Precisely. vlan 4 is regular trusted lan and vlan 5 is the management network.
I'm off to bed too. Will implement and test 3/guest tomorrow. Much thanks!
Well, I'm pretty bummed. Yesterday when I introduced vlan 3/guest, I got an IP. However, on the first roam to another AP, it connected, my ping dropped, the DHCP logs did not show the DHCPREQUEST or DHCPACK, and I was again back where I started.
I must have gotten a false sense of success with roaming on vlan 2/iot directly after adding the interfaces two nights ago.
I ripped out vlan 3 from the interfaces and the switches and put everything back to the previous night's configuration, but I could no longer roam on vlan 2/iot.
For my own sake, I will tear everything down again this weekend to attempt to reproduce my success, or failure, from two nights ago.
The primary wifi/lan remains working, with roaming, in both instances of adding vlan 2/3.
I have a feeling that in both the vlan 2 and vlan 3 cases roaming is not working, for whatever reason, with my hardware and OpenWrt versions, on vlans other than 1/default. I can't explain why, but at this point the only thing I can point to is vlans.
I would check the switch configs to make sure that the port-membership is set up correctly across all of the relevant links. The easy way to do this is to set up the trunks (i.e. the ports that carry multiple networks) first. Then, on each switch, set up access ports (i.e. only one VLAN, untagged + PVID) for each VLAN. So for example, you could have:
This way you can verify connectivity across all of the switches by simply plugging in a computer into each port in turn.
Also, with respect to the switches, don't change any settings that you don't fully understand. All you really need to be doing is setting the VLAN IDs and port-membership.
Once those are verified end-to-end, we can review your router and AP configs to make sure they're all consistent.
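As an added illustration (not part of this thread or of OpenWrt), here is a small Python script that parses port lists written in the notation used in this thread (1U = VLAN 1 untagged, 2T = VLAN 2 tagged, plus the PVID and the device on the far end) and reports the membership mistakes this advice is meant to catch: a PVID that is not untagged on its port, a VLAN both tagged and untagged, and a switch-to-switch link whose two ends disagree. The sample table is constructed from the posted switch-1/switch-4 entries with one deliberate slip.

```python
import re

PORT_RE = re.compile(r"port (\d+) = (.*?), PVID = (\d+) \((.*?)\)")

def parse_ports(text):
    """Build {switch: {port: {untagged, tagged, pvid, peer}}} from the thread's notation."""
    switches, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PORT_RE.match(line.strip())
        if not m:                      # header line such as "switch-4 (connects ...)"
            current = line.split()[0]
            switches[current] = {}
            continue
        port, members, pvid, peer = m.groups()
        e = {"untagged": set(), "tagged": set(), "pvid": int(pvid), "peer": peer}
        for item in members.split(","):
            item = item.strip()        # "1U" -> VLAN 1 untagged, "2T" -> VLAN 2 tagged
            e["tagged" if item.endswith("T") else "untagged"].add(int(item[:-1]))
        switches[current][int(port)] = e
    return switches

def check_ports(switches):
    """Return a list of membership problems; an empty list means the switch side is consistent."""
    problems = []
    for sw, ports in switches.items():
        for p, e in ports.items():
            if e["pvid"] not in e["untagged"]:
                problems.append(f"{sw} port {p}: PVID {e['pvid']} is not untagged on the port")
            if e["tagged"] & e["untagged"]:
                problems.append(f"{sw} port {p}: a VLAN is both tagged and untagged")
            peer = switches.get(e["peer"])   # only switch<->switch links can be cross-checked
            if not peer:
                continue
            far = [q for q in peer.values() if q["peer"] == sw]
            if far and (far[0]["tagged"], far[0]["untagged"]) != (e["tagged"], e["untagged"]):
                problems.append(f"{sw} port {p} <-> {e['peer']}: VLAN membership differs")
    return problems

# Constructed sample: switch-1 and switch-4 as posted, but with 2T left off
# switch-4 port 1, the kind of slip this advice says to rule out first.
SAMPLE = """\
switch-1
port 1 = 1U, 2T, PVID = 1 (switch-4)
port 3 = 1U, 2T, PVID = 1 (switch-2)
port 23 = 1U, 2T, PVID = 1 (router)
switch-4 (connects switch-1 to switch-3)
port 1 = 1U, PVID = 1 (switch-1)
port 2 = 1U, 2T, PVID = 1 (switch-3)
port 4 = 2U, PVID = 2 (laptop)
"""

if __name__ == "__main__":
    for problem in check_ports(parse_ports(SAMPLE)):
        print(problem)
```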
I reduced my configs as much as possible. I am only running the lan and iot interfaces. I disabled the 2.4 GHz radio.
For all four switches:
Failed roaming:
Switch configurations
switch-1
port 1 = 1U, 2T, PVID = 1 (switch-4)
port 3 = 1U, 2T, PVID = 1 (switch-2)
port 15 = 2U, PVID = 2 (laptop confirmed vlan2+dhcp)
port 23 = 1U, 2T, PVID = 1 (router)
switch-2
port 1 = 1U, 2T, PVID = 1 (switch-1)
port 2 = 1U, 2T, PVID = 1 (AP-2)
port 3 = 2U, PVID = 2 (laptop confirmed vlan2+dhcp)
switch-3
port 1 = 1U, 2T, PVID = 1 (switch-4)
port 2 = 1U, 2T, PVID = 1 (AP-3)
port 3 = 2U, PVID = 2 (laptop confirmed vlan2+dhcp)
switch-4 (connects switch-1 to switch-3)
port 1 = 1U, 2T, PVID = 1 (switch-1)
port 2 = 1U, 2T, PVID = 1 (switch-3)
port 3 = 1U, 2T, PVID = 1 (AP-4)
port 4 = 2U, PVID = 2 (laptop confirmed vlan2+dhcp)
GW
/etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd15:1c23:81c2::/48'
    option packet_steering '1'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wan'
    option device 'eth0'
    option proto 'dhcp'

config interface 'wan6'
    option device 'eth0'
    option proto 'dhcpv6'

config interface 'iot'
    option device 'eth1.2'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
/etc/config/dhcp
config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option localservice '1'
    option ednspacket_max '1232'
    option logdhcp '1'
    option logfacility 'DAEMON'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'
    list dhcp_option '6,192.168.4.31'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config dhcp 'iot'
    option interface 'iot'
    option start '100'
    option limit '150'
    option leasetime '12h'
    list dhcp_option '6,1.1.1.1,1.0.0.1'
/etc/config/firewall
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Allow-IOT-DHCP-and-DNS'
    option src 'iot'
    option dest_port '53 67 68'
    option target 'ACCEPT'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Plex'
    option family 'ipv4'
    list proto 'tcp'
    option src 'wan'
    option src_dport '32400'
    option dest_ip '192.168.4.37'
    option dest_port '32400'

config zone
    option name 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'iot'

config forwarding
    option src 'iot'
    option dest 'wan'
AP-3
/etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd47:5997:0040::/48'
    option packet_steering '1'

config device
    option name 'lan'
    option ipv6 '0'

config device
    option name 'br-lan'
    option type 'bridge'
    option ipv6 '0'
    list ports 'lan'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipv6 '0'
    option gateway '192.168.4.1'
    list dns '192.168.4.31'
    list ipaddr '192.168.4.4/24'

config device
    option name 'wan'

config device
    option name 'br-iot'
    option type 'bridge'
    list ports 'lan.2'
    option ipv6 '0'

config interface 'iot'
    option proto 'static'
    option device 'br-iot'
    option ipaddr '192.168.2.4'
    option netmask '255.255.255.0'
    option gateway '192.168.2.1'
/etc/config/wireless
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'platform/soc/a000000.wifi'
    option band '2g'
    option htmode 'HT20'
    option cell_density '0'
    option channel '1'
    option disabled '1'

config wifi-device 'radio1'
    option type 'mac80211'
    option path 'platform/soc/a800000.wifi'
    option band '5g'
    option htmode 'VHT80'
    option cell_density '0'
    option channel '36'

config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'iot'
    option encryption 'psk2'
    option key 'pw'
    option network 'iot'
    option disabled '1'

config wifi-iface 'wifinet1'
    option device 'radio1'
    option mode 'ap'
    option ssid 'wifi'
    option encryption 'psk2'
    option key 'pw'
    option network 'lan'

config wifi-iface 'wifinet2'
    option device 'radio1'
    option mode 'ap'
    option ssid 'iot'
    option encryption 'psk2'
    option key 'pw'
    option network 'iot'
/etc/config/dhcp
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'
    option ignore '1'
    option dynamicdhcp '0'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '6'
/etc/config/firewall
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
AP-2
/etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd47:5997:0040::/48'
    option packet_steering '1'

config device
    option name 'lan'
    option ipv6 '0'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipv6 '0'
    option gateway '192.168.4.1'
    list dns '192.168.4.31'
    list ipaddr '192.168.4.3/24'

config device
    option name 'wan'

config interface 'iot'
    option proto 'static'
    option device 'br-iot'
    option ipaddr '192.168.2.3'
    option netmask '255.255.255.0'
    option gateway '192.168.2.1'

config device
    option name 'br-lan'
    option type 'bridge'
    option ipv6 '0'
    list ports 'lan'

config device
    option name 'br-iot'
    option type 'bridge'
    list ports 'lan.2'
    option ipv6 '0'
/etc/config/wireless
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'platform/soc/a000000.wifi'
    option channel '1'
    option band '2g'
    option htmode 'HT20'
    option cell_density '0'
    option disabled '1'

config wifi-device 'radio1'
    option type 'mac80211'
    option path 'platform/soc/a800000.wifi'
    option channel '36'
    option band '5g'
    option htmode 'VHT80'
    option cell_density '0'

config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'iot'
    option encryption 'psk2'
    option key 'pw'
    option network 'iot'
    option disabled '1'

config wifi-iface 'wifinet1'
    option device 'radio1'
    option mode 'ap'
    option ssid 'wifi'
    option encryption 'psk2'
    option key 'pw'
    option network 'lan'

config wifi-iface 'wifinet2'
    option device 'radio1'
    option mode 'ap'
    option ssid 'iot'
    option encryption 'psk2'
    option key 'pw'
    option network 'iot'
/etc/config/dhcp
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv4 'server'
    option dhcpv6 'server'
    option ra 'server'
    list ra_flags 'managed-config'
    list ra_flags 'other-config'
    option ignore '1'
    option dynamicdhcp '0'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'
/etc/config/firewall
config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
Ok... let's try another change... make the same changes to both APs (obviously make sure you keep the existing addresses for the lan interface):
Add bridge-vlans to /etc/config/network
config bridge-vlan
    option device 'br-lan'
    option vlan '4'
    list ports 'lan:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan:t'
Then edit the lan to use br-lan.4:
config interface 'lan'
    option device 'br-lan.4'
    option proto 'static'
    option ipv6 '0'
    option gateway '192.168.4.1'
    list dns '192.168.4.31'
    list ipaddr '192.168.4.3/24'
Edit the iot network to use br-lan.2 and also make it unmanaged:
config interface 'iot'
    option proto 'none'
    option device 'br-lan.2'
Restart the APs and test again.
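As an added check (my own code, not from this thread or from OpenWrt), here is a Python script that parses UCI text and flags the two AP layouts at issue here: a bridge built from lan.N sub-interfaces (the br-iot layout from the AP configs above, which did not roam) and an interface on br-lan.N that has no matching bridge-vlan section. The sample is a constructed, cut-down copy of AP-3's original /etc/config/network.

```python
import re

SECTION_RE = re.compile(r"config\s+(\S+)(?:\s+'([^']*)')?")
KV_RE = re.compile(r"(option|list)\s+(\S+)\s+'([^']*)'")

def parse_uci(text):
    """Parse UCI text into (type, name, {key: [values]}) tuples, one per section."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), m.group(2), {}))
        elif (m := KV_RE.match(line)) and sections:
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections

def check_vlans(text):
    """Return the bridge/VLAN problems found in one /etc/config/network; [] if clean."""
    secs = parse_uci(text)
    defined = {(o["device"][0], o["vlan"][0]) for t, _, o in secs if t == "bridge-vlan"}
    problems = []
    for typ, name, o in secs:
        if typ == "device" and o.get("type") == ["bridge"]:
            # A bridge whose ports are 802.1Q sub-interfaces (lan.2): the layout that failed to roam.
            subs = [p for p in o.get("ports", []) if re.fullmatch(r"\w+\.\d+", p)]
            if subs:
                problems.append(f"{o['name'][0]}: bridge over sub-interfaces {subs}; "
                                "define a bridge-vlan on the parent bridge instead")
        elif typ == "interface":
            # br-lan.N only exists once a bridge-vlan with vlan N is defined on br-lan.
            dev = o.get("device", [""])[0]
            if (m := re.fullmatch(r"(br-\w+)\.(\d+)", dev)) and m.groups() not in defined:
                problems.append(f"{name}: device {dev} has no matching bridge-vlan")
    return problems

# Constructed sample: the relevant sections of AP-3's original config, before bridge-vlans.
AP3_BEFORE = """\
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan'
config interface 'lan'
    option device 'br-lan'
config device
    option name 'br-iot'
    option type 'bridge'
    list ports 'lan.2'
config interface 'iot'
    option device 'br-iot'
"""

if __name__ == "__main__":
    for problem in check_vlans(AP3_BEFORE):
        print(problem)
```

Feeding it the bridge-vlan layout from the post above (br-lan.4 and br-lan.2 with their two bridge-vlan sections) returns an empty list.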
Holy shit yeah!!! Not a single dropped packet!!!
Awesome! We made 2 changes... we set up bridge-vlans and we changed the iot network to unmanaged on the APs. If you're curious which one was the key, you could always put the address back into the iot network... but that's not really necessary except for the curiosity of it.
Now you should be able to build out the rest of your VLANs!
It's definitely the bridge-vlans. After my so-called success the other night, the next day when implementing 3/guest, I set up the interface as unmanaged as you had suggested before. I thought I was going crazy when it didn't work; I tore everything down only to discover 2/iot wasn't working either.
I was literally losing my shit.
Ok, 3/guest is straightforward. My next question will be about cutting over from PVID 1 to PVID 4 and what that means for the config?
Also, as I mentioned, I'd like to leverage a mgmt vlan/network for the network gear. Setting that up also seems straightforward.
I'll create the vlans, configure and test 3/guest and report back.
Thank you!!!
Yeah... sorry this was such an ordeal, tearing down basically everything to find that it was simply the bridge-vlans that were the missing link. But we found it now!
You might have noticed that I made the lan VLAN 4 on the APs, but it is currently untagged. But before we change this...
You said you want to make VLAN 5 your management network. Set that up now. VLAN 5 starts at the router, and is tagged on each trunk port on the switch (i.e. the interconnects between the infrastructure devices). On the APs, this VLAN will have an address, but usually a dedicated management network isn't connected to a wifi SSID (it's up to you, of course).
Critically, you'll want to make sure that you can reach all of the APs via VLAN 5. And then, you need to change the management VLAN for your switches to be VLAN 5 (and update the address accordingly). Make sure you can reach the switches on VLAN 5 before moving on.
Once all of that is done, we can move onto the VLAN 4 migration.
EDIT: Setup VLAN 4 tagged on all the same ports as VLAN 5. Then the process will simply be a few adjustments on the APs and router.
I added all the vlans back to the switches 2T through 5T and two management ports 5U. Agreed, I won't be connecting the management network to a wifi SSID. MGMT interface/network bridge created on the router.
Question, is it generally a best practice to create a network bridge between the interface and raw device?
Assuming so I'll continue creating the bridge and interface on the APs.
Your edit, VLAN 4 tagged, is referring to the physical switches?
EDIT: 3/Guest on the APs also tested and confirmed good.
For the APs, you'll need to create a bridge-vlan for VLAN 5, and then you'll connect the management network interface to device br-lan.5.
Yes. Exactly.
So you'll have VLANs 2, 3, 4, 5 -- all tagged on the trunk ports.
great!
Right, dumb reference to the APs for bridges. How about in general? I created a bridge with a single port (eth1.3) for my guest on the router. Just curious if less is generally better or if the abstraction and flexibility of a bridge is generally better.
The router and APs can ping each other over the management interface/network.
For awareness, I intentionally did not setup a DHCP server on the management network.
In the case of your x86 router, you don't need bridges since you don't have a built-in switch and you don't have wifi.
Great. How about the switches? Have you migrated them over to the management network?
That's fine.
Once all of the infrastructure devices are migrated over to VLAN 5, you can make the following edits to the configs:
config bridge-vlan
    option device 'br-lan'
    option vlan '4'
    list ports 'lan:t'
Then, you can remove the address on the lan interface since you have an address on the management interface. So lan/VLAN 4 looks like this:
config interface 'lan'
    option device 'br-lan.4'
    option proto 'none'
Repeat this for all the APs.
Then, you can simply change the lan device (on the router) to eth1.4 like this:
config interface 'lan'
    option device 'eth1.4'
    option proto 'static'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
Restart all the APs and the router and your lan should work on VLAN 4.
Copy all.
So when I cut over the APs to lan:t for vlan 4 and the router lan to eth1.4, I then need to change the PVID to 4 on the switches at the same time, yes?
And does this look good for the management firewall?
config zone
    option name 'mgmt'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'mgmt'

config forwarding
    option src 'mgmt'
    option dest 'guest'

config forwarding
    option src 'mgmt'
    option dest 'iot'

config forwarding
    option src 'mgmt'
    option dest 'lan'

config forwarding
    option src 'mgmt'
    option dest 'wan'
Nothing to add from my side regarding the initial issue, but I wanted to chime in and say that it was very interesting reading this thread and the communication between the two of you. It might very well help me and others out in the future, with all the different VLAN and troubleshooting stuff being dissected. Thanks for that and have a nice weekend!
No, when you have a port specified on the router as eth1.x, it means it is tagged. Same with bridge vlan with lan:t. So you want that vlan set as tagged on those ports.
You can actually leave vlan1 untagged + pvid on the ports - it won’t do anything since you won’t have anything attached to vlan 1 nor will anything be untagged on any of these ports.
Yes. Looks good.
Interesting. I have network engineers that first set me down this path because when they harden networks, it's a violation to leave the default vlan enabled and in use. I can experiment with that later.
Ok, almost everything is working correctly. I put my firewall rules in place that should be forwarding traffic from 192.168.5.x to 192.168.4.x, however it's not working. The network hardware and the management network are unable to reach the trusted vlan 4.
Let’s review the complete config of the router.