VLAN Config makes AP inaccessible - TL-WDR3500 v1

Greetings All,

After bashing my head against a wall for the last couple of days I am turning to the forum for assistance. Please bear with me as I am new to the VLAN setup and I can't identify where I am going wrong. I am also very new to OpenWRT and as such I might have a config wrong that is causing the issue.

On the Sophos XG-125 firewall I have created the VLAN details with the VLAN ID as 100 and it is bound to the LAN port. I have also created a DHCP server for this on the firewall and bound it to the VLAN interface.

On the Ubiquiti EdgeSwitch the TL-WDR3500 is plugged into port 20 and I have tagged port 20 and port 21 is then connected to firewall so I have tagged port 21. I do not know if this is correct so if it is not please let me know.

Onto the TL-WDR3500. I have created "Guest" interface that has a static IP with DHCP disabled as the Sophos will take care of that. In "Physical Settings" of the interface the following are ticked: Bridge Interfaces and then Interfaces VLAN eth0.100, Wireless Network "Guest Network". I have tried ticking Ethernet Switch eth0 as well but it made no difference. On firewall I have created a "Guest" rule with "Input = Reject", "Output = Accept" and "Forward = Reject". On the switch tab I have the following:

VLAN ID = 1 CPU = Tagged Port 4 = Tagged.
VLAN ID = 100 CPU = Tagged Port 4 = Tagged. /Cable is plugged into LAN Port 1 so don't know why it shows Port 4 has connected.

As soon as I click "Save & Apply" it does what it needs to and then the working wireless loses Internet connection, the guest has no connection and can't get DHCP and I am unable to access the AP GUI. I then have to do a firstboot command from Putty in order to get myself working again.

I am at my wits end and am in need of some help. Any idea where I could have gone wrong?


Don't know if it makes a difference but version of OpenWRT is OpenWrt Chaos Calmer 15.05

Can we see your network config file, before and after, please?

1 Like

Version 15.05 is long obsolete. Upgrade to the 19.07.6 build in the ath79 directory.

Configure a wifi AP on lan then log into the router via wifi so you don't lose access while setting up Ethernet.

The switch chip in that model doesn't directly support VLAN ID numbers higher than 16. It is possible to use higher numbers, but that requires CLI configuration. When setting up your own network choose numbers 1-15 to keep it simple.

On some models, the manufacturer's marking on the case doesn't match the numbers in the chip. Plug and unplug the cable and watch the connected icon to determine which chip port you are actually connected to. That is what matters. You may want to make a new label for the case with the real numbers.

1 Like
 uci export network
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'fdc2:f982:741e::/48'

config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask ''
        option ip6assign '60'
        option gateway ''
        option ipaddr ''

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'

config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option netmask ''
        option ipaddr ''
        option _orig_ifname 'wlan0-1'
        option _orig_bridge 'true'
        option ifname 'eth0.100'

Thats the network config.

I have now updated the firmware (don't know why I missed that) and will make changes so that the VLAN ID is less than 16, I was not aware of that limitation so learning new things :). Power has cut out at work so it might be awhile until I can try changes.

You will need to convert the CPU port (0) to tagged. In the lan section, change eth0 to eth0.1. In the switch, set up VLAN 1 with ports 0t 1 2 3 4t.

The LAN packets going to the main router from port 4 are now tagged with 1, so configure that router accordingly.

A guest network should not hold an IP on your AP. This makes it fundamentally impossible for guests to hack into the AP with IP-based protocol. The guest should be a layer 2 bridge from wifi to tagged packets on the cable.

Create a new network "guest" of proto none and type bridge. The ifname is eth0.2. In the switch, create a new VLAN numbered 2 with ports 0t and 4t. In wireless, create an AP for guests and attach it to network guest.

When a guest connects, everything they do will be served by the main router on vlan 2.

1 Like

Sorry for my delayed response, things have been hectic on my side. Today I have finally managed to try again and first things first, I am an idiot. <_< I forgot to tag the port VLAN 1 hence the reason why I could not access it after making the changes. My new problem to work out is why the DHCP server that I created on the firewall is not assigning an IP to the devices that connect to the guest AP. Somewhere, somehow I have gone wrong and I am not quite sure where...

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

I got it working, was a stupid config error on my end. Marked mk24's post as the solution because without it I would still be bashing my head against the wall. :smiley:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.