VLAN settings problems in OpenWrt running on a Ubiquiti AC Pro

Hi everyone,

I'm hitting a wall trying to set up a UniFi AP AC Pro running OpenWrt 25 as a Dumb AP with isolated SSIDs for my LAN, IoT, and Guest networks.

The Problem: My management network (VLAN 10) works flawlessly. I can SSH into the AP at its static IP. However, when wireless clients connect to the openwrt-iot or openwrt-guest SSIDs, they fail to get their isolated IPs from the firewall. Instead, they get dumped straight into the main Management network subnet (VLAN 10) and pull a management IP address. It seems like OpenWrt is ignoring or stripping the VLAN tags at the bridge layer.

My Network Topology:

  • Firewall: OPNsense handling all routing, inter-VLAN blocking, and DHCP pools for VLAN 10, 20, and 30.
  • Switch: HP ProCurve managed switch. The AP is plugged into Port 21, which is configured as:
    • VLAN 10: Untagged (Native/PVID)
    • VLAN 20: Tagged
    • VLAN 30: Tagged
  • Uplink: The trunk port from the HP switch to the OPNsense box also tags 20 and 30, and untags 10.

My /etc/config/network Configuration:

# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'

config globals 'globals'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'

config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '192.168.55.7'
option netmask '255.255.255.0'
option gateway '192.168.55.1'
option dns '192.168.55.1'

config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'eth0.1:u*'
list ports 'local:u*'

config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'eth0.1:t'
list ports 'local:t'

config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'eth0.1:t'
list ports 'local:t'

config interface 'iot'
option proto 'none'
option device 'br-lan.20'
option multipath 'off'

config interface 'guest'
option proto 'none'
option device 'br-lan.30'
option multipath 'off'

My /etc/config/wireless Configuration:

# cat /etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option channel '36'
option htmode 'VHT80'
option country 'CA'
option cell_density '0'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt-lan'
option encryption 'psk2'
option key '***'

config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option band '2g'
option channel '1'
option htmode 'HT20'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
option disabled '1'

config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt-iot'
option encryption 'psk2'
option network 'lan'
option vlan '20'
option key '***'

config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt-guest'
option encryption 'psk2'
option network 'lan'
option vlan '30'
option key '***'

What I've Done So Far:

  1. Hard factory reset (firstboot) to clear old legacy swconfig remnants.
  2. Disabled local DHCP (dnsmasq) and the firewall service so that the AP behaves purely as a transparent bridge.
  3. Attempted the alternative method of option network 'lan' + option vlan '20' inside the wireless configuration, but the clients still get a VLAN 10 management IP address.

Is there a known issue with ath79 targets or the UniFi AC Pro's internal hardware bridge where wireless interfaces fail to attach cleanly to software-defined filtering sub-interfaces (br-lan.20)? What am I missing to force the AP to egress these wireless frames with explicit 802.1Q tags to the HP switch?

Appreciate any insights!

There are tons of errors here. You've mixed swconfig and DSA/bridge-VLANs (the two methods are generally mutually exclusive, ath79 is still swconfig based), and the wireless config doesn't have the concept of VLANs (these are instead handled by the network field).

The fastest way to get where you want to go is to reset to defaults. Once that is done, add the following to the network file:

config device
    option name 'br-iot'
    option type 'bridge'
    list ports 'eth0.20'

config device
    option name 'br-guest'
    option type 'bridge'
    list ports 'eth0.30'

config interface 'iot'
    option proto 'none'
    option device 'br-iot'

config interface 'guest'
    option proto 'none'
    option device 'br-guest'

Then you'll create your new SSIDs to use the network guest or iot. For example:

config wifi-iface 'wifinet2'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt-iot'
    option encryption 'psk2'
    option network 'iot'
    option key '***'

Obviously follow that same method for the other SSID stanzas.

Assuming the upstream is configured properly, this should work without issue once you've reset to defaults and made the changes I've suggested here.

Thank you so much for your reply. I'll give it a try after I get back to my openwrt box again Saturday.

Great. Let us know how it goes.

Also, it should go without saying that after the reset you also need to set the LAN IP on the device again and turn off the DHCP server by adding the ignore option.

That's right. I've done that part a few times already. Lol

I'm not sure if I got it right. Here is the updated network config. I did a factory reset and then added the recommended block. An Android device connected to OpenWrt-iot or OpenWrt-guest still couldn't get an IP.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
   option device 'lo'
   option proto 'static'
   list ipaddr '127.0.0.1/8'

config globals 'globals'
   option dhcp_default_duid '0004ce23500440d1414fb79799a336da6535'
   option ula_prefix 'fd36:51b6:7e48::/48'

config device
   option name 'br-lan'
   option type 'bridge'
   list ports 'eth0.1'

config device
   option name 'br-iot'
   option type 'bridge'
   list ports 'eth0.20'

config device
   option name 'br-guest'
   option type 'bridge'
   list ports 'eth0.30'

config interface 'lan'
   option device 'br-lan'
   option proto 'static'
   option ipaddr '192.168.55.7'
   option netmask '255.255.255.0'
       option gateway '192.168.55.1'
       option dns '192.168.55.1'

config interface 'iot'
   option proto 'none'
   option device 'br-iot'

config interface 'guest'
   option proto 'none'
   option device 'br-guest'

config switch
   option name 'switch0'
   option reset '1'
   option enable_vlan '1'

config switch_vlan
   option device 'switch0'
   option vlan '1'
   option ports '2 3 0t'

Here is the wireless.

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
   option type 'mac80211'
   option path 'pci0000:00/0000:00:00.0'
   option band '5g'
   option channel '36'
   option htmode 'VHT80'
   option country 'CA'
   option cell_density '0'

config wifi-iface 'default_radio0'
   option device 'radio0'
   option network 'lan'
   option mode 'ap'
   option ssid 'OpenWrt-lan'
   option encryption 'psk2'
   option key '***'

config wifi-device 'radio1'
   option type 'mac80211'
   option path 'platform/ahb/18100000.wmac'
   option band '2g'
   option channel '1'
   option htmode 'HT20'
   option country 'CA'
   option cell_density '0'

config wifi-iface 'default_radio1'
   option device 'radio1'
   option network 'guest'
   option mode 'ap'
   option ssid 'OpenWrt-guest'
   option encryption 'psk2'
   option key '***'

config wifi-iface 'wifinet2'
   option device 'radio0'
   option mode 'ap'
   option ssid 'OpenWrt-iot'
   option encryption 'psk2'
   option key '***'
   option network 'iot'

config wifi-iface 'wifinet3'
   option device 'radio0'
   option mode 'ap'
   option ssid 'OpenWrt-guest'
   option encryption 'psk2'
   option key '***'
   option network 'guest'

I forgot about the switch...

What you have looks good, but you need to add this (to /etc/config/network):

config switch_vlan
   option device 'switch0'
   option vlan '20'
   option ports '2t 0t'

config switch_vlan
   option device 'switch0'
   option vlan '30'
   option ports '2t 0t'

Reboot and test again.

Thank you so much Peter! It works!

Just want to understand something deeper. Why wouldn't the following work on its own?

config device
   option name 'br-lan'
   option type 'bridge'
   list ports 'eth0.10'

With these swconfig devices you need a config switch_vlan stanza for each VLAN, in which you tag packets for the CPU (port 0) and set the (access/real physical) ports as tagged or untagged.

Second, you need a device for each of these defined VLANs. See this default example. The device references the VLAN by its name.

And then, optionally, you need an (IP) interface. You could also use protocol 'none' if no addresses are needed, as with a dumb AP.

Hope it helps to clarify.

Edit/PS: Again, this is the case for (legacy) devices which still use swconfig rather than DSA to configure the switch hardware/NIC.

Thank you so much. That's clear now.

I've tried to get help from Gemini, Xlaude, and Grok and none of them could get this AC Pro work with vlans.

That is not a surprise. That's why we constantly advise that people don't even attempt to use AI for OpenWrt.

Glad it's working now.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Though I’ve marked the issue as solved and everything is working now, I still want to paste my settings here in case Peter or any other guru notices something I could improve — or so it can serve as a reference for future folks.

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '0004ce23500440d1414fb79799a336da6535'
	option ula_prefix 'fd36:51b6:7e48::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.10'

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.20'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.30'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.55.7'
	option netmask '255.255.255.0'
	option gateway '192.168.55.1'
	option dns '192.168.55.1'

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

config interface 'guest'
	option proto 'none'
	option device 'br-guest'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3'
	option vid '10'
	option description 'lan'

config switch_vlan
	option device 'switch0'
	option vlan '20'
	option ports '0t 2t'
	option vid '20'
	option description 'iot'

config switch_vlan
	option device 'switch0'
	option vlan '30'
	option ports '0t 2t'
	option vid '30'
	option description 'guest'

Here is the wireless.

# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option country 'CA'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt-lan'
	option encryption 'psk2'
	option key '***'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option channel '1'
	option htmode 'HT20'
	option country 'CA'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ssid 'OpenWrt-guest'
	option encryption 'psk2'
	option key '***'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt-iot'
	option encryption 'psk2'
	option key '***'
	option network 'iot'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt-guest'
	option encryption 'psk2'
	option key '***'
	option network 'guest'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt-lan'
	option encryption 'psk2'
	option key '***'
	option network 'lan'

Thank you folks for the help and attention.