VLANs over wireless backhaul (with multiple SSIDs)

Hey folks!

I have AP 1 with two SSIDs - let's call them lan_ssid (which is VLAN 1) and guest_ssid (VLAN 30) - following the advice given in this post.

I also have AP 2 that, for the moment, cannot be wired to the network. So I'm stuck with a wireless backhaul for now.

I found contradicting info but no clear-cut guide. In this post it is said that I need a third SSID, a trunk-SSID, to carry the VLANs.
Here we are given more options:

  • Multiple SSIDs for WDS links for each VLAN - good for a couple before beacon pollution becomes a major concern
  • VLANs over GRE over client/AP or IBSS or 802.11s or ...
  • VLANs over batman-adv over client/AP or IBSS or 802.11s or ...
  • OpenVPN (tap) over client/AP or IBSS or 802.11s or ...

As of now, LAN_SSID on AP 2 works whether I include the bridge-vlans or not.
GUEST_SSID on AP 2 doesn't work with the bridges or without. I tried including the wifi port but it made no difference.
This is the current state of my attempt:

AP 2
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan_wanport'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'phy0-sta1'
	option stp '1'

config device
	option name 'lan1'
	option macaddr '***'

config device
	option name 'lan2'
	option macaddr '***'

config device
	option name 'lan3'
	option macaddr '***'

config device
	option name 'lan_wanport'
	option macaddr '***'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan_wanport:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:t'
	list ports 'phy0-sta1:u*'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.10.4'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'
	list dns '192.168.30.1'

config interface 'guest'
	option device 'br-lan.30'
	option proto 'none'

/etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option channel '1'
	option htmode 'HT20'
	option cell_density '0'
	option txpower '15'
	option beacon_int '1000'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'LAN_SSID'
	option encryption 'psk2'
	option key '***'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option ssid 'LAN_SSID'
	option encryption 'psk2'
	option key '**'
	option wds '1'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'sta'
	option network 'guest'
	option ssid 'GUEST_SSID'
	option encryption 'psk2'
	option key '***'
	option wds '1'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'GUEST_SSID'
	option encryption 'psk2'
	option wds '1'
	option key '***'
	option network 'guest'

/etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

/etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.10.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Is what I'm trying to do possible? If so, what am I doing wrong?
Thanks!

I personally wouldn't do it like that. Instead, I would use Batman Adv as the backhaul as it can do vlans natively.

Alternatively you could use something like VXLAN instead of vlans but I'm not experienced with it so I don't really know.

I'll try to learn a little about them, thanks

I run multiple VLANs over a wireless VXLAN trunk to allow for multiple SSID APs.


Not a valid option: this requires the coexistence of multiple client WiFi interfaces on one card; many WiFi cards do not allow that.

EDIT: I stand corrected, it does work on Netgear WAX202. Still, it is not a universally valid option.

Valid solution; you can also use VXLANs instead of VLAN over GRE, and "VXLAN over client/AP" is the solution that @Lynx uses.

One advantage of VXLAN here is that VXLAN contains the code to send appropriate fragmentation-needed ICMP messages when bridged to a link with an insufficient MTU, without capping the MTU. I.e., you can transport an MTU=1500-on-paper link (that you can bridge to other MTU=1500 links) over an MTU=1500 backhaul.
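As an added example (not from the thread or the OpenWrt project), here is the "VXLAN over client/AP" layout applied to the OP's setup: the working WDS link stays as the L3 path and a VXLAN tunnel carries the guest VLAN between the two APs. AP 1's address 192.168.10.2 and the tunnel section name being usable directly as a bridge port are assumptions; VXLAN itself has no authentication, so both endpoints sit on the trusted LAN subnet and the tunnel rides the WPA2-protected WDS link.

```uci
# Added example: VXLAN "guest trunk" between the two APs. Assumptions:
# AP 1 has LAN address 192.168.10.2 (placeholder), AP 2 keeps its WDS link
# and 'lan' at 192.168.10.4, the 'vxlan' package is installed on both.

# ---------- AP 2: /etc/config/network (sections to add) ----------
# UDP/4789 tunnel to AP 1 over the already-working 'lan' interface (WDS link).
config interface 'vx30'
	option proto 'vxlan'
	option tunlink 'lan'
	option ipaddr '192.168.10.4'
	option peeraddr '192.168.10.2'
	option vid '30'
	option port '4789'
	# keep 1500 so bridging the tunnel does not shrink the bridge MTU;
	# oversize frames are handled as described in the reply above
	option mtu '1500'

# Guest clients on AP 2 get their own bridge: tunnel + guest AP only.
# Nothing else is attached, so guest traffic cannot leak into VLAN 1.
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'vx30'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

# ---------- AP 2: /etc/config/wireless ----------
# Keep 'default_radio0' (LAN AP), 'wifinet2' (WDS sta to LAN_SSID) and
# 'wifinet4' (GUEST_SSID AP, network 'guest'); drop the second sta
# 'wifinet3' and the 'wds' option on 'wifinet4', they are no longer needed.

# ---------- AP 1: /etc/config/network (sections to add) ----------
config interface 'vx30'
	option proto 'vxlan'
	option tunlink 'lan'
	option ipaddr '192.168.10.2'
	option peeraddr '192.168.10.4'
	option vid '30'
	option port '4789'
	option mtu '1500'

# Attach the tunnel untagged to AP 1's existing VLAN 30 (merge this port
# into the bridge-vlan section that already defines vlan '30' on br-lan).
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'vx30:u*'
```

After `/etc/init.d/network restart` on both APs, `ip -d link show vx30` should list the tunnel with the expected remote, and a guest client on AP 2 should obtain a lease from the VLAN 30 DHCP server behind AP 1.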

I have never tried it (I promise I will), but, as already mentioned, batman-adv natively supports VLANs and naturally stacks on top of 802.11s.

Please don't. It's slow, has a lot of overhead, and no advantages over VXLAN.


I think the WAX202 is fine with this. I also get

	valid interface combinations:
		 * #{ IBSS } <= 1, #{ AP, mesh point } <= 16, #{ managed } <= 19,
		   total <= 19, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

when running iw phy0 info.
If that's the case, wouldn't it be simpler?

Lol. Duly noted!

Will give VXLAN and batman adv a shot.

Hm... I also have a WAX202, and can confirm that multiple client interfaces on the 2.4 GHz radio are indeed possible:

Yes and it has worked just perfectly for ages now across upgrades. Thanks again for that suggestion @patrakov! Allows me to use three separate and non-overlapping 2.4 GHz channels for guest network over 5 GHz WDS connection.

How's the performance? Do you use multicast addresses?

Performance is fine, yes I use multicast. Read the forum post I quoted for details.

VXLAN is just a simple outer UDP packet, which is fairly light regarding resource consumption. On an x86 system it's only like 2 or 3 percent lower transfer rates.