Struggling with VLANS

agreed about the semi-deprecation of net mask notation... however insofar as the size of the network is defined by either the netmask or CIDR notation, it is critical for the OP to verify that it is defined as the correct size for the network to which the AP is connected.

Oh I did not know that netmask was deprecated. Interesting.

Yes 2 subnets are /28 and one is /27

Which I believe is

255.255.255.240

And

255.255.255.224

It is sort of deprecated. You can specify either netmask or CIDR in OpenWrt and it will work either way.

The way we talk about network size, however, is now almost exclusively in CIDR terms (a /24 network for example) -- the idea of classful networking (i.e. class A, B, C, etc.) is entirely deprecated. People rarely use the netmask in conversation since CIDR notation is basically another way of specifying netmask (a /24 is all 1's in the highest 24 bits of the netmask).

In terms of your netmask <-> CIDR conversion, yes, you've got it right. Most home users stick with /24 networks in that they are really simple to use and have sufficient space for most home scenarios. There isn't necessarily much of a reason to use a smaller network, but there's nothing wrong with it... IMO, it just requires more attention when evaluating the network addresses. (/24 is super simple... a.b.c.x where x is any value between 1-254 and the subnet id is a.b.c.0/24. -- I like the visual simplicity of it, but nothing wrong with using larger or smaller subnets).

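The netmask/CIDR equivalence discussed above, as an added example that is not from the thread: a netmask-to-prefix converter that rejects non-contiguous masks, the reverse conversion, a subnet summary for the /24, /27 and /28 sizes mentioned, and a check that the AP's address plus netmask describes the same subnet as a peer on that VLAN (the "correct size" point raised earlier). The 172.16.103.x values are the thread's; the peer address is a constructed sample.

```python
import ipaddress


def netmask_to_prefix(mask):
    """Dotted netmask -> CIDR prefix length; rejects masks whose 1-bits are not contiguous."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # a valid netmask is all 1s in the highest `prefix` bits and 0s below
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a valid netmask (1-bits must be the highest bits)")
    return prefix


def prefix_to_netmask(prefix):
    """CIDR prefix length -> dotted netmask (all 1s in the highest `prefix` bits)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix /{prefix} is out of range")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def describe(addr, mask_or_prefix):
    """Subnet id, usable host range and host count for an address plus a netmask or /prefix."""
    prefix = mask_or_prefix if isinstance(mask_or_prefix, int) else netmask_to_prefix(mask_or_prefix)
    net = ipaddress.IPv4Interface(f"{addr}/{prefix}").network
    hosts = list(net.hosts())  # excludes the subnet id and the broadcast address
    return {"network": str(net), "netmask": str(net.netmask),
            "first": str(hosts[0]), "last": str(hosts[-1]), "usable": len(hosts)}


def same_subnet(ap_addr, ap_mask, peer_addr, peer_prefix):
    """True when the AP's address/netmask and a peer on the VLAN (e.g. the router's
    gateway, constructed here) describe the same subnet at the same size."""
    ap = ipaddress.IPv4Interface(f"{ap_addr}/{netmask_to_prefix(ap_mask)}").network
    peer = ipaddress.IPv4Interface(f"{peer_addr}/{peer_prefix}").network
    return ap == peer


if __name__ == "__main__":
    print(describe("172.16.103.1", "255.255.255.240"))
    # an AP configured /24 on a /28 VLAN: addresses look right but the sizes disagree
    print(same_subnet("172.16.103.1", "255.255.255.0", "172.16.103.14", 28))
```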

Can you see anything with the config as things are still not working

Who's willing to remote in and help me out :face_with_peeking_eye:

I provided a number of suggestions above... have you implemented them? If so, please post the latest config files (both network and wireless).

I currently see your lan as 192.168.1.1 on br-lan (with eth0), and then eth0.101, eth0.102, and eth0.103 802.1q device definitions.

For any networks that will be connected to an SSID, you need to set up a bridge... and the bridge must be defined as a device, not part of the interface definition. So for example, if eth0.101 is going to be used on wifi but is not the management network, it should be:

config device
        option name 'br-vlan101'
        option type 'bridge'
        list ports 'eth0.101'

config interface 'vlan101'
        option device 'br-vlan101'
        option proto 'none'

This will be the case for each of your VLANs that is not management.
For the one that is management, the proto will either be DHCP or static (and if static, you'll set an address in the correct subnet, probably also dns and netmask, assuming you want the AP to be able to reach the internet).

Why do you think you should see traffic? there is nowhere for the traffic to go? The AP itself isn't going to generate or terminate any traffic since it is unmanaged, and the VLANs are not connected to the radios so there are no devices that can connect to those networks.

On the AP, the trunk should be established (except for the fact that the bridges and networks were not defined properly, as I indicated above)... the upstream switch may not be right, but we'll figure that out after you have the AP fully configured.

Ok, here's my full config. I have confirmed that if I plug into a switchport on VLAN 103 on the cisco switch, I cannot reach 172.16.103.1.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:fac0:9b2c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '101'
        option name 'eth0.101'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '102'
        option name 'eth0.102'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '103'
        option name 'eth0.103'
        option ipv6 '0'

config interface 'vlan101'
        option device 'eth0.101'
        option type 'bridge'
        option proto 'none'

config interface 'vlan102'
        option device 'eth0.102'
        option proto 'none'

config device
        option type 'bridge'
        option name 'br-vlan101'
        list ports 'eth0.101'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-vlan102'
        list ports 'eth0.102'
        option ipv6 '0'

config interface 'vlan103'
        option device 'eth0.103'
        option proto 'static'
        option ipaddr '172.16.103.1'
        option netmask '255.255.255.240'

Delete these:

Is VLAN 103 for management only, or does it also need to connect to wifi?

You still haven't defined interfaces for VLANs 101 and 102.

config interface 'vlan101'
        option device 'br-101'
        option proto 'none'

config interface 'vlan102'
        option device 'br-102'
        option proto 'none'

Vlan103 is for management only

ok... so VLAN 103 is properly defined.

From where are you trying to reach this address? Have you verified that the switch is properly configured? The port in question must be set up with all three VLANs (101, 102, 103) tagged on that port. Those VLANs must then exist on other ports (presumably also the router) and you must either try to reach that address from another host on VLAN 103 or your router must allow inter-VLAN routing if you're connecting from a host on another network.

Also, you need to assign vlan103 to the lan firewall zone.

Yes the port I am pinging from is a switchport in access mode on vlan103.

The cisco trunk has

Switchport mode trunk
Switch trunk allowed vlan 101,102,103

Also tried with

Switchport nonegotiate

Well, let's complete the setup of the AP and then we can move on to the switch... I'm not familiar with Cisco's specific terminology, so I'll try to help on that... but I can get your AP set up properly.

Once you have made the updates, please post the full network and wireless files again, and also post the firewall file.

Everything is generally looking good now.

Add vlan101 to the firewall lan zone.

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vlan101'

Next, we need to make sure the switch is configured properly (as well as your router).

So let's talk about the rest of the network...

Is your router configured for all three VLANs? Have you verified that each VLAN is working as expected? If so, how did you do this (please be specific)?

Ok... have you verified that each network is working as expected? If each network is associated with a physical interface, you should be able to plug a device into each port and verify that the device is assigned an address on the correct network and that it has connectivity to the internet.

Meanwhile, let's establish your physical setup...

  • What switch port is connected to the router interface associated with VLAN 101?
  • What switch port is connected to the router interface associated with VLAN 102?
  • What switch port is connected to the router interface associated with VLAN 103?
  • What switch port is connected to the AP?

Ok, well, there's the first doozy.

Port Vlans allowed on trunk
Gi1/0/3 101-102

should be 101 - 103

Ok FFS, now I can ping in on VLAN103; not sure how I missed that.

Yeah... I suspect that you overlooked errors in your switch config because you were struggling with your AP.

Are things now beginning to work as expected? Or are you still having issues?