Vlan on Asus Onhub No Internet

I have been using multiple Asus Onhubs as mesh devices setup using Openwrt after Google discontinued support but not happy with speed finally decided to move Omada 670 AP but still want to use Onhub as the router with wifi in standalone mode no mesh and boost the wifi singal using Omada AP.

My issue is that I am trying to setup VLANS using the Interfaces->Network->Switch and was able to successfully setup Guest and IOT vlans but the guest vlan is unable to use the internet.

Then I looked at OneMarcFifty's video here : https://www.youtube.com/watch?v=qeuZqRqH-ug but the issue is unlike his example Onhub has only one Lan port in addition to a wan port so I don't have a fallback port where I can keep the vlan untagged for admin.

Can someone guide me how I can safely setup a couple of vlans for Onhub?

I can provide the config I used for my first approach which I used without using br-lab Enable Vlan Filtering which works to the extent that I am able to get IP's in the correct subnets but the Guest does not get the internet.
It's possible that the approach I took is wrong and may be I do need to use the option Enable Vlan Filtering.

Note: I also installed adguard home on the openwrt

Please help as I don't want to throw away the Onhub and create more e-waste

Would appreciate any help!!!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "ASUS OnHub",
        "board_name": "asus,onhub",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ipq806x/chromium",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf9:a8cc:8990::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth0.2'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 1'
        option vid '1'
        option description 'lan'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 2'
        option vid '2'
        option description 'wan'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth1'
        list ports 'eth1.4'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth1'
        list ports 'eth1.3'

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'br-guest'

config interface 'iot'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'br-iot'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '6t 1t'
        option description 'guest'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '6t 1t'
        option vid '4'
        option description 'iot'


root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option disabled '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'soc/1b900000.pci/pci0002:00/0002:00:00.0/0002:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'LAN_SSID'
        option encryption 'sae-mixed'
        option key '****'
        option wpa_disable_eapol_key_retries '1'
        option network 'lan'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IOT'
        option encryption 'sae-mixed'
        option key '****'
        option wpa_disable_eapol_key_retries '1'
        option network 'iot'
        option disabled '1'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guests'
        option encryption 'sae-mixed'
        option key '*****'
        option wpa_disable_eapol_key_retries '1'
        option network 'guest'
        option disabled '1'
        option isolate '1'


root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '54'
        list server '192.168.1.1'
        option nohosts '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.1'
        list dhcp_option '3,192.168.1.1'
        option dns_service '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option name 'guest'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'lan'
        option dest 'iot'

config rule
        option name 'Guest DHCP & DNS'
        option src 'guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

There are many errors in the /etc/config/network configuration. In order to understand the way it should be, I need to see the default configuration.

Please make a backup and then reset to defaults. Post the default network config file and we can help you from there.

Thank you so much for helping.

Below is the default network config after reset

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdaf:93cb:d680::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth0.2'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '2 0t'

Sorry for the delay in my response...

There are some really unusual things in this config -- specifically the two bridges. It's extremely rare to see the wan bridged, but also in both cases we see effectively 2 vlans bridged, as well.

So, I'll make some recommendations for changes to do first (to straighten this out), and then if that works, continue with the rest.

Remove the list ports 'eth1' line from below:

Delete this entire bridge:

Change br-wan to eth0.2 for both wan and wan6.

Reboot and test. If all is still okay, we'll do the following:

Add these switch config stanzas (same as you had before):

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '6t 1t'
        option description 'guest'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '6t 1t'
        option vid '4'
        option description 'iot'

Then create bridges for these networks (a bit different than before)

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth1.4'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth1.3'

And now your networks (same as before):

config interface 'guest'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'br-guest'

config interface 'iot'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'br-iot'

In your DHCP file, add the DHCP servers as you had previously, but don't make any of the other changes that we saw before -- keep this file as default but just adding the following:

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'

And now you can add the following to your firewall (again, same as you had previously):

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option name 'guest'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'lan'
        option dest 'iot'

config rule
        option name 'Guest DHCP & DNS'
        option src 'guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

Finally, you can create SSIDs and tie them against each of the networks. Don't use sae-mixed (WPA2/WPA3 mixed mode) -- use either WPA2 or WPA3, but avoid mixed mode because a lot of devices just don't work well with it. For now, don't add any other options to the wireless network config. Reboot and test.

If it doesn't work, post the updated config for review.

Thank you for helping me out.

I will try this out and come back but could you also confirm the br-lan that is now using eth1.1 will be accessible via the PC using the cable?

Just confirming since I don't see any untagged ports config u*

if not, you can always press the reset button

Everything is working as expected now!!!

Really appreciate all the help from you.

Vlans on openwrt could be tricky to navigate as there are multiple ways to do it. Just wish there was a better documentation available

Regards