Hello,
I've a problem when i try to connect to servers or PC using the WiFi of a Lede client AP.
This is my network:
Suppose I have a sharing server on 192.168.1.10
Note: I know i should not mix Untagged and Tagged on the same port, but I do not have managed switch, and this is the way I've found that makes main network 192.168.1.0/24 works on alla switch, and guest network 192.168.11.0/24 works on guest(+main) AP.
I'm sure i miss something, but i don't get where.
Thank you!
jeff
June 29, 2018, 10:10pm
2
I think that is "expected behavior"
On the GUEST network, you're on 192.168.11.0/24 (I assume) and 192.168.1.10 is on another network. You're not allowing routing from GUEST to LAN and back again, assuming that is something you want to permit.
Thank you jeff, I didn't explain well, let's try again with another example:
wifiMain (192.168.1.0/24)
wifiGuest (192.168.11.0/24)
Router Main 192.168.1.1 is configured with wifiMain as a bridge with Lan interface (untagged) and wifiGuest as a bridge of Guest interface on internal VLAN switch #11 (tagged)
AP secondary 192.168.1.5 is configured with wifiMain as a bridge with Lan interface (untagged) and wifiGuest as a bridge of Guest interface on VLAN #11 (tagged)
jeff
June 30, 2018, 1:32pm
4
Perhaps best if you post your /etc/config/network (use the </> button so that it gets posted as "code" in a scrolling box), as well as which physical Ethernet ports you're using to connect the two APs.
1 Like
You are right Jeff!
Main router side network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda4:92ec:7808::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_dev'
option name 'eth0.1'
option macaddr '11:22:33:44:55:00'
config interface 'wan'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option proto 'pppoe'
option username 'USERNAME'
option password 'PASSWORD'
option ipv6 'auto'
option ifname 'eth0.2'
config device 'wan_dev'
option name 'eth0.2'
option macaddr '11:22:33:44:55:01'
config interface 'wan6'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option ifname 'eth0.2'
option proto 'none'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '4 6t'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '11'
option ports '0 3t 6t'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.11.1'
option netmask '255.255.255.0'
option type 'bridge'
option _orig_ifname 'eth0 wlan0-1'
option _orig_bridge 'true'
option ifname 'eth0.11'
Main router side firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'guest'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'wan'
option src 'guest'
Main router side dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option local '/lan/lab.local/'
option domain 'lab.local'
list server '8.8.8.8'
list server '208.67.222.222'
option nonwildcard '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option leasetime '12h'
option force '1'
option limit '49'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
config dhcp 'guest'
option interface 'guest'
option start '100'
option leasetime '12h'
option force '1'
option limit '49'
Main router side wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/10180000.wmac'
option htmode 'HT20'
option country 'IT'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'wifiapap'
option encryption 'psk-mixed'
option key '**********'
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'wifiapguest'
option encryption 'psk-mixed'
option key '**********'
option network 'guest'
AP side network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd63:5e7c:1f22::/48'
config interface 'lan'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.8'
option gateway '192.168.1.1'
option _orig_ifname 'eth0 radio0.network1'
option _orig_bridge 'true'
option ifname 'eth0.1'
option dns '192.168.1.1'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option _orig_ifname 'eth1'
option _orig_bridge 'false'
option proto 'none'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 2 3 4'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '11'
option ports '0t 1 4t'
config interface 'guest'
option type 'bridge'
option _orig_ifname 'eth0.2 wlan0-1'
option _orig_bridge 'true'
option proto 'static'
option ipaddr '192.168.11.8'
option netmask '255.255.255.0'
option gateway '192.168.11.1'
option dns '192.168.11.1'
option ifname 'eth0.11'
AP side firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option forward 'REJECT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option name 'guest'
option network 'guest'
option forward 'REJECT'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'wan'
option src 'guest'
AP side dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
AP side wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'platform/qca953x_wmac'
option htmode 'HT20'
option txpower '19'
option country 'IT'
option channel '6'
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'wifiap'
option encryption 'psk-mixed'
option network 'lan'
option key '**********'
config wifi-iface
option device 'radio0'
option mode 'ap'
option key '**********'
option network 'guest'
option ssid 'wifiapguest'
option encryption 'psk-mixed'
Hello,
I think i get it, it's the AP that has issues using mixed Untagged and Tagged on the same port. I think the router I'm using does not support this.any suggestion to solve this with just one router, and unmanaged switch like my network has?
1 Like
You can tag all ports if the unmanaged switch does jumbo frames, or otherwise can handle the extra VLAN header.
Hello and thank @lleachii , I can not tag all the ports cause I need the main DHCP server port untagged, otherwise my wired network device/pc does not get any address, also i think I've some old switch here that does not support jumbo frames.