Struggling to get new OpenWRT access point working with VLANs

I've been running OpenWrt on a Linksys E8450 as my router/AP for several years now. I have multiple SSIDs each associated to a separate VLAN. This has mostly been great, but I'm now trying to add an additional OpenWrt AP (UniFi 6 Lite) to extend my range. After pretty much a full day of trial and error I still can't seem to get the SSIDs on the AP to give an IP address from the main router. I've been trying to do all the configuration from LuCI since it has the nice safety revert thing and all the options are listed.

To add slight complication, I have a TP-Link TL-SG108PE managed switch in between the old router and the new AP which is providing POE for the AP. I don't have a POE injector, so I can't directly connect the AP to my computer or the router.

Here is the /etc/config/network from the router (sanitized)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd32:0d63:e7ab::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.101'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'


config interface 'iot'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'
	option device 'br-lan.103'

config interface 'guest'
	option proto 'static'
	option ipaddr '10.10.10.10'
	option netmask '255.255.255.0'
	option device 'br-lan.102'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'lan1:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '103'
	list ports 'lan1:t'
	list ports 'lan4:t'

config device
	option name 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '104'
	list ports 'lan1:t'
	list ports 'lan4:t'

config interface 'CAMS'
	option proto 'static'
	option device 'br-lan.104'
	option ipaddr '172.16.1.1'
	option netmask '255.255.255.0'

And from the AP (note that the port tagging is not enabled in this config file as every time I enable it I lose access to the AP via web interface and SSH)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd51:ff80:bc35::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.3'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '101'
        option name 'br-lan.101'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '102'
        option name 'br-lan.102'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '103'
        option name 'br-lan.103'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '104'
        option name 'br-lan.104'

config interface 'guest'
        option proto 'none'
        option device 'br-lan.102'

config interface 'iot'
        option proto 'none'
        option device 'br-lan.103'

config interface 'CAMS'
        option proto 'none'
        option device 'br-lan.104'

config interface 'internal'
        option proto 'none'
        option device 'br-lan.101'

config interface 'admin'
        option proto 'static'
        list ipaddr '192.168.1.3/32'

I have tried setting the interfaces to static, DHCP, and unmanaged, I think all with the same results (though at this point it is hard for me to remember if everything I tried was tried for each protocol option).

On the managed switch, I set the port settings to be the same as the port connecting to the router.

image703×224 18.3 KB

image695×415 24.3 KB

Any suggestions for where to go from here? Bonus points if I can do it from LuCI so I can get the safe revert - if the AP becomes unreachable it is a pain to go through system recovery.

You should use bridge vlan filtering as with the router.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config bridge-vlan
	    option device 'br-lan'
	    option vlan '101'
	    list ports 'lan:t'

config bridge-vlan
	    option device 'br-lan'
	    option vlan '102'
	    list ports 'lan:t'

config interface 'lan'
        option device 'br-lan.101'
	    ...

config interface 'guest'
        option device 'br-lan.102'
	    ...
...

I'm assuming that is the same as this in LuCI?

image910×609 33.7 KB

Whenever I set that (and then set the VLANs on the managed switch as shown in the previous screenshots) I lose connection to the AP and any devices connecting to the AP's SSIDs don't get IPs.

When creating the VLANs, use only the Save button. Click the Save & Apply button only after you have set the correct device (br-lan.x) in the Interfaces menu.

The switch settings look correct if the router and AP are connected to ports 3 and 8.

I am only creating the VLANs on the "Bridge VLAN filtering" tab after setting up all my devices and interfaces (I had already done save & apply after creating those).

You are correct, router is port 8 and AP is port 3 on the switch.

Hi,

Looking at your configuration on managed switch, there is an error.

1 port can be untagged only on 1 VLAN ID. When the port is untagged, it means that the data flowing on this port is the one that is on the VLAN ID. So you cannot mix 2 VLAN IDs on the same port.

Errors are on :

• Ports 1 and 2 : Which are both UNTAGGED on VLANs 1 and 104
• Ports 5 : Which is both UNTAGGED on VLANs 1 and 103
• Ports 6 and 7 : Which are both UNTAGGED on VLANs 1 and 101

Given your config, I would imagine you should configure the switch as follow :

• Port 3 is connected to the OpenWRT router on a fully TAGGED port (all VLAN)
• Port 8 : same config as Port 3. I don't know why you need this, but it could be to link the switch to an other managed switch for example.
• Ports 1 and 2 is for your Cams (they should be untagged to the VLAN ID 104)
• Ports 5 is for an IoT devise (it should be untagged to the VLAN ID 103)
• Port 6 and 7 are for LAN devises (they should be untagged to the VLAN ID 101)
• Port 4 is unused (it should not be tagged or untagged)

VLAN ID = 1 (DEFAULT)

• Tagged ports : 3, 8
• Untagged : (None) ==> You could add port 4 here to always keep access to your switch (failsafe)

VLAN ID = 101 (LAN)

• Tagged ports : 3, 8
• Untagged : 6, 7

VLAN ID = 102 (Guest)

• Tagged ports : 3, 8
• Untagged : (none)

VLAN ID = 103 (IoT)

• Tagged ports : 3, 8
• Untagged : 5

VLAN ID = 104 (Cams)

• Tagged ports : 3, 8
• Untagged : 1, 2

Your config should look like this (depending on router)

Capture d’écran 2024-11-03 à 22.42.511814×1204 174 KB

Have a look at the videos on VLAN. They are very well explained :
https://www.youtube.com/@OneMarcFifty

Huh, you are right. I wonder how I managed to do that, and more importantly why that didn't seem to break anything? (All the devices on those ports seemed to work fine). I've corrected this now. Thanks! Ill try out my AP again now, but it seems I'm locked out again

My new AP I keep trying to setup like this, but I lose access whenever I apply it (I also enable tagging on the managed switch after hitting apply):

image1822×1114 123 KB

My main router is setup like this (ports 1&4 are connected to managed switches, 2&3 are end devices):

image1856×1152 166 KB

I was using OneMacFifty's videos as reference, but maybe I missed a step in there somewhere. I'll have to review them again.

It is because of the PVID setting on the switch. To activate a VLAN as untagged on a port, you must specify both unagged and PVID (the VLAN is not active on the port until/unless the PVID value is set to that same VLAN ID). This means that you can actually have multiple VLANs set as untagged on a given port, but only one will ever be active as untagged (the other(s) will be dormant). However, if you want to have the non-PVID VLANs available on the port, those VLANs must instead be set to tagged.

Let's take a look at your complete text based config as it stands now:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

This part looks good.

Could you also share the AP's Network->devise tab, and Network->Interface tab please?

I'm assuming you are wanting the output from the new AP and not the old router.

root@OpenWrt-AP:~# ubus call system board
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt-AP",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Ubiquiti UniFi 6 Lite",
	"board_name": "ubnt,unifi-6-lite",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}

Note that the network config doesn't have the bridge VLAN filtering set as I lose access to my AP whenever I set that. I was trying to figure out a way to make an admin SSID that would be a fallback, but couldn't get that working either.

root@OpenWrt-AP:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd51:ff80:bc35::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.3'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '101'
	option name 'br-lan.101'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '102'
	option name 'br-lan.102'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '103'
	option name 'br-lan.103'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '104'
	option name 'br-lan.104'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.102'

config interface 'iot'
	option proto 'none'
	option device 'br-lan.103'

config interface 'CAMS'
	option proto 'none'
	option device 'br-lan.104'

config interface 'internal'
	option proto 'none'
	option device 'br-lan.101'

config interface 'admin'
	option proto 'static'
	list ipaddr '192.168.1.3/32'

root@OpenWrt-AP:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '11'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'CA'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt-recovery'
	option encryption 'sae-mixed'
	option hidden '1'
	option key 'REDACTED'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '112'
	option band '5g'
	option htmode 'HE160'
	option cell_density '0'
	option country 'CA'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'psk2'
	option key 'REDACTED'
	option ieee80211r '1'
	option mobility_domain '840a'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'guest'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'lan'
	option encryption 'sae-mixed'
	option hidden '1'
	option key 'REDACTED'
	option ieee80211r '1'
	option mobility_domain '840a'
	option ft_over_ds '0'
	option network 'internal'
	option disabled '1'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'sae-mixed'
	option hidden '1'
	option key 'REDACTED'
	option ieee80211r '1'
	option mobility_domain '840a'
	option ft_over_ds '0'
	option network 'iot'
	option disabled '1'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'psk2'
	option key 'REDACTED'
	option ieee80211r '1'
	option mobility_domain '840a'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'guest'

config wifi-iface 'wifinet6'
	option device 'radio1'
	option mode 'ap'
	option ssid 'lan'
	option encryption 'sae-mixed'
	option hidden '1'
    option key 'REDACTED'
	option ieee80211r '1'
	option mobility_domain '840a'
	option ft_over_ds '0'
	option network 'internal'
	option disabled '1'

config wifi-iface 'wifinet7'
	option device 'radio1'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'sae-mixed'
	option hidden '1'
	option key 'REDACTED'
	option ieee80211r '1'
	option mobility_domain '840a'
	option ft_over_ds '0'
	option network 'iot'
	option disabled '1'

root@OpenWrt-AP:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'admin'
	option interface 'admin'
	option start '100'
	option limit '150'
	option leasetime '12h'

root@OpenWrt-AP:~# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

It looks like you do not have any firewall zones assigned to the interface. I am not 100% sure, but this is what I did on my setup :

Taking Interface "internal" as an example.
It should be in the firewall zone named "lan"

Click on Edit on the Internal interface, go to "Firewall Settings" tab, and set the zone to "Lan"

This should do the trick.

You will also need to setup dedicated zones for : IOT, GUEST, CAMS

That is what you did for the "dumb AP"? Everything I was reading said firewalls should be disabled for the AP and only enabled on the router, but I certainly could have misunderstood.

delete all of the 802.1q stanzas:

Remove this because we'll be using br-lan.101 for the lan network interface later:

And remove this (you already have this address defined in the lan interface):

Now, add the following bridge VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '103'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '104'
	list ports 'lan:t'

Edit the lan network interface to use br-lan.101:

config interface 'lan'
        option device 'br-lan.101'
        option proto 'static'
        option ipaddr '192.168.1.3'
        option netmask '255.255.255.0'
        option ip6assign '60'

Your other networks (guest, iot, cams) are already set correctly.

On the wireless config:

"Hidden" networks don't actually improve security. In fact, there is a lot written up about how it may actually reduce security slightly. Just remove that.

Also, I recommend avoiding sae-mixed. Use either WPA2 or WPA3, but not mixed mode, as there are some client devices that will not work properly when this method is used.

160MHz channel width is really wide and may be subject to issues of noise and interference, so you may end up with reduced performance. Consider using 80MHz intead. Further, you've selected a channel which is inside the DFS range, so you may see the 5G radio go down if there are any radar hits.

I recommend against the use of 802.11r unless there is a true demonstrated need for it (this applies to all of your networks, and on all APs in your setup). Again, this is a situation where some client devices fail to roam properly as a result of this standard. Instead, it's most important to make sure your APs are properly tuned in terms of power levels, channels, and when possible also position. If you need advice here, just say the word.

Remove the lines for dhcp6 and ra_flags from the lan DHCP server to ensure that it is truly disabled.

delete the admin dhcp server:

Once all those changes have been made, reboot and things should work. Note that the lan (VLAN 101) is set to be tagged, so make sure your switch is updated accordingly (or, conversely, if you want it to be untagged, change the bridge-vlan for VLAN 101 to use lan:u* instead of lan:t).

Thank you for all the detailed feedback! I won't have a chance to make those changes right away, but I'll report back once I give them a go.

Progress!

I did my best to make your suggested changes through LuCI to have the safe revert but still managed to lock myself out, so I decided to start from scratch. This time I only set up VLAN 101 and no wifi, just to see if I could continue to talk to it once tagging was enabled. I disabled DHCP on the lan, but didn't bother disabling the dnsmasq or firewall services. This was enough to get me talking!

I'm now setting up the wifi networks, basically from scratch too so as to address your suggestions, and so far I'm able to link the SSIDs to specific VLANs too.

Thanks again for all your help and suggestions!

I'm starting to set up my SSIDs, but rather than set them all up and get them critiqued, would you like to suggest some sane starting settings?

I'll have 3 SSIDs, lets call them guest, iot, and lan. Currently on the existing main combo router I have the same SSIDs setup for 2.4GHz and 5GHz (except iot which is restricted to 2.4).

For 2.4 I've heard to restrict to channel 1, 6, and 11, and for APs on the same network the nearest neighbours shouldn't use the same channel.

Any other suggestions? My wifi speeds with the existing setup have not been ideal (part of the motivator for the new AP), but maybe the same SSID on both 2.4 and 5 is partly to blame?