WAN and LAN on the same port?

It is DSA. If there are bugs, that is obviously an issue. But it won’t work with swconfig syntax because it is not swconfig.

I would work directly with the text file here rather than using luci.

Can you post the default network config of the wax202? I’ll try to make the edits into the file (I’m on mobile at the moment, so it is easiest to start from fresh/default than to try to fix other versions).

I'm not using swconfig syntax. I tested it out of desperation and failed.
Like I said, all I'm doing is creating two 802.1q tags attached to lan1.

I've tried both LuCI and the code you posted via PuTTY. I can create the bridge-vlan just fine, but as soon as I add vlan to the ports, things go wrong.

The default network is pretty generic:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd0f::::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr ':::::'

config device
        option name 'lan2'
        option macaddr ':::::'

config device
        option name 'lan3'
        option macaddr ':::::'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr ':::::'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

Try using this file in its entirety.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd0f::::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan3:u*'
	list ports 'lan3:u*'


config device
        option name 'lan1'
        option macaddr ':::::'

config device
        option name 'lan2'
        option macaddr ':::::'

config device
        option name 'lan3'
        option macaddr ':::::'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr ':::::'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'lan1:t'

config interface 'wanb '
        option device 'br-lan.9'
        option proto 'dhcp'

config interface 'wanb6'
        option device 'br-lan.9'
        option proto 'dhcpv6'

Nope. Locked out of the router again. "Device unreachable! Still waiting for device..." Had to do another hard reset.

Btw, I assume the bridge-vlan ports needed to be lan1:u*, lan2:u* and lan 3:u*... not lan 3 twice.

Besides all this, does having a second WAN come in over a trunk to a LAN port like this require a change to the firewall?

How were you connected to the device? What other connections were present?
Ideally, you've got only a single connection to the WAX202 for this initial test... use lan2 or lan3 connected directly to your computer, no other connections at all.

The default LAN address (192.168.1.1) does not match what you will ultimately need for your network to operate properly, but we want to focus on making the minimum set of changes to prove the configuration works/doesn't work before moving on.

Yes, sorry for the typo. I did that while on mobile.

Yes, but that can be handled later... we first want to get the network config file working.

I kept the IP as 192.168.3.1.
I made the changes from a PC on the other end, but after saving I couldn't connect from that PC or the one connected directly to port 3.

This means you changed the address from the default?

On the other end meaning connecting through the E3200?

This means there were still multiple connections?

Try starting with factory reset state and a single physical connection -- your computer directly connected to either LAN2 or LAN3, and no other network connections.

Then make the changes I recommended earlier directly using a text editor.

add:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'lan1:t'

config interface 'wanb '
        option device 'br-lan.9'
        option proto 'dhcp'

config interface 'wanb6'
        option device 'br-lan.9'
        option proto 'dhcpv6'

and edit the lan's device from 'br-lan' to 'br-lan.1'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

Restart the router and see what happens. Ideally, you should get an IP address on your PC via DHCP in the 192.168.1.0/24 network and you should be able to reach the router at 192.168.1.1. If that works, we can make the additional edits required.

Okay. I'll try again when I have a chance, but I'm getting a bit annoyed with OpenWrt.

I just found out today that I had the wifi set up wrong... and insecurely. I only discovered that trying to set up guest wifi which is crazy complicated.

I'm thisclose to flashing the router back to the OEM firmware, using it as a WAP and putting a switch in between it and the Linksys which can load balance with Fresh Tomato which is orders of magnitude easier to deal with.

I really appreciate your help here, that's been awesome, but this is burning up so much time I don't have.

I understand the frustration. DSA is relatively new and requires a bit of learning before it can work. And there are some devices that may have some bugs... but mainly, the key is using a very methodical approach in configuring and troubleshooting.

Guest wifi is well documented and should be pretty straightforward. However, I'll admit that some of this stuff can be a bit tough for people who are new to OpenWrt -- there is a learning curve. IMO, the devs have done an excellent job making OpenWrt very usable in a basic/default configuration for all experience levels. What you are trying to do is actually pretty advanced and very unique/bespoke for your specific needs, so there isn't really an easy way to make it significantly easier -- you just have to learn in a bit of a trial-by-fire way. Once you internalize what's going on, it will begin to feel pretty natural.

My biggest issue is while I'm learning, my network is likely insecure, besides occasionally unstable.

Let’s solve one technical issue at a time. We can review for security at each major step.

Okay. I just don't get it. I did a factory reset then copy pasted what you said.

Loading LuCI afterwards and it loaded but clicking on network interface resulted in: RPC call to uci/get failed with ubus code 9: Unspecified error
at handleCallReply (http://192.168.1.1/luci-static/resources/rpc.js?v=git-22.361.69894-438c598:15:1)

Plugged cable into WAN port and trunk into port 1 and nothing changed.

Changed ip to 192.168.3.1 with cables unplugged again and nothing changed.

Replugged the cables and realized there was WAN based internet, but no MultiWan.

Installed mwan3 package and mwan3 LuCI packages. No change.

Now able to check MultiWAN manager, it says wanb has no tracking.

Noticed that the MultiWAN manager Interface has same error as Network Interface

Used PuTTY to match my previous mwan3 settings (I can post these if you'd like). Mostly deleted several of the MWAN Members and configured the MWAN Policy. Rebooted and MultiWAN manager now says wanb status is disabled.

Added back the rest of the interface options to network lans, but not the option type bridge, like you said.

Discovered the error keeping the interface page from appearing was because I copy pasted your post and there was a space between the b and the apostrophe: config interface 'wanb '
Rebooted and wanb was running and interface was accessible.

Added for dhcp:

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'

No change.

Moved Wanb and b6 to wan firewall zone with wan and wan6... speedtest then showed load balancing was working.

Made sure all the rest of the settings matched my previous ones and the router is still up and running.
This makes no sense, but it's working!

Now to make sure the firewall configuration is right and figure out the guest wifi.

Edit: I am noticing some websites are hitting me with CAPTCHAs that didn't before and a stream I tested with ffmpeg resulted in a TLS error. Is that normal for multiwan?
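
The config mistakes that came up in this thread (a port listed twice so that lan2 ends up in no VLAN, a trailing space in `'wanb '`, an interface pointing at a bridge or VLAN with no matching `bridge-vlan`) can be caught before a reboot. This is an added example, not part of any post above: `lint_network` and `sample_network` are hypothetical names, the sample is constructed from the file posted earlier, and the port check assumes VLAN filtering is active as soon as a bridge has any `bridge-vlan` section.

```shell
#!/bin/sh
# Constructed sample: bridge/VLAN part of the file posted in this thread,
# keeping its two typos (lan3 listed twice, trailing space in the wanb name).
sample_network() {
cat <<'EOF'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan3:u*'
    list ports 'lan3:u*'
config interface 'lan'
    option device 'br-lan.1'
config bridge-vlan
    option device 'br-lan'
    option vlan '9'
    list ports 'lan1:t'
config interface 'wanb '
    option device 'br-lan.9'
    option proto 'dhcp'
EOF
}
# lint_network [FILE]: one finding per line; reads stdin when no FILE is given.
lint_network() {
awk '
function val(   q, n) { n = split($0, q, "\047"); return (n >= 3) ? q[2] : $3 }
{   # a quoted value padded with blanks, such as a section name ending in a space
    n = split($0, q, "\047")
    for (i = 2; i <= n; i += 2)
        if (q[i] ~ /^[ \t]|[ \t]$/) printf "line %d: blank inside quotes [%s]\n", NR, q[i]
}
$1 == "config" { s++; type[s] = $2; name[s] = val(); next }
$1 == "option" { opt[s, $2] = val(); next }
$1 == "list" && $2 == "ports" { ports[s] = ports[s] " " val() }
END {
    for (i = 1; i <= s; i++) {
        if (type[i] == "device" && opt[i, "type"] == "bridge") isbridge[opt[i, "name"]] = 1
        if (type[i] != "bridge-vlan") continue
        b = opt[i, "device"]; v = opt[i, "vlan"]; vlan[b "." v] = 1; filtered[b] = 1
        m = split(ports[i], p, " ")
        for (j = 1; j <= m; j++) {
            sub(/:.*/, "", p[j])                 # drop the :u* / :t suffix
            if ((i, p[j]) in seen) printf "vlan %s: port %s listed twice\n", v, p[j]
            seen[i, p[j]] = 1; member[b, p[j]] = 1
        }
    }
    for (i = 1; i <= s; i++) {
        b = opt[i, "name"]; d = opt[i, "device"]; k = index(d, ".")
        if (type[i] == "device" && (b in filtered)) {
            m = split(ports[i], p, " ")
            for (j = 1; j <= m; j++)
                if (!((b, p[j]) in member)) printf "bridge %s: port %s is in no bridge-vlan\n", b, p[j]
        }
        if (type[i] != "interface") continue
        if (d in filtered) printf "interface %s: on %s itself, expected %s.<vid>\n", name[i], d, d
        if (k && (substr(d, 1, k - 1) in isbridge) && !(d in vlan))
            printf "interface %s: no bridge-vlan for %s\n", name[i], d
    }
}' "$@"
}
sample_network | lint_network
```

On the router it would be run as `lint_network /etc/config/network` before restarting the network; no output means none of these checks fired.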

Great. I was pretty confident that it would work... a space would certainly explain the problem.

Please post your complete config for review and then I can also guide you through the guest wifi configuration. Regarding the guest wifi - will that need to be on multiple APs, or just this one?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

So in my first setup with the wifi, I had the wireless network with the LAN and the WANs. Yeah, probably not good, but I had no info suggesting otherwise.
What I'm looking to do is have the 5 & 2.4GHz for our regular network access and then an additional 5GHz only guest network.

Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd82::::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr ':::::'

config device
        option name 'lan2'
        option macaddr ':::::'

config device
        option name 'lan3'
        option macaddr ':::::'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr ':::::'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option broadcast '1'
        option metric '20'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option metric '30'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '9'
        list ports 'lan1:t'

config interface 'wanb'
        option device 'br-lan.9'
        option proto 'dhcp'
        option metric '10'

config interface 'wanb6'
        option device 'br-lan.9'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option metric '40'

Wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option country 'US'
        option cell_density '0'
        option channel '2'
        option htmode 'HE20'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid ''
        option encryption 'psk2'
        option key ''
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option country 'US'
        option cell_density '0'
        option channel '128'
        option htmode 'HE80'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option key ''
        option ssid ''
        option network 'lan'

dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'

Firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wanb'
        list network 'wanb6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Also, here is the mwan3 because the setup was based on a youtube video, that honestly, I don't understand the settings.
Also, I don't know if it gives any sort of favoritism to the ISP, but I did lower the metric of WANb since its speed is more stable, but WANa has functioning IPv6.

config interface 'wan'
        option enabled '1'
        list track_ip '1.0.0.1'
        list track_ip '1.1.1.1'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option initial_state 'online'
        option track_method 'ping'
        option reliability '1'
        option count '1'
        option size '56'
        option max_ttl '60'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'

config interface 'wan6'
        list track_ip '2606:4700:4700::1001'
        list track_ip '2606:4700:4700::1111'
        list track_ip '2620:0:ccd::2'
        list track_ip '2620:0:ccc::2'
        option family 'ipv6'
        option enabled '1'
        option initial_state 'online'
        option track_method 'ping'
        option reliability '1'
        option count '1'
        option size '56'
        option max_ttl '60'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'

config interface 'wanb'
        list track_ip '1.0.0.1'
        list track_ip '1.1.1.1'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '1'
        option enabled '1'
        option initial_state 'online'
        option track_method 'ping'
        option count '1'
        option size '56'
        option max_ttl '60'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'

config interface 'wanb6'
        list track_ip '2606:4700:4700::1001'
        list track_ip '2606:4700:4700::1111'
        list track_ip '2620:0:ccd::2'
        list track_ip '2620:0:ccc::2'
        option family 'ipv6'
        option reliability '1'
        option enabled '1'
        option initial_state 'online'
        option track_method 'ping'
        option count '1'
        option size '56'
        option max_ttl '60'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wanb_m1_w3'
        option interface 'wanb'
        option metric '1'
        option weight '3'

config member 'wan6_m1_w3'
        option interface 'wan6'
        option metric '1'
        option weight '3'

config member 'wanb6_m1_w3'
        option interface 'wanb6'
        option metric '1'
        option weight '3'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m1_w3'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m1_w3'
        option last_resort 'unreachable'

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'balanced'

config rule 'default_rule_v4'
        option dest_ip '0.0.0.0/0'
        option use_policy 'balanced'
        option family 'ipv4'

config rule 'default_rule_v6'
        option dest_ip '::/0'
        option use_policy 'balanced'
        option family 'ipv6'

Whew.

Ok... this looks fine.

You can follow the guest wifi guide. I recommend starting with creating the guest network interface first (and DHCP server), and then associate the new guest network with a new firewall zone, and finally link it with a wifi SSID.

If you want to take it one step at a time, do the network interface first and then we'll review.

Is the mwan3 really correct? It's so... weird with metrics, weights and interfaces that generate something like triple the members that are recommended you delete... honestly, I have no idea what I did, I just duplicated what the video recommended.

I don’t really know about mwan3 configs - I just looked at the rest of your setup.

For mwan3 specific questions, open a new thread - this will help get eyes on the specifics you are asking about.

Okay. Started that thread. As far as you know, is the firewall safe for Port 1? AFAIK just tagging the packets it SHOULD be safe, but I'm not sure.

Yes... port 1 has your lan (untagged VLAN 1) in the lan firewall zone. and then it has tagged VLAN 9 as your second wan (assigned to the wan firewall zone). All is good there.

And now that you have a new thread for mwan3 questions, maybe we should close this one given that the original issue (WAN + LAN on one port) has been solved. If you want to continue with guest network stuff, start a new thread on that -- feel free to tag me in and I'll continue working with you on that.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
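
The reasoning in the answer above (untagged VLAN 1 on port 1 ends up in the lan zone, tagged VLAN 9 ends up in the wan zone) can be derived mechanically from the network and firewall files. This is an added example, not code from any poster: `zone_report` and `write_sample` are hypothetical names, the sample is constructed from the sections posted in this thread, and the script assumes that a DHCP-client interface is an uplink and that an interface in no zone falls under the `config defaults` policy.

```shell
#!/bin/sh
# Constructed sample: VLAN, interface and zone sections as posted in this thread.
write_sample() {   # write_sample DIR
cat > "$1/network" <<'EOF'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '9'
    list ports 'lan1:t'
config interface 'lan'
    option device 'br-lan.1'
config interface 'wanb'
    option device 'br-lan.9'
    option proto 'dhcp'
config interface 'wanb6'
    option device 'br-lan.9'
    option proto 'dhcpv6'
EOF
cat > "$1/firewall" <<'EOF'
config defaults
    option input 'ACCEPT'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
config zone
    option name 'wan'
    option input 'REJECT'
    list network 'wan'
    list network 'wanb'
    list network 'wanb6'
EOF
}
# zone_report NETWORK FIREWALL: port -> VLAN -> interface -> zone -> input policy.
zone_report() {
awk '
function val(   q, n) { n = split($0, q, "\047"); return (n >= 3) ? q[2] : $3 }
function zn(x)  { return (x in zone) ? zone[x] : "NONE" }
function inp(x) { return (x in zone) ? input[x] : dflt }   # no zone: defaults apply
$1 == "config" { s++; type[s] = $2; name[s] = val(); next }
$1 == "option" { opt[s, $2] = val(); next }
$1 == "list"   { lst[s, $2] = lst[s, $2] " " val() }
END {
    for (i = 1; i <= s; i++) {
        if (type[i] == "defaults") dflt = opt[i, "input"]
        if (type[i] == "interface") ifs[opt[i, "device"]] = ifs[opt[i, "device"]] " " name[i]
        if (type[i] != "zone") continue
        m = split(lst[i, "network"] " " opt[i, "network"], p, " ")
        for (j = 1; j <= m; j++) { zone[p[j]] = opt[i, "name"]; input[p[j]] = opt[i, "input"] }
    }
    for (i = 1; i <= s; i++) {
        if (type[i] == "interface" && opt[i, "proto"] ~ /^dhcp/ && inp(name[i]) == "ACCEPT")
            printf "WARN uplink %s zone=%s input=ACCEPT\n", name[i], zn(name[i])
        if (type[i] != "bridge-vlan") continue
        m = split(lst[i, "ports"], p, " ")
        k = split(ifs[opt[i, "device"] "." opt[i, "vlan"]], f, " ")
        for (j = 1; j <= m; j++) for (l = 1; l <= k; l++)
            printf "%s vlan=%s if=%s zone=%s input=%s\n", p[j], opt[i, "vlan"], f[l], zn(f[l]), inp(f[l])
    }
}' "$1" "$2"
}
tmp=$(mktemp -d) && write_sample "$tmp" && zone_report "$tmp/network" "$tmp/firewall"
rm -rf "$tmp"
```

A `WARN` line appears when a DHCP-client interface sits in a zone (or in no zone) whose input policy is ACCEPT, which is the state `wanb` was in before it was moved into the wan zone.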