Trunk link with LuCI on WRT3200ACM

The frames agree with what is configured:

16:18:41.867093 e8:9f:80:1c:xx:xx > 70:1c:e7:59:xx:xx, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 107, id 57156, offset 0, flags [DF], proto TCP (6), length 40)
    52.112.120.18.443 > 192.168.0.67.16271: Flags [.], cksum 0x477b (correct), ack 3516455069, win 2049, length 0
16:18:41.927630 70:1c:e7:59:xx:xx > e8:9f:80:1c:xx:xx, ethertype 802.1Q (0x8100), length 1270: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 427, offset 0, flags [none], proto UDP (17), length 1252)
    192.168.0.67.53438 > 52.114.74.118.3478: UDP, length 1224

One flow is sent untagged and the response is coming back tagged.

Even if it was, and that explained that the main router is able to get the frame from the dumbAP, it doesn't explain how the dumbAP accepts an untagged frame from the router.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Dumb AP

root@dumbAP:~# ubus call system board; \
> uci export network; uci export wireless; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "5.10.134",
        "hostname": "dumbAP",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear WAX202",
        "board_name": "netgear,wax202",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0-rc6",
                "revision": "r19590-042d558536",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.0-rc6 r19590-042d558536"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd28:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config device
        option name 'lan1'
        option macaddr '34:98:b5:xx:xx:xx'

config device
        option name 'lan2'
        option macaddr '34:98:b5:xx:xx:xx'

config device
        option name 'lan3'
        option macaddr '34:98:b5:xx:xx:xx'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.0.3'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option device 'br-lan.1'

config device
        option name 'wan'
        option macaddr '34:98:b5:xx:xx:xx'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan3:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'wan:t'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE40'
        option txpower '20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID_24'
        option key 'password'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option htmode 'HE80'
        option txpower '20'
        option cell_density '0'
        option channel '48'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID_5'
        option encryption 'psk2'
        option key 'password'
        option ieee80211r '1'
        option mobility_domain '5555'
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.3/24 brd 192.168.0.255 scope global br-lan.1
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev br-lan.1
192.168.0.0/24 dev br-lan.1 scope link  src 192.168.0.3
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev br-lan.1 table local scope link  src 192.168.0.3
local 192.168.0.3 dev br-lan.1 table local scope host  src 192.168.0.3
broadcast 192.168.0.255 dev br-lan.1 table local scope link  src 192.168.0.3
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Router

root@Router:~# ubus call system board; \
> uci export network; uci export wireless; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "5.4.188",
        "hostname": "Router",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.3",
                "revision": "r16554-1d4dea6d4f",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1a:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option device 'br-lan.1'

config device
        option name 'wan'
        option macaddr 'ea:9f:80:xx:xx:xx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'private_key'
        list addresses '192.168.69.1/24'
        option listen_port '5671'

config wireguard_wg0
        option description 'Guybrush'
        option public_key 'public_key'
        list allowed_ips '192.168.69.50/32'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan1:t'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'FR'
        option cell_density '0'
        option txpower '23'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'password'
        option ssid 'SSID_5'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option channel '5'
        option cell_density '0'
        option country 'IT'
        option legacy_rates '1'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'password'
        option ssid 'SSID_24'
        option encryption 'psk2'
        option disabled '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option cell_density '0'
        option htmode 'HT20'
        option hwmode '11g'
        option channel 'auto'
        option txpower '23'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option key 'password'
        option encryption 'psk2'
        option ssid 'SSID_24'

config wifi-iface 'wifinet3'
        option ssid 'SSID_24 (guest)'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option key 'password'
        option disabled '1'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'SSID_24 (guest)'
        option encryption 'psk2'
        option isolate '1'
        option key 'password'
        option network 'guest'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.55/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
17: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.69.1/24 brd 192.168.69.255 scope global wg0
       valid_lft forever preferred_lft forever
27: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan.1
       valid_lft forever preferred_lft forever
30: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
default via 192.168.1.254 dev wan  src 192.168.1.55
192.168.0.0/24 dev br-lan.1 scope link  src 192.168.0.1
192.168.1.0/24 dev wan scope link  src 192.168.1.55
192.168.10.0/24 dev wlan0-1 scope link  src 192.168.10.1
192.168.69.0/24 dev wg0 scope link  src 192.168.69.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.0.0 dev br-lan.1 table local scope link  src 192.168.0.1
local 192.168.0.1 dev br-lan.1 table local scope host  src 192.168.0.1
broadcast 192.168.0.255 dev br-lan.1 table local scope link  src 192.168.0.1
broadcast 192.168.1.0 dev wan table local scope link  src 192.168.1.55
local 192.168.1.55 dev wan table local scope host  src 192.168.1.55
broadcast 192.168.1.255 dev wan table local scope link  src 192.168.1.55
broadcast 192.168.10.0 dev wlan0-1 table local scope link  src 192.168.10.1
local 192.168.10.1 dev wlan0-1 table local scope host  src 192.168.10.1
broadcast 192.168.10.255 dev wlan0-1 table local scope link  src 192.168.10.1
broadcast 192.168.69.0 dev wg0 table local scope link  src 192.168.69.1
local 192.168.69.1 dev wg0 table local scope host  src 192.168.69.1
broadcast 192.168.69.255 dev wg0 table local scope link  src 192.168.69.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Could you edit the post and include the output from the main router as well?
@psherman @pavelgl @hnyman @mk24 any clues what might be the reason for the communication between a tagged and untagged port?

1 Like

Could it be related to the VLAN 1 being some sort of "default" or "special" ID?

That would be a valid explanation. Can you try to avoid using vlan1?

It was my plan.
Now I'm unable to log on via LuCI; it keeps returning 403 even after the POST with the right credentials.
I'll try reverting password via SSH and I'll be back...

EDIT: even re-setting the password with passwd had no effect on LuCI.
I had to use a browser private session, so maybe there's some issue with cookies in RC6, idk

Try to clear the cache.

I deleted the cookie just for the AP site and now it's working.
Definitely a cookie issue.

1 Like

Eureka!
These are my new settings:
Router

AP

Now:

  • with cable between Router.lan1 - AP.wan: via AP wifi I can reach the router, other clients and the web
  • with cable between Router.lan1 - AP.lan1: via AP wifi I can reach only the AP and if I connect my PC to the router I can't reach the AP
  • with cable between Router.lan4 - AP.wan: via AP wifi I can reach only the AP and if I connect my PC to the router I can't reach the AP

This is what I expected after all your really kind teaching.

So VLAN 1 is indeed a sort of special ID.

1 Like

I'm glad you managed to sort it out!

Just in case someone would end up here looking for a way to use VLAN and SSID from a dumb AP.
Here's the configuration I created:
Router

AP

LAN DHCP Server is set to "Ignore interface", only the main router can give addresses, but I can manage the AP from the main LAN network.

Now I can create new SSIDs and connect to the specific interface.

Thank you @trendy for your precious help!

In dumbAP configurations it is better to disable firewall and dnsmasq/odhcpd.

1 Like

Yep, I read the doc (hell, I've been reading really a lot of stuff in these two days).
I still haven't seen the "persistent disable" part; I'll do my homework, I promise!

/etc/init.d/firewall disable
/etc/init.d/odhcpd disable
/etc/init.d/dnsmasq disable

Using LuCI (I think it is the Enabled button):

Isn't the LuCI way not persistent?

The only way to be sure is to test. I am using LuCI just to visualize the config, but not change, and I am seeing my disabled services having Disabled next to them on that page.
If it is truly not persistent, then use the command line.

2 Likes

It is persistent.

From https://openwrt.org/docs/guide-user/network/wifi/dumbap:

  1. To save resources on the wireless AP router, disable some now unneeded services. Navigate to System → Startup. Disable the services labeled firewall, dnsmasq and odhcpd. (Perhaps ironically, click Enable to toggle.) Note even though these services are now disabled, after you flash a new image to the device they will be re-enabled. For a more permanent fix see Disable Daemons Persistently.

Is this correct?

Yes, it is correct.

1 Like

I think you need to solidify your understanding of VLANs.

Tagged ports - Traffic LEAVING that port is tagged with the VLAN ID.

Untagged port - Traffic LEAVING that port is untagged.

PVID - Untagged traffic entering the port is tagged with this PVID.

Tagged/untagged deal with egress. PVID is solely for ingress.

Tagged ports are only to be used when connecting switches together.

Untagged ports are only to be used with end devices (such as a computer). Why? Because your computer/phone can't understand tagged traffic and will drop it.

1 Like
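
The tagged/untagged/PVID rules from the last post can be checked mechanically against the bridge-vlan sections posted earlier in this thread. The following is an added example, not part of any post and not OpenWrt's own code: it parses `uci export network` text and lists the VLANs on which the two ends of a cable disagree. The function names are hypothetical, the samples are trimmed excerpts, and only the `t`, `u` and `u*` port suffixes seen in the thread are handled.

```python
import re

# Constructed excerpts, trimmed from the bridge-vlan sections posted in the thread.
ROUTER = """
config bridge-vlan
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan4:u*'
config bridge-vlan
        option vlan '2'
        list ports 'lan1:t'
"""
AP = """
config bridge-vlan
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'wan:t'
config bridge-vlan
        option vlan '2'
        list ports 'lan2:u*'
        list ports 'wan:t'
"""

def port_roles(uci_text):
    """Map port -> {vid: flags}; flags is 't', 'u' or 'u*' ('*' marks the PVID)."""
    roles, vid = {}, None
    for line in uci_text.splitlines():
        if m := re.match(r"\s*option vlan '(\d+)'", line):
            vid = int(m.group(1))  # VLAN ID of the section being read
        elif (m := re.match(r"\s*list ports '([^:']+):([tu]\*?)'", line)) and vid is not None:
            roles.setdefault(m.group(1), {})[vid] = m.group(2)
    return roles

def check_link(side_a, port_a, side_b, port_b):
    """Return (vid, a_state, b_state) for every VLAN the two cable ends disagree on."""
    a, b = side_a.get(port_a, {}), side_b.get(port_b, {})
    state = lambda flags: {"t": "tagged", "u": "untagged"}.get(flags[:1], "not a member")
    return [(vid, state(a.get(vid, "")), state(b.get(vid, "")))
            for vid in sorted(a.keys() | b.keys())
            if a.get(vid, "")[:1] != b.get(vid, "")[:1]]

def pvid(side, port):
    """VLAN ID assigned to untagged frames entering the port, or None."""
    return next((v for v, f in side.get(port, {}).items() if f.endswith("*")), None)

if __name__ == "__main__":
    router, ap = port_roles(ROUTER), port_roles(AP)
    for rp, app in (("lan1", "wan"), ("lan4", "wan"), ("lan1", "lan1")):
        print(f"Router.{rp} <-> AP.{app}:", check_link(router, rp, ap, app) or "consistent")
```

An empty result means both ends tag the same set of VLANs; any entry marks a VLAN where one end sends frames in a form the other end is not configured for.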