Strange: first VLAN works, but the second and third are not working

Hi all, I'm new to OpenWrt and networking, so maybe I'm asking a stupid question.

I want to create my home network like this:


vLAN10: I'm supposed to use it for the networking devices, servers, NAS;
vLAN20: I'm supposed to use it for normal laptop/phone access;
vLAN30: I'm supposed to use it for IOT-related stuff;
vLAN40: I'm supposed to use it for a guest network;

All is working perfectly except AP1 and AP2 (both run OpenWrt and are located on different floors). I want them to work as a managed switch and Wi-Fi AP (with 802.11r). But apart from the first VLAN, the other VLANs cannot communicate (I have allowed ALL traffic in OPNsense).

What I had done:

  1. Created the related VLANs in Interfaces/Devices/br-lan/Bridge VLAN filtering;

  2. Created the relevant interfaces in Interfaces/Interfaces (with the related devices);

After that, I can access the internet (lease an IP from OPNsense) when I plug my laptop into Port 1. Everything looks good! When I plug my laptop into Port 2/3/4, I cannot get an IP, even if I manually configure the relevant IP address.

My AP details:
Model: Linksys E8450 (UBI)
Architecture: ARMv8 Processor rev 4
Target Platform: mediatek/mt7622
Firmware Version: OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.288.45147-96ec0cd

I created the related VLANs in Interfaces/Devices/br-lan/Bridge VLAN filtering like this:

I also created the relevant interfaces in Interfaces/Interfaces (with the related devices) like this:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board 
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

ubus call system board

root@AP02:~# ubus call system board
{
	"kernel": "5.10.146",
	"hostname": "AP02",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9d:6295:23de::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan4'
	list ports 'wan:t'

config interface '10ADM'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.110.4'
	option netmask '255.255.255.0'
	option gateway '192.168.110.1'

config interface '20NET'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.120.4'
	option netmask '255.255.255.0'
	option gateway '192.168.120.1'

config interface '30IOT'
	option device 'br-lan.30'
	option proto 'none'

config interface '40GST'
	option device 'br-lan.40'
	option proto 'none'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'wan:t'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'be_a_man'
	option encryption 'psk2'
	option ieee80211r '1'
	option nasid 'KensonAP02'
	option mobility_domain 'E8C7'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network '10ADM'
	option key '********'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'be_a_man'
	option encryption 'psk2'
	option ieee80211r '1'
	option mobility_domain 'E8C7'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option nasid 'KensonAP02'
	option network '10ADM'
	option key '********'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network '20NET'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name '10ADM'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network '10ADM'
	option forward 'ACCEPT'

config zone
	option name '20NET'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network '20NET'
	option forward 'ACCEPT'

config zone
	option name '30IOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network '30IOT'

config zone
	option name '40GST'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network '40GST'

config forwarding
	option src '20NET'
	option dest '10ADM'

config forwarding
	option src '10ADM'
	option dest '20NET'

One more thing: I can ping another subnet's gateway (let's say 192.168.120.1) from my laptop, which is plugged into port 1 (on AP01), but I cannot ping 192.168.120.1 from AP01 directly (SSH into AP01, which is 192.168.110.4).

I’d recommend setting the untagged port like this:

	list ports 'lan1:u*'

(Repeat as necessary for the other VLANs.)

The VLAN10 address doesn’t match the subnet you described in the OP — 192.168.10.0/24 - this means one of them is wrong.

Change VLAN20 to unmanaged (proto ‘none’).

VLAN50 (and VLAN1) are not specified in the OP… these can be deleted if they’re not being used.

Your wifi is only setup for VLAN10… do you want wifi for the other networks?

You can delete all of these firewall entries… they aren’t needed and may only make things more complicated.
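The three things psherman flags above (two static interfaces each installing a default gateway, VLANs 1 and 50 that exist only as tagged members of the trunk, and firewall zones that overlap) can all be read straight out of the UCI files the OP posted. The script below is an added example, not part of the thread and not OpenWrt's own tooling: a minimal UCI parser plus three checks, run against a constructed sample that is the relevant sections of the OP's /etc/config/network and /etc/config/firewall (the sample string, the function names and the wording of the findings are the example's own).

```python
"""Lint an OpenWrt UCI network/firewall pair for dumb-AP VLAN mistakes."""
import shlex
from collections import defaultdict

# Constructed sample: the bridge-vlan, interface and zone sections from the
# OP's post, trimmed to what the checks below inspect.
NETWORK = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'wan:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan1'
    list ports 'wan:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'lan2'
    list ports 'wan:t'

config interface '10ADM'
    option proto 'static'
    option device 'br-lan.10'
    option ipaddr '192.168.110.4'
    option gateway '192.168.110.1'

config interface '20NET'
    option device 'br-lan.20'
    option proto 'static'
    option ipaddr '192.168.120.4'
    option gateway '192.168.120.1'

config bridge-vlan
    option device 'br-lan'
    option vlan '50'
    list ports 'wan:t'
"""

FIREWALL = """
config zone
    option name 'lan'
    list network '20NET'

config zone
    option name '10ADM'
    list network '10ADM'

config zone
    option name '20NET'
    list network '20NET'
"""


def parse_uci(text):
    """Return [(section_type, section_name, options)] for one UCI file.
    'option' values are stored as str, 'list' values as a list of str."""
    sections = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # honours UCI's single quotes
        if not tokens:
            continue
        kind, rest = tokens[0], tokens[1:]
        if kind == "config":
            sections.append((rest[0], rest[1] if len(rest) > 1 else None, {}))
        elif kind == "option" and sections:
            sections[-1][2][rest[0]] = rest[1]
        elif kind == "list" and sections:
            sections[-1][2].setdefault(rest[0], []).append(rest[1])
    return sections


def static_default_gateways(network):
    """Interfaces that each install a default route; a dumb AP needs one."""
    return [name for typ, name, o in network
            if typ == "interface" and o.get("proto") == "static" and "gateway" in o]


def _is_untagged(port):
    suffix = port.partition(":")[2]          # '' / 'u' / 'u*' / 't'
    return suffix == "" or suffix.startswith("u")


def trunk_only_vlans(network):
    """Bridge VLANs with no untagged member port and no interface bound to
    br-lan.<vid>: pure trunk pass-through entries (VLAN 1 and 50 here)."""
    bound = {o.get("device") for typ, _, o in network if typ == "interface"}
    return [o["vlan"] for typ, _, o in network
            if typ == "bridge-vlan"
            and not any(_is_untagged(p) for p in o.get("ports", []))
            and f"{o['device']}.{o['vlan']}" not in bound]


def networks_in_multiple_zones(firewall):
    """A UCI network should belong to exactly one firewall zone."""
    zones = defaultdict(list)
    for typ, _, o in firewall:
        if typ == "zone":
            nets = o.get("network", [])
            for net in ([nets] if isinstance(nets, str) else nets):
                zones[net].append(o["name"])
    return {net: z for net, z in zones.items() if len(z) > 1}


def lint(network_text, firewall_text):
    network, firewall = parse_uci(network_text), parse_uci(firewall_text)
    findings = []
    gws = static_default_gateways(network)
    if len(gws) > 1:
        findings.append(f"multiple default gateways: {', '.join(gws)}; keep one "
                        "management interface and set the others to proto 'none'")
    for vid in trunk_only_vlans(network):
        findings.append(f"bridge VLAN {vid} has no untagged port and no interface; "
                        "remove it if unused")
    for net, z in networks_in_multiple_zones(firewall).items():
        findings.append(f"network {net} is in zones {', '.join(z)}; use one zone")
    return findings


if __name__ == "__main__":
    for finding in lint(NETWORK, FIREWALL):
        print("-", finding)
```

Run it on a box with `python3 lint.py` after pasting the real files into the two strings (or reading them from /etc/config). On the OP's config it reports the two default gateways on 10ADM and 20NET, the trunk-only VLANs 1 and 50, and 20NET sitting in both the default `lan` zone and its own zone.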

Hi psherman, thanks for your reply.

I’d recommend setting the untagged port like this: list ports 'lan1:u*'

Just because I used the GUI to set up the VLANs. Just let it be :stuck_out_tongue:

The VLAN10 address doesn’t match the subnet you described in the OP — 192.168.10.0/24 - this means one of them is wrong.

Yes, you are right. I changed my mind after creating the network diagram. The correct IPs should be

  • vLAN10: 192.168.110.0/24
  • vLAN20: 192.168.120.0/24
  • vLAN30: 172.168.130.0/23
  • vLAN40: 172.168.140.0/23

Change VLAN20 to unmanaged (proto ‘none’).

I changed VLAN20 to unmanaged (just like VLAN30 and VLAN40), but I get the same result (I cannot ping 192.168.120.1 from the AP itself, but I can from the laptop, although both are in the same VLAN10, 192.168.110.x).

VLAN50 (and VLAN1) are not specified in the OP… these can be deleted if they’re not being used.

Yes, they are not in use at the moment. I just left them there for testing and will remove them after going live (once everything is up).

Your wifi is only setup for VLAN10… do you want wifi for the other networks?

Of course not; I'll create those Wi-Fi networks after these work properly.

You can delete all of these firewall entries… they aren’t needed and may only make things more complicated.

I was just afraid the firewall blocked that traffic. Deleted now.

The firewall on your main router controls this, not the OpenWrt dumb APs.

In my main router (OPNsense), I allowed ALL traffic from 10ADM, 20NET, 30IOT and 40GST to ANY. I also made sure I didn't block private networks and bogon networks on those interfaces.

Router (OPNsense) <=> Switch (Netgate 8 ports managed switch) <=> AP01 (OpenWRT) <=> MyLaptop (MacOS).

192.168.120.1 and 192.168.110.1 are located on the router. MyLaptop can ping both 192.168.120.1 and 192.168.110.1; can I expect AP01 to do the same?

Yes. The AP should be able to ping the router, provided the firewall (on the main router) allows it.

Can the main router ping the AP (192.168.110.4)? Can the AP ping the main router (192.168.110.1)?

Yes!

Yes again.

Strange :thinking:

Now, can OpenWrt ping 192.168.120.1?

No, sorry. So I guess the issue is in OpenWrt instead of the router or switch...

So this is almost certainly an issue on your main router. You can use tcpdump or other methods to figure out what is happening to the packets.

Does a ping to 8.8.8.8 work?

Can you give me some examples? tcpdump on AP01? The tcpdump command is not available on OpenWrt; do I need to install it myself, or is it located in another path?

Just like with 192.168.120.1: I can ping 8.8.8.8 from my laptop, but AP01 cannot ping it.

For your information, both my laptop and AP01 are located in VLAN10 (10ADM). The firewall rules are like this:

I would recommend installing tcpdump or similar on your pfSense router to see if the packets are arriving at the gateway and then what is happening from there.

So to confirm: the OpenWrt router cannot ping 8.8.8.8, but your laptop (on the same VLAN, 192.168.110.0/24) can? Are there any other network interfaces on your computer?

I'm not familiar with the pfSense firewall, but it seems that it is the problem, not OpenWrt.

One alternative might also be to temporarily run OpenWrt instead of OPNsense on that router (giving all devices a similar configuration syntax); OpenWrt runs sufficiently well from a small USB stick, leaving your normal OPNsense installation alone.

Finally, I got it working after removing the unused VLANs (1, 50)...

But I would still appreciate it if somebody could tell me why.