VLAN configuration with dumb AP

I apologize if this is asked a lot, but I can't seem to find a solution to the problem I'm having after searching in the forums.

I have 2 devices with OpenWrt installed: a router (R) that provides access to the Internet, and a dumb access point (AP) that is connected to R via LAN.

I have set up R with 2 VLANs, one for private usage (VLAN 1) and one for guest usage (VLAN 10), which are working fine on R's side. R is providing DHCP/DNS for both VLANs, firewall as well as Internet access.

However, while configuring the VLANs for AP, only VLAN 1 is working on AP, while VLAN 10 is not. Other than the VLANs, I've followed the instructions for setting up a dumb AP here (DHCP and firewall are disabled on AP).

Here's the network configuration on R (loopback and WAN omitted). Port 0 is CPU and port 4 is connected to AP.

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'
        option ifname 'eth0.1'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option description 'LAN'
        option vid '1'
        option ports '0t 2 4t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '10'
        option description 'LAN Guest'
        option ports '0t 1 3 4t'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.10'
        option type 'bridge'

Here's the firewall configuration on R (default rules omitted):

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '53'
        option name 'Allow-Guest-DNS'
        option family 'ipv4'

config rule
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'
        option name 'Allow-Guest-DHCP'
        option family 'ipv4'

Here's the network configuration on AP (loopback omitted). Port 6 is CPU and port 1 is connected to R.

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.0.5'
        option netmask '255.255.255.0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1t 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '10'
        option ports '1t 2 3 6t'

config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.5.5'
        option netmask '255.255.255.0'

My PC is currently connected to AP on port 4, which successfully gets an IP address from R and can connect to the internet. However, when I connect to either port 2 or 3 of AP, the PC fails to connect to the network.

Any help is much appreciated.

I would assume that you have to specify R as gateway on your lan and guest configs on ap.

I've edited the network config on AP as you suggested:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.0.5'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'

config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.5.5'
        option netmask '255.255.255.0'
        option gateway '192.168.5.1'

Still doesn't seem to be working though. Only VLAN1 connects to R.

Can you run the following commands on your PC and publish the results?

traceroute 8.8.8.8

nslookup www.google.com

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  0.475 ms  0.652 ms  0.771 ms
 2  175.143.159.254 (175.143.159.254)  6.213 ms  6.325 ms  6.542 ms
 3  10.55.74.53 (10.55.74.53)  13.070 ms  13.418 ms  13.453 ms
 4  10.55.135.49 (10.55.135.49)  12.593 ms  12.689 ms 10.55.68.59 (10.55.68.59)  10.611 ms
 5  10.55.48.56 (10.55.48.56)  12.991 ms  13.000 ms 10.55.48.58 (10.55.48.58)  11.529 ms
 6  72.14.198.56 (72.14.198.56)  124.462 ms 72.14.194.152 (72.14.194.152)  10.967 ms  10.937 ms
 7  10.23.195.30 (10.23.195.30)  11.220 ms 108.170.249.225 (108.170.249.225)  12.603 ms 108.170.250.17 (108.170.250.17)  9.830 ms
 8  dns.google (8.8.8.8)  9.330 ms 108.170.230.79 (108.170.230.79)  11.103 ms 108.170.225.237 (108.170.225.237)  12.660 ms
Server:		192.168.0.1
Address:	192.168.0.1#53

Non-authoritative answer:
Name:	www.google.com
Address: 172.217.166.132
Name:	www.google.com
Address: 2404:6800:4001:804::2004

This is when the PC is connected to lan. What if the PC is connected to guest?

DHCP fails on guest. Checked logread on R and there were no DHCPREQUEST from PC.

Setting a static IP on PC while connected to guest also does not connect it to the network. Both traceroute and nslookup just time out:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  PC (192.168.5.253)  2203.120 ms !H  2203.102 ms !H  2203.094 ms !H
;; connection timed out; no servers could be reached

Can you try the following:
Temporarily set an untagged port at your router to the guest vlan, and connect your PC there. Does this work?

Edit: looks like port 1 and 3 of R are assigned to guest. Does the PC work there?

If not, traceroute and nslookup for that?

BTW, what hardware do you use? Do both router and ap support vlans?

Yup, the guest ports on R work fine. I've got a couple of devices connected to them (a TV for example) that can receive IPs on the 192.168.5.0/24 range and connect to the Internet no problem. WiFi on R is also using the guest bridge interface, which works fine.

As for hardware, R is a D-Link DIR-842 C2 and AP is a TP-Link TL-WR840N v6. Both devices' original firmware supports VLAN, albeit without many customization options.

I did custom-compile the firmware for AP based on the 19.07 branch since the device is not officially supported, so this could have ultimately been the reason I'm having this problem if there seem to be no alternative causes. Hopefully that is not the case though.

Run swconfig dev switch0 show on both devices to confirm the switches are properly configured. Also you should plug and unplug cables and confirm that the port that goes down is the one that you expect, as port numbering is often different between the logical ports and the manufacturer's writing on the box.

In the AP, communication between port 2 and port 4 would be strictly hardware switching. That functionality doesn't need a software network at all.


Guest AP networks are usually built as an unmanaged bridge because all it has to do is layer 2 forward packets between wifi and ethernet. Giving the guest network an IP on the AP is an opportunity for guests to hack the AP. (However, since it does have an IP on the guest network it is an opportunity to test pinging the AP from the router on the guest interface).

I'd already done swconfig dev switch0 show previously to confirm the port numbers, which was how I realized that the CPU on AP is port 6 and not port 0 (was very confused when I stopped being able to ssh to AP when configuring the VLANs).

By unmanaged bridge, do you mean to set proto of the guest interface on AP to 'none'? Do I need other configuration to forward the packets correctly?

With the current configuration, pinging AP from R using ping -I br-guest 192.168.5.5 fails. Pinging other devices on the guest network from R works fine.
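
The unmanaged guest bridge discussed above, as an added check that is not part of the original thread: it reads an AP's `/etc/config/network` text and lists every interface on the guest VLAN that still carries an address, meaning any proto other than 'none'. The helper name `guest_ip_exposure` and the second sample are constructed for illustration; the first sample is trimmed from the AP config posted earlier.

```shell
#!/bin/sh
# Sample 1: trimmed from the AP config posted in this thread.
# Sample 2: constructed unmanaged variant (proto 'none', no address).
AP_STATIC="config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.0.5'
config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.5.5'"
AP_UNMANAGED="config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.10'
        option proto 'none'"

# guest_ip_exposure (hypothetical helper): stdin = network config text,
# $1 = VLAN number of the guest network. Prints each interface on that VLAN
# whose proto is not 'none', i.e. where guests can reach the AP itself.
guest_ip_exposure() {
    awk -v vlan="$1" -v q="'" '
        function emit() {
            if (name != "" && ifname ~ ("\\." vlan "$") && proto != "none")
                print name " proto=" proto " ipaddr=" ipaddr
        }
        $1 == "config" { emit(); name = ifname = proto = ipaddr = "" }
        $1 == "config" && $2 == "interface" { split($0, a, q); name = a[2] }
        $1 == "option" { split($0, a, q)
            if ($2 == "ifname") ifname = a[2]
            if ($2 == "proto") proto = a[2]
            if ($2 == "ipaddr") ipaddr = a[2] }
        END { emit() }'
}

printf '%s\n' "$AP_STATIC" | guest_ip_exposure 10      # flags 'guest'
printf '%s\n' "$AP_UNMANAGED" | guest_ip_exposure 10   # prints nothing
```

With proto 'none' the bridge still forwards layer 2 frames between the guest ports and the trunk, but the ping test from R to the AP's guest address no longer applies.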

First of all I somehow remember that in another post I read about switching on vlan filtering in order to process vlans correctly between tagged and untagged ports, but maybe that was only related to DSA.

Another option to get your problem fixed would be to have a separate guest network on the AP (that has nothing to do with the guest network of R). This is possible via https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap, and of course you can also add untagged ports to the guest network there.

In that case the guest network of R would not be exposed to AP via a tagged port, but the AP would open its own guest network independently.

That would be undesirable, since I would like to reuse the DHCP/DNS server that's already running on R. I would also need to recompile the firmware for AP with dnsmasq included.

I'll keep this option in mind as a last resort though, if nothing else works.

Can you please also post the dhcp config of R? How is the static address of AP reflected there?

If it works from a port on the R router, it should work through the switched port on the AP and the trunk cable. Again that is all going to be handled by hardware switching. The packets never touch the CPU in the AP, so the software configuration of AP (other than the switch) won't affect it. Examine the bottom of the swconfig show to confirm the VLANs have been loaded into the switches properly.

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '1.1.1.1'
        list server '1.0.0.1'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '1h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option force '1'

It's not. The static IP is set on the AP and not as a static lease on R.

swconfig of R:

Global attributes:
        enable_vlan: 1
        ar8xxx_mib_poll_interval: 500
        ar8xxx_mib_type: 0
        enable_mirror_rx: 0
        enable_mirror_tx: 0
        mirror_monitor_port: 0
        mirror_source_port: 0
        arl_age_time: 300
        arl_table: address resolution table
Port 0: MAC [omitted]
Port 0: MAC [omitted]
Port 1: MAC [omitted]
Port 2: MAC [omitted]
Port 4: MAC [omitted]
Port 5: MAC [omitted]

        igmp_snooping: 0
        igmp_v3: 0
Port 0:
        mib: MIB counters
RxGoodByte  : 415198510609 (386.6 GiB)
TxByte      : 476279003217 (443.5 GiB)

        enable_eee: ???
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 0
        link: port:0 link:up speed:1000baseT full-duplex txflow rxflow
Port 1:
        mib: MIB counters
RxGoodByte  : 51990270 (49.5 MiB)
TxByte      : 63241109 (60.3 MiB)

        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 2
        link: port:1 link:up speed:1000baseT full-duplex auto
Port 2:
        mib: MIB counters
RxGoodByte  : 20155091225 (18.7 GiB)
TxByte      : 19791539130 (18.4 GiB)

        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 1
        link: port:2 link:up speed:100baseT full-duplex auto
Port 3:
        mib: No MIB data
        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 2
        link: port:3 link:down
Port 4:
        mib: MIB counters
RxGoodByte  : 50787796851 (47.2 GiB)
TxByte      : 309815077741 (288.5 GiB)

        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 0
        link: port:4 link:up speed:100baseT full-duplex auto
Port 5:
        mib: MIB counters
RxGoodByte  : 404864873274 (377.0 GiB)
TxByte      : 83188426020 (77.4 GiB)

        enable_eee: 0
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 0
        link: port:5 link:up speed:1000baseT full-duplex txflow rxflow auto
Port 6:
        mib: No MIB data
        enable_eee: ???
        igmp_snooping: 0
        vlan_prio: 0
        pvid: 0
        link: port:6 link:up speed:10baseT half-duplex
VLAN 1:
        vid: 1
        ports: 0t 2 4t
VLAN 2:
        vid: 10
        ports: 0t 1 3 4t

swconfig of AP:

Global attributes:
        enable_vlan: 1
        alternate_vlan_disable: 0
        bc_storm_protect: 0
        led_frequency: 0
Port 0:
        disable: 0
        doubletag: 0
        untag: 0
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:0 link:down
Port 1:
        disable: 0
        doubletag: 0
        untag: 0
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 64417
        tr_bad: 0
        tr_good: 60877
        pvid: 0
        link: port:1 link:up speed:100baseT full-duplex
Port 2:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 177
        tr_bad: 0
        tr_good: 0
        pvid: 2
        link: port:2 link:down
Port 3:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 0
        recv_good: 156
        tr_bad: 0
        tr_good: 0
        pvid: 2
        link: port:3 link:down
Port 4:
        disable: 0
        doubletag: 0
        untag: 1
        led: 5
        lan: 1
        recv_bad: 1
        recv_good: 60981
        tr_bad: 0
        tr_good: 41371
        pvid: 1
        link: port:4 link:up speed:100baseT full-duplex
Port 5:
        disable: 1
        doubletag: 0
        untag: 0
        led: ???
        lan: 1
        recv_bad: 0
        recv_good: 0
        tr_bad: 0
        tr_good: 0
        pvid: 0
        link: port:5 link:down
Port 6:
        disable: 0
        doubletag: 0
        untag: 0
        led: ???
        lan: ???
        recv_bad: ???
        recv_good: ???
        tr_bad: ???
        tr_good: ???
        pvid: 0
        link: port:6 link:up speed:1000baseT full-duplex
VLAN 1:
        ports: 1t 4 6t
VLAN 2:
        ports: 1t 2 3 6t

It does look like the VLANs are loaded properly on both switches.

Summarizing:

  • R is unable to ping the guest ip of AP
  • The guest vlan does not work on AP
  • switch config on both devices is ok
  • Correct port numbers have been checked

My guess would be:
Either there is a component between R and AP that is not vlan-capable, or the vlans are incompatible between tp-link and dlink.

Oops, on the AP swconfig we do not see vids, only vlans numbered. Is that normal? I would try to set vid = vlan number.

I checked swconfig dev switch0 help, and the switch in AP does not have the vid attribute for vlans:

    --vlan
        Attribute 1 (ports): ports (VLAN port mapping)

On R:

    --vlan
        Attribute 1 (int): vid (VLAN ID (0-4094))
        Attribute 2 (ports): ports (VLAN port mapping)

I'm not sure if this is due to hardware differences or due to different versions of OpenWrt. R is running a snapshot build from a few weeks ago and AP is running a fork of 19.07.

swconfig dev switch0 help also shows for R:

switch0: mdio.0(Atheros AR8337), ports: 7 (cpu @ 0), vlans: 4096

And for AP:

switch0: rt305x(rt305x-esw), ports: 7 (cpu @ 6), vlans: 4096

If that might help.

From googling around it looks like rt305x does not support vids at all. I really would change the config and replace vid 10 with vid 2 in both R and AP and see what happens.

See: https://github.com/8devices/carambola/issues/15
The config there does not contain vids. I think this is the reason that in your case the vid 10 packages do not arrive at AP.

Ahhh. That makes total sense now why it wasn't working.

I changed both VLAN configs to vid 2, and R can now successfully ping AP on br-guest. I'll update you in a couple days whether the physical ports and WLAN on AP will connect to R, but I don't see why it wouldn't now.

On a side note, as @mk24 suggested earlier, would it be better to have the guest bridge interface on AP be unmanaged?
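
The tag mismatch found in this thread, as an added check that is not part of the original posts: it reads each device's `swconfig dev switch0 help` output and `switch_vlan` sections and prints the 802.1Q tags that only one end of the trunk carries. The function names are hypothetical, the sample data is trimmed from the configs above, and the rule that a switch without a `vid` attribute tags with the `option vlan` index is the thread's conclusion, taken here as an assumption.

```shell
#!/bin/sh
# Sample data trimmed from the help output and configs posted in this thread.
R_HELP="    --vlan
        Attribute 1 (int): vid (VLAN ID (0-4094))
        Attribute 2 (ports): ports (VLAN port mapping)"
AP_HELP="    --vlan
        Attribute 1 (ports): ports (VLAN port mapping)"
R_VLANS="config switch_vlan
        option vlan '1'
        option vid '1'
        option ports '0t 2 4t'
config switch_vlan
        option vlan '2'
        option vid '10'
        option ports '0t 1 3 4t'"
AP_VLANS="config switch_vlan
        option vlan '1'
        option vid '1'
        option ports '1t 4 6t'
config switch_vlan
        option vlan '2'
        option vid '10'
        option ports '1t 2 3 6t'"
# stdin: swconfig help text; prints yes if --vlan lists a vid attribute.
vid_supported() {
    awk '/^ *--vlan/ { v = 1; next }
         /^ *--/ { v = 0 }
         v && /\): vid / { found = 1 }
         END { print (found ? "yes" : "no") }'
}
# stdin: switch_vlan sections; $1 = trunk port; $2 = yes|no from vid_supported.
# Prints the tags carried tagged on the trunk port. Assumption: without a vid
# attribute the driver ignores `option vid` and uses the `option vlan` index.
trunk_tags() {
    awk -v port="$1" -v has_vid="$2" -v q="'" '
        function emit() {
            if (idx != "" && (" " ports " ") ~ (" " port "t "))
                print ((has_vid == "yes" && vid != "") ? vid : idx)
        }
        $1 == "config" { emit(); idx = vid = ports = "" }
        $1 == "option" { split($0, a, q)
            if ($2 == "vlan") idx = a[2]
            if ($2 == "vid") vid = a[2]
            if ($2 == "ports") ports = a[2] }
        END { emit() }' | sort -n
}
# $1, $2: tag lists from each end; prints tags that only one end carries.
trunk_mismatch() { printf '%s\n%s\n' "$1" "$2" | sort -n | uniq -u; }
r=$(printf '%s\n' "$R_VLANS" | trunk_tags 4 "$(printf '%s\n' "$R_HELP" | vid_supported)")
ap=$(printf '%s\n' "$AP_VLANS" | trunk_tags 1 "$(printf '%s\n' "$AP_HELP" | vid_supported)")
trunk_mismatch "$r" "$ap"
```

Empty output means both ends agree on every tagged VLAN, which is the state reached once R's guest VLAN is changed to vid 2.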