Upgrading To 24.10.1 Rendered Management VLAN Inaccessible

I'm using an Archer C7 v5 as a dummy AP in my network.

This is my topology:

This is my /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '6'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '7'
        option ports '0t 2t'

config switch_vlan
        option device 'switch0'
        option vlan '8'
        option ports '0t 2t'

config device
        option name 'br_printer'
        option type 'bridge'
        list ports 'eth0.5'

config device
        option name 'br_guest'
        option type 'bridge'
        list ports 'eth0.6'

config device
        option name 'br_skynet'
        option type 'bridge'
        list ports 'eth0.8'

config interface 'printer'
        option device 'br_printer'
        option proto 'none'

config interface 'guest'
        option device 'br_guest'
        option proto 'none'

config interface 'management'
        option device 'eth0.7'
        option proto 'static'
        option ipaddr '10.0.7.2'
        option netmask '255.255.255.0'
        option gateway '10.0.7.1'
        option dns '10.0.7.1'

config interface 'skynet'
        option device 'br_skynet'
        option proto 'none'

This is my /etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option disabled '0'

config wifi-iface 'radio0_skynet'
        option device 'radio0'
        option network 'skynet'
        option mode 'ap'
        option ssid 'skynet'
        option encryption 'sae'
        option key <some-password>
        option hidden '1'

config wifi-iface 'radio0_guest'
        option device 'radio0'
        option network 'guest'
        option mode 'ap'
        option ssid 'skynet-guest'
        option encryption 'sae'
        option key <some-password>

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface 'radio1_printer'
        option device 'radio1'
        option network 'printer'
        option mode 'ap'
        option ssid 'skynet-printer'
        option encryption 'sae'
        option key <some-password>
        option hidden '1'

And these are the relevant port configurations on the switch that sits between OPNsense and OpenWRT:

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 2-10
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 5-8
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 3
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/4
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 switchport mode access

There's some slight deviation between the code and diagram, but it shouldn't be problematic as it's not on the path that I'm having trouble getting data to travel. That deviation is just that the laptop and phone have their own VLANs in the diagram but share a VLAN in the config file, and also the port to my business server is a trunk in the switch config but not in the diagram. Probably not relevant, just noting.

Today I updated to OpenWRT 24.10.1, initially by using auc but that did something very weird. It locked me out of the OpenWRT management VLAN (7) yet left the rest of the network intact. I spent many hours trying to get the management VLAN back to no avail. Then I had a look around online and noticed auc is being phased out for owut as well as opkg for apk. At this point I worried that maybe I was doing things in a way that's no longer recommended, so I figured I'd manually flash to 24.10.1, so I did that via failsafe mode and scp. Still the problem persisted. At this point I've cut my config down to something very minimal, no wireless and just a management VLAN:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '7'
        option ports '0t 2t'

config interface 'management'
        option device 'eth0.7'
        option proto 'static'
        option ipaddr '10.0.7.2'
        option netmask '255.255.255.0'
        option gateway '10.0.7.1'
        option dns '10.0.7.1'

But still I can't access the management VLAN. I'm also sure my firewall rules in OPNsense aren't blocking anything, as I can see with the OPNsense packet capture tool that when I ping from a device with appropriate firewall rules packets show up on VLAN 7.

If anyone can give me some advice on how to troubleshoot regaining access to VLAN 7, that would be helpful.

It's not the firewall in OPNsense that is your problem... it is the one in OpenWrt.

I'm going to guess that you previously had disabled the firewall service, but you didn't explicitly configure the management network such that it is associated with a zone that accepts input. When you ran the upgrade, the firewall became re-enabled and the fact that the management network was not explicitly allowed input meant that administration became impossible.

The fix is simple -- put the network in a zone and then set the zone input rule to ACCEPT. Restart and you should be in business.
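As an added illustration (not the poster's code) of the condition described in this reply: a small script that reads the two UCI files and lists addressed interfaces that no firewall zone admits with input ACCEPT, which is the lockout that a re-enabled firewall produces. The sample configs are constructed from the minimal config quoted in the thread; the handling of the `defaults` section assumes OpenWrt's behaviour that its policies apply to traffic from interfaces in no zone.

```python
import re

# Constructed sample configs, modelled on the minimal config quoted in the thread.
NETWORK = """
config interface 'loopback'
        option device 'lo'
        option proto 'static'
config interface 'management'
        option device 'eth0.7'
        option proto 'static'
        option ipaddr '10.0.7.2'
"""
FIREWALL_LOCKED_OUT = """
config defaults
        option input 'REJECT'
"""
FIREWALL_FIXED = FIREWALL_LOCKED_OUT + """
config zone
        option name 'management'
        list network 'management'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, options) tuples; 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        parts = [p.strip("'\"") for p in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", raw)]
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config':
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == 'option' and sections:
            sections[-1][2][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def unzoned_admin_interfaces(network_text, firewall_text):
    """Names of addressed interfaces that no zone admits with input ACCEPT.
    Interfaces with proto 'none' carry no IP and cannot be administered anyway."""
    ifaces = [n for t, n, o in parse_uci(network_text)
              if t == 'interface' and n != 'loopback' and o.get('proto') != 'none']
    accepting = set()
    for t, _, o in parse_uci(firewall_text):
        if t == 'defaults' and o.get('input', 'REJECT').upper() == 'ACCEPT':
            return []  # unzoned traffic is accepted by the default policy
        if t == 'zone' and o.get('input', '').upper() == 'ACCEPT':
            nets = o.get('network', [])  # 'option network' may be space-separated
            accepting.update(nets.split() if isinstance(nets, str) else nets)
    return [n for n in ifaces if n not in accepting]
```

Run it against `/etc/config/network` and `/etc/config/firewall` before a sysupgrade; any interface it lists is one you will lose SSH and LuCI access on once the firewall is active.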

Thanks for the reply.

I entered the device in failsafe mode and modified the firewall config as you suggested:

config zone
    option name 'management'
    list network 'management'
    option input 'ACCEPT'

On reboot I still don't seem to have access over VLAN 7.

That is an incomplete zone definition. Add this:

	option output 'ACCEPT'
	option forward 'ACCEPT'

Sorry about that. I can confirm that adding the following and rebooting still does not give me access to VLAN 7.

config zone
    option name 'management'
    list network 'management'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

Let's see the complete config again:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Sure.

ubus doesn't seem to be available in failsafe mode, so I had this interaction:

root@OpenWrt-failsafe:~# mount_root
switching to jffs2 overlay
root@OpenWrt-failsafe:~# ubus call system board
Failed to connect to ubus
root@OpenWrt-failsafe:~# which ubus
/bin/ubus
root@OpenWrt-failsafe:~# ubusd &
root@OpenWrt-failsafe:~# ubus call system board
Command failed: Not found

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '7'
        option ports '0t 2t'

config interface 'management'
        option device 'eth0.7'
        option proto 'static'
        option ipaddr '10.0.7.2'
        option netmask '255.255.255.0'
        option gateway '10.0.7.1'
        option dns '10.0.7.1'

/etc/config/firewall:

config zone
    option name 'management'
    list network 'management'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

Let’s reset the device to defaults and then rebuild the config.

firstboot -y && reboot

Thanks. I ran that command then ended up rebuilding from scratch. It's working now.
