Use SSID in specific VLAN - Wifi connection can not be established

Did you already check if this is a pfSense issue or an OpenWRT issue? That is, did you connect a PC to pfSense on the port where the Archer C7v2 is and set VLAN115 in the Ethernet controller?

If there is no IP from Guests network, then error is on pfSense.

I can see multiple entries both from swconfig and DSA.
Also clean up the stale entries.

I am not sure I understand what you call stale entries.

While @VLANMaster had only VLAN19, I want to have two VLANs, one for private users and another one for guests. Those 2 entries highlighted in blue are different bridges.

Is it more visible now?

config bridge-vlan
        option device 'br-guests'
        list ports 'eth1.4:t'

config bridge-vlan
        option device 'br-wifi'
        list ports 'eth1.3:t'

config bridge-vlan
        option device 'br-guests'

config bridge-vlan
        option device 'br-wifi'

Oh yes! My bad.


I made quite a cleanup.

Just a reminder of what I am trying to achieve.

  • pfSense is my router handling DHCP server
    • managed devices are under 10.0.0.0, no specified VLAN
    • Wifi (private addresses) is VLAN110, subnet 10.0.110.0/24
    • Guests Wifi is VLAN115, subnet 172.16.115.0/24
  • Archer C7v2 is a Wireless access point, not handling any wired hosts
    • the ethernet cable is connected in port 1

Now, my /etc/config/network looks like:

#
    ##::[[---  Archer C7v2 Config  ---]]::##

################################################

    # Globals #
#----------------------------------------------
config globals 'globals'
        option ula_prefix  'fd0f:50c2:91df::/48'


    # Loopback #
#----------------------------------------------
config interface 'loopback'
        option device      'lo'
        option proto       'static'
        option ipaddr      '127.0.0.1'
        option netmask     '255.0.0.0'


    # LAN: Regular #
#---------------------------------------------
config device
        option name        'br-lan'
        option type        'bridge'
        list ports         'eth1.1'
        option ipv6        '0'

config interface 'lan'
        option device      'br-lan'
        option proto       'static'
        option netmask     '255.255.255.0'
        option ip6assign   '60'
        option ipaddr      '10.0.0.11'
        option gateway     '10.0.0.1'


    # LAN: Wifi private addresses #
#--------------------------------------------
config device
        option type        'bridge'
        option name        'br-wifi'
        list ports         'eth1.1 eth1.3'
        option ipv6        '0'

config interface 'WIFI'
        option device      'br-wifi'
        option proto       'dhcp'
        option netmask     '255.255.255.0'
        option gateway     '10.0.110.1'
        option dns         '10.0.110.1'


    # LAN: Guests #
#-------------------------------------------
config device
        option type        'bridge'
        option name        'br-guests'
        list ports         'eth1.1 eth1.4'
        option ipv6        '0'

config interface 'GUESTS'
        option device      'br-guests'
        option proto       'dhcp'
        option netmask     '255.255.255.0'
        option gateway     '172.16.115.1'
        option dns         '172.16.115.1'


###########################################
     ##----- Virtual Switches -----##
###########################################
config switch
        option name        'switch0'
        option reset       '1'
        option enable_vlan '1'

config switch_vlan
        option device      'switch0'
        option vlan        '1'
        option ports       '0t 2 3 4 5'
        option vid         '1'

config switch_vlan
        option device      'switch0'
        option vlan        '2'
        option ports       '1t 6'
        option vid         '2'

config switch_vlan
        option device      'switch0'
        option vlan        '3'
        option ports       '0t 1t 2t'
        option vid         '3'
        option description 'Wifi(110)'
        option pvid        '110'

config switch_vlan
        option device      'switch0'
        option vlan        '4'
        option ports       '0t 1t 2t'
        option vid         '4'
        option description 'Guest(115)'
        option pvid        '115'

[EDIT 17:00]
Once I added the radios in LuCI, all my comments ##### are gone in /etc/config/network but the file is basically the same.

My bridge between LAN and WIFI must not be working because I get this:

root@OpenWrt:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-guests       7fff.9aded0f9d1ea       no              wlan0-1
                                                        wlan1-1
br-wifi         7fff.98ded0f9d1ea       no              wlan0
                                                        wlan1
br-lan          7fff.98ded0f9d1eb       no              eth1.1

And:
I can't get a lease on my phone on the Guests VLAN.
I can get a lease on Wifi, but it's still in the 10.0.0.0 subnet.

What am I missing here?

[EDIT 19h]
So before anyone loses any time on this: I just realised there is a mismatch between the ports shown in LuCI and in the CLI, so I am going in circles with /etc/config/network.

I have started another thread just to get some help in identifying my ports and once I get this resolved, I'll come back here: Mismatch between LuCi en CLI to ask further help if required.

[EDIT 21:00]
@trendy @mk24

So I solved my logical ports problem.
Here is my latest output

{
        "kernel": "5.4.143",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link Archer C7 v2",
        "board_name": "tplink,archer-c7-v2",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0",
                "revision": "r16279-5cc0535800",
                "target": "ath79/generic",
                "description": "OpenWrt 21.02.0 r16279-5cc0535800"
        }
}
package network

config globals 'globals'
        option ula_prefix 'fd0f:50c2:91df::/48'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.0.11'
        option gateway '10.0.0.1'

config device
        option type 'bridge'
        option name 'br-wifi'
        list ports 'eth1.1 eth1.3'
        option ipv6 '0'

config interface 'wifi'
        option device 'br-wifi'
        option proto 'dhcp'
        option netmask '255.255.255.0'
        option gateway '10.0.110.1'
        option dns '10.0.110.1'
        option type 'bridge'

config device
        option type 'bridge'
        option name 'br-guests'
        list ports 'eth1.1 eth1.4'
        option ipv6 '0'

config interface 'guests'
        option device 'br-guests'
        option proto 'dhcp'
        option netmask '255.255.255.0'
        option gateway '172.16.115.1'
        option dns '172.16.115.1'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 6t 2t 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 6t 2t'
        option vid '3'
        option description 'Wifi(110)'
        option pvid '110'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 6t 2t'
        option vid '4'
        option description 'Guest(115)'
        option pvid '115'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option cell_density '0'
        option channel '157'
        option country 'CA'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae-mixed'
        option key 'nnn'
        option ieee80211w '1'
        option network 'lan WIFI wifi'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option cell_density '0'
        option channel '6'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae-mixed'
        option key 'nnn'
        option ieee80211w '1'
        option network 'lan WIFI wifi'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt_Invites'
        option encryption 'sae-mixed'
        option key 'nnn'
        option ieee80211w '1'
        option network 'GUESTS guests lan'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt_Invites'
        option encryption 'sae-mixed'
        option key 'nnn'
        option ieee80211w '1'
        option network 'GUESTS guests lan'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'


SSID Guest does connect but gets a lease from 10.0.0.0.
SSID Wifi does not connect.

I am stuck

Since this is a dumbAP, you don't need to assign multiple IPs.
Use static IP or DHCP on one interface for management, and the rest can be unmanaged.
In the network configuration I still see a mix of swconfig and DSA.
For example:

config device
        option type 'bridge'
        option name 'br-guests'
        list ports 'eth1.1 eth1.4'
        option ipv6 '0'

and

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 6t 2t'
        option vid '4'
        option description 'Guest(115)'
        option pvid '115'

Furthermore you are bridging the eth1.1 on all bridges.
I suggest you reset the device and follow the dumbAP guide. After that works successfully you can add the other 2 wifi and vlans.


swconfig vs DSA is not clear.

In the docs I read, one is not supposed to use list ports but rather "ifname". I tried that, believing it could be a problem in my situation. I got locked out of both SSH and the GUI because the /etc/network could not load properly.

Once I did the minimal setup in LuCI, I reused the same "options" that I saw to be working in order to complete my config.

My two APs are working. Thanks.

Here it is:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd54:7407:331c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.0.11'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1 2 3 4 5 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '110'
        option pvid '110'
        option ports '0t 1t 6t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '115'
        option pvid '115'
        option ports '0t 1t 6t'

config device
        option type 'bridge'
        option name 'br-wifi'
        option ipv6 '0'
        list ports 'eth1'
        list ports 'eth1.110'

config interface 'wifi'
        option proto 'static'
        option ipaddr '10.0.110.2'
        option netmask '255.255.255.0'
        option gateway '10.0.110.1'
        option device 'br-wifi'
        list dns '10.0.110.1'

config device
        option type 'bridge'
        option name 'br-guests'
        list ports 'eth1'
        list ports 'eth1.115'
        option ipv6 '0'

config interface 'guests'
        option proto 'static'
        option device 'br-guests'
        option netmask '255.255.255.0'
        option ipaddr '172.15.116.2'
        option gateway '172.15.116.1'
        list dns '172.15.116.1'

config device
        option name 'eth1.110'
        option type '8021q'
        option ifname 'eth1'
        option vid '110'
        option ipv6 '0'

config device
        option name 'eth1.115'
        option type '8021q'
        option ifname 'eth1'
        option vid '115'
        option ipv6 '0'

I'll make a thread with a step by step for those it might help: Archer C7v2 dual WAP (VLAN) downstream pfSense.

I suggest that you use LuCI to configure the network configuration. I don't see why the option ipv6 '0' is part of the device configuration; it should be under the interface.
Furthermore you insist on having multiple IPs and default gateways on a dumbAP. Although this might seem to work fine, it can have unexpected issues in the future. There is no need to have a managed interface on guest vlan or wifi if you manage the device from the lan.

I believe when I started over, all was done entirely in the LuCi.

The only reason why I am doing that is to see what's going on from only one interface, namely pfSense. It's how I managed to do it from what I gathered, but it may not be kosher...

What would be your suggestion?

This is the thread I posted once I got it working. Wifi Access Point on 21.02 | 2 SSIDs using vlan 802.1q (Archer C7v2)

Only one interface with static IP, the one you are using for management. The other 2 interfaces will be unmanaged, no IP, just a vlan to trunk to the pfsense.

Did you start clean or did you migrate from an older version of OpenWrt? Under device configuration should be layer 2 and bridge configuration, while ipv6 is layer 3.

Thanks! It works. I thought that it did not make any sense to have 3 static IPs for a single device. Plus I had the experience of setting up a UniFi AP for someone who is not into recycling old devices like I do, and it needed only one address for the managing interface.

Brand new. I migrated from DD-WRT that had been running for at least 5 years. And each time I locked myself out until I figured I got the port mapping wrong, I started from scratch.

I think it does come from the LuCI.


Thanks. Now it works with your configuration.

To get this done via LuCI without editing config files, with the VLAN19 example:

  1. Add the vlan19 device.
     Go to Network --> Interfaces --> Tab Interfaces. Click "Add new interface".
     Type eth0.19 and hit enter, then click "Create interface" and then "Save and apply". BTW: eth0.19 is only a common convention for establishing a VLAN with id 19. eth0.19 could also access vlan id 42, see https://wiki.archlinux.org/title/VLAN#Create_the_VLAN_device
     So OpenWRT just interprets eth0.19 as ip link add link eth0 name eth0.19 type vlan id 19

  2. Now go to the tab Devices and click "Add device configuration".
     Select "Bridge Device" as device type, give a name like "br-vlan19" and bridge port eth0.19, click Save and then "Save and Apply".

  3. Now go to Interfaces again; you now see a VLAN19 interface.

  4. Click the Edit button and change the device to "br-vlan19".

  5. Now you have a br-vlan19 interface (that was the missing step).

  6. Now you can choose vlan19 at your SSID as Network and it will work. If not, disabling and enabling the SSID helps.


These pictures may be used for an official Wiki article.

Important security information:
a) Even if the interface is unmanaged, there is a default link-local IPv6 address. With this the device can be accessed! This is not a bug in OpenWRT but solely related to this kind of configuration.

Make sure to disable IPv6 on that interface to be sure no one can access your OpenWRT device from VLAN19.

/etc/config/network

config device
        option type 'bridge'
        option name 'br-vlan19'
        list ports 'eth0.19'
        option ipv6 '0'

Each wireless interface also has its own IPv6 address by default. However, I was not able to connect to that address.
If you want to be really sure not to have any security issue and don't need to access your OpenWRT device by IPv6, use in custom firewall rules:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

ip6tables -I INPUT -j DROP

b) Also, OpenWRT is by default configured to route traffic even on an Access Point. So traffic can flow from VLAN19 to the normal LAN when there is an IP(v6) address on br-vlan19. Usually clients don't know how to route the traffic back to the source IP address, so traffic can't flow, and OpenWRT isn't configured to do NAT on that interface by default.
But your router can be accessed by default by any of its addresses from the VLAN. So to make sure there is no access from an unmanaged VLAN interface to your OpenWRT Access Point: make sure VLANs are really separated and disable routing by:

sysctl -w net.ipv4.ip_forward=0

and make this change permanent in /etc/sysctl.conf

net.ipv4.ip_forward = 0

Removing the IPv6 address should be sufficient to be safe, but in theory a client with a modified ARP table could use your OpenWRT device as a router even without an IP address on the br-vlan19 interface. I've never tested this, but this kind of attack sounds feasible. So really make sure that routing is disabled.
If you need routing, prevent it with firewall rules (table FORWARD) on the VLAN19 interface.

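An added check for the two points in the security note above (IPv6 left on a bridge device, and IP forwarding left on); this is example code written for this page, not from the thread or from OpenWrt. It assumes the UCI syntax pasted in the posts above; the sample network config and sysctl text are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWrt /etc/config/network
# (UCI syntax, as pasted in the posts above) for bridge devices that still
# have IPv6 enabled. Such a bridge gets a link-local IPv6 address even when
# the interface on top of it is unmanaged, which is the exposure described
# in the security note. The sample config and sysctl text are constructed.

# Read a UCI network config on stdin; print the name of every
# "config device" section of type bridge that lacks option ipv6 '0'.
audit_bridge_ipv6() {
    awk -v q="'" '
        function flush() {
            if (in_dev && type == "bridge" && ipv6 != "0" && name != "")
                print name
            in_dev = 0; type = ""; ipv6 = ""; name = ""
        }
        # every "config ..." line starts a new section
        $1 == "config" { flush(); if ($2 == "device") in_dev = 1; next }
        in_dev && $1 == "option" {
            v = $3; gsub(q, "", v)          # strip the single quotes
            if ($2 == "name") name = v
            if ($2 == "type") type = v
            if ($2 == "ipv6") ipv6 = v
        }
        END { flush() }
    '
}

# Read sysctl.conf-style text on stdin; print "disabled" when an active
# (non-comment) line sets net.ipv4.ip_forward to 0, otherwise "enabled",
# since OpenWrt forwards by default when nothing turns it off.
audit_ip_forward() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*net\.ipv4\.ip_forward[ \t]*=[ \t]*0[ \t]*$/ { found = 1 }
        END { print (found ? "disabled" : "enabled") }
    '
}

# Constructed sample in the style of the thread: one bridge done right,
# one missing the ipv6 option, an 802.1q device, and one bridge with IPv6
# explicitly on.
sample_network() {
    cat <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-vlan19'
        list ports 'eth0.19'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '19'
        option name 'eth0.19'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth0.20'
        option ipv6 '1'
EOF
}

# Constructed sysctl.conf fragment matching the note above.
sample_sysctl() {
    printf '%s\n' '# keep the dumb AP from routing between VLANs' 'net.ipv4.ip_forward = 0'
}

echo "bridges with IPv6 still enabled:"
sample_network | audit_bridge_ipv6
echo "ip_forward: $(sample_sysctl | audit_ip_forward)"
```

On a real device, replace the sample functions with `audit_bridge_ipv6 < /etc/config/network` and `audit_ip_forward < /etc/sysctl.conf`.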

Why did we open this thread for this?

It would have been better to handle this as a new thread.

Anyway, you control/secure the device access through the uhttpd listening ports, the dropbear listening interface and the firewall INPUT rules.
Have you done that to begin with?

Turning off IPv6 works for those that don't have IPv6, but the others can't really use that solution.

In this thread is a step-by-step tutorial on how to set this thing up, so it is important to have this security information in this thread. I'll test a few more things and then this thread can be closed.

Yea, but you actually write in bold, so do we have a real security bug with specifically VLAN19 that short-circuits the firewall settings, or does this apply to all VLAN numbers?
If we have that big a security bug we need to scramble the code writers to do something fast.

Or are you trying to write a manual for hardening a standard multi-interface/multi-VLAN setup to access the router?
If so, have you read what I just wrote in my last post on how to control router access?

And why are both your interfaces light green? LuCI should, if they are separated, give them different colors.
Or grey if they don't belong to a firewall zone.

Sorry, that was a misunderstanding. I've edited the post to make it clear that this is only an issue with the configuration and not a bug in OpenWRT.

For this tutorial it was indeed in the same firewall zone; that's why the interface is green.