VLAN configuration issues on 21.02 Mikrotik device (non-DSA switch setup)

I'm trying to properly set up VLAN filtering on my device (Mikrotik CapAC), which is running OpenWrt v21.02 as a dumb AP.

My goal is to have VLAN9 as management with static IP, and VLAN11 as IoT.
I've tried to copy the configuration from others who successfully managed to install OpenWrt on the same device, but couldn't make it work.

I have an OPNsense router with DHCP configured for VLAN9 and VLAN11. I also have an HP switch which has VLAN9 and VLAN11 tagged on the port where I connect my AP.

My current issues are:

  1. Unable to connect to OpenWRT UI when the device is connected to the network and router won't see it connected to the network either.
  2. When I connect to my test Wifi SSID, the device won't receive IP address

Is there something obvious that I'm missing from my configuration?

Below is my current test configuration:

network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3d:3841:21d2::/48'

# Bridge built from the two VLAN sub-devices of eth0 (eth0.1, eth0.2), not from eth0 itself.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        list ports 'eth0.2'

# MAC address override for eth0.1.
config device
        option name 'eth0.1'
        option macaddr 'cc:2d:e0:a6:d0:4d'

# VLAN 9 (the management VLAN per the post): eth0.1 untagged and PVID ('u*'), eth0.2 untagged.
# NOTE(review): the replies in this thread point out that bridge-vlan ports should
# name the underlying network device (eth0), not VLAN sub-devices such as eth0.1.
config bridge-vlan
        option device 'br-lan'
        option vlan '9'
        list ports 'eth0.1:u*'
        list ports 'eth0.2:u'

# Management interface: static address on the VLAN 9 side of the bridge.
config interface 'lan'
        option device 'br-lan.9'
        option proto 'static'
        option ipaddr '192.168.88.11'
        option netmask '255.255.255.0'
        option gateway '192.168.88.1'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

# VLAN 11 (IoT per the post): tagged on eth0.2 only.
config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'eth0.2:t'

# MAC address override for eth0.2.
config device
        option name 'eth0.2'
        option macaddr 'cc:2d:e0:a6:d0:4c'

# NOTE(review): eth0.2 is used here directly by wan/wan6 and also as a br-lan port
# above; that double use looks unintended for an AP-only setup - confirm.
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

# Hardware switch: VLAN support enabled, switch reset when the config is applied.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Only switch VLANs 1 and 2 are defined. Per the replies, port 0 is the CPU port (eth0)
# and 4/5 are the external ports; nothing here lets the switch carry tags 9 or 11.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

# IoT interface: proto 'none', so no address is configured on the AP for VLAN 11.
config interface 'IoT'
        option proto 'none'
        option device 'br-lan.11'

wireless

# 2.4 GHz radio (channel 1, HT20) that carries the IoT SSID below.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'

# IoT access point, attached to the 'IoT' interface (br-lan.11 in the network config).
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IOT'
        # Client isolation: stations on this SSID cannot talk to each other through this AP.
        # It does not separate them from wired hosts or from clients of other APs on the
        # same VLAN; that separation has to be enforced at the router/firewall.
        option isolate '1'
        # WPA2-PSK restricted to CCMP.
        option encryption 'psk2+ccmp'
        # The pre-shared key is stored in clear text in this file; redact it before
        # sharing a config publicly.
        option key 'myiotpassword'
        option network 'IoT'

# 5 GHz radio (channel 36, VHT80); currently switched off via 'disabled'.
config wifi-device 'radio1'
        type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

# NOTE(review): this is an open (unencrypted) SSID attached to 'lan', which in the
# network config posted with it is the management VLAN (br-lan.9). It is inactive only
# because radio1 is disabled; set encryption and a key, or delete this section,
# before enabling the radio.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

The only thing that looks odd in your setup (compared to mine - but on a different device, so take this with a grain of salt) is that you have both bridge-vlans (VLANs 9 and 11) ... and switch_vlans (VLANs 1 and 2) ... all my DSA-capable OpenWrt devices only have bridge-vlan

Interesting. I will try to remove switch VLANs to see if that helps. This is what I had on stock setup.

Just tried it without switch_vlan configuration but unfortunately that didn't help.

Current network configuration

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3d:3841:21d2::/48'

# Same bridge as before: members are the VLAN sub-devices eth0.1 and eth0.2.
# NOTE(review): the 'switch' and 'switch_vlan' sections are gone in this revision; the
# replies below state they are still required on this device because it has no DSA driver.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        list ports 'eth0.2'

# MAC address override for eth0.1.
config device
        option name 'eth0.1'
        option macaddr 'cc:2d:e0:a6:d0:4d'

# VLAN 9: eth0.1 untagged and PVID ('u*'); eth0.2 is now tagged instead of untagged.
config bridge-vlan
        option device 'br-lan'
        option vlan '9'
        list ports 'eth0.1:u*'
        list ports 'eth0.2:t'

# Management interface: static address on the VLAN 9 side of the bridge.
config interface 'lan'
        option device 'br-lan.9'
        option proto 'static'
        option ipaddr '192.168.88.11'
        option netmask '255.255.255.0'
        option gateway '192.168.88.1'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

# VLAN 11: tagged on eth0.2 only.
config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'eth0.2:t'

# MAC address override for eth0.2.
config device
        option name 'eth0.2'
        option macaddr 'cc:2d:e0:a6:d0:4c'

# IoT interface: proto 'none', so no address is configured on the AP for VLAN 11.
config interface 'IoT'
        option proto 'none'
        option device 'br-lan.11'

your bridge-vlan ports still look wrong - the fact that you have eth0.1 etc

I don't know what ports your device has, but on mine, the ports are lan1, lan2 etc. or eth1, eth2 etc. - your bridge-vlans are attempting to assign tags to VLAN devices rather than network devices

again, I have no idea what network devices your device has ... look in the devices tab to find out

ipq40xx devices do not yet have a DSA driver in OpenWrt.
You can still use the bridge-vlan style config, but will still need to use switch_vlans to configure the switch.
Furthermore VLANs can be strange for Qualcomm's less-than-ideal EDMA network driver and fake eth1, but thankfully it looks like your build has most of this disabled.

If you reset the network to default, and show us that, we will have something better to start from.

As jaro mentioned, it looks like your configuration here has mixed up the new vlan-aware-bridge bridge-vlan configs. You should not have the vlan tag listed as part of the ports in this new config.

You will need to use switch_vlans (because this device does not have a DSA driver) to configure how the device's hardware switch tags and bridges ports (switch hardware ports 4 & 5, cpu port: 0 (eth0)).
By default, OpenWrt assigns the first interface (usually LAN) with VLAN 1, the next with 2 (usually WAN).

Some ideas to start with for parts of /etc/config/network
Assuming you want both ports as part of both VLAN tagged networks, and with single-vlan-aware-bridge type config.
Untested, and not sure which network you want your wifi client to connect to…
Might get errors for alias / interface names being too long (change or shorten them),
or vlan numbering (ipq40xx EDMA quirk), use a different vlan in switch_vlan, but vid is your actual VLAN TAG ID.

# tag vlan 9 on the hardware switch
config switch_vlan
	option device 'switch0'
	option vlan '9'
	option vid '9'
	option ports '4t 5t 0t'
	# both ports, and the cpu port

config switch_vlan
	option device 'switch0'
	option vlan '11'
	# by default, vid == vlan
	option ports '4t 5t 0t'

# build your vlan aware bridge
config device
	option name 'br0'
	option type 'bridge'
	option vlan_filtering '1'
	list ports 'eth0'

# configure a vlan on the bridge
config bridge-vlan
	option device 'br0'
	option vlan '9'
	option alias 'management'
	list ports 'eth0:t'
# only eth0 (switch cpu port), because no DSA driver

config bridge-vlan
	option device 'br0'
	option vlan '11'
	option alias 'iot'
	list ports 'eth0:t'

config interface 'management'
	option device 'br0.management'
	# $bridge-name.$bridge-vlan-alias
	option proto 'static'
	# ... your management network details go here

Let us know how you go.
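You may need to add firewall settings for the new interfaces as well: an interface that is not assigned to a firewall zone falls under the firewall's default policies, so check which VLANs can actually reach the AP's own web UI and SSH.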

Do you want the cap ac to do any routing / DHCP / default LAN OpenWrt config? If so, leave the switch_vlan vlan 1 config sections alone. If you want to stay single-bridge, you could remove the lan device bridge, add a bridge-vlan (for lan) with vlan 1, then change the lan interface device. Untagged and default pvid would be list ports 'eth0:u*'

Thank you very much for all the details!
Going to try this later today.

I wanted to use my OPNsense box as a router/dhcp/firewall instead of my cap ac units.

I also reset my AP to the default configuration too:
network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4b:2bb0:565f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config device
        option name 'eth0.1'
        option macaddr 'cc:2d:e0:a6:d0:4d'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'cc:2d:e0:a6:d0:4c'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

# Stock hardware-switch setup: VLAN support enabled, switch reset when the config is applied.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Switch VLAN 1: external port 4 untagged, CPU port 0 tagged. It reaches the CPU as
# eth0.1, which is the only member of br-lan (the 'lan' interface at 192.168.1.1).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 0t'

# Switch VLAN 2: external port 5 untagged, CPU port 0 tagged. It reaches the CPU as
# eth0.2, used by the 'wan' and 'wan6' interfaces.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

johnth@ thank you for this suggestion. I was able to get my iot VLAN working for my test wireless devices. I was so excited that also added the other vlans into my current configuration :slight_smile:

So far this is my current configuration for network. Still need to try your suggestion on configuring it into a single-bridge device.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4b:2bb0:565f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config device
        option name 'eth0.1'
        option macaddr 'cc:2d:e0:a6:d0:4d'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'cc:2d:e0:a6:d0:4c'

# Hardware switch: VLAN support enabled, switch reset when the config is applied.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Stock VLAN 1 is still present: untagged frames on port 4 reach eth0.1 / br-lan, i.e.
# the stock 'lan' interface (192.168.1.1) defined earlier in this file. As long as it
# stays, the AP is also reachable from whatever is plugged into port 4 untagged.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 4'
        option vid '1'

# Stock VLAN 2: port 5 untagged, CPU port tagged.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

# VLANs 9-12 are tagged on the CPU port (0) and on both external ports (4 and 5).
# NOTE(review): every VLAN, including Management, is therefore trunked on both
# external ports; if only one of them is the uplink, consider removing the other
# from 'ports' so that a device plugged into it cannot reach the management VLAN.
config switch_vlan
        option device 'switch0'
        option vlan '9'
        option vid '9'
        option ports '0t 4t 5t'
        option description 'Management'

config switch_vlan
        option device 'switch0'
        option vlan '11'
        option ports '0t 4t 5t'
        option vid '11'
        option description 'IoT'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option ports '0t 4t 5t'
        option vid '10'
        option description 'Private'

config switch_vlan
        option device 'switch0'
        option vlan '12'
        option ports '0t 4t 5t'
        option vid '12'
        option description 'Guest'

# VLAN-aware bridge whose only wired member is eth0 (the switch CPU port).
config device
        option name 'br0'
        option type 'bridge'
        option vlan_filtering '1'
        list ports 'eth0'

# One bridge-vlan per VLAN, each tagged on eth0; the alias gives the device name
# used by the interfaces below (br0.<alias>).
config bridge-vlan
        option device 'br0'
        option vlan '9'
        option alias 'management'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br0'
        option vlan '11'
        option alias 'iot'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br0'
        option vlan '10'
        option alias 'private'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br0'
        option vlan '12'
        option alias 'guest'
        list ports 'eth0:t'

# The AP takes its own address on VLAN 9 via DHCP.
config interface 'management'
        option device 'br0.management'
        option proto 'dhcp'

# iot / private / guest: proto 'none', so no address is configured on the AP for
# these VLANs; they exist so SSIDs can be attached to them.
# NOTE(review): confirm the AP gets no IPv6 link-local address on these devices if
# clients on these VLANs must not reach the AP's own services.
# NOTE(review): 'option type bridge' on an interface section is the older
# per-interface bridge syntax; verify it is still wanted next to the br0 bridge-vlan setup.
config interface 'iot'
        option device 'br0.iot'
        option type 'bridge'
        option proto 'none'

config interface 'private'
        option device 'br0.private'
        option type 'bridge'
        option proto 'none'

config interface 'guest'
        option device 'br0.guest'
        option type 'bridge'
        option proto 'none'

Perhaps the title of this thread should be changed, since DSA is irrelevant :smiley:

Yeah, good idea as it is no longer DSA related. Thank you for adjusting the thread's subject.

I was able to add proper wireless networks per VLAN and test them quickly successfully.
Below is my latest network configuration:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4b:2bb0:565f::/48'

config device
        option name 'eth0.1'
        option macaddr 'cc:2d:e0:a6:d0:4d'

config device
        option name 'eth0.2'
        option macaddr 'cc:2d:e0:a6:d0:4c'

# Hardware switch: VLAN support enabled, switch reset when the config is applied.
# The stock switch VLANs 1 and 2 are no longer defined in this revision.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLANs 9-12 are tagged on the CPU port (0) and on both external ports (4 and 5).
# NOTE(review): every VLAN, including Management, is therefore trunked on both
# external ports. The author states nothing else will be plugged into the AP, so
# consider removing the unused port from 'ports' so that a device plugged into it
# later cannot reach the management VLAN.
config switch_vlan
        option device 'switch0'
        option vlan '9'
        option vid '9'
        option ports '0t 4t 5t'
        option description 'Management'

config switch_vlan
        option device 'switch0'
        option vlan '11'
        option ports '0t 4t 5t'
        option vid '11'
        option description 'IoT'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option ports '0t 4t 5t'
        option vid '10'
        option description 'Private'

config switch_vlan
        option device 'switch0'
        option vlan '12'
        option ports '0t 4t 5t'
        option vid '12'
        option description 'Guest'

# VLAN-aware bridge whose only wired member is eth0 (the switch CPU port).
config device
        option name 'br0'
        option type 'bridge'
        option vlan_filtering '1'
        list ports 'eth0'

# One bridge-vlan per VLAN, each tagged on eth0; the alias gives the device name
# used by the interfaces below (br0.<alias>).
config bridge-vlan
        option device 'br0'
        option vlan '9'
        option alias 'management'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br0'
        option vlan '11'
        option alias 'iot'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br0'
        option vlan '10'
        option alias 'private'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br0'
        option vlan '12'
        option alias 'guest'
        list ports 'eth0:t'

# The only interface on which the AP configures an address: DHCP on VLAN 9.
# NOTE(review): with the stock 'lan' interface removed, check which firewall zone (if
# any) covers 'management', so the web UI and SSH are reachable from VLAN 9 only.
config interface 'management'
        option device 'br0.management'
        option proto 'dhcp'

# iot / private / guest: proto 'none', so no address is configured on the AP for
# these VLANs; they exist so SSIDs can be attached to them.
# NOTE(review): confirm the AP gets no IPv6 link-local address on these devices if
# clients on these VLANs must not reach the AP's own services.
# NOTE(review): 'option type bridge' on an interface section is the older
# per-interface bridge syntax; verify it is still wanted next to the br0 bridge-vlan setup.
config interface 'iot'
        option device 'br0.iot'
        option type 'bridge'
        option proto 'none'

config interface 'private'
        option device 'br0.private'
        option type 'bridge'
        option proto 'none'

config interface 'guest'
        option device 'br0.guest'
        option type 'bridge'
        option proto 'none'

Not 100% sure if this is the right approach, but I've completely removed vlan1 and vlan2 along with the LAN interface, as I'm not going to connect any additional devices over the LAN port to my AP.

Thank you very much for helping me set this up! I will test it for a couple of days more and then roll it out to my other AP.