vLAN with AP and only one Ethernet port

Hi forum
I have a question regarding network segmentation/vLAN.
I have a few devices (all connected through WiFi) that I want to separate from others because they basically just need internet access but they do not need to interact with other devices in my LAN network.

I am running OpenWrt on a dumb AP which is connected to pfSense. So I want to do all routing, firewall, etc. on pfSense.
The thing is, my AP has only one Ethernet port and I am struggling to get vLAN to work. I have already read a ton of guides/watched videos but without success.

What brought me quite close was the following:
In Network-Interface-Devices I enabled VLAN filtering for br-lan with two VLANs, namely 1 and 10 (10 being my "guest" network).
I could actually change the device of the LAN interface from br-lan to br-lan.1 and had full access over WiFi to the internet and to my LAN network.
But unfortunately when I created a second interface for br-lan.10 this did not work. I did not get an IP when I chose DHCP for this interface. Also setting a static IP in the vLAN10 subnet did not work. Unmanaged did not work either.
By "not working" I mean that my device would not get an IP address when trying to connect to an SSID in the VLAN.10 network.

I am not even sure if the approach I just described is going in the right direction...
Could anyone help me out with some hints on how to configure VLAN correctly in that setting?

You aren't really going into the details of your target device, but it matters (DSA vs. swconfig vs. plain ethernet; yes even single port devices might connect that to an internal switch) as semantics and syntax vary widely.

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial might provide some initial insight, even for the counter example of what to do differently (e.g. on swconfig).

In principle, you retain one management interface - and everything else gets set up (bridge, VLAN, AP interface connecting to the bridge) with proto=none, just being passed through without your AP being in the loop.

Do you already have this configured and proven to be working as desired (wired)? This is critical before you try to configure a dumb AP since you need to know that the basic functionality is there, otherwise you wouldn't know where to look if there were issues along the way.

Then, let's see the config files from your AP:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi @slh and @psherman
Thank you for your comments.
I am using Netgear EX6150v2 as the AP with OpenWrt 22.03.3 and Netgear GS308E as switch.
Here is the output regarding the different commands:

ubus call system board
{
	"kernel": "5.10.161",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Netgear EX6150v2",
	"board_name": "netgear,ex6150v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
cat /etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fddb:753d:971e::/48'

config interface 'lan'
	option proto 'dhcp'
	option device 'br-lan.1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0'

config interface 'guest'
	option device 'br-lan.10'
	option proto 'dhcp'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option cell_density '0'
	option channel '11'
	option country 'TW'
	option txpower '21'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'
	option cell_density '0'
	option distance '20'
	option channel 'auto'
	option country 'TW'
	option txpower '20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option ssid 'Netgear'
	option encryption 'psk2'
	option key 'REDACTED'
	option mode 'ap'
	option network 'lan'
	option wds '1'
	option macfilter 'deny'
	list maclist 'REDACTED'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option ssid 'Netgear'
	option encryption 'psk2'
	option key 'REDACTED'
	option mode 'ap'
	option network 'lan'
	option wds '1'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt_guest'
	option encryption 'psk2'
	option key 'REDACTED'
	option network 'guest'
	option wds '1'
	option disabled '1'
cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	list server 'REDACTED'

config dhcp 'lan'
	option interface 'lan'
	option ra_management '1'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'guest'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

I have tested the vLAN with a wired connection and that works fine, so I conclude that the firewall is properly configured.
I am actually unsure if the Switch is configured correctly.
Here is the config:

pfSense is connected to port 1, the wired connection on port 3 works fine (vLAN 10).
The AP is connected to port 6.

I have tried different things here, e.g. setting PVID on port 6 to 10 but this kills my regular WiFi.
Still, since I do not have experience with switch/vLAN configs, I suspect that there might be a misconfiguration here...

Thanks for your time!

There are two ways this may work. Try this one first:

Specify that vlan10 is tagged by adding :t like this:

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

Also, your guest interface doesn’t need an address. Make it unmanaged like this:

config interface 'guest'
	option device 'br-lan.10'
	option proto 'none'

Let us know if that works.
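The two edits proposed above (carry VLAN 10 tagged with `:t`, and make the guest interface proto `none`), together with the earlier rule that a dumb AP keeps a single management interface and passes everything else through unaddressed, can be checked mechanically before rebooting the AP. The script below is an added example, not code from this thread or from OpenWrt: it parses the plain-text UCI format of /etc/config/network and /etc/config/wireless and reports the three problems discussed here. It assumes that a bridge-vlan port entry without `:t` is untagged (which is what the reply above implies), that only the interfaces named in MANAGEMENT may hold an address (`admin` is the assumed name of a separate admin network), and it runs against a trimmed copy of the network config posted earlier plus the same config with the two edits applied.

```python
# Added example (not from the thread or OpenWrt): static checker for the
# config of a single-port dumb AP carrying VLANs. Assumption: a bridge-vlan
# port without ':t' is untagged, and only MANAGEMENT interfaces hold addresses.
import re
from collections import defaultdict

MANAGEMENT = {"loopback", "lan", "admin"}  # 'admin' is an assumed name
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+'?([^']*)'?\s*$")

def parse_uci(text):
    """Parse UCI text into a list of {type, name, options, lists} dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            cur = {"type": m.group(1), "name": m.group(2) or None,
                   "options": {}, "lists": defaultdict(list)}
            sections.append(cur)
            continue
        m = ENTRY_RE.match(line)
        if m and cur is not None:
            kind, key, value = m.groups()
            if kind == "option":
                cur["options"][key] = value
            else:
                cur["lists"][key].append(value)
    return sections

def check_ap_config(network_text, wireless_text, management=MANAGEMENT):
    """Return a list of (severity, message) findings; empty means clean."""
    net, wifi, findings = parse_uci(network_text), parse_uci(wireless_text), []
    memberships = defaultdict(list)  # (bridge, port) -> [(vlan id, flags)]
    for s in net:
        if s["type"] == "bridge-vlan":
            bridge, vid = s["options"].get("device"), s["options"].get("vlan")
            for entry in s["lists"].get("ports", []):
                port, _, flags = entry.partition(":")
                memberships[(bridge, port)].append((vid, flags))
    # A port is untagged in at most one VLAN (its PVID, flag '*'); every other
    # VLAN it carries has to be tagged with ':t'.
    for (bridge, port), members in memberships.items():
        if sum("t" not in flags for _, flags in members) > 1:
            for vid, flags in members:
                if "t" not in flags and "*" not in flags:
                    findings.append(("error", f"vlan {vid} on {bridge} port "
                                     f"{port} is untagged; use '{port}:t'"))
    # On a dumb AP only the management interface(s) should hold an address;
    # every pass-through network is proto 'none'.
    iface_names = set()
    for s in net:
        if s["type"] == "interface" and s["name"]:
            iface_names.add(s["name"])
            proto = s["options"].get("proto", "none")
            if proto in ("dhcp", "static") and s["name"] not in management:
                findings.append(("warning", f"interface '{s['name']}' has proto "
                                 f"'{proto}'; a pass-through network wants 'none'"))
    # An SSID must point at a defined network, and a disabled one never comes up.
    for s in wifi:
        if s["type"] != "wifi-iface":
            continue
        label, target = s["name"] or "?", s["options"].get("network")
        if target and target not in iface_names:
            findings.append(("error", f"wifi-iface {label} references "
                             f"undefined network '{target}'"))
        if s["options"].get("disabled") == "1":
            findings.append(("info", f"wifi-iface {label} is disabled"))
    return findings

# Trimmed copy of the config posted earlier in the thread, then the same
# network config with the two edits from the reply applied.
SAMPLE_NETWORK = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'eth0:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'eth0'
config interface 'guest'
    option device 'br-lan.10'
    option proto 'dhcp'
"""
SAMPLE_WIRELESS = """
config wifi-iface 'wifinet2'
    option ssid 'OpenWrt_guest'
    option network 'guest'
    option disabled '1'
"""
FIXED_NETWORK = SAMPLE_NETWORK.replace(
    "option vlan '10'\n    list ports 'eth0'", "option vlan '10'\n    list ports 'eth0:t'"
).replace("option device 'br-lan.10'\n    option proto 'dhcp'",
          "option device 'br-lan.10'\n    option proto 'none'")
```

Calling `check_ap_config(SAMPLE_NETWORK, SAMPLE_WIRELESS)` reports the untagged VLAN 10 and the addressed guest interface; on `FIXED_NETWORK` only the note that the guest SSID is disabled remains, which is worth a look whenever a client "does not get an IP" on an SSID. To run it on a live AP, feed it the output of `cat /etc/config/network` and `cat /etc/config/wireless`.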

OpenWrt for the ipq4019 chip didn't do VLANs properly until very recently, you should probably be running 23.05.

On the Netgear switch, the two "trunk" ports (the one connected to the pfsense router and the one connected to the AP) should be set Tagged in both networks. The pfsense router should be configured to tag both networks to its trunk port.

It's a good idea to set up an admin network in the AP so you can log in by wifi if Ethernet is misconfigured.


I have made the two edits but unfortunately it does not work. I am still not getting an IP address when I try to connect to the guest WiFi.

23.05 is still a rc, so I am somewhat reluctant to switch before stable is available.
But I will keep an eye on the release and update as soon as it is available.

Regarding the tagging, vLAN 1 is the native vLAN and it should work with pfSense. At least this is what was reported here: link

Great tip regarding the admin network! I immediately added it. I was always a bit nervous when fiddling with certain setting but never had the idea of having an additional network :upside_down_face:

Don't be, especially if you want VLANs on ipq40xx.

There is another approach you can try...

remove the bridge-vlan stanzas...

Create a new bridge for the guest network like this:

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.10'

Now, edit the lan and guest networks to use the two bridges like this (note that we are using the base bridges):

config interface 'lan'
	option proto 'dhcp'
	option device 'br-lan'

config interface 'guest'
	option proto 'none'
	option device 'br-guest'

Then reboot the device and see if that fixes the issue. If it doesn't, please post the latest config so we can double check it.

Hi psherman, I did the adjustments but unfortunately it did not help. I am still not getting an IP on the guest WLAN.
Here is the network config:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fddb:753d:971e::/48'

config interface 'lan'
	option proto 'dhcp'
	option device 'br-lan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.10'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

config interface 'admin'
	option proto 'static'
	option ipaddr '10.11.11.1'
	option netmask '255.255.255.0'

@slh and @mk24 I downloaded 23.05 rc4 but when I wanted to flash it I got a warning:

Image check failed:

Mon Oct 9 19:48:55 CEST 2023 upgrade: The device is supported, but the config is incompatible to the new image (1.0->1.1). Please upgrade without keeping config (sysupgrade -n). Mon Oct 9 19:48:55 CEST 2023 upgrade: Config cannot be migrated from swconfig to DSA Image check failed.

I guess this means I would have to reconfigure after an upgrade, right?

Yes. Do not keep settings across the upgrade.

Keep in mind that wifi will be disabled and the device will be in a default state (with an address of 192.168.1.1)... you'll want to connect your computer directly to the ethernet port (and offline relative to the rest of your network).

So I guess this would be the last option to get vLAN working right?
Also, do you know if 23.05 stable would be able to keep my config in contrast to 23.05 rc4?

It won't. Just upgrade to 23.05-rc4, redo your config and never look back.


Hehehe ok, I will give it a try and report back here.

Hi guys
I just wanted to upgrade my device with rc4 and saw that 23.05 stable has been released.
What is worrying me is that my device is not listed as compatible HW for this release, just v1, but I own v2:


Any idea why this is so?

Seems it’s a bug (on the toh webpage, since it’s supposed to automatically populate with the url to the latest supported firmware)

https://downloads.openwrt.org/releases/23.05.0/targets/ipq40xx/generic/

Could this be so simple ?

Unfortunately not, I have disabled this SSID since it did not work and must have done the config export afterwards.
When I have time I will switch to 23.05 and see how that works.


After switching to 23.05 vLANs worked as expected.
Basically with the configuration I had already in the beginning, so it was really a problem of 22.03 as @mk24 pointed out.
Thanks a lot for your support and efforts guys, I very much appreciated it!