VLANS on Unifi 6 Lite AP

ehz_gobbo · August 25, 2023, 2:41pm

Hi All, I am having trouble setting up VLANs on my Unifi 6 lite AP

My Setup
Internet > OPNsense DEC750 > MikroTik CRS328-24P-4S+RM > Unifi 6 Lite

OPNsense does routing, DNS, DHP firewall, VLANs
Mikrotik with SwOS
Unifi 6 Lite with OpenWRT 22.03.5 and set as dumb AP following https://openwrt.org/docs/guide-user/network/wifi/dumbap

It is mostly based on this: https://schnerring.net/blog/router-on-a-stick-vlan-configuration-with-swos-on-the-mikrotik-crs328-24p-4s+rm-switch/
I have OPNSense and the switch setup to work with VLANs and all seems works, when I plug a device into a port on the switch, it is assigned to the correct VLAN.

Now I would like to add the AP, and this is where I am having difficulty. I've followed various tutorials the VLAN setup in OpenWRT and tried different ways but it just doesn't seem to work.

The VLANs setup in OPNsense are:

VLAN10_MANAGE (The Management network connects native management interfaces like WiFi access points)
VLAN20_VPN
VLAN30_CLEARNET
VLAN70_IOT

Steps Taken in OpenWRT

Network > Interfaces > Devices
Configure for "br-lan" > Bridge VLAN Filtering > Enable VLAN Filtering
Add 10, 20, 30, 70, and save
Configure for "br-lan" > General device options > Bridge ports
Add br-lan.10, br-lan.20, br-lan.30, br-lan.70, and save

Screenshot 2023-08-25 at 16.19.431812×1170 188 KB
Configure for "br-lan" > Bridge VLAN Filtering
Set Tagged where port and VLAN ID match, and for LAN all tagged

Screenshot 2023-08-25 at 16.19.561810×1114 162 KB
Interfaces > Add new interface (For testing I have only added the IOT interface)
Name: VLAN70_IOT, Protocol: Unmanaged, Interface: br-lan.70
Interfaces > Edit "lan", set interface to br-lan.10
Add wireless with network VLAN70_IOT
Add wireless with network lan (temporarily using using the management vlan)

I have also tried:

Not modifying "br-lan" and creating a new bridge interface as described here https://www.youtube.com/watch?v=2R40KE9aUz4&list=PLvzzB_4CQg6n_A_f2JjkReGbdDAgO6D9_&index=2
Not adding the 10 VLAN "br-lan.10". Instead I change the "lan" interface IPv4 address, gateway and DNS to point to the VLAN 10. This works but I'im not sure it is correct
In step 7 I have tried various options of tagged and untagged. Honestly this is the part I am most confused about. Also having one eth port on the Unifi, I'm not 100% what to do here
In step 9 I have also changed the interface to static IP and set IPv4 address, gateway and DNS to point to the VLAN 70, still does not work

Could someone help me figure out in which step(s) I am making mistakes?

NPeca75 · August 25, 2023, 4:33pm

Hi

sorry but your config is messed up
reset the router to default and paste here your default network config

cat /etc/config/network

zekica · August 25, 2023, 5:55pm

Why are you adding br-lan.10 and others to br-lan? This doesn't make sense at all.

ehz_gobbo · August 25, 2023, 6:04pm

I've reset the device as an AP

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdbb:1f08:7090::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.10.2'
	option gateway '10.0.10.1'
	list dns '10.0.10.1'

Like this I can connect to the intrernet, lan is connected to vlan10 on opnsense

ehz_gobbo · August 25, 2023, 6:05pm

I tried both with and without, not sure the correct way, but if not correct will remove it

zekica · August 25, 2023, 6:15pm

When starting from the default setup:

first turn on "Bridge VLAN Filtering", change VLAN ID 1 to 10, and at the same time change "Interface" lan to device br-lan.10, then apply the changes. Set device lan as "untagged, PVID"

You should then still be able to access the management interface without any tags.

then add VLANs 20, 30 and 70 to the bridge vlan filtering, and set "Tagged" to all these and also change vlan 10 on device lan to Tagged.

When you now apply, you will lose access unless you access it through the trunk port on your switch, so I would suggest applying changes without rollback by clicking "Apply unchecked". Then connect it to your switch and continue the setup.

then add three more interfaces all of them using the "unmanaged" protocol - name them vpn, clearnet and iot. You don't need to add them to any firewall zone as they are not managed
then add three APs selecting each of the interfaces above

That should be enough.

NPeca75 · August 26, 2023, 3:03am

Ok

here is your config

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdbb:1f08:7090::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '70'
        list ports 'lan:t'

config interface 'mgmn'
	option device 'br-lan.10'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.10.2'
	option gateway '10.0.10.1'
	list dns '10.0.10.1

config interface 'vpn'
        option proto 'none'
        option device 'br-lan.20'

config interface 'clearnet'
        option proto 'none'
        option device 'br-lan.30'

config interface 'iot'
        option proto 'none'
        option device 'br-lan.70'

vlan 10,20,30,70 are tagged on LAN port
so, when you upload this config and reboot router, you could access device only from tagged network

NPeca75 · August 26, 2023, 3:13am

When your AP finally running and is reachable over tagged (trunk) port, then you need to configure WIFI

config wifi-iface 'wifinet0'
        option device 'radio0'
        option network 'vpn'    <- or 'clearnet' or 'iot'

you could attach every SSID to its own vlan
key is option network 'XXXX'
or from LuCI, bond wifi interface to network

ehz_gobbo · August 27, 2023, 5:23pm

Thanks! After several attempts following the advice from both of you, I think I finally got it to work.
Only difference is I left vlan 10 untagged and set as PVID

I guess the main mistake I was making was step 4-5, bridging the vlans

system · September 6, 2023, 5:23pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.