VLAN with 2 routers - 2 WLANs with roaming

Ryrzy · February 15, 2021, 10:40am

Hello,
i'm new in VLANs and i need help with this,

my configuration is:

R1 - EA8500 openwrt, it's my main router - dhcp, internet on WAN,
WLAN1 main 192.168.1.x - roaming with R2 - everything works ok
WLAN2 vlan3 192.168.3.x - working ok, only when connecting to this router, roaming with R2 - not working
only one LAN port is used to connect to switch

R2 - WNDR4300 openwrt
WLAN1 main 192.168.1.x - roaming with R1 - everything works ok, dhcp from R1
WLAN2 vlan3 192.168.3.x - roaming with R2 - not working, when connect to this AP device can not get IP, when connecting with static IP device has not access to internet, to lan, to nothing, and there is no accecc to this device...
all LAN ports (WAN is made as LAN port) are used and there must be 192.168.1.x network

problem is WLAN2 on R2 to connect to dhcp from R1 vlan3 (192.168.3.x network).

R1 and R2 are so connected:

R1 <-> switch LCS-GS9428 <-> switch tplink <-> R2

configs:

R1:
/etc/config/dhcp

config dhcp 'vlan3'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option interface 'vlan3'
    option force '1'

/etc/config/firewall

config zone
        option name 'vlan3'
        list network 'vlan3'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding
        option dest 'vlan3'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'vlan3'

config rule
        option src 'vlan3'
        option name 'vlan3_to_server'
        option dest 'lan'
        list dest_ip '192.168.1.xx'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option src_port '67-68'
        option src 'vlan3'
        option family 'ipv4'
        option target 'ACCEPT'
        option dest_port '67-68'
        list proto 'tcp'
        list proto 'udp'

config rule
        option dest_port '67-68'
        option dest 'vlan3'
        option target 'ACCEPT'
        option src_port '67-68'

config rule
        option dest_port '53'
        option src 'vlan3'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'

/etc/config/network


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda3xxxdbe::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'c0:xx'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option macaddr '00:xx'
        option dns '8.8.8.8 8.8.4.4'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '00:xx'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option macaddr '00:xx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4'
        option vid '1'
		
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

config interface 'vlan3'
        option proto 'static'
        option type 'bridge'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option mtu '1496'
        option ifname 'eth0.3'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 1t 2t 3t 4t'

/etc/config/wireles

config wifi-iface 'wifinet3'
        option ssid 'vlan_test'
        option encryption 'psk2'
        option device 'radio0'
        option isolate '1'
        option ieee80211r '1'
        option ft_over_ds '1'
        option key 'xx'
        option network 'vlan3'
        option mode 'ap'
        option ft_psk_generate_local '1'
        option mobility_domain 'fxx6'
        option nasid 'Cxx'

R2:
/etc/config/dhcp

config dhcp 'vlan3'
        option interface 'vlan3'
        option ignore '1'

/etc/config/firewall

config zone
        option network 'vlan3'
        option input 'ACCEPT'
        option name 'vlan3'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config rule
        option src_port '67-68'
        option src 'vlan3'
        option target 'ACCEPT'
        option dest_port '67-68'
        option dest 'lan'

config rule
        option src_port '53'
        option src 'vlan3'
        option target 'ACCEPT'
        option dest_port '53'
        option dest 'lan'

config forwarding
        option dest 'vlan3'
        option src 'lan'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7xxxe::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'dhcp'
        option ifname 'eth0.1 eth0.2'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'a0:xxx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option ar8xxx_mib_type '0'
        option ar8xxx_mib_poll_interval '500'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 3 2 1 5'

config interface 'vlan3'
        option proto 'static'
        option type 'bridge'
        option ipaddr '192.168.3.2'
        option ifname 'eth0.3'
        option netmask '255.255.255.0'
        option gateway 'xxx'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 1t'

/etc/config/wireles

config wifi-iface 'wifinet2'
        option encryption 'psk2'
        option device 'radio0'
        option ieee80211r '1'
        option ft_over_ds '1'
        option mode 'ap'
        option ft_psk_generate_local '1'
        option network 'vlan3'
        option ssid 'vlan_test'
        option mobility_domain 'fxx6'
        option key 'xx'
        option nasid ' Axx3'
        option isolate '1'

attila1 · February 15, 2021, 5:55pm

Try to change REJECT to ACCEPT in zone vlan3 on R1 for option input&forward as well.

Ryrzy · February 15, 2021, 6:09pm

didnt work i have tested this to

attila1 · February 15, 2021, 6:20pm

And do you see any Mac address on R1 through interface eth0.3 (related to r2)?

Ryrzy · February 15, 2021, 6:24pm

i see nothing from R2 from 3 network, even if connect to WLAN2 on R2 with static IP 192.168.3.33
WLAN1 works ok on R2, devices get IPs from DHCP on R1 - because this is main network

attila1 · February 15, 2021, 6:43pm

Are you sure that relevant Ethernet interfaces are vlan-tagged (means defined as trunk) on both switches?
I can imagine that main vlan works only because vlan1 is the native vlan on both switches.

Ryrzy · February 15, 2021, 6:59pm

on R1 it looks like this (i use only one switch port):

on R2 it looks like this:

internet <-> (WAN) R1 (LAN1) <-> switch LCS-GS9428 <-> switch tplink <-> (LAN4) R2

attila1 · February 15, 2021, 7:24pm

Okay, so main LAN is working because vlan Id 1 isn't tagged on both routers.
But the vlan Id 3 has to be tagged on LCS and tplink switches as well.
(Be noted, summary - at least - 4 pieces of switch ports has to be configured, because the 2 side of the LCS-tplink link has to be tagged as well.)

Ryrzy · February 15, 2021, 8:12pm

i think you have right and LCS is the problem, tplink is not configurable.
R1 is connected to LCS to LAN1 and R2 is on LAN20, how do you think, how shoult it be set in LCS? when i set PVID on 1 and 20 to 3 i dont have connection from whole network ;/ i think i will try to make my cable longer from R2 and connect to R1 LAN port, no LCS connection.

attila1 · February 15, 2021, 8:39pm

Try set egress for port 1 and 20 to "tagged" and set pvid to "1,3" or "1;3" (I don't know what can be the syntax.)

Hmmm, or ... maybe pvid means preferred vlan id. Then pvid has to remain 1, and change egress to tagged only.

Ryrzy · February 15, 2021, 9:37pm

And here is the problem... I can set only one vlan id in pvid on each port. When I change to tagged only I lose access to this port devices grrr I think this switch is to old for my ideas

Ryrzy · February 15, 2021, 9:45pm

Wait.... I think.... yes.... YES! It works!! I have changed only port 1 and 20 to tagged, "only tagged" is disabled and pvid stays "1" on both ... and f..ck yeah it looks like it is working! (Will test all devices from this site of network tomorrow by it realy looks like it works! )

attila1 · February 16, 2021, 9:00am

@Ryrzy ,

One more thing. Don't forget to set mtu size to 1496 on R2's vlan3 interface as well. (Otherwise you can be in trouble with longer packets.)

Ryrzy · February 16, 2021, 10:16am

ohh thank you for this tip will do when i be back home
btw. from yesterday everything looks ok, and it works as it should big thanks for help @attila1

attila1 · February 16, 2021, 6:12pm

Your welcome.

system · February 26, 2021, 6:12pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.