Has anyone had success using VLAN bridging on the R8000? After setting up VLANs, the R8000 won't let me connect with any of the wireless antennas. I'm getting a "br-lan recieved packed on wlan1 with own address as source address" message in the system log when I attempt to connect to any wireless antenna. I've used the 22 firmware and the fixed 23 version and keep getting the same result. All antennas work fine when the VLAN bridge is turned off, and when it's turned on, I can connect just fine through the VLAN ports, but the wireless doesn't work.
Let's see your configuration:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrtR8000:~# ubus call system board
at /etc/{
"kernel": "5.10.176",
"hostname": "OpenWrtR8000",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear R8000 (BCM4709)",
"board_name": "netgear,r8000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.5",
"revision": "r20134-5f15225c1e",
"target": "bcm53xx/generic",
"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
}
}
config/nroot@OpenWrtR8000:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fda4:4f5b:9995::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan.99'
config device
option name 'wan'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config bridge-vlan
option device 'br-lan'
option vlan '44'
list ports 'lan1:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'lan1:t*'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4:t'
config interface 'Guest'
option proto 'static'
option device 'br-lan.44'
option ipaddr '10.20.30.40'
option netmask '255.255.255.0'
root@OpenWrtR8000:~# cat /etc/config/wireless
cat /etc/config/
config wifi-device 'radio0'
option type 'mac80211'
option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '149'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrtR8000zero'
option encryption 'psk2'
option key PASSWORD
config wifi-device 'radio1'
option type 'mac80211'
option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:01.0/0001:03:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrtR8000'
option encryption 'psk2'
option key PASSWORD
config wifi-device 'radio2'
option type 'mac80211'
option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:02.0/0001:04:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'default_radio2'
option device 'radio2'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrtR8000two'
option encryption 'psk2'
option key PASSWORD
root@OpenWrtR8000:~# cat /etc/config/dhcp
/etc/co
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'Guest'
option interface 'Guest'
option start '100'
option limit '150'
option leasetime '12h'
root@OpenWrtR8000:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'Guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'Guest'
config forwarding
option src 'Guest'
option dest 'wan'
config rule
option name 'Guest DHCP and DNS'
option src 'Guest'
option dest_port '53 67 68'
option target 'ACCEPT'
Adjust the above to look like this:
config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'lan1:t'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:t'
Then reboot the router and see if that helps.
Thanks for your help . . . but, no luck. Still getting the "br-lan: received packet on wlan1 with own address as source address" error in system log when trying to connect through the wireless
Is it not mentioning the MAC address?
Can you copy and paste the 10 lines before and after you try to associate with two different clients?
You can redact the MAC addresses and anything you consider personal but if they are repeated notate it. e.g. A, B, C,...
Here's the logs from two attempts at wireless connection with two different devices. I changed the MAC addresses to be placeholders in square brackets.
Mon Jan 15 15:19:56 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: associated
Mon Jan 15 15:20:00 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: disassociated
Mon Jan 15 15:20:01 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: associated
Mon Jan 15 15:20:01 2024 kern.warn kernel: [ 9615.119388] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:20:05 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: disassociated
Mon Jan 15 15:20:06 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: associated
Mon Jan 15 15:20:06 2024 kern.warn kernel: [ 9620.428166] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:20:10 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: disassociated
Mon Jan 15 15:20:12 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: associated
Mon Jan 15 15:20:12 2024 kern.warn kernel: [ 9625.734440] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:20:16 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: disassociated
Mon Jan 15 15:20:17 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: associated
Mon Jan 15 15:20:17 2024 kern.warn kernel: [ 9631.094003] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:20:19 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: disassociated
Mon Jan 15 15:20:19 2024 daemon.info hostapd: wlan1: STA [MAC:d5] IEEE 802.11: disassociated
Mon Jan 15 15:21:50 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.99) 192.168.1.206 [MAC:2e]
Mon Jan 15 15:21:50 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.99) 192.168.1.206 [MAC:2e] Laptop1
Mon Jan 15 15:21:53 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:21:57 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
Mon Jan 15 15:21:57 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:21:57 2024 kern.warn kernel: [ 9731.346765] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:22:01 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
Mon Jan 15 15:22:03 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:22:03 2024 kern.warn kernel: [ 9736.681873] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:22:07 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
Mon Jan 15 15:22:08 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:22:08 2024 kern.warn kernel: [ 9742.016161] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:22:12 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
Mon Jan 15 15:22:13 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:22:13 2024 kern.warn kernel: [ 9747.345367] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:22:17 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
Mon Jan 15 15:22:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan.99) 192.168.1.206 [MAC:2e]
Mon Jan 15 15:22:20 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan.99) 192.168.1.206 [MAC:2e] Laptop1
Mon Jan 15 15:22:24 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:22:28 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
Mon Jan 15 15:22:29 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:22:29 2024 kern.warn kernel: [ 9762.549649] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:22:33 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
Mon Jan 15 15:22:34 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:22:34 2024 kern.warn kernel: [ 9767.876429] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:22:38 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
Mon Jan 15 15:22:39 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:22:39 2024 kern.warn kernel: [ 9773.210464] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:22:43 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
Mon Jan 15 15:22:45 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: associated
Mon Jan 15 15:22:45 2024 kern.warn kernel: [ 9778.543334] br-lan: received packet on wlan1 with own address as source address (addr:[MAC:54], vlan:99)
Mon Jan 15 15:22:49 2024 daemon.info hostapd: wlan1: STA [MAC:2e] IEEE 802.11: disassociated
An update. Still need help.
I changed all the MAC addresses in the device list so every MAC is unique and it got rid of the "with own address as source address" error, but the associated, dissociated errors persist until the device gives up and says it can't connect to this network.
I found a workaround of sorts: I created a new bridge for just the wifi and gave the wifi bridge (br-wifi) access to the LAN (br-lan) through the firewall. Now all the antennae's work great with encryption and full access to the LAN. Yay.
However, br-wifi is now handing out IP addresses which, of course, are a different IP domain than the br-lan. This is a dealbreaker, since I need IP domain to be the same through both the wired VLAN access points and the attached antennaes for fast roaming, etc.
Any idea how I can do that!?!?
Edit the (network/wireless->edit) radios and put them in the lan (br-lan) with eth0. Save/save and apply.
They should then show up in the LuCI interface lan (br-lan) and be missing from br-wifi.
Log into the ssid and check the ip address you end up with. Should be in the same subnet as all the wired lan ports.
This is a little different than how you added the ethernet ports to the lan and the radios will not show up in network config but will show them in lan in the wireless config.
Thanks for your help, but that puts me back at square one. Once the antenna's are associated with anything on the VLAN (ie: br-lan) they stop connecting to devices. The antennas only seem to work when "bridge VLAN filtering" is turned off. The VLAN is killing the antennas.
Maybe it would make sense to upgrade to 23.05.2 and reset to defaults at the same time. Then make the modifications I had provided earlier. That should work in general, and maybe this will ensure that you don't see the error:
Care to give it a shot?
Howdy everyone,
Sorry to jump in on this thread; however, I was curious whether there was a solution when it came to getting Wifi to work with VLANs?
As described by @brawilliamson, any wireless authentication (unless set to open - no encryption) will result in the associated & disassociated issue when combined with filtering.
This is on the latest build of the R8000 (23.05.2). I understand the broadcom limitations; however, there is a note describing that it "works well" (which may need to be amended with all of the quirks that people are experiencing).
Here's a visual with what's going on:
This setup works (however, not ideal)
Mobile device --> Wifi SSID (set to open) ---> connects to VLAN static interface with DHCP
The below setup doesn't
Mobile device --> Wifi SSID (set to WPA/WPA2 or other auths) ---> results in constant auth failure and the syslog mentioning associated and quick dissociated
Kind regards
Maybe it would be best to start a new thread and then we can explore the configuration and see if we can arrive at a solution. If you’d like, I can move your comment to a new topic. We will need to see the complete config and then we can work through troubleshooting. Feel free to post your config and I can move everything to that new thread.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Hi @psherman,
Not a problem, currently in between projects atm, but will hopefully get that done shortly
Well from one Sherman to another let's get this party started and crack this cookie. I’m currently running version 23.05.3 on my Netgear R8000 with OpenWRT. I’ve encountered an issue where VLANs don’t seem to work with Wi-Fi if the SSID is encrypted. However, when the SSID is open, everything works fine.
My setup is a bit unique as I’m using the R8000 as a semi-smart access point with all my interfaces on a single bridge. Despite this difference, I believe the issue should be the same as I’m encountering similar roadblocks.
For additional context, I don’t use the built-in firewall or DHCP as these are managed by my dedicated firewall. I’ve included the requested logs below for further analysis.
ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear R8000 (BCM4709)",
"board_name": "netgear,r8000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "bcm53xx/generic",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fdfc:aaa3:5c7e::/48'
config interface 'backup'
option proto 'static'
option ipaddr '172.18.0.1'
option netmask '255.255.255.0'
option delegate '0'
option defaultroute '0'
config interface 'mgmt'
option proto 'dhcp'
option device 'bridge.99'
option force_link '1'
config device
option type 'bridge'
option name 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan'
option ipv6 '1'
config bridge-vlan
option device 'bridge'
option vlan '99'
list ports 'wan:t*'
config bridge-vlan
option device 'bridge'
option vlan '30'
list ports 'wan:t'
config interface 'home'
option proto 'dhcp'
option device 'bridge.30'
You’ll observe that I’ve only tagged the WAN port, as it’s the only one I’m currently utilizing. Additionally, the port can only be set to ‘tagged’ and not ‘untagged’, due to the configuration of the switch port. If we decide to proceed with further testing, we can adjust this setup according to your preferences.
cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '149'
option band '5g'
option htmode 'VHT80'
option country 'US'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'backup'
option mode 'ap'
option ssid 'test'
option encryption 'psk2'
option key 'test1234'
config wifi-device 'radio1'
option type 'mac80211'
option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:01.0/0001:03:00.0'
option channel '6'
option band '2g'
option htmode 'HT40'
option country 'US'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'backup'
option mode 'ap'
option ssid 'test'
option encryption 'psk2'
option key 'test1234'
config wifi-device 'radio2'
option type 'mac80211'
option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:02.0/0001:04:00.0'
option channel '48'
option band '5g'
option htmode 'VHT80'
option country 'US'
option cell_density '0'
config wifi-iface 'default_radio2'
option device 'radio2'
option network 'backup'
option mode 'ap'
option ssid 'test'
option encryption 'psk2'
option key 'test1234'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'test 2'
option encryption 'psk2'
option network 'home'
option key 'test1234'
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'test 2'
option encryption 'psk2'
option network 'home'
option key 'help1234'
config wifi-iface 'wifinet5'
option device 'radio2'
option mode 'ap'
option ssid 'test 2'
option encryption 'psk2'
option network 'home'
option key 'help1234'
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
Again, DHCP is being handled by the firewall
cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
We can troubleshoot but it will be touch and go with reporting back. If you want to open a new post please do so.
I'm not sure what would cause the VLANs to fail to work when encryption is enabled on wifi... normally, these would be unrelated things.
But let's dig in a bit to see if we can unravel it.
First, I'd recommend using br-lan or something similar rather than bridge. I say this out of an abundance of caution because it is possible that bridge as a name is not expected given that it is a special word.
I'd also recommend removing the ipv6 option. It should not matter here.
Now, that said, you have mgmt (VLAN 99, DHCP) and home (VLAN 30, DHCP), plus a backup interface.
Generally speaking, it is best practice to have only the management network with an address, and the reset unmanaged. So maybe make home unmanaged (option proto 'none').
Next, does the problem manifest on all of the SSIDs or just one or two of them?
I will give this a try. I do have two other TP-Link Archers set up this way and haven't run into issue but they currently don't use DSA so maybe why I haven't had issues. I will give this a try this evening and see if it changes.
I'd also recommend removing the ipv6 option. It should not matter here.
Can do! I usually do this but must have missed it in my testing. I also have IPv6 disabled upstream as well.
Now, that said, you have mgmt (VLAN 99, DHCP) and home (VLAN 30, DHCP), plus a backup interface.
Generally speaking, it is best practice to have only the management network with an address, and the reset unmanaged. So maybe make home unmanaged (option proto 'none').
This is they way I usually set this up but, for testing reason I wanted to make sure it was able to get the correct IP. I can try it with unmanaged to see if that makes a difference. The backup interface is more of a Failsafe so I can access the device when things hit the fan.
Next, does the problem manifest on all of the SSIDs or just one or two of them?
I haven't tried setting both SSID up with encryption to see if I get the same issue but again can try again this evening. Sidenote if we turn VLAN filtering off we are able to connect without issue with encryption turned on, except when using WPA3 or WPA2/WPA3 encryption.
Let me know if you think of anything else to try and I will test it this evening.
Well, I was able to conduct some testing, but it’s still not working. I did find some rather peculiar things. First, if I set the encryption to open and connect, I can obtain an IP from the firewall, but I’m unable to browse beyond the access point. Additionally, I can connect to the Wi-Fi for the backup interface, but that’s expected since it’s not using any VLAN filtering. At this point, I’ve given up on using this device with the current version of OpenWrt. I might just revert to version 19.07 and stick with that. If anyone wants to buy a cheap R8000 let me know I'm sure we can arrange things.
Let's take a look at the current complete configuration of your AP.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Thanks for running some tests? Does 19.07 function with vlan and wifi?