanza in the network file is necessary. The 802.1q stanza is not. But it doesn’t hurt. Everything else looks right.
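
An added example (not written by any poster in this thread): a small linter, meant to be run on a workstation against a copy of /etc/config/network before committing, that flags the bridge-vlan mistakes this thread worked through: a VLAN with no ports, bridge ports left out of every VLAN, and an interface still attached to the bare bridge instead of br-lan.<vid>. The function names and the trimmed sample configs are constructed for illustration.

```python
import shlex

def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'opts'}."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)   # also skips shell-prompt lines
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"type": tok[1], "name": "".join(tok[2:3]), "opts": {}})
        elif len(tok) >= 3 and tok[0] == "list" and sections:
            sections[-1]["opts"].setdefault(tok[1], []).append(tok[2])
        elif len(tok) >= 3 and tok[0] == "option" and sections:
            sections[-1]["opts"][tok[1]] = tok[2]
    return sections

def lint_bridge_vlans(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    secs, vlans, out = parse_uci(text), {}, []   # vlans: bridge -> {vid: [ports]}
    for s in (s for s in secs if s["type"] == "bridge-vlan"):
        o = s["opts"]
        ports = [p.split(":")[0] for p in o.get("ports", [])]  # strip ':t' / ':u*'
        vlans.setdefault(o.get("device"), {})[o.get("vlan")] = ports
        if not ports:
            out.append(f"VLAN {o.get('vlan')} on {o.get('device')} lists no ports")
    for s in secs:
        o = s["opts"]
        if s["type"] == "device" and o.get("type") == "bridge" and o.get("name") in vlans:
            members = {p for ps in vlans[o["name"]].values() for p in ps}
            out += [f"port {p} of {o['name']} is in no VLAN"
                    for p in o.get("ports", []) if p not in members]
        elif s["type"] == "interface":
            base, _, vid = o.get("device", "").partition(".")
            if base in vlans and not vid:
                out.append(f"interface {s['name']} uses bare {base}, not {base}.<vid>")
            elif base in vlans and vid not in vlans[base]:
                out.append(f"interface {s['name']}: VLAN {vid} not defined on {base}")
    return out

# Constructed samples, trimmed from the configs posted in this thread.
BASE = ("config device\n option name 'br-lan'\n option type 'bridge'\n"
        " list ports 'lan1'\n list ports 'lan2'\n list ports 'lan3'\n"
        "config bridge-vlan\n option device 'br-lan'\n option vlan '3'\n"
        " list ports 'lan1:t'\nconfig interface 'Guest'\n option device 'br-lan.3'\n")
LOCKED_OUT = BASE + "config interface 'lan'\n option device 'br-lan'\n"
WORKING = BASE + ("config bridge-vlan\n option device 'br-lan'\n option vlan '1'\n"
                  " list ports 'lan1:u*'\n list ports 'lan2:u*'\n list ports 'lan3:u*'\n"
                  "config interface 'lan'\n option device 'br-lan.1'\n")

if __name__ == "__main__":
    print(lint_bridge_vlans(LOCKED_OUT), lint_bridge_vlans(WORKING))
```
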

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option country 'US'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Cthulhu'
        option encryption 'psk2'
        option key '**********'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option htmode 'HE80'
        option disabled '1'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Cthulhu-5g'
        option encryption 'psk2'
        option key '************'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Cthulhu_Guest'
        option disabled '1'
        option network 'Guest'
        option encryption 'psk2'
        option key '**********'
        option isolate '1'

root@OpenWrt:~#

They're all disabled right now as there is an existing AP out there with these SSIDs so my intention is to swap it and then enable them.....

Fair enough. I expect it will work, but let us know either way.

Looks good.....

great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
