Using VLANs on ipq40xx device and DSA

Try creating your VLANs like this (I'm calling it guest for now... not sure what your VLAN is for, feel free to rename of course):

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.114'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

Then tie the guest network to an SSID.

It doesn't work.

Here's the new network file :

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config device
        option name 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.114.1'
        option ipaddr '192.168.114.60'
        option delegate '0'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth0.116'

config interface 'guest'
        option device 'br-guest'
        option proto 'none'

I use VLAN 116 to distinguish it from the 114 subnet. I use the 114 subnet to connect to and manage the AP, and would like the guest traffic to go through the 116 VLAN.

I restart the network using :
/etc/init.d/network restart

The new wifi network is bound to guest. Here's the content of /etc/config/wireless :

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option band '2g'
        option cell_density '0'
        option htmode 'HT40'
        option channel 'auto'
        option country 'FR'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option ssid 'aaa'
        option key 'bbb'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option channel 'auto'
        option country 'FR'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option ssid 'ccc'
        option key 'ddd'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'eee'
        option encryption 'psk2'
        option key 'fff'
        option network 'guest'

When connecting to the guest wifi network, I see traffic on the access point, on the eth0.116 interface (DHCP requests).

However, on the main router, nothing comes in from the eth0.116 interface. VLAN 116 is set as tagged on the port of the main router.

Do you have a switch between the router and the AP?
Have you verified that the router and DHCP server are properly configured and providing services and connectivity on VLAN 116?

Here ya go buddy:

On one of my computers I changed the network card settings and added VLAN 116. I then connected it to the port where the DAP-2610 access point is connected. It immediately got its IP address with DHCP, which was in the 192.168.116 subnet. I could browse the internet without any problem.
So, VLAN configuration for that port on the main router seems OK.

That's what I did. I did the same on several other OpenWRT devices, and it works fine. Except for that D-link DAP-2610 access point using an ipq40xx chipset.

I think there's something wrong with that chipset when using VLANs :
https://forum.openwrt.org/t/d-link-dap-2610-first-steps-with-vlans/123024
https://forum.openwrt.org/t/dlink-dap-2610-cant-get-vlans-running/68382
https://forum.openwrt.org/t/vlan-of-wan-on-ipq40xx-avm-4040-solved/84354
https://forum.openwrt.org/t/d-link-dap-2160-vlans-and-wifi-newbie/84051/6

I have Asus Lyra with that chipset, works fine afaik. I could check it later.

I couldn't get it working on my D-Link DAP-2610 which looks like this :


and uses a Qualcomm IPQ4018 chipset.

I tried with another access point : a D-Link DAP-2660 which looks like this :


(well it looks the same!) but uses a different chipset : a Qualcomm Atheros QCA9557

It immediately worked on the DAP-2660.

Here's the /etc/config/network file of the DAP-2660 :


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'xxxxxxxxxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.114.63'
        option gateway '192.168.114.1'

config interface 'IOT'
        option proto 'none'
        option device 'br-iot'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '116'
        option name 'eth0.116'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-iot'
        option bridge_empty '1'
        option ipv6 '0'
        list ports 'eth0.116'

Just tried to set up 3 vlans from the wan port of my Asus Lyra ( IPQ4019) to another router with likewise configuration. Worked just fine.

config device
	option type 'bridge'
	option name 'mainbridge'
	list ports 'wan'
	option bridge_empty '1'
	option igmp_snooping '1'

config bridge-vlan
	option device 'mainbridge'
	option vlan '10'
	list ports 'wan:t'

config bridge-vlan
	option device 'mainbridge'
	option vlan '20'
	list ports 'wan:t'

config bridge-vlan
	option device 'mainbridge'
	option vlan '30'
	list ports 'wan:t'

config interface 'admin'
	option proto 'none'
	option device 'mainbridge.10'
	option type 'bridge'

config interface 'guest'
	option proto 'none'
	option device 'mainbridge.20'
	option type 'bridge'

config interface 'iot'
	option proto 'none'
	option device 'mainbridge.30'
	option type 'bridge'

I also tried adding a fourth vlan, vlan 50 untagged, set up dhcp and added it to lan zone. Could plug in my pc to the same port and get an ip. No problems.

That's my DAP-2610 config working fine with VLAN:

root@DAP2610:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config device
        option name 'lan'
        option macaddr 'xxxxxxxxxxxxx'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.5'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option ip6assign '60'
        option delegate '0'
        list dns '192.168.1.1'
        option device 'br-lan'

config device
        option name 'br-vlan10'
        option type 'bridge'
        list ports 'lan.10'

config interface 'vlan10'
        option stp '1'
        option device 'br-vlan10'
        option proto 'static'
        option ipaddr '192.168.10.5'
        option netmask '255.255.255.0'
        option gateway '192.168.10.1'
        list dns '192.168.10.1'

config route
        option interface 'lan'
        option target '0.0.0.0/0'
        option gateway '192.168.1.1'

config route
        option interface 'vlan10'
        option target '0.0.0.0/0'
        option gateway '192.168.10.1'

root@DAP2610:/etc/config#

My setup is Router ER605 -- TP-LINK PoE Switch -- DAP2610

Router and Switch running with stock firmware (with vlan10 tagged and br-lan untagged)

DAP-2610 running OpenWRT.

root@DAP2610:/etc/config# uname -a
Linux DAP2610 5.15.105 #0 SMP Sun Apr 2 00:25:16 2023 armv7l GNU/Linux
root@DAP2610:/etc/config#

My DHCP/Firewall blocking between networks config comes from Router ER605

Thanks to all of you for your help.

I'll try again with the DAP-2610 this WE, using your conf files as a template, and come here to tell the result.

I hope the problem isn't located between the chair and the keyboard !!!

I'm not sure, but I think that's a config file for a non-DSA device.
You have for example :

config bridge-vlan

while I think it should be, for a DSA device :

config device
        ...
        option type 'bridge'

I tried again with the DAP-2610.

To this /etc/config/network file :

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config device
	option name 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.114.1'
	option ipaddr '192.168.114.60'
	option delegate '0'

I add :

config device
        option name 'br-vlan116'
        option type 'bridge'
        list ports 'eth0.116'

config interface 'vlan116'
        option stp '1'
        option device 'br-vlan116'
        option proto 'static'
        option ipaddr '192.168.116.60'
        option netmask '255.255.255.0'
        option gateway '192.168.116.1'

The VLAN 116 is defined as tagged on the port of the router to which the AP is connected (the same way the DAP-2660, currently connected to the same router and working).

When restarting the network, I can't access the DAP-2610 anymore.

No, it’s on latest snapshot and DSA.

(Besides the point but the bridge vlan filtering is not necessarily exclusive to dsa)

Looking at your config, it does not seem like what you did?
Why don’t you try doing it the way I described?

I tried again, without success...

1st try :
/etc/config/network :

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'xxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.114.60'
        option gateway '192.168.114.1'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '114'
        option name 'br-lan.114'
        option ipv6 '0'

Changes applied :

uci set network.lan.device='br-lan.114'

-> no access to the device using vlan 114

2nd try :
/etc/config/network :
...
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'xxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
...

Changes applied :
...

/etc/config/dhcp

uci del dhcp.lan.ra_slaac

/etc/config/network

uci add network bridge-vlan # =cfg06a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='114'
uci add_list network.@bridge-vlan[-1].ports='eth0:t*'
uci set network.lan.device='br-lan.114'
uci set network.lan.ipaddr='192.168.114.60'
uci set network.lan.gateway='192.168.114.1'
...

-> no access to the device using vlan 114

The access point is connected to a port of an OpenWRT router, with only VLAN 114 untagged on it. I connect to several other OpenWRT routers and switches using VLAN using that router. I don't think there's a problem with the router.

Anyway, I'm stopping the tests with that DAP-2610 here.

There should be an interface called "lan". You need to use that one instead of "eth0" (which is used internally by DSA for the connection between the switch and the CPU).


/etc/config/network before change :
...
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde9:47e1:f650::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr '0c:0e:76:35:be:00'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
...

Changes made :
...

/etc/config/dhcp

uci del dhcp.lan.ra_slaac

/etc/config/network

uci add network bridge-vlan # =cfg06a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='114'
uci add_list network.@bridge-vlan[-1].ports='eth0:t*'
uci set network.lan.ipaddr='192.168.114.60'
uci set network.lan.gateway='192.168.114.1'
...

That didn't change anything : I can't access the device via vlan 114 when the changes are applied.

To be clear, I meant the actual Linux interface called "lan", not the config section with the same name in "/etc/config/network".

You need to replace all occurrences of "eth0" in "/etc/config/network" by "lan". If you start from a fresh config on a snapshot image, that should actually already be the case. (I assume you ended up with the current state by keeping your config from a stable release, which is not supported for devices which migrated to DSA.)

I did :

firstboot && reboot now

and here's the content of /etc/config/network :

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxxxxxxxxxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'xxxxxxxxxxxxxxxxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

If I replace the 2 occurrences of "eth0" by "lan" in that network file, and restart the network, I can't access the access point anymore (its IP address being 192.168.1.1).