VLAN help with Proxmox/OPNsense/OpenWrt dumb AP

Hello,

I would like to implement VLANs to separate IOT devices and guests from my main LAN. My network is pretty simple. Internet -> OPNsense(running as a Proxmox VM) -> E8450 dumb AP meshed to another E8450 (802.11s).

Whenever I try to use the configuration enclosed, I lose my wifi and have to wait for luci to revert changes.

The Proxmox LAN linux bridge is set to VLAN aware and I have VLANs configured in OPNsense as children of the LAN interface. lan4 has been separated from br-lan as its own management port for each dumb AP.

I want to be able to plug anything into either AP and have access to LAN
I want to be able to attach IOT and guest wifi networks to the br-lan.20 and br-lan.30 interfaces respectively.

I'm assuming I've done something wrong in OpenWrt as Proxmox and OPNsense seem to be pretty straightforward.

Thanks for your help! This has been driving me nuts.

System log:

Fri Mar  8 08:15:04 2024 daemon.notice netifd: Interface 'lan' is disabled
Fri Mar  8 08:15:04 2024 daemon.warn dnsmasq[1]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry
Fri Mar  8 08:15:04 2024 daemon.notice netifd: VLAN 'br-lan.1' link is down
Fri Mar  8 08:15:04 2024 daemon.notice netifd: Interface 'lan' has link connectivity loss
Fri Mar  8 08:15:04 2024 daemon.notice netifd: bridge 'br-lan' link is down
Fri Mar  8 08:15:04 2024 daemon.notice netifd: Network device 'wan' link is down
Fri Mar  8 08:15:04 2024 daemon.notice netifd: lan (17230): udhcpc: SIOCGIFINDEX: No such device
Fri Mar  8 08:15:04 2024 daemon.notice netifd: lan (17230): udhcpc: received SIGTERM
Fri Mar  8 08:15:04 2024 daemon.notice netifd: lan (17230): udhcpc: unicasting a release of 192.168.10.14 to 192.168.10.1
Fri Mar  8 08:15:04 2024 daemon.notice netifd: lan (17230): udhcpc: sending release
Fri Mar  8 08:15:04 2024 daemon.notice netifd: lan (17230): udhcpc: can't bind to interface br-lan.1: No such device
Fri Mar  8 08:15:04 2024 daemon.notice netifd: lan (17230): udhcpc: bindtodevice: No such device
Fri Mar  8 08:15:04 2024 daemon.notice netifd: lan (17230): udhcpc: entering released state
Fri Mar  8 08:15:04 2024 daemon.notice netifd: lan (17230): Command failed: ubus call network.interface notify_proto { "action": 0, "link-up": false, "keep": false, "interface": "lan" } (Permission denied)
Fri Mar  8 08:15:04 2024 daemon.notice netifd: Interface 'lan' is now down


Would you mind sharing your /etc/config/network file here?

At a minimum, I would recommend changing your bridge interfaces to have static IP addresses instead of DHCP, unless you're doing a DHCP reservation for this AP on OPNsense.

When I get back home I will switch the bridge interfaces to static or make a reservation. I am unable to send the network file after my configuration as I lose wifi when I try to apply and have to revert. In the meantime here is my current network file. Thanks for your help!

root@e8450:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2b:9035:9a00::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'
	option acceptlocal '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'management'
	option proto 'static'
	option device 'lan4'
	option ipaddr '192.168.69.1'
	option netmask '255.255.255.0'

I have added the DHCP reservation.

I run three VLANs in my configuration, one for "LAN", one for Guest, and one for IoT. Each of these VLANs is trunked to my WAPs. I then have three SSIDs, one for each VLAN. So it sounds like we're pretty similar in configuration.

Let me share with you my network and wireless configs to show you how I have this set up in my working environment.

Network Config

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	option stp '1'
	option igmp_snooping '1'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'eth1'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.XX.20'
	option gateway '192.168.XX.5'
	list dns '192.168.XX.5'
	list dns_search 'home.arpa'
	option delegate '0'
	option device 'br-lan.1'
	option force_link 'yes'

config interface 'LAN6'
	option proto 'dhcpv6'
	option reqprefix 'no'
	option device 'br-lan.1'
	option reqaddress 'try'
	option delegate '0'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan.9'
	option ipaddr '192.168.YY.20'
	option netmask '255.255.255.0'
	option force_link 'yes'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.99'
	option ipaddr '192.168.ZZ.20'
	option netmask '255.255.255.0'
	option force_link 'yes'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'eth1:t'

Wireless Config

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option htmode 'HT40'
	option country 'US'
	option cell_density '0'
	option log_level '1'
	option channel '1'
	option txpower '20'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option country 'US'
	option cell_density '0'
	option he_bss_color '20'
	option htmode 'HE80'
	option log_level '1'
	option channel '153'
	option txpower '30'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key '<redacted>'
	option dtim_period '3'
	option ieee80211r '1'
	option ft_over_ds '0'
	option reassociation_deadline '20000'
	option ieee80211k '1'
	option time_advertisement '2'
	option wnm_sleep_mode '1'
	option bss_transition '1'
	option encryption 'sae'
	option max_inactivity '15'
	option ssid '<redacted>'
	option mbo '1'
	option time_zone 'EST5EDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode_no_keys '1'
	option proxy_arp '1'
	option ieee80211w '2'
	option na_mcast_to_ucast '1'
	option pmk_r1_push '0'
	option ft_psk_generate_local '0'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key '<redacted>'
	option dtim_period '3'
	option ssid '<redacted>'
	option ieee80211r '1'
	option ft_over_ds '0'
	option reassociation_deadline '20000'
	option ieee80211k '1'
	option time_advertisement '2'
	option wnm_sleep_mode '1'
	option bss_transition '1'
	option encryption 'sae'
	option max_inactivity '15'
	option mbo '1'
	option time_zone 'EST5EDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode_no_keys '1'
	option proxy_arp '1'
	option ieee80211w '2'
	option na_mcast_to_ucast '1'
	option pmk_r1_push '0'
	option ft_psk_generate_local '0'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option network 'GUEST'
	option mode 'ap'
	option key '<redacted>'
	option dtim_period '3'
	option ieee80211r '1'
	option ft_over_ds '0'
	option reassociation_deadline '20000'
	option ieee80211k '1'
	option time_advertisement '2'
	option wnm_sleep_mode '1'
	option bss_transition '1'
	option encryption 'sae'
	option max_inactivity '15'
	option ssid '<redacted>'
	option mbo '1'
	option time_zone 'EST5EDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode_no_keys '1'
	option proxy_arp '1'
	option ieee80211w '2'
	option na_mcast_to_ucast '1'
	option pmk_r1_push '0'
	option ft_psk_generate_local '0'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option network 'GUEST'
	option mode 'ap'
	option key '<redacted>'
	option dtim_period '3'
	option ssid '<redacted>'
	option ieee80211r '1'
	option ft_over_ds '0'
	option reassociation_deadline '20000'
	option ieee80211k '1'
	option time_advertisement '2'
	option wnm_sleep_mode '1'
	option bss_transition '1'
	option encryption 'sae'
	option max_inactivity '15'
	option mbo '1'
	option time_zone 'EST5EDT,M3.2.0,M11.1.0'
	option wnm_sleep_mode_no_keys '1'
	option proxy_arp '1'
	option ieee80211w '2'
	option na_mcast_to_ucast '1'
	option pmk_r1_push '0'
	option ft_psk_generate_local '0'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid '<redacted>'
	option key '<redacted>'
	option dtim_period '3'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'IOT'
	option reassociation_deadline '20000'
	option ieee80211k '1'
	option time_advertisement '2'
	option wnm_sleep_mode '1'
	option bss_transition '1'
	option encryption 'psk2+ccmp'
	option max_inactivity '15'
	option mbo '0'
	option time_zone 'EST5EDT,M3.2.0,M11.1.0'
	option ieee80211w '0'
	option wnm_sleep_mode_no_keys '1'
	option proxy_arp '1'
	option na_mcast_to_ucast '1'
	option pmk_r1_push '1'

Take a look over these configs and let me know if they help, or if you have more questions after reviewing.

Thanks. I'll take a look and follow up! Thanks again!


Hope you were able to get things sorted and working!

Hi

Are you making changes on the first (in chain) AP or on the second?

I think I have it figured out now! I wanted to use my wan that was already in br-lan in a separate bridged device br-vlans. From there the plan was to attach my wireless networks to br-vlan. For some reason I thought one could do this. Things started working once I enabled vlan filtering on br-lan itself and removed br-vlans.

I also had to use Proxmox to feed the vlans into OPNsense using tagged network interfaces in the VM configuration. Initially I thought I could set vmbr0 to be vlan aware and the vlans would feed into OPNsense and I would set it up there. Further research seems to suggest it is easier and more performant to handle the vlans at the hypervisor level instead.

I'm now working on setting up vlans over 802.11s and setting up floating rules so I can lock the vlans from each other in one place with less configuration on each interface. I've seen videos on using GRE or Batman-adv for vlans over 802.11s. Is Batman-adv still the best way to do this?

Thanks @_FailSafe and @NPeca75 for your responses!
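Putting the original goals (any wired port lands on LAN, IoT and guest on br-lan.20 and br-lan.30, lan4 kept as management) together with the fix described above (VLAN filtering on br-lan itself, no second bridge), here is an added example /etc/config/network for the dumb APs; it is not either poster's file. It assumes the 'wan' port is the trunk uplink toward OPNsense, that LAN travels untagged on that trunk while 20 and 30 are tagged, and it gives the IoT and guest interfaces proto 'none' so the AP holds no address on those segments.

```uci
# /etc/config/network on each E8450 dumb AP (added example, not a poster's file).
# Assumed: 'wan' is the trunk uplink to OPNsense, LAN rides it untagged (VLAN 1),
# IoT/Guest ride it tagged as 20/30, and lan4 stays the separate management port.

config device
	option name 'br-lan'
	option type 'bridge'
	option vlan_filtering '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

# VLAN 1: untagged + PVID on lan1-3 (anything plugged in lands on LAN) and on the uplink
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'wan:u*'

# VLANs 20 and 30 exist only on the trunk; no wired access port carries them
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'

# The AP's own LAN address (DHCP reservation on OPNsense, as advised above)
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

# proto 'none': the AP bridges these VLANs to their SSIDs but has no IP on them,
# so a compromised IoT or guest client finds no AP services to reach on its segment
config interface 'iot'
	option device 'br-lan.20'
	option proto 'none'

config interface 'guest'
	option device 'br-lan.30'
	option proto 'none'
```

The existing loopback, globals and 'management' (lan4) sections stay as posted; in /etc/config/wireless each SSID then binds with option network 'iot' or 'guest', and adding option isolate '1' to those wifi-iface sections keeps IoT and guest clients from talking to each other over the air.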
