Vlans on Wavlink WL-WN573HX1

Am I missing anything with vlans?

I'm not able to get the vlan to pass traffic from the ethernet port to wifi.

I've created lan.1000, created br-vlan1000 and added lan.1000 to br-iot. Added an interface "iot" and set it for device br-iot.

Set "iot" as the network for the wifi interface.

If I drop an IP on br-iot, I can ping both a device associated with the AP, as well as an IP on that vlan on another device in the network.

But I can't ping through from the AP to the LAN.

Configs were generated by the LuCI interface.

Any ideas? Does this thing have a switch chip in the path or something that I should be doing something with?

config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd34:a801:269f::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'lan'
	option vid '1027'
	option name 'lan.1027'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'lan.1027'

config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option network '1027 iot'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

Hi

Start with this: "option network" should match "config interface 'iot'", so the correct line will be

option network 'iot'


thanks -- I noticed that in the config, not sure why luci put it that way, just assumed luci knew what she was doing.

trying that now

Didn't really help; either way, the bridge layout looks right:

root@OpenWrt:/etc/config# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.803f5d72a315	no		lan
br-iot		7fff.803f5d72a315	no		lan.1027
							phy0-ap0
root@OpenWrt:/etc/config# 

Is the IoT network routed on this device or on some other router?


Another router upstream. This is just a small lab directly connected to a Mikrotik router.

I'm a career network engineer with about 20 years experience working with Mikrotik -- not going to say 1000% that the MT config is not the issue since...well I still do make mistakes. But it's pretty unlikely.

Also this same layout works with a Netgear WAX220 running Openwrt.

Router is 192.168.3.1

AP is 192.168.3.2

client is 192.168.3.5

AP is directly connected (via a PoE injector) to a port on the MT router (Hap AC2).

from the router:

[admin@Mikrotik] > ping 192.168.3.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                          
    0 192.168.3.1                                56  64 404us     
    1 192.168.3.1                                56  64 435us     
    sent=2 received=2 packet-loss=0% min-rtt=404us avg-rtt=419us max-rtt=435us 
[admin@Mikrotik] > ping 192.168.3.2
  SEQ HOST                                     SIZE TTL TIME       STATUS                                          
    0 192.168.3.2                                56  64 1ms156us  
    1 192.168.3.2                                56  64 1ms106us  
    sent=2 received=2 packet-loss=0% min-rtt=1ms106us avg-rtt=1ms131us max-rtt=1ms156us 
[admin@Mikrotik] > ping 192.168.3.5
  SEQ HOST                                     SIZE TTL TIME       STATUS                                          
    0 192.168.3.5                                                  timeout                                         
    1 192.168.3.5                                                  timeout                                         
    2 192.168.3.5                                                  timeout                                         
    3 192.168.3.1                                84  64 91ms992us  host unreachable   

^^ no arp response from client when ping from router

MT config (bridge vlan filtering not enabled, the bridge just acts as a dumb switch and forwards all traffic):

/interface vlan
add interface=bridge name=vlan1027 vlan-id=1027
[admin@Mikrotik] > /interface/vlan/print detail 
Flags: X - disabled, R - running 
 0 R name="vlan1027" mtu=1500 l2mtu=1594 mac-address=08:55:31:6D:E9:F6 arp=enabled arp-timeout=auto 
     loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m 
     vlan-id=1027 interface=bridge use-service-tag=no 
[admin@Mikrotik] > /ip address/print where interface=vlan1026
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS         NETWORK      INTERFACE
0 192.168.3.1/24  192.168.3.0  vlan1027

from the AP:

### pinging gateway/router
root@OpenWrt:/etc/config# ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: seq=0 ttl=64 time=0.997 ms
^C
--- 192.168.3.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.997/0.997/0.997 ms

### pinging client
root@OpenWrt:/etc/config# ping 192.168.3.5
PING 192.168.3.5 (192.168.3.5): 56 data bytes
64 bytes from 192.168.3.5: seq=30 ttl=64 time=354.360 ms
64 bytes from 192.168.3.5: seq=31 ttl=64 time=71.638 ms
64 bytes from 192.168.3.5: seq=32 ttl=64 time=97.686 ms
64 bytes from 192.168.3.5: seq=33 ttl=64 time=16.917 ms
^C
--- 192.168.3.5 ping statistics ---
34 packets transmitted, 4 packets received, 88% packet loss
round-trip min/avg/max = 16.917/135.150/354.360 ms

^^ AP can ping client and router on vlan 1027

One difference I noticed is the WAX220 doesn't have the 'eth0' Ethernet Switch port. I'm not sure why there would be a switch here, or even if there actually is one, but I can't help but wonder if that's a factor. This device is pretty new to OpenWrt; I had to add a kernel patch just to support the flash chip and get it to even boot, so it's not entirely impossible that something isn't being handled right.


In that case, you can make this network unmanaged.

Delete this:

And edit the iot network as follows:

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

If that doesn't work, it could be related to the way that the lan port is treated -- we might need to do a bridge VLAN config. But reboot the device after making the changes and see if that fixes the problem.


No love, tried it both with the wireless network as '1027 iot' like luci did it and just 'iot'. Same behavior except I can't test ping to the AP from router since 1027 isn't an interface on the AP now.

root@OpenWrt:~# cd /etc/config/
root@OpenWrt:/etc/config# cat wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option network 'iot'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd34:a801:269f::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'lan.1027'

root@OpenWrt:/etc/config# 

What is between your router and your AP? Do you have a managed switch? If so, have you verified that the trunks are properly configured? A good way to test is to set an access port (i.e. just the iot network, untagged + PVID on a given port) and plug a computer into that port. Does it get an IP address via DHCP, and does it get the expected connectivity? If that fails, the issue is the switch or router. If it succeeds, it tells us the AP is the problem.


Nothing at all. The AP is plugged directly into the router. The entire lab consists of a HapAC2 router, a PoE injector, and the AP.

I've confirmed via Wireshark that the packets are leaving the port tagged, and the AP, when configured with managed mode, can talk to the router on vlan1027. And the client.

Just the client can't talk to the router and the router can't talk to the client. It's not answering ARPs, so it's not even a firewall issue, though I set the default policy to accept just in case.

I'm going to sniff the wireless interface on the client next to see if the client even receives the packets, to see exactly where they're being dropped.

The ideal situation would be to verify that the router is working properly for the tagged network. Do you have a managed switch available to run the test I proposed?

The other approach we can do is to try bridge-vlans.

Add the following:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '1027'
	list ports 'lan:t'

Then delete this:

Edit the lan network interface to use br-lan.1

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

and edit the iot network to use br-lan.1027

config interface 'iot'
	option proto 'none'
	option device 'br-lan.1027'

Then reboot the router. If that doesn't work, we need to look upstream.

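A quick sanity check for the two reference mistakes this thread has turned up so far (a wifi-iface "option network" value that names no "config interface" section, as in the first reply, and interfaces bound to br-lan.<vid> devices that only exist if a matching bridge-vlan section declares them), added here as an example; it is not code from this thread, from OpenWrt or from netifd. The sample network and wireless files are constructed, modelled on the bridge-vlan layout suggested above, and the port-flag reading (':t' tagged, '*' PVID, bare name or ':u' untagged) follows netifd's bridge-vlan port syntax. It also flags a port that carries an untagged VLAN alongside tagged ones, the tagged+untagged trunk case raised later in the thread, and refuses a line with an unterminated quote rather than silently accepting it.

```python
import re

# Constructed sample, modelled on the bridge-vlan layout suggested in the thread,
# plus the "1027 iot" network value LuCI generated for the wifi-iface earlier.
NETWORK_CFG = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan:u*'
config bridge-vlan
	option device 'br-lan'
	option vlan '1027'
	list ports 'lan:t'
config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'
config interface 'iot'
	option proto 'none'
	option device 'br-lan.1027'
"""
WIRELESS_CFG = """
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option network '1027 iot'
"""

# a value is single-quoted, double-quoted or bare; a bare value may not start with
# a quote, so a line with an unterminated quote (a bad copy/paste) fails to parse
_VALUE = r"(?:'([^']*)'|\"([^\"]*)\"|([^'\"\s]\S*))"
_SECTION = re.compile(r"config\s+(\S+)(?:\s+" + _VALUE + r")?\s*$")
_KEYVAL = re.compile(r"(option|list)\s+(\S+)\s+" + _VALUE + r"\s*$")

def parse_uci(text):
    """Parse UCI file syntax into [{'type', 'name', 'options', 'lists'}]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SECTION.match(line)
        if m:
            name = next((g for g in m.groups()[1:] if g is not None), None)
            sections.append({'type': m.group(1), 'name': name, 'options': {}, 'lists': {}})
            continue
        m = _KEYVAL.match(line)
        if not m or not sections:
            raise ValueError(f"cannot parse UCI line: {line!r}")
        val = next(g for g in m.groups()[2:] if g is not None)
        if m.group(1) == 'option':
            sections[-1]['options'][m.group(2)] = val
        else:
            sections[-1]['lists'].setdefault(m.group(2), []).append(val)
    return sections

def vlan_port_map(sections):
    """{bridge: {port: {vid: (mode, is_pvid)}}}; netifd flags: ':t' tagged, '*' PVID, else untagged."""
    out = {}
    for s in sections:
        if s['type'] == 'bridge-vlan':
            bridge, vid = s['options']['device'], s['options']['vlan']
            for spec in s['lists'].get('ports', []):
                port, _, flags = spec.partition(':')
                mode = 'tagged' if 't' in flags else 'untagged'
                out.setdefault(bridge, {}).setdefault(port, {})[vid] = (mode, '*' in flags)
    return out

def check_config(network_text, wireless_text):
    """Cross-check network + wireless for the reference mistakes seen in the thread."""
    net, wl = parse_uci(network_text), parse_uci(wireless_text)
    errors, warnings = [], []
    ifaces = {s['name'] for s in net if s['type'] == 'interface'}
    devices = {s['options']['name'] for s in net if s['type'] == 'device' and 'name' in s['options']}
    vmap = vlan_port_map(net)
    devices |= {f"{b}.{v}" for b, ports in vmap.items() for vids in ports.values() for v in vids}
    for s in wl:  # every token of 'option network' must name a 'config interface' section
        if s['type'] == 'wifi-iface':
            for token in s['options'].get('network', '').split():
                if token not in ifaces:
                    errors.append(f"wifi-iface {s['name']}: network '{token}' matches no 'config interface'")
    for s in net:  # an interface bound to br-* must refer to a declared bridge or bridge-vlan
        dev = s['options'].get('device', '')
        if s['type'] == 'interface' and dev.startswith('br-') and dev not in devices:
            errors.append(f"interface {s['name']}: device '{dev}' is not a declared bridge or bridge-vlan")
    for bridge, ports in vmap.items():  # per-port VLAN membership sanity
        for port, vids in ports.items():
            untagged = sorted(v for v, (mode, _) in vids.items() if mode == 'untagged')
            pvids = sorted(v for v, (_, pvid) in vids.items() if pvid)
            if len(untagged) > 1 or len(pvids) > 1:
                errors.append(f"{bridge}/{port}: more than one untagged or PVID VLAN ({untagged}, PVID {pvids})")
            elif untagged and len(vids) > 1:
                warnings.append(f"{bridge}/{port}: untagged VLAN {untagged[0]} shares the trunk with tagged "
                                "VLANs; some peers only accept all-tagged trunks")
    return {'errors': errors, 'warnings': warnings}
```

Run it on the real files with check_config(open('/etc/config/network').read(), open('/etc/config/wireless').read()). On the sample it reports one error (the stray '1027' token) and one warning (VLAN 1 untagged on the same port that carries 1027 tagged), which is exactly the all-tagged experiment suggested later in the thread.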

I put a network tap in the interface between the AP and router.

With this config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd34:a801:269f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'dhcp'

config interface 'iot'
        option proto 'none'
        option device 'br-lan.1027'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '1027'
        list ports 'lan:t'

I'm not seeing anything come through from the AP tagged with vlan 1027, and the packets that should be untagged are coming through with an 802.1Q tag for vlan1.

Of course, no data is coming from the attached wifi client device either.

Btw I really appreciate everyone taking the time to work with me on this. The bridge-vlan config is what I actually thought would solve this, but seems like it's not quite working like it should.

My ultimate goal is actually running a dynamic vlan w/radius and PPSK (have it working with the wax220 and wax218) on this, but obviously there's no point in working on that part until we can get static vlans working.

Sorry, that was the wrong config copy/paste... I'm editing in the correct config that is running now.

Okay, this guy has a switch chip.

Here is the commit that supports it https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=ab12a01cd78772b4cfc82db7d0002c05dc0f97b5

The commit is from win-star who is the manufacturer of the device.

ramips: add support for WAVLINK WL-WN573HX1

Hardware
--------

Specifications:
- Device: WAVLINK WL-WN573HX1 Outdoor AP
- SoC: MT7621AT
- Flash: 16MB
- RAM: 256MB
- Switch: 1 LAN (10/100/1000 Mbps)
- WiFi: MT7905 2x2 2.4G + MT7975 2x2 5G
- LEDs: 1x STATUS (blue, configurable)
1x LAN (green)

Product link:
https://www.wavlink.com/en_us/product/WL-WN573HX1.html

I don't know enough yet to fully understand, but I think this means the "lan" interface is wired to port 3 of the onboard switch chip:

&switch0 {
        ports {
                port@3 {
                        status = "okay";
                        label = "lan";
                };
        };
};

So the question is -- is what I'm doing here enough to tell the switch what to do?

Yes, but...

Maybe it would be good to reset the device to defaults and then post the default config here (just the /etc/config/network file). This way we can ensure that we're looking at all the right device/port names and such.

Otherwise, I suspect one of two things:

  1. there may be something wrong with the upstream insofar as the VLAN not working as intended.
  2. Either or both of the devices involved may not like having an untagged network on the trunk. There are some devices out there that will not work properly when using tagged+untagged on the trunk -- those seem to only work when all networks in a trunk are tagged.

Reset to defaults:

root@OpenWrt:/# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3c:75e7:ada3::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

root@OpenWrt:/# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

I'm pretty confident it's not the upstream device. I have a network tap on the line and there were no packets leaving the AP with anything except a vlan 1 tag, except in my initial configuration.

Also this same lab setup works just fine with a wax220

Just like half of everyone with a problem, I too think it's a bug in the code or how the switch is being handled. I know MT7621 is a very well known controller, but this is a new device, DSA configs are fairly new, so not unfathomable that something isn't quite right here.

But also you may have a point on the tagged+untagged, I've seen it before, even have many fairly high-end switches (looking at you, Juniper QFX) that can't do tagged and untagged on the same port.

It's getting late tonight but will work on it some more tomorrow night. The assistance is much appreciated!

Thanks for indulging the reset to defaults.

I think you should re-implement the bridge-vlan, but this time make all networks tagged on the ethernet port. At the same time, make all networks tagged on the upstream. See if that helps.

Before you do this, make sure you can get to the OpenWrt device via wifi for admin so you don't have to resort to failsafe mode to regain access and fix any issues with the config.

Still no luck. I added lan as tagged vlan10 and iot as tagged vlan1027

I get dhcp packets on the wire tagged with vlan10, but nothing at all from the wireless device.

If I add another managed interface with vlan1027, I get tagged traffic and two-way communications from the AP on both vlans(ap pulls an IP from vlan1027, I have no dhcp running on vlan10 just sniffing the traffic), but nothing from devices connected to the wifi interface. Also in this layout the AP can't ping the client device at all -- in my original setup the AP could ping the router(on vlan1027) and the client device, just the client device and the router could not communicate.

Whatever was going on, the AP is not forwarding the vlan1027 traffic to the client device. With the original config with lan.1027 in a separate bridge, I see wifi client traffic on vlan 1027 from the router. Traffic leaving the router is being tagged with vlan1027, but the AP is not forwarding that traffic to the client device.

Back on the original config, I have confirmed all with lan+wifi sniffers

Traffic to client from AP works.
Traffic to AP from client works
Traffic to AP from router(on vlan1027) works.
Traffic to router(on vlan1027) from router works
Traffic TO router from client on AP works.
Traffic FROM router to client on AP does not work. The packets never leave the AP.