Hello folks, excuse the newbie questions & be gentle y'all. Thx.
All I'm trying to do is get 3 networks going: 1) a Trusted LAN 192.168.1.1, already created by default (I thought I could use that), 2) Guest 192.168.40.1/24 vlan40 (called "Marti" in my case) & 3) perhaps a future Security Lab (172.16.0.1/24 Vlan16).
Once I get the wires part working I will add the second floor AP but first things first. I tried to follow OneMarcFifty 19 & 21 version but 22.03 is different...
There was some default config; I added vlan16 & 40. When I plug my computer into switch port 4 "vlan16" I should be getting a static address of 192.168.40.x switch port 4 "vlan40" & similarly on port3 I should be getting a static address of 172.16.0.x, but in both cases I'm not... So I screwed up somewhere but not sure where.
Another thing that confused me: why could I not choose a Firewall zone for "SecLab" or "Marti"? Instead the choices were "WAN & Marti". This was odd.
Any help will be appreciated. I have the config and pics below.
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxx:3bd5:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'xx:xx:6a:f1:xx:xx'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
	option vid '40'
	option description 'Marti'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4t'
	option vid '16'
	option description 'SecLab'

config interface 'Marti'
	option proto 'static'
	option device 'eth0.40'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

config interface 'SecLab'
	option proto 'static'
	option device 'eth0.16'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'

config device
	option name 'eth0'

config device
	option name 'eth0.16'
	option type '8021q'
	option ifname 'eth0'
	option vid '16'

config device
	option name 'eth0.1'
	option type '8021q'
	option ifname 'eth0'
	option vid '1'

config device
	option name 'eth0.40'
	option type '8021q'
	option ifname 'eth0'
	option vid '40'

root@OpenWrt:~#
This looks good if you’re using only Ethernet (and/or an external ap connected by Ethernet). If you’re using the internal radios, your interfaces need to use a bridge device (use br-lan as an example).
This is because you have set up your networks as tagged on those ports. Normal computers and such are not expecting to work with 802.1q tagged networks, so they won't see this network unless explicitly configured to do so.
Moreover, you still have your main lan (VLAN 1) associated with those ports, untagged. You may only have one untagged network on a port, so you must remove them from VLAN 1.
Note that logical ports 4 and 5 may map to physical ports 3 and 4, for example, or maybe something else. You may need to try every port to figure out the mapping.
For reference, your device uses logical port 0 for the CPU, and logical port 1 for the WAN port. The other logical ports (2-5) are your lan ports, but the specific mapping is not necessarily straightforward.
You didn't post your firewall configuration, so it's hard to say for sure what you're seeing. You should have a lan zone -- I'd recommend associating your two new networks with the lan zone for now -- it's the most permissive and won't introduce unexpected variables into the equation. You can tighten things down after you know it is working.
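The tagging rules from the reply above, applied to the posted switch configuration as an added example (not code from the thread or from OpenWrt). The function names and finding labels are hypothetical; it assumes swconfig-style `switch_vlan` stanzas where a `t` suffix marks a tagged port, and logical port 0 as the CPU port, as stated in the reply.

```python
import re
from collections import defaultdict

# Constructed sample: switch_vlan stanzas copied from the config posted above
# (the 'device' and 'description' options are trimmed for brevity).
POSTED = """
config switch_vlan
    option vlan '1'
    option ports '0t 2 3 4 5'
    option vid '1'
config switch_vlan
    option vlan '2'
    option ports '0t 1'
    option vid '2'
config switch_vlan
    option vlan '3'
    option ports '0t 5t'
    option vid '40'
config switch_vlan
    option vlan '4'
    option ports '0t 4t'
    option vid '16'
"""

def port_membership(uci_text):
    """Map each switch port to the VLAN IDs it carries untagged and tagged."""
    ports = defaultdict(lambda: {"untagged": [], "tagged": []})
    for stanza in re.split(r"^config\s+", uci_text, flags=re.M):
        if not stanza.startswith("switch_vlan"):
            continue
        opts = dict(re.findall(r"option\s+(\w+)\s+'([^']*)'", stanza))
        vid = int(opts.get("vid") or opts["vlan"])
        for tok in opts.get("ports", "").split():
            kind = "tagged" if tok.endswith("t") else "untagged"
            ports[int(tok.rstrip("t"))][kind].append(vid)
    return dict(ports)

def audit(uci_text, cpu_port=0):
    """Hypothetical helper: flag access ports that break the rules in the reply."""
    findings = []
    for port, m in sorted(port_membership(uci_text).items()):
        if port == cpu_port:
            continue  # the CPU port is the trunk to eth0.N, so tags are expected
        if len(m["untagged"]) > 1:
            findings.append((port, "multiple-untagged", m["untagged"]))
        if m["tagged"]:
            findings.append((port, "tagged-needs-8021q-client", m["tagged"]))
    return findings
```

Run against the posted stanzas, `audit(POSTED)` reports logical ports 4 and 5 as carrying VLANs 16 and 40 tagged only; moving those ports out of VLAN 1 and dropping the `t` suffix clears both findings.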
On LAN Port 1 & 2, I can ping 172.16.0.1 & 192.168.40.1; however, on LAN Port 3 & 4 I can't get an IP address [172.16.0.1/24] nor ping the GW addresses .1 (Port 3 "VLAN16" and Port 4 "VLAN40" (IP address [192.168.40.1/24])).
Are you talking about your dumb AP or the main router in this sentence?
They should not be bridged. And in this device (the A9), they are not. You have br-lan which contains eth0.1. It should not have anything else.
If you want to use the wifi in the A9, you need to set up bridges for the two other networks.
You'll add these two bridge devices:
config device
	option name 'br-marti'
	option type 'bridge'
	list ports 'eth0.40'

config device
	option name 'br-seclab'
	option type 'bridge'
	list ports 'eth0.16'

and then edit your network interfaces to use those bridges (note the device line):
Bridges are required if a network connects to more than one physical interface. So for example, ethernet + wifi, or 2 wifi radios -- without a bridge, it will not work properly.
In this case, since the bridge device consists of just 1 vlan, then technically you won't need the bridge device, cos you can just attach the specific vlan directly from the interface dialog, and in the wifi dialog you'd attach the interface. Am I missing something?
Yes. Ethernet is one physical interface. A radio is another. That makes 2 physical interfaces. Therefore, you need a bridge. But it's a bit more nuanced, which may be why you are thinking that the bridge only has one physical interface.
A network can only associate with a single 'device'. That device can be a physical interface such as eth0, a VLAN (eth0.16), or a radio/SSID -- but there can only be one. In this case, think of it like an ethernet connection on your computer -- if you have one port, you can only directly connect it to one other device. If you want to connect that computer to multiple devices, you get a switch, and that (in super simplistic terms) behaves like a 'splitter' and allows you to have many devices connected together.
Alternatively, you can use a bridge and connect that to your network -- the bridge is basically a software equivalent of a simple/unmanaged switch that allows multiple physical/virtual interfaces to be connected together. A bridge appears as a single device to the network interface -- much like how an ethernet switch has a single physical connection to your computer, but functionally connects your computer to multiple devices.
Because of the way OpenWrt specifies wired and wireless devices in separate files, the wifi radios do not appear in the /etc/config/network file. As such, the bridge will contain only the device (i.e. eth0.16) in the network file.
In the /etc/config/wireless file, the network will be associated with a radio/SSID. When you add the network to the radio/SSID (in the wireless file), it will associate as a 'device' for that network... if the network doesn't have a device defined, that's fine. However, if an ethernet/VLAN (or another radio) device is already defined, that causes a problem since the network can only have a single device attached. This is where the bridge comes in... the association of SSID --> network allows the radio to join the bridge, just as if it is using an ethernet cable to connect to a switch that is connected to the network interface.
Thanks for the thorough answer, you truly are the mvp.
I know the concept of bridging, but I somehow assumed OW would create an interim bridge if you were to associate a lone device to an interface/network and then associate wifi to the same interface. (As to why I assumed that, I dunno, but it probably involves some late-at-nightism where you think you did something that you didn’t lol)