Unifi 6 Lite - Default network works, VLANs without Internet access

I've flashed a Ubiquiti Unifi 6 Lite AP with OpenWRT. Funnily enough, the actual flashing process took 5 minutes, whereas I cannot seem to get my VLANs to work no matter what I do. I thought this would be the other way around :grinning:

The main network (br-lan) works; the other two (br-lan.2 [guest] and br-lan.3 [IoT]) get a DHCP lease from the router and look functional, but devices 'connect' for only a few seconds before showing a 'No Internet Connection' / 'Wireless Network Activation Failed' message.

The fact that br-lan.2 and br-lan.3 get a DHCP lease at all implies to me that the VIDs are being passed along just fine. I am able to reach LuCI via any of the networks over ethernet.

Network

+---------------+   10.10.0.0/24          +------------------+
|               | ----------------------- |                  |
|               |   10.11.0.0/24 (VID2)   |                  |
|OpenWRT AP     | ----------------------- |    ROUTER        |
|               |   10.12.0.0/24 (VID3)   |                  |
|               | ----------------------- |                  |
+---------------+                         +------------------+

Configs

cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        # ULA prefix is still defined although every device below sets ipv6 '0'
        option ula_prefix 'fdd7:10ef:5246::/48'

# Management bridge: a single port and no bridge-vlan sections, so the bridge is
# not VLAN-filtering; the 802.1Q devices below are stacked on the bridge itself.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'
        # ipv6 '0' only disables IPv6 on the AP's own interface; it does not stop
        # IPv6 frames being bridged through to wireless clients
        option ipv6 '0'

# Management interface. NOTE(review): with the firewall disabled, LuCI/SSH on this
# AP are reachable from every VLAN, not only this one (the poster confirms LuCI is
# reachable via any of the networks); bind uhttpd/dropbear to the management
# address or filter management access at the router.
config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

# NOTE(review): br-lan.2 is a bare 802.1Q device, not a bridge. The wifi-iface
# 'wifinet2' in /etc/config/wireless attaches to this network, and as far as I know
# netifd can only add a wireless interface to a bridge device - which would explain
# why the AP itself gets a lease here while wireless clients do not. Confirm with
# `logread` after `wifi reload`.
config interface 'guest'
        option proto 'dhcp'
        option device 'br-lan.2'

# Same construction as 'guest' (wifinet3, currently disabled, attaches here)
config interface 'IoT'
        option proto 'dhcp'
        option device 'br-lan.3'

# VLAN 2 (guest) tagged on top of the bridge rather than on port 'lan'
config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '2'
        option name 'br-lan.2'
        option ipv6 '0'

# VLAN 3 (IoT), same pattern
config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '3'
        option name 'br-lan.3'
        option ipv6 '0'

# Per-device IPv6 opt-outs for the remaining interfaces (AP side only)
config device
        option name 'wlan1-1'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'lan'
        option ipv6 '0'
/etc/config/wireless
# 2.4 GHz radio, currently disabled
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'HT20'
        option disabled '1'

# NOTE(review): open SSID (encryption 'none') attached to the management network.
# It is inactive only because radio0 is disabled; remove this section or give it
# encryption before enabling radio0, otherwise the management VLAN becomes
# reachable over the air without authentication.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

# 5 GHz radio carrying the three SSIDs below
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'VHT80'
        option cell_density '0'

# Management SSID -> interface 'lan' (br-lan)
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID1'
        # hiding the SSID is not a security control: clients disclose it in probe requests
        option hidden '1'
        # WPA2/WPA3 transition mode; with ieee80211w '1' management-frame protection is
        # only optional, so WPA2-PSK clients can still associate without it. Prefer
        # 'sae' with ieee80211w '2' once every client supports WPA3.
        option encryption 'sae-mixed'
        # redacted in the post - each SSID should use its own passphrase, otherwise a
        # guest/IoT key also opens the management SSID
        option key 'PASSWORD'
        option ieee80211w '1'

# Guest SSID -> interface 'guest' (br-lan.2)
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'SSSID2'
        option encryption 'sae-mixed'
        option key 'PASSWORD'
        option ieee80211w '1'
        option network 'guest'

# IoT SSID -> interface 'IoT' (br-lan.3); currently disabled
config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'SSID3'
        option encryption 'sae-mixed'
        option key 'PASSWORD'
        option ieee80211w '1'
        option network 'IoT'
        option hidden '1'
        option disabled '1'
cat /etc/config/firewall (this shouldn't matter as the firewall is disabled?)
# NOTE(review): the firewall service is disabled on this AP, so none of this is
# enforced; the notes below matter only if it is re-enabled.
config defaults
        # stock OpenWrt default is REJECT; ACCEPT exposes every AP service to any
        # network that can reach the AP's address
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Management, IoT and guest all share one zone with forward ACCEPT, so even with the
# firewall enabled there is no inter-VLAN isolation at the AP. Client traffic is
# bridged at layer 2 anyway, so segmentation has to be enforced at the router.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'IoT'
        list network 'guest'

# 'wan'/'wan6' are not defined in /etc/config/network, so this zone and the
# src 'wan' rules below are dead configuration. input ACCEPT here (stock default
# REJECT) would be unsafe if a wan interface were ever added.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# Custom rules file; check that its contents are known before re-enabling the firewall
config include
        option path '/etc/firewall.user'

What I've done so far

  • Disable firewall
  • Disable odhcpd
  • Disable dnsmasq
  • Install ip-all
  • Create 2 devices with type 'VLAN (802.1q)'
  • Create an interface for each of them and set both to 'DHCP Client'
  • Add 3 wireless networks, attached to the default interface and the 2 VLAN ones

Only the wireless network attached to the default interface (br-lan) is working :confused:

Would be much appreciated if somebody could help me out with this...

You must disable DHCP on all VLANs on your OpenWrt installation since you have an upstream router and this is acting purely as an AP. If the AP serves DHCP info to the network, things will not function properly.

Have you verified that the VLANs work from your main router (ideally using an ethernet connection between the router or managed switch and a computer)?

Also, the firewall doesn't do anything in your current configuration.

I have disabled 'odhcpd' at startup.

All VLAN interfaces show 'No DHCP Server configured for this interface'.

The VLANs work everywhere else in the network. Given that OpenWrt is able to get the correct DHCP lease from the router for each VLAN, I'd say those are set up fine?

The AP doesn't actually need an IP address in any network other than the one used for management. I don't think the others will cause any issues, but just an FYI.

Try connecting the same client to each of the SSIDs in turn... let's see what the full DHCP lease looks like (IP, subnet mask, router/gateway, and DNS). Please report those here.


SSID1 (default br-lan) -- working

IP Address: 10.10.0.14
Subnet Mask: 255.255.255.0
Router: 10.10.0.1

SSID2 (br-lan.2) -- not working

It's giving an IPv6 address for some reason, even though IPv6 is disabled on every interface?

Connect a wired device to the router and see if DHCP addresses are being issued for all 3 VLANs.

They are, as per the OpenWrt screenshot below. This is mirrored in the router interface.

I know that the OpenWrt-based U6-Lite is indeed showing IPs for each VLAN, but have you then gone back and actually re-run the experiment: with the AP still connected, plug another device into an access port configured for each VLAN and verify that DHCP is still working from the router? It wasn't clear from your statement above whether you had actually run the experiment again before replying. Please confirm.

Confirmed. I have a Unifi AC Lite that has not been flashed and is working across all VLANs.

Ok... thanks for confirming. Didn't want to belabor the point, but wanted to make sure we had 100% confidence in the rest of the network functionality.

Let me continue to look at the configs and think about what might be wrong. And maybe someone else will figure out what's wrong before me anyway.


Here's an idea... on your guest network, try removing the br-lan.2 device and using eth0.2 instead. You may need to create another device for eth0.2 as well.

When I do that I lose my 'IPv4 Upstream' on the status page. Doesn't seem to get a DHCP lease at all now.

Same issues with clients, 'no internet' and immediate disconnect.

The IPv4 upstream isn't important for the networks other than the one used for management, but obviously if the clients don't work, we still have to keep thinking...

Can you post the config that you set up for my eth0.2 idea (the one that didn't work)?

cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdd7:10ef:5246::/48'

# Management bridge, unchanged from the first attempt (single port, no bridge-vlan)
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

# NOTE(review): eth0.2 is still not a bridge, so the question of how the guest
# wireless interface gets attached is unchanged from the br-lan.2 variant. eth0
# also appears to be the DSA conduit behind port 'lan' (both are listed as devices
# below); tagging on the conduit rather than on 'lan' is presumably why the
# 'IPv4 Upstream' lease disappears with this config - confirm with `ip -d link`.
config interface 'guest'
        option proto 'dhcp'
        option device 'eth0.2'

config interface 'IoT'
        option proto 'dhcp'
        option device 'br-lan.3'

# Leftover from the previous attempt; no interface references br-lan.2 any more
config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '2'
        option name 'br-lan.2'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '3'
        option name 'br-lan.3'
        option ipv6 '0'

config device
        option name 'wlan1-1'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'lan'
        option ipv6 '0'

# VLAN 2 tagged on the raw eth0 device (see note on 'guest' above)
config device
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option name 'eth0.2'
        option ipv6 '0'

I don't think it'll matter, but remove the br-lan.2 definitions just in case they are causing a conflict.

No change, unfortunately.

I don't really know why your original config wasn't working, and not sure what to do... I'll keep thinking about it, but hopefully someone else will know.

Thanks, appreciate all the help :slight_smile: