Cannot connect to MR, neither get an IP connected to the device on LAN nor per WLAN, seems no DHCP addresses. Did only change network.
Need to reset and load old config
Was required to reset MR and AP2 cause wasn't able to connect.
Means MR and AP2 are back to the config I started with.
AP2 was exactly the same config as AP1 - exception line list ports 'lan2:t' for VLAN 3 was deleted.
Checked port connections again, the only thing to mention is port 2 on MR isn't connected yet, means is empty.
Can I somehow go step by step and identify the bug?
AP1 VLAN config is
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'xxxx'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config interface 'lan'
    option device 'br-lan.2'
    option proto 'static'
    option ipaddr '192.168.2.7'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option gateway '192.168.2.1'
    list dns '192.168.2.1'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'
    option disabled '1'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'
    option disabled '1'
    option reqaddress 'try'
    option reqprefix 'auto'
    option norelease '1'

config interface 'guest'
    option proto 'none'
    option device 'br-lan.3'

config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan1:t'
    list ports 'lan2:t'
and AP3 (as said not yet directly connected)
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'xxxx'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config device
    option name 'br-guest'
    option type 'bridge'
    list ports 'eth0.3'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.2.9'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option gateway '192.168.2.1'
    list dns '192.168.2.1'

config interface 'guest'
    option device 'br-guest'
    option proto 'none'
Hmmmm I remember that I somewhere read something about port mismatch ... now I checked the OWRT documentation for that router and I am confused.
Does this hit us here?
The configs for AP1 and AP3 look correct.
Let's verify AP2 and the main router (which might be back to the previous/known good config now??).
Not an issue here -- that affects only older swconfig based devices/targets. With DSA, the ports are referenced directly at the user-level config (the underlying architectures abstract away the hardware switch and the internal-to-external port mapping).
Yes AP2 and MR are back where I started, config as given further above.
Do I really only need to configure network nothing with DHCP?
AP2 is somehow at the end of the queue can that be the fault, I think this is at MR cause that wasn't reachable at all, ok AP2 as well...
I'm thinking we'll make the changes to AP2 first and make sure that it's working in general (if it breaks things, just reset and restore with a known good backup... if you don't have one, make that now).
Then we'll do the main router after that.
Not sure what you're asking here, but if you're talking about the guest network on the APs being setup as unmanaged, yes, that's normal. They do have addresses on your trusted/main network, which is all that is needed.
Not working
Did re-configure AP2 reboot, Gone!
LEDs are flashing correctly but not accessible neither LAN on the device nor WLAN. Rest of network is working
Reset and back to the last good one config.
What confuses me a bit after reset when I connect only the PC to router LAN standalone I would expect to reach the router on 192.168.2.8 the given static IP. But it isn't working only when I connect the AP2 again to network on LAN1 I can reach it on 192.168.2.8 as expected, is this standard behavior?
Ok. Let's see the config once it is edited, but before you reboot. We will see if there is an error or typo (possibly my fault if such an error was in my directions).
I will position the AP2 next to MR for easy play and test and can connect its port1 to MR port2 (which is intended being connected to AP3 later) and is configured already on MR I think.
OK AP2 has the same config as AP1 besides the last line in VLAN3 what is deleted, the ula_prefix and the different static IP which is 2.8
Full config of AP2 is in post 3 above for Dumb AP.
network config for AP2 before saving and reboot
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'xxxx'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config interface 'lan'
    option device 'br-lan.2'
    option proto 'static'
    option ipaddr '192.168.2.8'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option gateway '192.168.2.1'
    list dns '192.168.2.1'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'
    option disabled '1'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'
    option disabled '1'
    option reqaddress 'try'
    option reqprefix 'auto'
    option norelease '1'

config interface 'guest'
    option proto 'none'
    option device 'br-lan.3'

config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan1:t'
Now AP2 with VLAN config connected directly to MR port2 without VLAN config -> AP2 is coming up and running OK.
I will plug AP2 now again behind AP1 and check what happens.
BTW: Should DNS and gateway IP always pointing to MR?
Surprise AP2 behind AP1 both VLAN config now up and running
That is strange I applied the same settings the 3rd time to AP2 "nothing" else and now it is working...
OK the missing is now the MR which is still without VLAN config.
How to proceed now? Can we check something before applying the config or somehow apply config in pieces, what do you suggest?
Also what comes in my mind, the guest network I setup before on MR there are firewall settings as well as DHCP and SSID already available, is this something what can disturb maybe change back/delete these settings?
Everything looks good so far.
Let's do the main router now. Post the updated config before you reboot it and I'll take a look.
This is the config I prepared now. Please have a look.
But again what about the current guest setup, the SSID is linked to guest, should I adapt this?
Also AP3 is now directly connected, and you said that we need to test that and see if it works, but how can I test that?
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'xxx'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config interface 'lan.2'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'wan'
    option proto 'pppoe'
    option ipv6 'auto'
    option username 'xxx'
    option password 'xxx'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'

config interface 'guest'
    option proto 'static'
    option device 'br-lan.3'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'

config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan1:t'
    list ports 'lan2:t'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
This is one reason why it broke:
it should be just lan for the interface, and device should be br-lan.2. This was my fault -- typo above (I'll correct in a moment). Sorry!!!
Here's what it should look like:
config interface 'lan'
    option device 'br-lan.2'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
In addition, the bridge-VLAN for VLAN 3 is incorrect... delete the last two lines:
Post the updated config (before you restart) and I'll double check it.
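The mistakes pointed out in this reply can be caught mechanically before a reboot. The following is an added example, not part of the thread and not an OpenWrt tool: a shell/awk check whose names (`lint_network`, `draft_config`) and abridged sample input are constructed for illustration. It also flags an interface that points at a VLAN with no matching bridge-vlan section, which goes beyond the cases in the thread.

```shell
# Added example, not from the thread: reads a network config on stdin, prints findings, returns 1 if any.
lint_network() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    function report(line, msg) { print "line " line ": " msg; bad = 1 }
    function commit() {   # record the bridge-vlan section that just ended
        if (type == "bridge-vlan" && bdev != "") { filtered[bdev] = 1; vlan[bdev "." bvid] = 1 }
        bdev = bvid = ""
    }
    $1 == "config" {
        commit(); type = $2; name = unq($3)   # UCI names: [A-Za-z0-9_] only
        if (type == "interface" && name !~ /^[A-Za-z0-9_]+$/)
            report(NR, "interface name " name " is not a valid UCI name")
        next
    }
    type == "bridge-vlan" && $1 == "option" {
        if ($2 == "device") bdev = unq($3)
        else if ($2 == "vlan") bvid = unq($3)
        else if ($2 ~ /^(proto|ipaddr|netmask|gateway)$/)
            report(NR, "option " $2 " belongs in an interface section")
    }
    type == "interface" && $1 == "option" && $2 == "device" {
        n++; ifname[n] = name; ifdev[n] = unq($3); ifline[n] = NR
    }
    END {
        commit()
        for (i = 1; i <= n; i++) {
            base = ifdev[i]; sub(/\.[0-9]+$/, "", base)
            if (!(base in filtered)) continue
            if (ifdev[i] == base)
                report(ifline[i], ifname[i] ": " base " is VLAN-filtered, use " base ".<vid>")
            else if (!(ifdev[i] in vlan))
                report(ifline[i], ifname[i] ": no bridge-vlan section for " ifdev[i])
        }
        exit bad + 0
    }'
}
draft_config() {   # constructed sample, abridged from the draft in the thread
cat <<'EOF'
config interface 'lan.2'
    option device 'br-lan'
config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan1:t'
    option ipaddr '192.168.3.1'
EOF
}
draft_config | lint_network || true
```

On a router the same function can be fed the edited file with `lint_network < /etc/config/network` before restarting the network.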
OK, No problem
That will be the config I will apply
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'xxx'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'

config interface 'lan'
    option device 'br-lan.2'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'wan'
    option proto 'pppoe'
    option ipv6 'auto'
    option username 'xxx'
    option password 'xxx'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'

config interface 'guest'
    option proto 'static'
    option device 'br-lan.3'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'

config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan1:t'
    list ports 'lan2:t'
This looks good. Go ahead and apply that.
OK, That was it - Up and running
- Guest is already available for the MR cause was existing already before.
Now I will create that for the APs.
For AP3 (only one LAN port/outdoor) you said there are two possibilities and we try that one, I can see there are no VLAN configured, right? -
And for the firewall settings I applied before already some changes will they still work or need adjustments?
I allowed traffic from LAN to Guest cause I will have there some IoT devices and I need access there.
- Next I will setup Wireguard client&server.
The WG client I would like to use from the APs as well.
Is that also requiring VLAN to get access from the APs to the WG client functionality?
If AP3 is configured as shown in this earlier post, I think it should work once you add the SSID. The VLAN is there, but just in a different syntax.
However, if AP3's guest network doesn't actually function properly, we'll make a few modifications (should be quick and easy). Let me know.
The screenshot doesn't tell me the whole story, but at least in general, that looks fine. Give it a test to make sure that the firewall is achieving your goals.
This depends on how you're planning to use WG. When you mention that you'll be setting up client and server, does that mean you'll be:
a) Configuring WG to connect to a commercial VPN provider?
b) Configuring WG to connect in a site-to-site context?
c) Configuring WG to allow inbound connections to your network (aka: Road Warrior) for remote access and/or continuity of services when you travel (it can look like you are at home even when you're abroad)
d) something else?
Any combination of these is fine, too, but if a or b, we also need to know what networks will be connected to the VPN and which will not.
One other little issue I just noticed and don't know how to overcome that!
In LUCI I am just trying to add the Guest SSID to the APs and I would like to assign that to the guest network - I can select guest from the dropdown but the "Save" button isn't accepted, just cannot save when I select guest network - What is wrong here? Should that stay on unspecified?
Wireguard scenario
a) and c) is my approach. User "ecg" already provided me some documents for setting up WG client and server but I don't know if I would need VLAN for getting access from each computer to WG client (outbound commercial VPN provider).
I assume WG server (inbound connection) will work cause I am just connected to my local network.
There was another user with a similar issue (couldn't add network via LuCI), but not sure why that was happening.
Try creating the ssid and then adding/editing the network line in the config file itself (/etc/config/wireless) to associate the ssid with the guest network.
Let's cover this in a thread specifically for the wireguard configs and considerations.