Using VLANs on ipq40xx device and DSA

Hello,

I am trying to define VLANs (guest and non-guest) on a D-Link DAP-2610 access point. I'd like to use its single Ethernet port as a trunk port (no untagged traffic at all on that port).

After saving the configuration, I can't access the access point anymore. The access point doesn't reply to ARP requests.

The configuration is done in Luci.

The other OpenWRT to which the access point is connected is set to accept tagged data coming from the access point. That main router is connected to other devices using VLANs and it works fine except for the DAP-2610.

I read there's a problem with the ipq40xx chipset which that device uses. I found a lot of posts on the Openwrt forum about that issue, but the solutions relate to old versions of OpenWRT.

I can't work out how to adapt those solutions to the latest version of OpenWRT, which uses DSA on that device.

Is there a way to use VLANs on that ipq40xx DAP-2610 device with OpenWRT now that it's converted to DSA ?

Thanks for the help.

Let’s see the default configuration of this device.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network

Here is my /etc/config/network file :

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config device
	option name 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.114.1'
	option ipaddr '192.168.114.60'
	option delegate '0'

Here are the changes :

# Change set reported by the poster: add a VLAN-filtering entry for VLAN 114 to
# br-lan and move the management interface 'lan' onto that VLAN.
# Caution: this changes the device that carries the AP's management address; if
# the port name or tagging is wrong the AP becomes unreachable, so keep a
# recovery path (e.g. OpenWrt failsafe mode) available before applying.
uci add network bridge-vlan # =cfg06a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='114'
# ':t' makes the port a tagged member of VLAN 114 (no untagged VLAN on it).
# NOTE(review): a later reply in this thread says that on this DSA build the
# physical port is named 'lan' and 'eth0' is the internal switch-to-CPU link -
# confirm the port name on the device before using 'eth0' here.
uci add_list network.@bridge-vlan[-1].ports='eth0:t'
# The static address of 'lan' now lives on br-lan.114, so management is only
# reachable through VLAN 114.
uci set network.lan.device='br-lan.114'

After applying those changes, I can't access the access point anymore.
It's directly connected to an OpenWRT router on a port accepting both tagged and untagged traffic for VLAN 114.

It's a POE access point. To exclude any potential issue related to the removal of the VLAN tags by a POE injector or a switch, I used the original power supply for those tests.

Try creating your VLANs like this (I'm calling it guest for now... not sure what your VLAN is for, feel free to rename of course):

# Dedicated bridge for the guest VLAN; its only wired member is the VLAN
# sub-interface eth0.114 (VLAN ID 114 on eth0).
# NOTE(review): a later reply in this thread says the physical port on this DSA
# build is 'lan' and 'eth0' is the internal switch-to-CPU link, which would make
# this member 'lan.114' - confirm the port name on the device.
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.114'

# proto 'none' gives the AP no IP address on this network: it only bridges guest
# frames, and addressing is left to whatever serves this VLAN upstream.
# NOTE(review): no firewall configuration is shown in this thread - confirm that
# guest-to-LAN filtering is enforced on the upstream router.
config interface 'guest'
	option device 'br-guest'
	option proto 'none'

Then tie the guest network to an SSID.

It doesn't work.

Here's the new network file :

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config device
        option name 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.114.1'
        option ipaddr '192.168.114.60'
        option delegate '0'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth0.116'

config interface 'guest'
        option device 'br-guest'
        option proto 'none'

I use VLAN 116 to distinguish it from the 114 subnet. I use the 114 subnet to connect to manage the AP, and would like the guest traffic to go through the 116 VLAN.

I restart the network using :
/etc/init.d/network restart

The new wifi network is bound to the guest interface. Here's the content of /etc/config/wireless :

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option band '2g'
        option cell_density '0'
        option htmode 'HT40'
        option channel 'auto'
        option country 'FR'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option ssid 'aaa'
        option key 'bbb'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option channel 'auto'
        option country 'FR'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option ssid 'ccc'
        option key 'ddd'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

# Additional access-point SSID on radio0, attached to the 'guest' interface
# instead of 'lan'.
# NOTE(review): the ssid/key values look like redacted placeholders - confirm
# the real key is not reused from the 'lan' SSIDs.
# NOTE(review): wireless clients on this SSID can reach each other unless client
# isolation (option isolate '1') is enabled - consider it for a guest network.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'eee'
        option encryption 'psk2'
        option key 'fff'
        # 'guest' must match the interface name defined in /etc/config/network.
        option network 'guest'

When connecting to the guest wifi network, I see traffic on the access point, on the eth0.116 interface (DHCP requests).

However, on the main router, nothing comes in from the eth0.116 interface. VLAN 116 is set as tagged on the port of the main router.

Do you have a switch between the router and the AP?
Have you verified that the router and DHCP server are properly configured and providing services and connectivity on VLAN 116?

Here ya go buddy:

On one of my computers I changed the network card settings and added VLAN 116. I then connected it to the port where the DAP-2610 access point is connected. It immediately got its IP address with DHCP, which was in the 192.168.116 subnet. I could browse the internet without any problem.
So, VLAN configuration for that port on the main router seems OK.

That's what I did. I did the same on several other OpenWRT devices, and it works fine. Except for that D-link DAP-2610 access point using an ipq40xx chipset.

I think there's something wrong with that chipset when using VLANs :
https://forum.openwrt.org/t/d-link-dap-2610-first-steps-with-vlans/123024
https://forum.openwrt.org/t/dlink-dap-2610-cant-get-vlans-running/68382
https://forum.openwrt.org/t/vlan-of-wan-on-ipq40xx-avm-4040-solved/84354
https://forum.openwrt.org/t/d-link-dap-2160-vlans-and-wifi-newbie/84051/6

I have Asus Lyra with that chipset, works fine afaik. I could check it later.

I couldn't get it working on my D-Link DAP-2610 which looks like this :


and uses a Qualcomm IPQ4018 chipset.

I tried with another access point : a D-Link DAP-2660 which looks like this :


(well it looks the same!) but uses a different chipset : a Qualcomm Atheros QCA9557

It immediately worked on the DAP-2660.

Here's the /etc/config/network file of the DAP-2660 :


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'xxxxxxxxxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.114.63'
        option gateway '192.168.114.1'

config interface 'IOT'
        option proto 'none'
        option device 'br-iot'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '116'
        option name 'eth0.116'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-iot'
        option bridge_empty '1'
        option ipv6 '0'
        list ports 'eth0.116'

Just tried to set up 3 vlans from the wan port of my Asus Lyra ( IPQ4019) to another router with likewise configuration. Worked just fine.

config device
	option type 'bridge'
	option name 'mainbridge'
	list ports 'wan'
	option bridge_empty '1'
	option igmp_snooping '1'

config bridge-vlan
	option device 'mainbridge'
	option vlan '10'
	list ports 'wan:t'

config bridge-vlan
	option device 'mainbridge'
	option vlan '20'
	list ports 'wan:t'

config bridge-vlan
	option device 'mainbridge'
	option vlan '30'
	list ports 'wan:t'

config interface 'admin'
	option proto 'none'
	option device 'mainbridge.10'
	option type 'bridge'

config interface 'guest'
	option proto 'none'
	option device 'mainbridge.20'
	option type 'bridge'

config interface 'iot'
	option proto 'none'
	option device 'mainbridge.30'
	option type 'bridge'

I also tried adding a fourth vlan, vlan 50 untagged, set up dhcp and added it to lan zone. Could plug in my pc to the same port and get an ip. No problems.

That's my DAP-2610 config working fine with VLAN:

root@DAP2610:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config device
        option name 'lan'
        option macaddr 'xxxxxxxxxxxxx'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.5'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option ip6assign '60'
        option delegate '0'
        list dns '192.168.1.1'
        option device 'br-lan'

config device
        option name 'br-vlan10'
        option type 'bridge'
        list ports 'lan.10'

config interface 'vlan10'
        option stp '1'
        option device 'br-vlan10'
        option proto 'static'
        option ipaddr '192.168.10.5'
        option netmask '255.255.255.0'
        option gateway '192.168.10.1'
        list dns '192.168.10.1'

config route
        option interface 'lan'
        option target '0.0.0.0/0'
        option gateway '192.168.1.1'

config route
        option interface 'vlan10'
        option target '0.0.0.0/0'
        option gateway '192.168.10.1'

root@DAP2610:/etc/config#

My setup is Router ER605 -- TP-LINK PoE Switch -- DAP2610

Router and Switch running with stock firmware (with vlan10 tagged and br-lan untagged)

DAP-2610 running OpenWRT.

root@DAP2610:/etc/config# uname -a
Linux DAP2610 5.15.105 #0 SMP Sun Apr 2 00:25:16 2023 armv7l GNU/Linux
root@DAP2610:/etc/config#

My DHCP/Firewall blocking between networks config comes from Router ER605

Thanks to all of you for your help.

I'll try again with the DAP-2610 this WE, using your conf files as a template, and come here to tell the result.

I hope the problem isn't located between the chair and the keyboard !!!

I'm not sure, but I think that's a config file for a non-DSA device.
You have for example :

config bridge-vlan

while I think it should be, for a DSA device :

config device
        ...
        option type 'bridge'

I tried again with the DAP-2610.

To this /etc/config/network file :

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config device
	option name 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.114.1'
	option ipaddr '192.168.114.60'
	option delegate '0'

I add :

config device
        option name 'br-vlan116'
        option type 'bridge'
        list ports 'eth0.116'

config interface 'vlan116'
        option stp '1'
        option device 'br-vlan116'
        option proto 'static'
        option ipaddr '192.168.116.60'
        option netmask '255.255.255.0'
        option gateway '192.168.116.1'

The VLAN 116 is defined as tagged on the port of the router to which the AP is connected (the same way the DAP-2660, currently connected to the same router and working).

When restarting the network, I can't access the DAP-2610 anymore.

No, it’s on latest snapshot and DSA.

(Beside the point, but bridge VLAN filtering is not necessarily exclusive to DSA.)

Looking at your config, it does not seem to match what you did?
Why don’t you try doing it the way I described?

I tried again, without success...

1st try :
/etc/config/network :

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'xxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.114.60'
        option gateway '192.168.114.1'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '114'
        option name 'br-lan.114'
        option ipv6 '0'

Changes applied :

uci set network.lan.device='br-lan.114'

-> no access to the device using vlan 114

2nd try :
/etc/config/network :
...
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'xxxxxxxxxx'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'

config device
option name 'eth0'
option macaddr 'xxxxxxxxxx'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
...

Changes applied :
...

/etc/config/dhcp

uci del dhcp.lan.ra_slaac

/etc/config/network

# Second attempt reported by the poster: VLAN 114 on br-lan, with the management
# address and gateway moved into the 192.168.114.0/24 subnet.
uci add network bridge-vlan # =cfg06a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='114'
# 't' = tagged member of VLAN 114; '*' = VLAN 114 is also the port's PVID, so
# untagged frames arriving on the port are classified into VLAN 114.
# NOTE(review): the poster describes the router port as carrying only VLAN 114
# untagged, while ':t' makes the AP send VLAN 114 tagged - confirm that both
# ends agree on tagging.
# NOTE(review): a later reply in this thread says the physical port on this DSA
# build is 'lan', not 'eth0' - confirm the port name on the device.
uci add_list network.@bridge-vlan[-1].ports='eth0:t*'
# Management interface moves to the VLAN 114 sub-interface of the bridge.
uci set network.lan.device='br-lan.114'
uci set network.lan.ipaddr='192.168.114.60'
uci set network.lan.gateway='192.168.114.1'
...

-> no access to the device using vlan 114

The access point is connected to a port of an OpenWRT router, with only VLAN 114 untagged on it. Several other OpenWRT routers and switches are connected to that router using VLANs, so I don't think there's a problem with the router.

Anyway, I'm stopping the tests with that DAP-2610 here.

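There should be an interface called "lan". You need to use that one instead of "eth0" (which is used internally by DSA for the connection between the switch and the CPU). The working DAP-2610 configuration posted earlier in this thread does exactly that: its bridges list 'lan' and 'lan.10' as ports, so the equivalents here would be 'lan', 'lan.116' or 'lan:t' rather than 'eth0', 'eth0.116' or 'eth0:t'.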
