Unable to access web UI of access point after DSA VLAN tagging

The router is a D-Link DIR 2640 with an IP of 192.168.1.1. The access point is a TP-Link EAP225 with an IP address of 192.168.1.2 and it's connected to lan4 of the router. I'm not able to access the web UI of the access point using my laptop connected to the router on lan2 with an IP of 192.168.1.100.

Any suggestions for how to fix this?

root@router:/etc/config# cat network

# /etc/config/network as posted: a single DSA bridge (br-lan) over lan1-lan4,
# with VLAN 10 carrying 'lan' and VLAN 20 carrying 'guest'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fda8:fff8:6b6c::/48'

# The bridge itself. Which VLANs each port belongs to is set by the
# bridge-vlan sections at the end of this file.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Router address 192.168.1.1/24 lives on VLAN 10 of the bridge (br-lan.10).
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.10'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# Bridge 'br-guest' is declared with no ports, and no interface in this
# listing names it as its device.
config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

# Guest address 192.168.10.1/24 on VLAN 20 of the bridge (br-lan.20).
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        # NOTE(review): 'type bridge' on an interface section sits next to a
        # VLAN sub-device here; with bridges declared as 'config device'
        # sections this looks like leftover pre-DSA syntax -- confirm and drop.
        option type 'bridge'
        option device 'br-lan.20'

# VLAN 10: lan1-lan3 are listed without a suffix; lan4 carries ':t' (tagged).
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4:t'

# VLAN 20: lan4 is the only member, tagged.
# NOTE(review): no bridge-vlan section lists lan4 without ':t', so lan4 has no
# untagged VLAN in this file. A device on lan4 that sends its management/DHCP
# traffic untagged would presumably never reach 'lan' -- check the management
# VLAN configured on the attached device.
# lan4 trunks both VLANs, so keeping guest and lan traffic apart on that port
# depends on the tags applied by whatever is plugged into it.
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:t'

root@router:/etc/config# cat firewall

... <default rules> ...

# Guest zone: traffic from guest clients to the router (input) and out of the
# zone (forward) is rejected unless a rule or forwarding below allows it.
config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Guest clients may be forwarded to the wan zone.
config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

# No 'dest' is set, so this matches traffic addressed to the router itself:
# DNS (port 53, tcp and udp) from guest clients.
config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

# DHCP (udp 67-68, IPv4 only) from guest clients to the router.
config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'
        option dest_port '67-68'

# Lets hosts in 'lan' open connections into 'guest'. No guest -> lan
# forwarding appears in this listing; the 'lan' zone itself belongs to the
# default rules that were left out of the post -- confirm nothing there
# re-opens that direction.
config forwarding
        option src 'lan'
        option dest 'guest'

root@router:/etc/config# cat wireless

# radio0: 11g, channel 11, HT20.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'HT20'
        option country 'IN'
        option cell_density '0'

# radio1: 11a, channel 161, VHT80.
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'VHT80'
        option country 'IN'
        option channel '161'
        option cell_density '0'

# Primary SSID on radio1, attached to the 'lan' network.
config wifi-iface 'wifinet0'
        option device 'radio1'
        option mode 'ap'
        option ssid 'primaryWRT'
        # WPA2-PSK / WPA3-SAE mixed mode. Clients that join with WPA2 do not
        # get SAE's protections, so passphrase strength still matters.
        option encryption 'sae-mixed'
        # Key redacted in the post.
        option key '....................'
        # hostapd workaround for key-reinstallation (KRACK) attacks against
        # unpatched clients.
        option wpa_disable_eapol_key_retries '1'
        option network 'lan'

# Guest SSID on radio0, attached to the 'guest' network.
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'guestWRT'
        option encryption 'sae-mixed'
        # Client isolation for stations on this SSID. Guest clients served by
        # another access point are not covered by this setting; isolation for
        # them would have to be configured on that device.
        option isolate '1'
        # NOTE(review): both SSIDs show the same redaction placeholder; make
        # sure the guest passphrase differs from the primary one.
        option key '....................'
        option wpa_disable_eapol_key_retries '1'
        option network 'guest'

The LAN parts appear correct. The guest may be the problem. In DSA, don't ever use `option type 'bridge'` in a `config interface` section. Each interface has at most one `option device`, which could be a bridge or a VLAN within a bridge. In other words, define bridges separately.

You've defined a guest device 'guest_dev' and not used it. I don't think you even need a separate br-guest; just put br-lan.20 as the guest network's device. It may still be able to bridge in the local wifi AP based on that, since lan does.

I've changed /etc/config/network to the one shown below and restarted network

root@router:/etc/config# cat network

# Revised /etc/config/network: the unused 'br-guest' device and the
# per-interface 'type bridge' option are gone; the VLAN layout is unchanged.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fda8:fff8:6b6c::/48'

# Single bridge over all four switch ports; VLAN membership is set by the
# bridge-vlan sections at the end of this file.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Router address 192.168.1.1/24 on VLAN 10 of the bridge.
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.10'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# Guest address 192.168.10.1/24 on VLAN 20 of the bridge.
config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option device 'br-lan.20'

# VLAN 10: lan1-lan3 listed without a suffix; lan4 tagged (':t').
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4:t'

# VLAN 20: lan4 only, tagged.
# NOTE(review): lan4 still has no untagged VLAN membership in this file, so a
# device on lan4 whose management interface sends untagged frames would
# presumably not reach 'lan' -- check the management VLAN on that device.
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:t'

I'm still not able to access the web UI of the access point on lan4 though. I was able to access it after I created a guest WiFi network using this guide.

I restarted my router and it looks like the access point no longer receives a DHCP lease. Here's dhcp

root@sun:/etc/config# cat dhcp

# /etc/config/dhcp as posted: dnsmasq settings, the 'lan' and 'guest' pools,
# and three static host reservations.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebinding protection: upstream answers pointing into private
        # address ranges are discarded.
        option rebind_protection '1'
        # Exempts 127.0.0.0/8 answers from the rebinding filter above.
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Answer DNS queries only from locally attached subnets.
        option localservice '1'
        option ednspacket_max '1232'

# Pool for the 'lan' interface: 30 addresses starting at host offset 100.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option limit '30'
        option leasetime '6h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static reservations (MAC addresses redacted in the post). They are matched
# on the client's MAC, which a client can set freely, so they are an
# addressing convenience rather than access control.
# Reservation for the access point; 192.168.1.2 lies outside the 'lan' pool.
# NOTE(review): it can only be handed out if the AP's DHCP request actually
# arrives on the 'lan' interface -- verify how the AP tags that traffic.
config host
        option name 'access-point'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.2'
        option leasetime 'infinite'

config host
        option name 'laptop'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.100'
        option leasetime 'infinite'

config host
        option name 'smartphone'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime 'infinite'
        option ip '192.168.1.102'

# Pool for the 'guest' interface: 10 addresses starting at host offset 150,
# one-hour leases.
config dhcp 'guest'
        option interface 'guest'
        option start '150'
        option limit '10'
        option leasetime '1h'
        list ra_flags 'none'

The access point still works, however. My Android phone is able to switch to it when I go to the room where it's kept.

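This suggests the AP has a problem; maybe the AP administration interface is not listening on the proper VLAN. In the posted config, lan4 belongs to VLANs 10 and 20 only as a tagged port (`lan4:t`), so the AP's management interface would have to use VLAN 10 tagged frames to reach the router's LAN. Take the phone to the room with the AP, connect it as a LAN user (not guest) and leave it there. Then check on the main router: does the phone have a 192.168.1.0/24 IP? Can you ping the phone (while it is connected to the AP) from the laptop?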

Yeah, the phone gets the static IP I've assigned to it (192.168.1.102) while being connected to the AP. The phone also has internet access. I can ping my phone from my laptop (192.168.1.100).

I've also assigned a static IP to the AP (192.168.1.2) but the AP doesn't seem to get it (nor a DHCP address).