Using BATMAN VLAN for "guest" network

Hi guys, I've attempted this a couple of weeks ago to no avail. I think the idea is straightforward, I'm using meshed APs and need to extend the signal of "guest" networks. What should I do with node config if the main is correctly configured?

Here's my current config:
Main:

  • Network
# Main router (the EA8300, per the OP's later reply): /etc/config/network as posted.
# Pre-shared keys elsewhere in the thread are redacted as 'XXX'.
# NOTE(review): this listing mixes swconfig sections (config switch / switch_vlan and
# eth0.N sub-interfaces) with a device the thread later says runs DSA. On DSA the CPU
# port is hidden and eth0.N does not exist, so the switch sections below are presumably
# ignored; the follow-up replies describe the bridge-vlan layout that replaces them.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6b:6462:bb1c::/48'
	option packet_steering '1'

# LAN bridge: only the tagged VLAN-1 sub-interface of the CPU port.
# NOTE(review): eth0.1 is also listed as a port of br-MESHlan further down. A port can
# belong to only one bridge, so one of the two bridges will not actually get it.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

# Router's own LAN address; the node listing uses 192.168.0.3 with this as its gateway.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.2'

# WAN via DHCP. Resolvers handed out by the ISP are ignored (peerdns '0') in favour
# of the two listed ones.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# IPv6 WAN. 'ifname' is the pre-21.02 spelling of 'device'; both already name eth0.2,
# so the '@wan' alias line is redundant. DNS is pointed at the local resolver (::1).
config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option dns '::1'
	option ifname '@wan'
	option peerdns '0'

# swconfig switch layout (see NOTE at the top). Port 0 is the tagged CPU port ('0t')
# on every VLAN; the other numbers are physical switch ports.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 = LAN: ports 1, 2 and 4 untagged.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'LAN'
	option ports '0t 1 2 4'

# VLAN 2 = WAN: port 5 untagged.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'
	option description 'WAN'

# VLAN 3 = guest ('Horcrux'): port 3 untagged.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'Horcrux'
	option ports '0t 3'

# Guest network, 10.10.10.0/24, routed (and firewalled) by this device.
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.10.10.1'
	option device 'br-guest'

# br-guest bridges only eth0.3, so nothing arriving over the mesh (bat0) reaches the
# guest network through this bridge. The mesh side is attempted separately via
# br-MESHguest below, which claims the same eth0.3 port.
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.3'

# batman-adv mesh interface. bridge_loop_avoidance '1' matters here because bat0 VLANs
# are bridged to Ethernet segments on more than one device; gw_mode 'off' means no
# batman gateway election. routing_algo must match on every mesh member; the node
# listing uses the same value.
config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'
	option aggregated_ogms '1'
	option ap_isolation '0'
	option bonding '0'
	option fragmentation '1'
	option gw_mode 'off'
	option log_level '0'
	option orig_interval '1000'
	option bridge_loop_avoidance '1'
	option distributed_arp_table '1'
	option multicast_mode '1'
	option network_coding '0'
	option hop_penalty '30'
	option isolation_mark '0x00000000/0x00000000'

# Hard-interface for batman-adv: the 802.11s radio (wifi-iface 'mesh0') is attached to
# this network and thereby to bat0. The larger MTU presumably leaves room for the
# batman-adv encapsulation overhead.
config interface 'nwi_mesh0'
	option mtu '2304'
	option proto 'batadv_hardif'
	option master 'bat0'

# Layer-2-only carriers (proto 'none') for the mesh VLANs. They carry no IP address
# and are not assigned to any firewall zone.
config interface 'MESHguest'
	option stp '1'
	option proto 'none'
	option auto '1'
	option delegate '0'
	option device 'br-MESHguest'

config interface 'MESHlan'
	option stp '1'
	option proto 'none'
	option auto '1'
	option delegate '0'
	option device 'br-MESHlan'

# Guest VLAN over the mesh: bat0.102 is VLAN 102 on top of bat0, bridged to eth0.3.
# NOTE(review): eth0.3 is already a port of br-guest above (one bridge per port), and
# the node listing bridges plain bat0 -- not bat0.102 -- into its br-lan, so VLAN 102
# has no counterpart on the node. That is presumably why the guest network does not
# come out there.
config device
	option name 'br-MESHguest'
	option type 'bridge'
	list ports 'eth0.3'
	list ports 'bat0.102'

# LAN VLAN over the mesh (bat0.101). eth0.1 conflicts with br-lan above.
config device
	option name 'br-MESHlan'
	option type 'bridge'
	list ports 'eth0.1'
	list ports 'bat0.101'



  • Wireless
# Main router: /etc/config/wireless as posted (keys redacted as 'XXX').
# radio0: 2.4 GHz, HT20, auto channel. noscan '1' skips hostapd's overlapping-BSS
# coexistence scan.
config wifi-device 'radio0'
	option hwmode '11g'
	option noscan '1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option cell_density '0'
	option country 'AW'
	option htmode 'HT20'
	option channel 'auto'

# 2.4 GHz LAN AP, WPA2-PSK; ieee80211w '1' makes management-frame protection optional.
# NOTE(review): the node advertises the same SSID with sae-mixed and 802.11r, while
# this one is plain psk2 without FT, so fast roaming between the two APs will not
# happen (FT needs both to share a mobility domain).
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option key 'XXX'
	option ssid '2.4ghz'
	option ieee80211w '1'
	option encryption 'psk2'

# radio1: 5 GHz, VHT80, fixed channel 64 -- used only for the mesh backhaul.
# NOTE(review): channel 64 is a DFS channel in most regulatory domains; with country
# 'AW' here and 'US' on the node, the permitted channel/power sets may differ between
# the two ends of the link.
config wifi-device 'radio1'
	option htmode 'VHT80'
	option hwmode '11a'
	option noscan '1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option cell_density '0'
	option country 'AW'
	option channel '64'

# 802.11s mesh point carrying batman-adv. mesh_fwding '0' disables 802.11s's own
# forwarding so batman-adv (via network 'nwi_mesh0') does the routing; SAE encrypts
# the mesh links.
# NOTE(review): mesh_id is 'MESH' here and 'mesh' on the node. A Mesh ID is compared
# byte-for-byte like an SSID, so unless one of the listings is a transcription slip
# the two radios will not peer.
config wifi-iface 'mesh0'
	option device 'radio1'
	option ifname 'mesh0'
	option disabled '0'
	option mode 'mesh'
	option mesh_id 'MESH'
	option mesh_rssi_threshold '0'
	option encryption 'sae'
	option key 'XXX'
	option mesh_fwding '0'
	option network 'nwi_mesh0'

# radio2: second 5 GHz radio (on the PCI path), VHT80, auto channel, 23 dBm.
config wifi-device 'radio2'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option channel 'auto'
	option cell_density '0'
	option txpower '23'
	option country 'AW'

# 5 GHz LAN AP, WPA2-PSK with optional MFP, same network as wifinet0.
config wifi-iface 'wifinet2'
	option device 'radio2'
	option mode 'ap'
	option ssid '5ghz'
	option key 'XXX'
	option ieee80211w '1'
	option network 'lan'
	option encryption 'psk2'

# Guest AP on 2.4 GHz, attached to network 'guest' (10.10.10.1/24).
# NOTE(review): no 'option isolate' is set, so guest clients on this AP can reach each
# other at layer 2 even though the firewall keeps them out of the 'lan' zone.
config wifi-iface 'guest'
	option mode 'ap'
	option device 'radio0'
	option key 'XXX'
	option encryption 'psk2'
	option network 'guest'
	option ssid 'Horcrux ☢'

  • Firewall
# Main router: /etc/config/firewall as posted.
# The defaults apply to traffic on any interface that is not covered by a zone. Here
# that includes the batman interfaces and the MESHguest/MESHlan carriers, so anything
# the router itself receives on them falls through to input ACCEPT.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'

# LAN zone: open in every direction.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# WAN zone: unsolicited input and forward are dropped, outbound traffic is
# masqueraded, and mtu_fix clamps TCP MSS.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	option masq '1'
	list network 'wan'
	list network 'wan6'

# lan -> wan is the only forwarding out of the LAN zone.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to 'Support-UDP-Traceroute' look like the stock OpenWrt set
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec, traceroute).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# NOTE(review): named Allow-Ping but the target is DROP, so IPv4 echo-request from
# wan is dropped. IPv6 echo-request from wan is still accepted by Allow-ICMPv6-Input
# below; rename the rule or align the two if that asymmetry is not intended.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	list icmp_type 'echo-request'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited; includes echo-request (see Allow-Ping).
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone ('*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# These two forward ESP and IKE (UDP/500) from wan into the lan zone. Behind
# masquerading they only reach a LAN host with a matching DNAT/conntrack entry, but
# they are wan->lan holes nonetheless; disable them if no IPsec endpoint lives on
# the LAN.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# UDP traceroute responder; disabled.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Legacy script hook.
config include
	option path '/etc/firewall.user'

# UPnP hook. If miniupnpd is running, any LAN host can request inbound port mappings
# through it -- treat that as a deliberate trust decision for the LAN zone.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Guest zone: no input to the router except the two rules below, no forwarding except
# guest -> wan, and no guest -> lan forwarding, so guest clients are isolated from the
# LAN at layer 3. Only network 'guest' is a member; the MESHguest carrier (no IP) is
# not in any zone.
config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

# The router must still answer DNS and DHCP for guest clients.
config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

Node:

  • Network
# Node (the Unifi AP AC Lite, single Ethernet port, per the OP's later reply):
# /etc/config/network as posted. It runs as a bridged AP with a static LAN address
# and the main router as its gateway.
config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

# Separate ULA prefix from the main router; each device generates its own.
config globals 'globals'
	option ula_prefix 'fdf5:9a83:763c::/48'

# Static LAN address; gateway is the main router (192.168.0.2).
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.3'
	option device 'br-lan'
	option gateway '192.168.0.2'

# br-lan bridges the raw batman interface and the Ethernet port, both untagged.
# NOTE(review): there is no bat0.102 (or bat0.101) on this node, so the VLANs the
# main router puts onto the mesh via br-MESHguest/br-MESHlan have no counterpart
# here. Extending the guest network to this node would need a bridge that includes
# bat0.102 as a port, with the guest AP attached to that network.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'bat0'
	list ports 'eth0'

# NOTE(review): 'Lan' claims eth0 directly although eth0 is already a port of br-lan,
# and it would put a second (DHCP) address on the same cable as the static 'lan'.
# This looks like a leftover from an earlier setup.
config interface 'Lan'
	option proto 'dhcp'
	option device 'eth0'

# batman-adv settings mirror the main router's; routing_algo must match mesh-wide.
config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'
	option aggregated_ogms '1'
	option ap_isolation '0'
	option bonding '0'
	option fragmentation '1'
	option gw_mode 'off'
	option log_level '0'
	option orig_interval '1000'
	option bridge_loop_avoidance '1'
	option distributed_arp_table '1'
	option multicast_mode '1'
	option network_coding '0'
	option hop_penalty '30'
	option isolation_mark '0x00000000/0x00000000'

# Hard-interface for batman-adv; the 802.11s radio ('wifinet3') attaches here.
config interface 'nwi_mesh0'
	option mtu '2304'
	option proto 'batadv_hardif'
	option master 'bat0'
  • Wireless
# Node: /etc/config/wireless as posted (keys redacted as 'XXX').
# radio0: 5 GHz, VHT80, channel 64, 23 dBm, country 'US' (the main router uses 'AW');
# this radio carries the mesh backhaul.
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option cell_density '0'
	option htmode 'VHT80'
	option channel '64'
	option country 'US'
	option txpower '23'

# radio1: 2.4 GHz, HT20, channel 6.
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option cell_density '0'
	option country 'US'
	option channel '6'
	option htmode 'HT20'

# 2.4 GHz LAN AP: WPA2/WPA3 transition mode (sae-mixed, MFP optional) with 802.11r
# fast transition (over-the-DS, locally generated PSK keys).
# NOTE(review): wps_pushbutton '1' enables WPS push-button on this AP. WPS widens the
# attack surface of a PSK network and is usually left off unless it is actively used.
# The main router's '2.4ghz' AP is plain psk2 without 802.11r, so FT only works
# between APs configured like this one.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'XXX'
	option ssid '2.4ghz'
	option encryption 'sae-mixed'
	option ieee80211r '1'
	option nasid 'Unifi_2.4'
	option mobility_domain '8f51'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option ieee80211w '1'
	option wps_pushbutton '1'

# 802.11s mesh point for batman-adv (802.11s forwarding off, SAE-encrypted links).
# NOTE(review): mesh_id is 'mesh' here and 'MESH' on the main router. A Mesh ID is
# compared byte-for-byte like an SSID, so the two radios will not peer unless one of
# the listings is mistyped.
config wifi-iface 'wifinet3'
	option mesh_rssi_threshold '0'
	option device 'radio0'
	option mode 'mesh'
	option mesh_fwding '0'
	option mesh_id 'mesh'
	option key 'XXX'
	option encryption 'sae'
	option network 'nwi_mesh0'

# 5 GHz LAN AP (sae-mixed + 802.11r, separate mobility domain); currently disabled.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid '5ghz'
	option key 'XXX'
	option ieee80211r '1'
	option ft_psk_generate_local '1'
	option ft_over_ds '1'
	option network 'lan'
	option nasid 'Unifi_5'
	option mobility_domain '9d24'
	option encryption 'sae-mixed'
	option ieee80211w '1'
	option disabled '1'

# Guest AP, disabled. It has no 'option network', so enabling it as-is presumably
# gives it no bridge behind it. To carry the main router's guest VLAN it would need a
# network whose bridge includes bat0.102 (the main side uses that in br-MESHguest).
# The SSID also differs from the main router's guest SSID.
config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option encryption 'sae-mixed'
	option key 'XXX'
	option ieee80211w '1'
	option ssid 'Guest'
	option disabled '1'
  • Firewall
# Node: /etc/config/firewall as posted. No zones are defined, so every interface falls
# through to these defaults. input ACCEPT means the node's own services are reachable
# from any client it bridges -- including guest clients once a guest bridge is added on
# this node. forward REJECT has little effect here, since bridged (layer-2) traffic
# normally does not traverse the forward chain at all.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config include
	option path '/etc/firewall.user'

What hardware and OpenWrt version are you running? Does it have an Ethernet switch? Is the switch driver DSA or swconfig?


EA8300 and Unifi AP AC Lite for now, both are using DSA on 21.02 RC4. The EA8300 has a switch and the Unifi has a single Ethernet port, which I'm using.

There's a bunch of swconfig stuff in the main config which is now just confusion. On a DSA device you have three layers of config:

the bridge device, specifying which DSA ports will be used in some way
one or more bridge-vlans on the bridge device, each specifying whether a port is tagged, untagged, or not a member of that VLAN
one or more network interfaces which refer to a single vlan on the bridge device, i.e. br-lan.3

Now I'm not sure how to put a batman or other non-Ethernet interface into this, I think you do it at the network interface i.e. option device 'br-lan.3 bat0.3'

On the AP since the Ethernet port is directly connected to the CPU, VLAN tagged packets may be placed on the Ethernet cable simply with the notation eth0.3 etc in a regular bridge not a bridge-vlan (bridge-vlan is essential to define hardware switching between Ethernet ports in devices with a hardware switch -- using port.X sort of works in very simple cases but packets can't travel between two external Ethernet devices). Tag all the VLANs you want to send-- that means don't have a plain eth0 anywhere in the config trying to mix tagged and untagged on the same cable.


Ok so I think my first step to take is converting everything to DSA, I didn't realize that NoTengoBattery's build had both DSA and SWCONFIG. As far as I understand, my config is ok? Why aren't the ports being recognized?

# Main router, second attempt: a partial DSA conversion. The switch/switch_vlan
# sections are gone and a bridge-vlan layout has been added, but several interfaces
# still reference eth0.N devices, which (per the reply that follows) do not exist on
# a DSA device.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6b:6462:bb1c::/48'
	option packet_steering '1'

# NOTE(review): br-lan still uses eth0.1 (no such device on DSA) and now also bridges
# raw bat0, while the physical ports have moved into 'br0' below. With bridge-vlans in
# use, 'lan' should refer to the VLAN-1 view of that bridge (br0.1) instead of a
# separate br-lan; the batman VLAN can be named alongside it at the interface level.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'bat0'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.2'

# NOTE(review): wan and wan6 still point at eth0.2; under the bridge-vlan layout below
# the WAN port is reached as br0.2.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option dns '::1'
	option ifname '@wan'
	option peerdns '0'

# DSA bridge over all five switch ports; VLAN membership is defined by the bridge-vlan
# sections that follow. The convention is to name bridges 'br-<name>', and the reply
# below notes that some code may assume the 'br-' prefix.
config device
	option type 'bridge'
	option name 'br0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# VLAN 1 = LAN: lan1, lan2 and lan4 untagged with PVID ('u*'); lan3 is left out on
# purpose (it is the guest port).
config bridge-vlan
	option device 'br0'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:u*'

# VLAN 2 = WAN port, untagged with PVID.
config bridge-vlan
	option device 'br0'
	option vlan '2'
	list ports 'wan:u*'

# VLAN 3 = guest port lan3, untagged with PVID. (This section is indented with spaces
# rather than tabs in the original; UCI does not care.)
config bridge-vlan
        option device 'br0'
        option vlan '3'
        list ports 'lan3:u*'

# Guest network, 10.10.10.0/24, unchanged from the first listing.
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.10.10.1'
	option device 'br-guest'

# NOTE(review): br-guest still bridges eth0.3, which does not exist on DSA. Under the
# bridge-vlan layout the guest port is br0.3, and extending the guest network over
# the mesh additionally needs a batman VLAN (the first listing used bat0.102 for
# this) on the same network.
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.3'

# batman-adv settings and mesh hard-interface are unchanged from the first listing.
config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'
	option aggregated_ogms '1'
	option ap_isolation '0'
	option bonding '0'
	option fragmentation '1'
	option gw_mode 'off'
	option log_level '0'
	option orig_interval '1000'
	option bridge_loop_avoidance '1'
	option distributed_arp_table '1'
	option multicast_mode '1'
	option network_coding '0'
	option hop_penalty '30'
	option isolation_mark '0x00000000/0x00000000'

config interface 'nwi_mesh0'
	option mtu '2304'
	option proto 'batadv_hardif'
	option master 'bat0'

There is no eth0 on a DSA device. The CPU port is basically hidden. Connecting an interface to a bridge is done directly, either with option device br-xxx if it's a non-VLAN bridge, or br-xxx.N if there are bridge-vlans defined, to pick out the VLAN that applies to that network.

Since you've put all the Ethernet ports into one big VLANed bridge, you should not have separate bridges like br-lan. Also it would be good to rename your br0 to a name beginning with br-, as that is the convention and may be hard-coded in some places.