Hello all,
I'm redoing my network at the moment but I ran into something strange.
Connected devices to a certain SSID/VLAN are not getting IP addresses served.
The SSID is however associated to the correct VLAN interface.
Changing the VLAN interface on that SSID to another VLAN interface is working.
In fact, some are, some aren't.
Even if I clone a working a VLAN/SSID setup and only change the name, it's not working anymore.
Btw, wired is everything working as expected.
I use a router (no wireless enabled) and several dump AP's connected to it. All running OpenWrt 24.10.1.
Does someone have any idea?
Thanks in advance.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
Let's start by reviewing your config from your router. Then we can look downstream.
System:
{
"kernel": "6.6.86",
"hostname": "Router",
"system": "ARMv8 Processor rev 3",
"model": "Raspberry Pi 4 Model B Rev 1.2",
"board_name": "raspberrypi,4-model-b",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.1",
"revision": "r28597-0425664679",
"target": "bcm27xx/bcm2711",
"description": "OpenWrt 24.10.1 r28597-0425664679",
"builddate": "1744562312"
}
}
Network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd2e:97d5:75b::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
config interface 'WAN'
option proto 'dhcp'
option device 'eth0.20'
option hostname '*'
option peerdns '0'
config interface 'LAN'
option proto 'static'
option device 'br-lan.999'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
list dns '192.168.0.68'
list dns '192.168.0.70'
list dns '192.168.0.72'
config interface 'WAN6'
option proto 'dhcpv6'
option device 'eth0.20'
option reqaddress 'try'
option reqprefix 'auto'
option norelease '1'
config device
option type '8021q'
option ifname 'eth0'
option vid '20'
option name 'eth0.20'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'eth1:t'
config interface 'VLAN10_GUEST'
option proto 'static'
option device 'br-lan.10'
option ipaddr '10.0.10.1'
option netmask '255.255.255.0'
config device
option type '8021q'
option ifname 'br-lan'
option vid '20'
option name 'br-lan.20'
config interface 'VLAN20_MEDIA'
option proto 'static'
option device 'br-lan.20'
option ipaddr '10.0.20.1'
option netmask '255.255.255.0'
config interface 'VLAN30_IOT'
option proto 'static'
option device 'br-lan.30'
option ipaddr '10.0.30.1'
option netmask '255.255.255.0'
config interface 'VLAN100_DMZ'
option proto 'static'
option device 'br-lan.100'
option ipaddr '10.0.100.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '86'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '100'
list ports 'eth1:t'
config bridge-vlan
option device 'br-lan'
option vlan '999'
list ports 'eth1:t*'
config interface 'VLAN86_MGMT'
option proto 'static'
option device 'br-lan.86'
option ipaddr '10.0.86.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '5'
list ports 'eth1:t'
config device
option name 'br-lan.86'
option type '8021q'
option ifname 'br-lan'
option vid '86'
DHCP:
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'LAN'
option interface 'LAN'
option start '11'
option limit '150'
option leasetime '12h'
list dhcp_option '6,192.168.0.68,192.168.0.70,192.168.0.72'
CONFIG HOSTS REDACTED
config dhcp 'VLAN10_GUEST'
option interface 'VLAN10_GUEST'
option start '11'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN20_MEDIA'
option interface 'VLAN20_MEDIA'
option start '11'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN30_IOT'
option interface 'VLAN30_IOT'
option start '11'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN100_DMZ'
option interface 'VLAN100_DMZ'
option start '11'
option limit '150'
option leasetime '12h'
config dhcp 'VLAN86_MGMT'
option interface 'VLAN86_MGMT'
option start '11'
option limit '150'
option leasetime '12h'
list dhcp_option '6,192.168.0.70'
CONFIG HOSTS REDACTED
Firewall:
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'LAN'
list network 'WireGuard0'
list device 'tun+'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'WAN'
list network 'WAN6'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'VLAN100_DMZZone'
option target 'DNAT'
option name 'npm-http'
option src 'wan'
option src_dport '80'
option dest_ip '10.0.100.2'
option dest_port '80'
list reflection_zone 'lan'
list reflection_zone 'VLAN86_MgmtZone'
config redirect
option target 'DNAT'
option name 'npm-https'
option src 'wan'
option src_dport '443'
option dest_ip '10.0.100.2'
option dest_port '443'
option dest 'VLAN100_DMZZone'
list reflection_zone 'lan'
list reflection_zone 'VLAN86_MgmtZone'
config zone
option name 'VLAN10_GuestZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'VLAN10_GUEST'
config forwarding
option src 'VLAN10_GuestZone'
option dest 'wan'
config rule
option src 'VLAN10_GuestZone'
option name 'VLAN10_GUEST: Allow DHCP & DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option src 'VLAN200_MEDIA'
option name 'VLAN200_MEDIA: Allow DHCP & DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option src 'VLAN20_MediaZone'
option name 'VLAN20_MEDIA: Allow DHCP & DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option src 'VLAN20_MediaZone'
option dest 'wan'
option name 'VLAN20_MEDIA: Allow NTP'
option dest_port '123'
option target 'ACCEPT'
list proto 'udp'
config rule
option src 'VLAN20_MediaZone'
option dest 'wan'
option name 'VLAN20_MEDIA: Allow storage01 to WAN'
list src_ip '10.0.20.100'
option target 'ACCEPT'
config rule
option src 'VLAN30_IoTZone'
option name 'VLAN30_IOT: Allow DHCP & DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option src 'VLAN86_MgmtZone'
option name 'VLAN86_MGMT: Allow DHCP & DNS'
option dest_port '53 67 68 5353'
option target 'ACCEPT'
config rule
option src 'VLAN100_DMZZone'
option name 'VLAN100_DMZ: Allow DHCP & DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
config zone
option name 'VLAN20_MediaZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'VLAN20_MEDIA'
config forwarding
option src 'lan'
option dest 'VLAN20_MediaZone'
config zone
option name 'VLAN30_IoTZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'VLAN30_IOT'
config forwarding
option src 'lan'
option dest 'VLAN30_IoTZone'
config zone
option name 'VLAN100_DMZZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'VLAN100_DMZ'
config forwarding
option src 'VLAN100_DMZZone'
option dest 'wan'
config zone
option name 'VLAN86_MgmtZone'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'VLAN86_MGMT'
option masq '1'
config forwarding
option src 'VLAN86_MgmtZone'
option dest 'lan'
config forwarding
option src 'VLAN86_MgmtZone'
option dest 'wan'
config rule
option src 'VLAN100_DMZZone'
option dest 'VLAN20_MediaZone'
option name 'VLAN100_DMZ: Allow qBittorrent to storage01'
option target 'ACCEPT'
list src_ip '10.0.100.75'
list dest_ip '10.0.20.100'
option dest_port '445'
list proto 'tcp'
config forwarding
option src 'lan'
option dest 'VLAN100_DMZZone'
config rule
option src 'VLAN30_IoTZone'
option dest 'wan'
option name 'VLAN30_IOT: Allow HB2 to WAN'
list proto 'tcp'
list src_ip '10.0.30.20'
option target 'ACCEPT'
option enabled '0'
config rule
option src 'lan'
option dest 'lan'
option name 'Restrict HB2'
list src_ip '192.168.0.43'
option target 'REJECT'
list proto 'all'
config forwarding
option src 'VLAN86_MgmtZone'
option dest 'VLAN10_GuestZone'
config forwarding
option src 'VLAN86_MgmtZone'
option dest 'VLAN20_MediaZone'
config forwarding
option src 'VLAN86_MgmtZone'
option dest 'VLAN30_IoTZone'
config forwarding
option src 'VLAN86_MgmtZone'
option dest 'VLAN100_DMZZone'
I would recommend restructuring your config, but first, do you actually have eth2? I only see you using eth0 (for the wan) and eth1 (for the lans). Is there really another ethernet adapter?
eth0 is the Raspberry's onboard NIC - used for WAN.
And there is an 2 ethernet port USB3 NIC attached to it, being eth1 and eth2.
eth2 is not in use for now.
I'm aware of eth0 (on board) being used as the wan, and I see that eth1 (usb adapter) is being used for the lan.
Is there a 2nd USB-ethernet adapter (eth2) on your Pi (for a total of 3 ethernet ports)?
I see you edited your previous response... thanks.
Do you plan to use eth2 at this point, or will that be a spare for other purposes later?
Not planning to, but if I do I might remove it from the bridge.
I recommend cleaning up the config as follows:
Delete all of this:
And this:
And this:
And this:
Now, go into each of the network interfaces and adjust them like this (changing the device):
config interface 'LAN'
option proto 'static'
option device 'eth1.999'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
...
config interface 'VLAN10_GUEST'
option proto 'static'
option device 'eth1.10'
option ipaddr '10.0.10.1'
option netmask '255.255.255.0'
...
config interface 'VLAN20_MEDIA'
option proto 'static'
option device 'eth1.20'
option ipaddr '10.0.20.1'
option netmask '255.255.255.0'
config interface 'VLAN30_IOT'
option proto 'static'
option device 'eth1.30'
option ipaddr '10.0.30.1'
option netmask '255.255.255.0'
config interface 'VLAN100_DMZ'
option proto 'static'
option device 'eth1.100'
option ipaddr '10.0.100.1'
option netmask '255.255.255.0'
...
config interface 'VLAN86_MGMT'
option proto 'static'
option device 'eth1.86'
option ipaddr '10.0.86.1'
option netmask '255.255.255.0'
Since VLAN200 is not defined anywhwere, this can be removed:
Restart the router and see if those changes help. If not, we'll probably want to start looking downstream.
Did clean up the config and restarted the router.
Unfortunelaty, the issue remains.
So I guess it must have something to do with AP's.
Yes, now it's time to look downstream.
What is connected to the router? Is it an AP, or a switch? Is the switch managed?
Let's see the configs from the APs.
So the router is connected to a managed switch, the switch is serving 15 AP's and a bunch of other stuff. The WiFI config base for all AP's is exactly the same.
Network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd35:3d5c:ff20::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan'
config interface 'LAN'
option device 'br-lan.999'
option proto 'static'
option ipaddr '192.168.0.240'
option netmask '255.255.255.0'
option defaultroute '0'
config device
option type '8021q'
option ifname 'br-lan'
option vid '10'
option name 'br-lan.10'
config device
option type '8021q'
option ifname 'br-lan'
option vid '999'
option name 'br-lan.999'
config interface 'VLAN10_GUEST'
option proto 'none'
option device 'br-lan.10'
option defaultroute '0'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'wan:t'
config interface 'VLAN20_MEDIA'
option proto 'none'
option device 'br-lan.20'
option defaultroute '0'
config interface 'VLAN30_IOT'
option proto 'none'
option device 'br-lan.30'
option defaultroute '0'
config bridge-vlan
option device 'br-lan'
option vlan '86'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '999'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan:t*'
config interface 'VLAN86_MGMT'
option proto 'dhcp'
option device 'br-lan.86'
config device
option type '8021q'
option ifname 'br-lan'
option vid '200'
option name 'br-lan.200'
Wireless:
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option band '2g'
option channel '8'
option htmode 'HT40'
option cell_density '0'
option country 'NL'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'LAN'
option mode 'ap'
option ssid 'intranet'
option encryption 'sae-mixed'
option key 'redacted'
option ieee80211r '1'
option ft_over_ds '0'
option ocv '0'
option macfilter 'allow'
option mobility_domain 'ee99'
MAC LIST REDACTED
option dtim_period '3'
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option band '5g'
option channel 'auto'
option htmode 'VHT160'
option cell_density '0'
option country 'NL'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'LAN'
option mode 'ap'
option ssid 'intranet'
option encryption 'sae-mixed'
option key 'redacted'
option ieee80211r '1'
option mobility_domain 'ee99'
option ft_over_ds '0'
option ocv '0'
MAC LISTS REDACTED
option macfilter 'allow'
option dtim_period '3'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'Guest WiFi'
option encryption 'sae-mixed'
option isolate '1'
option key 'redacted'
option ocv '0'
option network 'VLAN10_GUEST'
option ieee80211r '1'
option mobility_domain 'ee11'
option ft_over_ds '0'
option dtim_period '3'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'Guest WiFi'
option encryption 'sae-mixed'
option isolate '1'
option key 'sr59gc13'
option ocv '0'
option network 'redacted'
option ieee80211r '1'
option mobility_domain 'ee11'
option ft_over_ds '0'
option dtim_period '3'
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'intranet_media'
option encryption 'sae-mixed'
option key 'redacted'
option ieee80211r '1'
option ft_over_ds '0'
option ocv '0'
option network 'VLAN20_MEDIA'
option dtim_period '3'
config wifi-iface 'wifinet5'
option device 'radio1'
option mode 'ap'
option ssid 'x'
option encryption 'sae'
option macfilter 'allow'
MAC LIST REDACTED
option key 'redacted'
option ieee80211r '1'
option mobility_domain 'f9f9'
option ft_over_ds '0'
option ocv '0'
option network 'VLAN86_MGMT'
config wifi-iface 'wifinet6'
option device 'radio0'
option network 'LAN'
option mode 'ap'
option ssid 'intranet_iot'
option encryption 'sae-mixed'
option key 'redacted'
option ieee80211r '1'
option ft_over_ds '0'
option ocv '0'
option dtim_period '3'
option mobility_domain 'cc55'
So if I change lets say the network option for intranet_media from VLAN20_MEDIA to let's say LAN or VLAN10_GUEST, it's working like a charm. Changing it to VLAN30_IOT or VLAN86_MGMT isn't. Same with VLAN200_MEDIA (just for testing).
I would suggest that you check the managed switch to ensure that the trunk ports are properly configured.
A pro-tip for this is to setup access ports for each of the VLANs on that switch. Then, connect a computer via ethernet to each of those access ports, in turn, and make sure that they get the desired connectivity. This is a really fast way to make sure that the router + switch are configured properly.
Meanwhile, I don't think this is going to make a difference, but let's clean up the config here just to be sure.
Delete all of the 802.1q stanzas:
Remove the defaultroute lines on the unmanaged interfaces:
As a general rule, I highly recommend:
- Avoiding
sae-mixed as it tends to cause more problems that it solves. Use WPA2 or WPA3, but not mixed mode.
- Removing all 802.11r configs unless there is a demonstrated need for them. Again, this tends to cause problems.
There are client devices that just don't work well with WPA2/WPA3 mixed mode and/or 802.11r, so these are typically things to stay away from. However, this environment has 15 APs, so I would imagine that there are lots of other considerations here and it would also be a bit painful to adjust all 15 APs, so let's table those two items -- hopefully they are not relevant here.
Thank you for your response.
I'll try the adjustments and let you know the results.
I need most of the ports on the switch trunked. Almost all AP devices are also used as switch in the particular rooms. Not all, but most. And adjusting the AP's is just a matter of a few clicks as I use Ansible to control/adjust them.
But I also have a few AP's on the side as spare and test devices. I always test my configs before deploying them on all other AP's.
So, it did not have the desired results.
Tried something different as well:
- Made a new SSID (media) on the 2.4GHz radio.
- Assigned VLAN20_MEDIA.
- No encryption
Devices show up in the Associated Stations list of the AP connected to but
not receiving IP addresses (tried with Android device, a Chromecast and 2 notebooks (Linux and Windows)).
As soon as I change the "option network" to let's say LAN or VLAN10_GUEST it's all working like a charm. That makes me thinking it's a firewall issue, but I cannot find anything in the firewall config that could make the connection behave like it does on that VLAN.
Changing it to VLAN30_IOT has the same (not receiving IP) issue.
According to the (AP) logs it is connected.
daemon.info hostapd: phy0-ap3: STA <MAC:ADDRESS> IEEE 802.11: authenticated
daemon.info hostapd: phy0-ap3: STA <MAC:ADDRESS> IEEE 802.11: associated (aid 1)
daemon.notice hostapd: phy0-ap3: AP-STA-CONNECTED <MAC:ADDRESS> auth_alg=open
daemon.info hostapd: phy0-ap3: STA <MAC:ADDRESS> RADIUS: starting accounting session C6FC9634054CF547
daemon.info hostapd: phy0-ap3: STA <MAC:ADDRESS> WPA: pairwise key handshake completed (RSN)
daemon.notice hostapd: phy0-ap3: EAPOL-4WAY-HS-COMPLETED <MAC:ADDRESS>
What am I missing here?
I had a short look at your config after applying the cleanup that @psherman suggested. The resulting config looks like this:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd35:3d5c:ff20::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan'
config interface 'LAN'
option device 'br-lan.999'
option proto 'static'
option ipaddr '192.168.0.240'
option netmask '255.255.255.0'
config interface 'VLAN10_GUEST'
option proto 'none'
option device 'br-lan.10'
config interface 'VLAN20_MEDIA'
option proto 'none'
option device 'br-lan.20'
config interface 'VLAN30_IOT'
option proto 'none'
option device 'br-lan.30'
config bridge-vlan
option device 'br-lan'
option vlan '86'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '999'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan:t*'
config interface 'VLAN86_MGMT'
option proto 'dhcp'
option device 'br-lan.86'
What I think is missing here is the bridge-vlan config for your other VLANs. IIRC, you mentioned a VLAN trunk somewhere, so I assume that this device is connected via the WAN port to the switch. On the switch, all required VLANs should be marked as tagged as well.
I would try to add the following bridge-vlan stanzas to tag the VLANs on the WAN port:
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'wan:t'
You can easily check this assignment with LuCI if you edit the br-lan device on the Devices tab in Network -> Interfaces. All VLANs should be tagged on the WAN port and 999 is untagged on all LAN ports.
If this doesn't work, I would try to change the protocol of your interfaces to DHCP (instead of none) to see if you receive a valid IP on the device.
1 Like
What you suggested is already the case. All VLAN's are trucked on the AP's WAN port.
Now I tried creating a new VLAN (21) and it works as expected.
All settings are exactly the same.
Sorry, somehow I missed that part, of course it was already there.
Do you get an IP on your interfaces if you change the protocol to DHCP?
I think so, but the router needs to be the only DHCP server in this network.
Wired it's all good, it's just the wireless part.
Just not getting why most VLAN's are getting IP's served, and others don't.