VLAN in AP + pfSense

Hi everyone,

I've read every vlan thread in this forum, reddit and the web, but I just can't seem to figure it out. My current setup is a pfSense router with all the vlan config already done, then a Linksys managed switch with the proper config, and then an OpenWrt AP with SSIDs. Right now, I'm just trying to run the IoT vlan, which is the least intrusive vlan within my network, but OpenWrt can't connect to the DHCP server to give IPs (yes, the DHCP Server in pfSense is up and running).

The other thing I've noticed is that from my laptop I can ping every VLAN (from LANSSID), but the AP can't ping any VLAN, and it's on the same LAN.

This is my network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdd9:be92:fdc0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        # Main Router
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        option netmask '255.255.255.0'

config device
        option name 'wan'
        option macaddr 'SOMEMACADD'

config interface 'IoT'
        option type 'bridge'
        option proto 'none'
        option device 'br-lan.7'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '7'
        option name 'br-lan.7'

This is my wireless config:

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option htmode 'HE40'
        option country 'MX'
        option cell_density '0'
        option channel '4'
        option txpower '5'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option cell_density '0'
        option country 'MX'
        option txpower '9'
        option channel '149'
        option htmode 'HE80'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'LANSSID_2.4Ghz'
        option encryption 'psk2'
        option key 'SOMEPASSWORD'
        option ieee80211r '1'
        option mobility_domain '1708'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'LANSSID_5Ghz'
        option encryption 'psk2'
        option key 'SOMEPASSWORD'
        option ieee80211r '1'
        option mobility_domain '1708'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IoT'
        option key 'ANOTHERPASSWORD'
        option network 'IoT'
        option encryption 'psk2'

DHCP and Firewall are disabled (this is a dumb AP).

Please, any help would be appreciated.

Regards.

Assuming that these are the correct port names, we will build bridge-VLANs for your setup.

First, delete this:

Then add these (I’m assuming your lan is untagged):

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'
        list ports 'wan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'eth0:t'
        list ports 'wan:t'

Then edit the lan to use br-lan.1 like this:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        option netmask '255.255.255.0'

Then restart and test again.

Thanks for answering, the good news is that the AP can now ping all the other vlans, but the wifi clients still can't get an IP. Should I change the interface type to dhcp static or something???

Let's review the latest config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless

And it should go without saying that you need to make sure that the switch is configured properly for both its uplink and the downlink to the AP (on the downlink: untagged + PVID for VLAN 1, tagged for vlan 7).

no.... leave the proto as none (unmanaged)

This is the output of the commands:

ubus call system board

{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear WAX202",
        "board_name": "netgear,wax202",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.4",
                "revision": "r20123-38ccc47687",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.4 r20123-38ccc47687"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'SOMEIPV6PREFIX/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        option netmask '255.255.255.0'

config device
        option name 'wan'
        option macaddr 'SOMEMACADDR'

config interface 'IoT'
        option type 'bridge'
        option proto 'none'
        option device 'br-lan.7'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'
        list ports 'wan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'eth0:t'
        list ports 'wan:t'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option htmode 'HE40'
        option country 'MX'
        option cell_density '0'
        option channel '4'
        option txpower '5'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option cell_density '0'
        option country 'MX'
        option txpower '9'
        option channel '149'
        option htmode 'HE80'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'LANSSID_2.4Ghz'
        option encryption 'psk2'
        option key 'SOMEPASSWORD'
        option ieee80211r '1'
        option mobility_domain '1708'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'LANSSID_5Ghz'
        option encryption 'psk2'
        option key 'SOMEPASSWORD'
        option ieee80211r '1'
        option mobility_domain '1708'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IoT'
        option key 'SOMEPASSWORD'
        option network 'IoT'
        option encryption 'psk2'

As for the switch, this is the config (there are the other vlans, but right now they're unused):

Remove the option type bridge line below:

As for the switch -- what port is the uplink to the router and which port is connected to the AP?

I removed the option type bridge, but still no ip to the clients.

The current AP I'm testing (if successful I have to do the others) is connected to port 3, the uplink is connected to port 1.

I see that the uplink is not a member of the vlan. I've added port 1 to vlan 7, but it's still not giving IPs. The AP can ping any vlan.

Yeah... that was going to be my advice. The uplink (port 1) must have VLAN 7 tagged.

Also, to rule out an issue on the wired side (prior to the AP), take one of the ports on the switch and make it VLAN 7 untagged + PVID. This way you can plug in a device and make sure it gets an IP from your router. If it does, we'll continue to look into the AP configuration. If it doesn't, check your pfsense system and your switch configuration in more detail.

This is related to your router config and will happen if your firewall allows it. This does not indicate a proper VLAN configuration from the router > switch > AP.

I put port 10 under vlan 7 and pvid 7. My laptop gets an IP (within the vlan subnet) and firewall rules from pfsense are working fine (can't access LAN, nor ping any other vlans).

ok... so we can now confirm that the router and switch are working properly.

Since you're running an older version of OpenWrt, I'd recommend upgrading to the latest (23.05.2 as of now). Make a backup first, but go ahead and let the process reset to defaults (uncheck the "keep settings" box).

Then, post your new (default) network config file and I'll recommend the changes necessary again.

Oks... I've upgraded the switch as per your instructions, and now I have the following:

ubus call system board

{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear WAX202",
        "board_name": "netgear,wax202",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd80:5387:16ba::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr '34:98:b5:13:0b:dc'

config device
        option name 'lan2'
        option macaddr '34:98:b5:13:0b:dc'

config device
        option name 'lan3'
        option macaddr '34:98:b5:13:0b:dc'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '34:98:b5:13:0b:dd'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

cat /etc/config/firewall

config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

This is quite different than what you had before where there was eth0 and wan. So... let's make changes:

Since you're not using the wan network interface, you can delete these:

Then, add the wan port to br-lan like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

Now we'll create the bridge-VLANs (here, I'm going to make the wan the trunk port, then lan1-lan2 connected to the normal lan, and lan3 connected to the iot vlan):

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'wan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'lan3:u*'
        list ports 'wan:t'

Next, edit the lan interface to use br-lan.1 and configure this device to the desired address like this (same as before):

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        option netmask '255.255.255.0'

And make the IoT network interface:

config interface 'IoT'
        option proto 'none'
        option device 'br-lan.7'

We also need to disable the lan interface DHCP server by adding option ignore '1' to that stanza and turning off the DHCPv6 stuff like this:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

Finally, set up the SSIDs accordingly. Before even dealing with the SSIDs, you should be able to verify that the bridge-VLAN is working by connecting a computer to ports lan1 (or lan2) and then lan3 and making sure they get a DHCP lease in the desired network.

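A small checker for the bridge-VLAN layout recommended in this post and in the earlier one (added here as an example; it is not code from the thread or from OpenWrt). It parses the text of /etc/config/network and reports the mistakes that came up in the thread: a bridge-vlan that names 'br-lan.N' instead of the bridge, a port that is not a bridge member (such as a vanished eth0), a VLAN the trunk port does not carry, a port untagged+PVID in two VLANs, and a VLAN without a 'br-lan.<vid>' interface. It assumes the trunk is the wan port, as in the suggested config, and the sample config is constructed.

```python
# Added example, not from the thread or OpenWrt: checks a dumb AP's DSA bridge-vlan
# layout (/etc/config/network text) for the mistakes seen above: a bridge-vlan that
# names 'br-lan.N', a port that is not a bridge member, a VLAN the trunk does not
# carry, a port untagged+PVID in two VLANs, a VLAN with no 'br-lan.<vid>' interface.
import re

# Constructed sample mirroring the suggested layout: wan is the trunk,
# lan1 is untagged on VLAN 1, lan3 is untagged on VLAN 7.
SAMPLE = """\
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan3'
    list ports 'wan'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'wan:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '7'
    list ports 'lan3:u*'
    list ports 'wan:t'
config interface 'lan'
    option device 'br-lan.1'
config interface 'IoT'
    option device 'br-lan.7'
"""

def parse_uci(text):
    """Minimal UCI reader: a list of {'type', 'opt', 'list'} sections ('#' lines skipped)."""
    secs = []
    for line in text.splitlines():
        tok = [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if tok and tok[0] == 'config':
            secs.append({'type': tok[1], 'opt': {}, 'list': {}})
        elif len(tok) > 2 and secs and tok[0] == 'option':
            secs[-1]['opt'][tok[1]] = tok[2]
        elif len(tok) > 2 and secs and tok[0] == 'list':
            secs[-1]['list'].setdefault(tok[1], []).append(tok[2])
    return secs

def check_bridge_vlans(text, trunk='wan'):
    """Return a list of problems; an empty list means the layout is consistent."""
    secs = parse_uci(text)
    bridges = {s['opt'].get('name'): s['list'].get('ports', [])
               for s in secs if s['type'] == 'device' and s['opt'].get('type') == 'bridge'}
    ifaces = {s['opt'].get('device') for s in secs if s['type'] == 'interface'}
    pvid, problems = {}, []  # pvid maps a port to the single VLAN it is 'u*' in
    for s in (x for x in secs if x['type'] == 'bridge-vlan'):
        br, vid = s['opt'].get('device'), s['opt'].get('vlan')
        if br not in bridges:
            problems.append(f"vlan {vid}: device {br!r} is not a bridge (use 'br-lan', not 'br-lan.N')")
            continue
        ports = []
        for entry in s['list'].get('ports', []):
            port, _, flags = entry.partition(':')  # no suffix or ':t' = tagged, 'u*' = untagged + PVID
            ports.append(port)
            if port not in bridges[br]:
                problems.append(f"vlan {vid}: port {port!r} is not a member of {br}")
            if 'u' in flags and '*' in flags and pvid.setdefault(port, vid) != vid:
                problems.append(f"port {port!r} is untagged+PVID in vlans {pvid[port]} and {vid}")
        if trunk not in ports:
            problems.append(f"vlan {vid}: trunk {trunk!r} does not carry it (add '{trunk}:t')")
        if f"{br}.{vid}" not in ifaces:
            problems.append(f"vlan {vid}: no interface uses {br}.{vid}")
    return problems
```

Feed it the output of cat /etc/config/network before restarting the network; it only checks the AP side, not the switch or pfSense.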

Ok, I'll get it done, and report back.

This is because I disabled the wired ports, so they don't give IPs or anything, but when I get the vlans ready, I'm thinking of adding an "isolated" vlan, adding those ports there, and then logging if anyone connects to the ports.

sure... we can remove those ports later. Let's implement as I have suggested for the moment, and once that is working we can adjust if desired.

Shouldn't this be

config bridge-vlan
        option device 'br-lan.1'

config bridge-vlan
        option device 'br-lan.7'

???

Nope. You're using DSA syntax now... the bridge-vlan statements I suggested are the correct syntax.

P.S. For your reading:

I do have internet connection, I can ping everyone on lan and every vlan. But I can't see the AP in the network nor log into the webadmin page. If I change the ports I don't get a vlan7 IP address, only IP I get is from LAN.

I'm going to reset the AP, to gain access to it.

Looking at the older configs, I think we missed the "eth0" port. I'm switching the uplink to ports 1/2 but I still can't see nor ping the AP.

eth0 may not exist -- it wasn't in the default config after you upgraded.

Try using failsafe mode to regain access without resetting (for now)... let's see the config files as they exist now:

Sorry... Got a few VC, then helping the mrs... But thanks for all your help... it's working now, I think we forgot to stop the firewall... I did a reset, loaded the config, then just before rebooting I stopped the firewall, dnsmasq and odhcpd services... And it's up and running.

VLAN's are working as expected.

My follow-up questions would be... How do I move the lan ports to an isolated VLAN (99) and how do I keep adding more vlans for wireless SSIDs (guests and users)???