Using VLANs across a wireless backhaul with batman-adv on TP Link Deco M5

Hi all,

My setup looks like this:
Opnsense --(wired)--> Deco M5 running OpenWrt (24.10.3) --wireless--> Second Deco M5 running OpenWrt (24.10.3). Deco M5 snapshot was from this topic. The two decos were set up identically by copying a backup and restoring it on the other.

I wanted to create a home VLAN on VLAN10 and a guest one on VLAN20, and extend those VLANs wirelessly to another access point so it can serve Wi-Fi per VLAN. DHCP, DNS and firewalling are all done on the OPNsense. There is a LAN and a WAN port on each Deco - LAN would be the trunk port and the WAN port would be for a wired appliance on VLAN10.

At some point, I had the batman-adv mesh running without VLANs by creating the bat0 device and bridging that with the LAN port, and the batmesh interface linked to the 802.11s mesh on the 5Ghz. User WIFI is served on the 2.4Ghz.

The problem is that after adding the VLANs and bridging the bat0 and br-lan VLANs together, the second access point no longer gets internet access or DHCP. Swapping the Deco units around confirms that the wired unit always works but the wirelessly connected one doesn't connect, even though I can see the units are connected through the "associated stations" part of the status screen. No batman errors referencing VLANs are visible in the system log.

Below are the config files (same for both units except for the hostname / static IP), I've disabled DHCP and firewall on the APs but included them anyway:

/etc/config/firewall

# Firewall defaults for the AP. The post states that the firewall is disabled on
# the APs and that all filtering happens on the OPNsense, so these policies are
# not what protects the network.
# NOTE(review): no zones or rules are shown, and every chain policy is ACCEPT.
# If the firewall service were enabled with this file, nothing on the AP would
# restrict access to its own management services - confirm the OPNsense rules
# keep the guest VLAN away from the AP's address on the home VLAN.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

/etc/config/dhcp

# dnsmasq / odhcpd settings for the AP. The post states that DHCP is disabled on
# the APs (OPNsense serves DHCP and DNS), so this file is included for
# completeness only. No per-interface 'config dhcp' pools are shown.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# Discard upstream answers that point into private address ranges
	# (DNS rebinding protection), including loopback addresses.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# Answer DNS queries only from hosts on directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/network

# Network layout of each AP: one VLAN-aware bridge (br-lan) joining the wired
# ports and the batman-adv device, plus one bridge per VLAN (home = 10,
# guest = 20). Per the post, this file is the same on both units except for the
# static IP.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# NOTE(review): the post says this configuration was restored from one
	# backup onto both units, so this prefix is the same on both - any
	# identifier that should be unique per device needs changing after a
	# restore.
	option ula_prefix 'fd4b:f45f:6ee4::/48'
	option packet_steering '1'

# VLAN-aware bridge: mesh device (bat0), trunk port (lan) and access port (wan).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'bat0'
	list ports 'lan'
	list ports 'wan'
	option ipv6 '0'

# batman-adv soft interface. Bridge loop avoidance is enabled; gateway mode is
# off, so this node neither announces nor selects a batman-adv gateway.
config interface 'bat0'
	option proto 'batadv'
	option bridge_loop_avoidance '1'
	option gw_mode 'off'

# Hard interface that carries bat0. The 802.11s mesh wifi-iface in
# /etc/config/wireless attaches to this network.
config interface 'batmesh'
	option proto 'batadv_hardif'
	option master 'bat0'
	# Larger than 1500, presumably so full-size frames still fit after
	# batman-adv encapsulation - confirm the radio accepts this MTU.
	option mtu '1536'

# VLAN 10 (home): tagged on the mesh and on the trunk port, untagged with PVID
# on the wan port for the wired appliance.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'bat0:t'
	list ports 'lan:t'
	list ports 'wan:u*'

# VLAN 20 (guest): tagged on the mesh and on the trunk port only. The wan port
# is not a member, so the wired appliance port cannot reach the guest VLAN at
# layer 2 through this bridge.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'bat0:t'
	list ports 'lan:t'

# NOTE(review): bat0 is already a tagged member of br-lan for VLAN 10, and
# bat0.10 is bridged to br-lan.10 again here - confirm the double attachment
# of the same VLAN is intended and does not create a second path.
config device
	option type 'bridge'
	option name 'br-home'
	list ports 'bat0.10'
	list ports 'br-lan.10'
	option ipv6 '0'

# NOTE(review): same pattern as br-home, for VLAN 20.
config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'bat0.20'
	list ports 'br-lan.20'
	option ipv6 '0'

# Management address of the AP, on the home VLAN only.
config interface 'home'
	option proto 'static'
	option device 'br-home'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'
	option delegate '0'

# Unmanaged interface: the AP bridges guest traffic but configures no address of
# its own on the guest VLAN.
config interface 'guest'
	option proto 'none'
	option device 'br-guest'

/etc/config/wireless

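# Wireless layout: radio0 (2.4 GHz) serves the client SSIDs, radio1 (5 GHz)
# carries the 802.11s mesh link used as the batman-adv backhaul.
# The key values below look like placeholders substituted for posting - never
# publish real passphrases along with a configuration.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option band '2g'
	option channel '11'
	option htmode 'HT20'
	option country 'AU'
	option cell_density '0'

# Home SSID: WPA3-Personal (SAE) with 802.11r fast transition, attached to the
# 'home' network.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'home'
	option mode 'ap'
	option ssid 'homewifi'
	option encryption 'sae'
	option key 'secretpassword'
	option ieee80211r '1'
	option mobility_domain '1234'
	option ft_over_ds '0'
	option ocv '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option band '5g'
	option channel '149'
	option htmode 'VHT40'
	option country 'AU'
	option cell_density '0'

# Mesh backhaul: SAE-protected 802.11s link attached to the 'batmesh' hard
# interface. 802.11s forwarding is switched off (mesh_fwding '0'), leaving
# forwarding to batman-adv.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'batmesh'
	option mode 'mesh'
	option encryption 'sae'
	option mesh_id 'mymesh'
	option mesh_fwding '0'
	option mesh_rssi_threshold '0'
	option key 'secretmeshpassword'

# Guest SSID: WPA2-PSK (psk2), unlike the home SSID which uses SAE, attached to
# the 'guest' network.
# NOTE(review): no 'isolate' option is set on this interface, so the AP itself
# does not block traffic between guest clients - confirm whether that is wanted.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	# Closing quote restored; the posted line left the value unterminated.
	option ssid 'guestwifi'
	option encryption 'psk2'
	option key 'secretguestpassword'
	option network 'guest'
	option ieee80211r '1'
	# Closing quote restored; the posted line left the value unterminated.
	option mobility_domain '5678'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'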

Not too sure where to go from here as I feel like I'm missing just a small config change somewhere to get this all working. Any tips or advice would be greatly appreciated!

That never works: after restoring the same backup on both units, both devices have identical MAC addresses and ip6 sla. Just change those and it will start working.

This was it! Thank you so much, one little change and everything is working!
