I'm trying to get a pair of GL.iNet GL-MT6000 routers set up for my home network using VLANs. I know enough to be dangerous but am by no means an expert. Any help would be greatly appreciated.
My setup sort of works, but some devices are failing to communicate reliably. The network is alive, but not working well. Internet access is available, but I have constant intermittent issues in performance and connectivity that often resolve with a simple "retry". Often connections (file transfers, other network traffic, etc.) just arbitrarily time out and then weirdly just work when retried. When testing with iperf3, tests between devices and MainRouter seem to work fine and saturate the expected bandwidth.
I noticed I have issues in brctl where the same MAC appears multiple times (see output attached below).
Network Hardware summary:
Hardware setup is 2 x GL.iNet GL-MT6000 running OpenWrt v24
MainRouter
- Handles all DNS/DHCP
- Connects to internet via WAN port
- Trunked to DumbAP on lan1 port
- Handles incoming firewall and port forwarding rules
- Has lan/guest/iot wireless networks
- Has lan/guest/iot firewall zones
DumbAP
- Trunked to MainRouter on WAN port (eth1)
- Has same lan/guest/iot wireless networks as MainRouter
- Has same lan/guest/iot firewall zones as MainRouter
#########################################################
#NOTE: This is a build for GL-MT6000 based on roughly OpenWRT 24.10.3
#########################################################
# cat /etc/os-release
NAME="OpenWrt"
VERSION="SNAPSHOT"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt SNAPSHOT"
VERSION_ID="snapshot"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
FIRMWARE_URL="https://downloads.openwrt.org/"
BUILD_ID="r31571-3ac023616f"
OPENWRT_BOARD="mediatek/filogic"
OPENWRT_ARCH="aarch64_cortex-a53"
OPENWRT_TAINTS="busybox"
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt SNAPSHOT r31571-3ac023616f"
OPENWRT_BUILD_DATE="1756923424"
My wish list:
- Don't need/want IPv6 on the internal network, so disabling it to simplify things
- Wanted the 192.168.1.0/24 network to exist on VLAN 1 across both MainRouter and DumbAP because I'm a simple person and the previous non-VLAN setup was done that way, to minimize IP address rearranging and the associated brain tax
See here for GL-MT6000 port layout:
Output of brctl showing duplicate MACs
root@OpenWrt-Office:~# brctl showmacs br-lan | ./anonymize-macs.sh
port no mac addr is local? ageing timer
...[snippet]...
12 --:MA:SK:ED:--:11 no 3.03
8 --:MA:SK:ED:--:12 no 4.25
14 --:MA:SK:ED:--:13 yes 0.00
14 --:MA:SK:ED:--:13 yes 0.00
10 --:MA:SK:ED:--:14 yes 0.00
10 --:MA:SK:ED:--:14 yes 0.00
1 --:MA:SK:ED:--:15 no 0.57
1 --:MA:SK:ED:--:16 yes 0.00
1 --:MA:SK:ED:--:16 yes 0.00
2 --:MA:SK:ED:--:17 yes 0.00
2 --:MA:SK:ED:--:17 yes 0.00
7 --:MA:SK:ED:--:18 yes 0.00
7 --:MA:SK:ED:--:18 yes 0.00
8 --:MA:SK:ED:--:19 yes 0.00 <------ HERE
8 --:MA:SK:ED:--:19 yes 0.00 <------ HERE
13 --:MA:SK:ED:--:1a yes 0.00 <------ HERE
13 --:MA:SK:ED:--:1a yes 0.00 <------ HERE
9 --:MA:SK:ED:--:1b yes 0.00 <------ HERE
9 --:MA:SK:ED:--:1b yes 0.00 <------ HERE ...etc
16 --:MA:SK:ED:--:1c yes 0.00
16 --:MA:SK:ED:--:1c yes 0.00
12 --:MA:SK:ED:--:1d yes 0.00
12 --:MA:SK:ED:--:1d yes 0.00
15 --:MA:SK:ED:--:1e yes 0.00
15 --:MA:SK:ED:--:1e yes 0.00
11 --:MA:SK:ED:--:1f yes 0.00
11 --:MA:SK:ED:--:1f yes 0.00
4 --:MA:SK:ED:--:20 no 0.57
1 --:MA:SK:ED:--:21 no 0.33
16 --:MA:SK:ED:--:22 no 62.85
2 --:MA:SK:ED:--:23 no 0.00
...[snippet]...
MainRouter /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'
config globals 'globals'
option ula_prefix 'aaaa:aaaa:aaaa::/48'
option packet_steering '0'
config device #wan1 to internet
option name 'eth1'
option macaddr 'AA:BB:CC:DD:EE:FF'
option ipv6 '0'
config device #lan1 acting as trunk
option name 'lan1'
config device
option name 'lan2'
config device
option name 'lan3'
config device
option name 'lan4'
config device
option name 'lan5'
config device #device bridge
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config bridge-vlan #VLAN=1
option device 'br-lan'
option vlan '1'
option local '1'
list ports 'lan1:t'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
list ports 'lan5:u*'
config bridge-vlan #VLAN=20
option device 'br-lan'
option vlan '20'
option local '1'
list ports 'lan1:t'
config bridge-vlan #VLAN=30
option device 'br-lan'
option vlan '30'
option local '1'
list ports 'lan1:t'
config bridge-vlan #VLAN Trunk
option device 'br-lan'
option vlan '999'
option local '0'
list ports 'lan1:u*'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
list ipaddr '192.168.1.1/24'
config interface 'guest'
option device 'br-lan.20'
option proto 'static'
list ipaddr '10.10.20.1/24'
config interface 'iot'
option device 'br-lan.30'
option proto 'static'
list ipaddr '10.10.30.1/24'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
option reqaddress 'none'
option reqprefix 'auto'
option norelease '1'
option disabled '1'
DumbAP /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'
config globals 'globals'
option ula_prefix 'bbbb:bbbb:bbbb::/48'
option packet_steering '0'
config device #original WAN acting as upstream trunk
option name 'eth1'
option macaddr 'BB:CC:DD:EE:FF:AA'
option ipv6 '0'
config device
option name 'lan1'
config device
option name 'lan2'
config device
option name 'lan3'
config device
option name 'lan4'
config device
option name 'lan5'
config device #device bridge
option name 'br-lan'
option type 'bridge'
list ports 'eth1' #include upstream trunk on this bridge
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config bridge-vlan #VLAN=1
option device 'br-lan'
option vlan '1'
option local '1'
list ports 'eth1:t'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
list ports 'lan5:u*'
config bridge-vlan #VLAN=20
option device 'br-lan'
option vlan '20'
option local '1'
list ports 'eth1:t'
config bridge-vlan #VLAN=30
option device 'br-lan'
option vlan '30'
option local '1'
list ports 'eth1:t'
config bridge-vlan #VLAN Trunk
option device 'br-lan'
option vlan '999'
option local '0'
list ports 'eth1:u*'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
list ipaddr '192.168.1.2/24'
option gateway '192.168.1.1'
list dns '192.168.1.1'
config interface 'guest'
option device 'br-lan.20'
option proto 'static'
list ipaddr '10.10.20.2/24'
option gateway '10.10.20.1'
list dns '10.10.20.1'
config interface 'iot'
option device 'br-lan.30'
option proto 'static'
list ipaddr '10.10.30.2/24'
option gateway '10.10.30.1'
list dns '10.10.30.1'
Remove the local lines from all of the bridge-vlan statements on both devices.
On the ap, change the guest and iot networks to unmanaged.
Change the above to:
config interface 'guest'
option device 'br-lan.20'
option proto 'none'
config interface 'iot'
option device 'br-lan.30'
option proto 'none'
Let’s see your other config files (firewall, dhcp, wireless) from both devices.
I'll work on the vlan local tweak here shortly.
OK, what about the trunk? I thought adding the trunk to non-local was supposed to prevent VLAN hopping and improve security? The exact link where I found this escapes me right now, but I thought it was in the OpenWrt docs somewhere.
In every config I have done myself or assisted, I always recommend omitting the line altogether. No security issues.
Every time I've had issues with VLANs and OpenWrt, it's been when I've forgotten to turn off the firewall, dnsmasq and the IPv6 version of that on the dumb AP.
I disable DHCP/DNS in a startup script on the DumbAP
#Disable dnsmasq on Dumb AP in Office ONLY!!
service dnsmasq stop
service dnsmasq disable
#Disable DHCP on Dumb AP in Office ONLY!!
service odhcpd stop
service odhcpd disable
but not the firewall. I wouldn't anticipate that's causing my intermittent issues, as it's either on or off; it shouldn't sometimes work.
This is not the recommended method. It is fine to disable the services, but it is still critical to configure the services such that they are disabled by means of the configs themselves because they can become re-enabled in certain scenarios.
Please share the remainder of the configs from both devices as requested.
Got it.
Working on posting the other configs - have to redact a few things in them.
MainRouter
/etc/config/firewall
(I removed some external port forwards for privacy)
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
option limit '10/second'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option limit '1000/sec'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'guest'
config zone
option name 'iot'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'iot'
config forwarding
option src 'lan'
option dest 'guest'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'guest'
option dest 'wan'
config forwarding
option src 'iot'
option dest 'wan'
config rule
option src 'guest'
option name 'zone-guest-Allow-DHCP-DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option src 'iot'
option name 'zone-iot-Allow-DHCP-DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'zone-guest-Allow-Ping'
option src 'guest'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
option limit '10/second'
list dest_ip '10.10.20.1'
config rule
option name 'zone-iot-Allow-Ping'
option src 'iot'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
option limit '10/second'
list dest_ip '10.10.30.1'
/etc/config/wireless:
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option band '2g'
option channel 'auto'
option htmode 'HE20'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option wpa_disable_eapol_key_retries '1'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option band '5g'
option channel 'auto'
option htmode 'HE80'
option cell_density '0'
option itxbfen '1'
option background_radar '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option dtim_period '3'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'guest'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'guest'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet5'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'iot'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet6'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'iot'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet7'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'iot'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet8'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'iot'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet9'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'lan'
option dtim_period '3'
config wifi-iface 'wifinet10'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option hidden '1'
option key 'REDACTED'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'lan'
option dtim_period '3'
/etc/config/dhcp:
I removed the cnames and static leases, etc.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option domain 'lan'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option sequential_ip '1'
option allservers '1'
list server '/*.lan/192.168.1.1'
list server '/*.local/192.168.1.1'
list server '/*.internal/192.168.1.1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '9h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option force '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain
option name 'router.lan'
option ip '192.168.1.1'
config domain
option name 'router2.lan'
option ip '192.168.1.2'
config dhcp 'guest'
option interface 'guest'
option start '10'
option limit '240'
option leasetime '2h'
config dhcp 'iot'
option interface 'iot'
option start '100'
option limit '150'
option leasetime '6h'
DumbAP
/etc/config/firewall
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config zone
option name 'guest'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'guest'
config zone
option name 'iot'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'iot'
config forwarding
option src 'lan'
option dest 'guest'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'guest'
option dest 'wan'
config forwarding
option src 'iot'
option dest 'wan'
/etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option band '2g'
option channel 'auto'
option htmode 'HE20'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option band '5g'
option channel 'auto'
option htmode 'HE80'
option cell_density '0'
option itxbfen '1'
option background_radar '1'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'guest'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'lan'
option dtim_period '3'
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'guest'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet5'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'iot'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet6'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'iot'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet7'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'iot'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet8'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option network 'iot'
option ieee80211r '1'
option mobility_domain 'REDACTED'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option dtim_period '3'
config wifi-iface 'wifinet9'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'lan'
option dtim_period '3'
config wifi-iface 'wifinet10'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
option ieee80211r '1'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'lan'
option dtim_period '3'
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option logdhcp '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
Remove all of this from the bridged AP:
And on the wireless — both devices — remove all of the 802.11r fast roaming related configs entirely.
Will do
I updated the network config for the VLAN changes as described in your initial post and rebooted both routers. I still see dups in brctl showmacs br-lan but haven't tested beyond that.
I'll make the changes to firewall and wireless here shortly.
Sorry for the dumb question, but don't I still need the guest and iot zones on the DumbAP to segregate that traffic from lan, or is that handled transparently by MainRouter?
How does the MainRouter firewall keep track that traffic is from guest/iot on the DumbAP and prevent it reaching lan? Is it assumed because the traffic comes across the trunk from the guest/iot VLAN (br-lan.20 or br-lan.30) instead of from zones?
The bridged AP performs simple bridging of Ethernet to WiFi on a per-VLAN basis. No routing.
All routing is handled on the main router.
The main router has network interfaces for each network and firewall rules to govern the allowed routing between them. Each interface is connected to a device using the 802.1q VLANs to keep the flows separated and accounted for.
psherman knows loads more than me on this stuff, but if you want a good intro to a load of the principles behind this stuff and why I turn off the firewall on my dumb APs, I'd recommend these two videos in order…
OneMarcFifty - YouTube - Configure Openwrt Firewall
Followed by - OneMarcFifty - YouTube - extend vLANs to dumb AP
Warning - this shows stuff on an older version of OpenWrt where some options have clearly changed, but I found his explanations really useful.
Yeah, I don't get the intermittent issues, but that's how it presented with me in the past, and disabling the firewalls on the dumb APs alone fixed a lot of problems for me.
The firewall on the ap should be largely passive since it isn’t routing any traffic. It should not be the cause of intermittent issues unless there are other misconfigurations.
OK, I made all the changes suggested so far, but still see similar issues: some transfers between two of the computers are stalling but then sometimes working.
Should there be any duplicate MACs when running this:
brctl showmacs br-lan | sort | uniq -d
I still have some:
~# brctl showmacs br-lan | sort | uniq -d | ./anonymize-macs.sh
2 --:MA:SK:ED:--:01 yes 0.00
7 --:MA:SK:ED:--:02 yes 0.00
8 --:MA:SK:ED:--:03 yes 0.00
9 --:MA:SK:ED:--:04 yes 0.00
10 --:MA:SK:ED:--:05 yes 0.00
FYI - my ./anonymize-macs.sh script just masks all instances of the same MAC with the same masked name.
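As an added check for the duplicate-MAC question above (example code written for this thread, not from any post, from OpenWrt or from brctl; the sample output is constructed in the masked format shown): `uniq -d` only reports byte-identical lines, so it finds repeats on one port but would miss the same MAC appearing behind two different ports. This script keys on the MAC instead and separates the two cases.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `brctl showmacs br-lan`. The masked MACs
# are placeholders. The last two rows add one learned (non-local) address seen
# behind two different ports, a case the posted output did not contain.
SAMPLE = """\
port no mac addr                is local?       ageing timer
  12   --:MA:SK:ED:--:11       no                 3.03
   8   --:MA:SK:ED:--:12       no                 4.25
  14   --:MA:SK:ED:--:13       yes                0.00
  14   --:MA:SK:ED:--:13       yes                0.00
   8   --:MA:SK:ED:--:19       yes                0.00
   8   --:MA:SK:ED:--:19       yes                0.00
  16   --:MA:SK:ED:--:22       no                62.85
   4   --:MA:SK:ED:--:22       no                 0.12
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(yes|no)\s+([\d.]+)\s*$")


def parse_showmacs(text):
    """Return (port, mac, is_local, ageing) tuples; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(),
                         m.group(3) == "yes", float(m.group(4))))
    return rows


def classify_duplicates(rows):
    """Split MACs listed more than once into two dicts.

    same_port: mac -> (port, is_local). All repeats sit on one port. On a bridge
      with VLAN filtering the kernel keeps one FDB entry per VLAN and brctl prints
      no VLAN column, so these rows are one address seen in several VLANs, not a
      conflict. `bridge fdb show br br-lan` prints the vlan and disambiguates.
    multi_port: mac -> sorted ports. One address reachable behind two or more
      ports. For learned entries this is MAC flapping (a loop, or a station with
      two paths into the bridge) and is the kind of duplicate worth chasing.
    """
    by_mac = defaultdict(list)
    for port, mac, is_local, _ageing in rows:
        by_mac[mac].append((port, is_local))
    same_port, multi_port = {}, {}
    for mac, hits in by_mac.items():
        if len(hits) < 2:
            continue
        ports = sorted({p for p, _ in hits})
        if len(ports) == 1:
            same_port[mac] = (ports[0], any(local for _, local in hits))
        else:
            multi_port[mac] = ports
    return same_port, multi_port


def report(text):
    """Human-readable summary of classify_duplicates() for one brctl dump."""
    same_port, multi_port = classify_duplicates(parse_showmacs(text))
    lines = []
    for mac, (port, local) in sorted(same_port.items()):
        kind = "local" if local else "learned"
        lines.append(f"{mac}: repeated on port {port} only ({kind}); expected with VLAN filtering")
    for mac, ports in sorted(multi_port.items()):
        lines.append(f"{mac}: seen on ports {ports}; investigate (flapping)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it real output with `brctl showmacs br-lan | python3 this_script.py` after swapping `SAMPLE` for `sys.stdin.read()`; only the multi_port group needs attention.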
Using my memory, which is sadly lacking, I think the main issue was I didn't set up the firewall with all the same rules, or even include all the zones, on the dumb APs, which led to various things then getting blocked. The intermittent side of it might have just been me not registering what was broken until I tried to access something that was then blocked by the firewall on whichever AP I was then using for access. A heady mix of tardiness, poor time management and incompetence often leads to a cluster. Still, keeps things interesting.
This could be causing problems. Why do you think this is necessary?