Unifi AP-Lite as “DUMB AP” behind Router Fritzbox 6490 - Vlan

user4385 · May 17, 2024, 7:58am

I have used my two Unifi AP-Lite with Unifi Firmware and Unifi Controller.
Now i changed to OpenWrt on the two Unifi AP-Lite.
With the Unifi Firmware everything worked fine, but i love open source so i changed.

I set ub the two AP with this tutorials:
https://openwrt.org/docs/guide-user/network/wifi/dumbap
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

In the "HOME WLAN" everything is working. Even 802.11r Fast Transition over all FLOOR´s
In the "GUEST WLAN" everting works except 802.11r Fast Transition over all FLOOR´s. I think it is becuase the different dhcp servers in the "GUEST WLAN"

Because i have a managed switch, i have tried to use the "GUEST LAN Port 4" of the Fritzbox manage the clients. But i dont get it work.

Can someone explain how i have to config the openwrt ap to use the also the "GUEST LAN Port 4" of the Fritzbox fo "GUEST WLAN?

psherman · May 17, 2024, 3:35pm

To ensure that I understand -- the difference between this new thread and your previous one relates to the addition of the guest network? Is that correct?

If so, it seems that you've already setup VLAN 2 on your managed switch for the guest network. On the managed switch, VLAN 2 should almost certainly be untagged on port that connects to the FB port 4. Then, you'll setup VLAN 2 as tagged on the ports that connect to the APs.

Finally, you'll add VLAN 2 in an unmanaged interface (and a bridge) to the AP configuration and then create an SSID to broadcast the guest network. If you share your current AP config, I can show you what to add.

user4385 · May 17, 2024, 4:09pm

Yes

Can you please comment the picture with the correct settings.
I think my switch has only port based vlan. The switch is from 2014. On the picture you see the only setting site belong to vlan

psherman · May 17, 2024, 4:20pm

I have no idea how that ZyXel UI works, so I'm not necessarily going to be able to help here.

What are the options in the dropdown items for Ingress Acceptance and Egress Tagging?

user4385 · May 17, 2024, 4:40pm

user4385 · May 17, 2024, 4:41pm

psherman · May 17, 2024, 4:44pm

Ok... so I suspect that the UI should be set such that ports 21 and 22 have:

Port VLAN: 1
Ingress Filtering: checked
Ingress Acceptance: Tagged and Untagged
Egress Tagging: Untag Port VLAN
Allowed VLANs: 1, 2
Forbidden VLANs: (none)

user4385 · May 17, 2024, 4:53pm

OK. I have set it up for one of the Unifi AC-Lite.
I can furthermore reach the LuCI

user4385 · May 17, 2024, 4:54pm

Now i have to ad a new interface here?

psherman · May 17, 2024, 4:59pm

The new interface should be unmanaged.

let's see the output of:

cat /etc/config/network

user4385 · May 17, 2024, 5:00pm

Now i ad a new br-guest2 and a interface guest2, correct?

psherman · May 17, 2024, 5:02pm

I'm not really sure what you're doing right now... there should be a bridge that is used as the device for the guest network.

Please post the config file contents as I requested above.

user4385 · May 17, 2024, 5:11pm

cat /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxxxxx'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'
	option multicast '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.7'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.0.1'
	list dns '192.168.0.201'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	option ipv6 '0'
	option multicast '0'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	list dns '192.168.0.201'

config device
	option name 'eth0'
	option ipv6 '0'
	option multicast '0'

config device
	option name 'phy0-ap0'
	option ipv6 '0'
	option multicast '0'

config device
	option name 'phy0-ap1'
	option ipv6 '0'
	option multicast '0'

config device
	option type 'bridge'
	option name 'br-guest2'
	option bridge_empty '1'

config interface 'guest2'
	option proto 'none'
	option device 'br-guest2'

psherman · May 17, 2024, 5:14pm

delete all of this:

user4385:

config device
	option name 'phy0-ap0'
	option ipv6 '0'
	option multicast '0'

config device
	option name 'phy0-ap1'
	option ipv6 '0'
	option multicast '0'

config device
	option type 'bridge'
	option name 'br-guest2'
	option bridge_empty '1'

config interface 'guest2'
	option proto 'none'
	option device 'br-guest2'

Edit br-guest so that it looks like this:

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.2'

Edit the guest interface so that it looks like this:

config interface 'guest'
	option proto 'none'
	option device 'br-guest'

Reboot the device and try it out.

user4385 · May 17, 2024, 5:40pm

psherman:

Edit br-guest so that it looks like this:
config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.2'
Edit the guest interface so that it looks like this:
config interface 'guest'
	option proto 'none'
	option device 'br-guest'

No it looks like you said and it works!!! I get an IP from the GUEST LAN of the Fritzbox (192.168.179.0/24)
Thank you very much!!!

The mistake i made the whole time was that i had not assigned eth.02 to the "list ports" in the device section.
2024-05-17_19-38

I will play arround a little bit an come back the next days.

psherman · May 17, 2024, 5:42pm

awesome. glad it is working.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

user4385 · May 18, 2024, 6:40am

Update:

In the "HOME WLAN" everything is working. Even 802.11r Fast Transition over all FLOOR´s
In the "GUEST WLAN" everything is working. Even 802.11r Fast Transition over all FLOOR´s

This is a setup i can go with, if there is no more optimation possible.

However, what was better with the Unifi FW so far was that the IP address range 192.168.0.0/24 was used in the "GUEST WLAN" and thus all DNS queries could also be assigned to the respective client in my pihole.

With this the setup now, all DNS queries of the clients in the GUEST WLAN are shown with ip 192.168.179.1. This means that I cannot distinguish which client has made which DNS requests

So is it possible to change this behavior? For example in the GUEST WLAN the devices will use the IP Range 192.168.0.0/24 but get isolated from all other Clients. I dont know how this can configured with openwrt, but with the unifi FW it was possible to use.

psherman · May 18, 2024, 3:39pm

Are you using a PiHole? I just answered a similar question here (obviously adapt as necessary for your zone names and IP addresses):

This also assumes that you are using DHCP option 6 to advertise the Pihole to the clients in question.

user4385 · May 18, 2024, 5:07pm

This will not work, because the pihole is in subnet 192.168.0.0/24 and the GUEST WLAN from the Fritzbox is in 192.168.179.0/24. In the Fritzbox it is configured to use the pihole (192.168.0.201) for all networks, also the GUEST Lan and GUEST WLAN.

psherman · May 18, 2024, 5:23pm

Ah, yes. I forgot we were dealing with the Fritz guest network.

Probably not possible, then.