Hey there,
I have 22.03.2 installed on my WRT3200ACM, and I am trying to set up a VLAN trunk from my Unifi AP-AC-Pro to my OpenWRT. I have 3 networks set up on my AP with VLAN IDs 12, 13, and 20. My AP is plugged into port 1 on my WRT3200. I should also note that the AP requires VLAN 1 to be untagged, as it’s the management port, for it to work correctly with the Cloud Key; there is possibly an option to change this to a tagged VLAN, which I will do once I get my VLANs working.
I have been using VLAN 13 as my testing ground to make sure that I get things up and running correctly.
I have tried both excluding lan1 from the br-lan device and setting up a lan1.13 device, and then assigning it to an interface with a dhcp server on it, as well as just adding vlan 13 to the br-lan bridge device and setting port 1 to tagged without any success. I have also tried making sure that I was not mixing tagged and untagged on the same port.
The ultimate goal is to have my networks on the AP, each with a separate VLAN pointing to my OpenWRT, which would serve the dhcp for each network. Eventually each network will have its own firewall rules; however, to get it initially set up I have been testing it by adding the vlan device to the lan firewall rules.
uci network export
# Network config as first exported by the poster (OpenWrt 22.03.2, DSA-style
# bridge-vlan). Address plan seen here: lan 10.10.10.1/24 on br-lan.1,
# wan 192.168.2.254/24 with gateway 192.168.2.1.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd91:0bc4:d066::/48'
# br-lan bundles all four LAN ports; lan1 is the AP uplink (per the question above).
config device
option name 'br-lan'
option type 'bridge'
# IPv6 is disabled on the bridge device while the 'lan' interface below still
# sets ip6assign — NOTE(review): confirm which of the two is intended.
option ipv6 '0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# VLAN 1 membership with no ':t' / ':u*' suffix on any port. The reply further
# down makes the untagged + PVID membership explicit with ':u*'.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# Main LAN, addressed on the VLAN 1 sub-device of the bridge.
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.10.10.1'
# WAN: static address behind 192.168.2.1 (presumably an upstream router, i.e.
# double NAT); the MAC was redacted by the poster. DNS is pinned to 8.8.8.8.
config device
option name 'wan'
option macaddr scrubbed
option ipv6 '0'
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr '192.168.2.254'
option netmask '255.255.255.0'
option gateway '192.168.2.1'
list dns '8.8.8.8'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# VLANs 12, 13 and 20 are carried tagged on lan1 only (the AP trunk); no other
# port is a member of them in this export.
config bridge-vlan
option device 'br-lan'
option vlan '12'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '13'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan1:t'
# Hand-written 8021q device named 'br-lan.13'. The bridge-vlan section for
# VLAN 13 above already yields a 'br-lan.13' device, so this stanza duplicates
# that name and appears to be a leftover from testing.
config device
option name 'br-lan.13'
option type '8021q'
option ifname 'br-lan'
option vid '13'
# Interface name is mixed case ('Vlan13'). The firewall and dhcp configs posted
# further down reference 'vlan13' (lowercase); UCI names are case sensitive, so
# as written this interface belongs to no firewall zone and has no DHCP pool.
# An interface in no zone is governed by the firewall 'defaults' section, which
# on this box has input ACCEPT.
config interface 'Vlan13'
option proto 'static'
option device 'br-lan.13'
option ipaddr '10.10.13.1'
option netmask '255.255.255.0'
# Same case issue; nothing in the posted firewall or dhcp configs references
# 'vlan12' at all.
config interface 'Vlan12'
option proto 'static'
option device 'br-lan.12'
option ipaddr '10.10.12.1'
option netmask '255.255.255.0'
# The paste is cut off here (closing quote missing on the last line); the rest
# of this stanza is not on the page.
config device
option name 'br-lan.12'
option type '8021q
If VLAN 1 is supposed to be untagged on all 4 ports, make it explicit like this (adding `:u*`):
# Suggested replacement for the VLAN 1 section: ':u*' marks each port as
# untagged member with VLAN 1 as its PVID, instead of the suffix-less list in
# the poster's export.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
This section can be removed.
and this one, too:
Let's take a look at your firewall and dhcp files.
firewall
# Firewall config as posted (22.03 runs fw4/nftables).
# Global policy; it applies to traffic on interfaces that belong to no zone,
# while the per-zone settings below take precedence for zoned interfaces.
# Note input is ACCEPT here, so any interface that fails to land in a zone
# (e.g. because of a name mismatch) is open to incoming connections.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option drop_invalid '1'
option forward 'REJECT'
# 'lan' zone: fully open; forward ACCEPT also permits traffic between members
# of this zone.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Wildcard: every tun* interface (presumably the OpenVPN tunnel matched by the
# 'ovpn' rule below) lands in the trusted lan zone — TODO confirm intended.
list device 'tun+'
list network 'lan'
# Matches an interface named exactly 'vlan13'. The first network export names
# it 'Vlan13' (mixed case), so this entry is dangling until the name is
# lowercased.
list network 'vlan13'
# No 'vlan1' interface exists in either posted network config — stale reference.
list network 'vlan1'
# 'wan' zone: incoming traffic REJECTed, NAT (masq) on, MSS clamping on.
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
# Only lan -> wan forwarding; no forwardings are defined for the VLAN networks.
config forwarding
option src 'lan'
option dest 'wan'
# The rules from here through 'Support-UDP-Traceroute' are the stock OpenWrt
# defaults. Every one carrying enabled '0' is switched off; of this group only
# Allow-DHCP-Renew is active.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
# Legacy iptables include. NOTE(review): on 22.03 (fw4) such an include is not
# executed unless it is marked fw4_compatible — confirm whether it is still
# needed or can be dropped.
config include
option path '/etc/firewall.user'
# Inbound OpenVPN from the internet on UDP/1194; this rule is enabled.
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'
# lan -> lan traffic is already permitted by the zone's forward 'ACCEPT' above,
# so this rule is redundant.
config rule
option name 'accept lan'
list proto 'all'
option src 'lan'
option dest 'lan'
option target 'ACCEPT'
# Leftovers from testing: a second, empty 'defaults' section and a second zone
# that reuses the name 'lan' with an all-DROP policy and claims vlan13.
# Duplicate zone names make the resulting policy ambiguous; this tail should go.
config defaults
config zone
option name 'lan'
option input 'DROP'
option forward 'DROP'
list network 'vlan13'
option output 'DROP'
dhcp
# DHCP/DNS config as posted.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# Rejects upstream answers that point at private ranges (DNS rebinding protection).
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
# Serve DNS only to clients on directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
# DHCPv4 pool for 'lan' (.100 - .249 from start/limit) plus RA in managed mode.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# No DHCP is served towards wan.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
# maindhcp '0' leaves DHCPv4 to dnsmasq; odhcpd handles RA/DHCPv6 only.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static lease for the Pi-hole; the MAC was redacted by the poster (the curly
# quotes are a forum artefact, not UCI quoting).
config host
option name 'Pihole'
option dns '1'
option mac ‘scrubbed’
option ip '10.10.10.218'
# Pool bound to an interface named 'vlan13'. The first network export names the
# interface 'Vlan13' (mixed case), so no pool is attached until it is lowercased.
config dhcp 'vlan13'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'vlan13'
# No 'vlan1' interface exists in either posted network config; this pool is
# unused and looks like a leftover.
config dhcp 'vlan1'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'vlan1'
Change the interface names to all lowercase (vlan12 and vlan13).
The reason for this change is that OpenWrt is case sensitive. You have lowercase versions of these interface names in your dhcp and firewall files, but not the mixed-case ones (Vlan12 and Vlan13), which means there is no firewall or DHCP association with those networks. The fastest fix is simply to change the network names to lowercase (and this is considered best practice anyway).
So I noticed when I went to make that change, that there was a bunch of junk still in there from when I was testing. I went ahead and cleaned it up. The interface appears to be lowercase:
# Network config after the poster's cleanup: the VLAN 13 interface is now
# lowercase and the Vlan12 / br-lan.12 leftovers are gone.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd91:0bc4:d066::/48'
config device
option name 'br-lan'
option type 'bridge'
# IPv6 disabled on the bridge device while 'lan' below still sets ip6assign —
# NOTE(review): confirm which of the two is intended.
option ipv6 '0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# VLAN 1 is now explicitly untagged + PVID (':u*') on all four ports.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.10.10.1'
# WAN unchanged from the first export: static address behind 192.168.2.1,
# MAC redacted, DNS pinned to 8.8.8.8.
config device
option name 'wan'
option macaddr 'scrubbed'
option ipv6 '0'
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr '192.168.2.254'
option netmask '255.255.255.0'
option gateway '192.168.2.1'
list dns '8.8.8.8'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# VLANs 12, 13 and 20 tagged on lan1 only (the AP trunk).
config bridge-vlan
option device 'br-lan'
option vlan '12'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '13'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan1:t'
# Per-port device stanza for lan1 with IPv6 disabled; probably a leftover from
# testing — the next reply says some sections can still be removed.
config device
option name 'lan1'
option ipv6 '0'
# Name now matches the 'vlan13' references in the firewall and dhcp configs.
config interface 'vlan13'
option proto 'static'
option ipaddr '10.10.13.1'
option netmask '255.255.255.0'
option device 'br-lan.13'
# The bridge-vlan section for VLAN 13 already yields a 'br-lan.13' device; this
# explicit 8021q definition reuses the same name and looks redundant.
config device
option name 'br-lan.13'
option type '8021q'
This can be removed...
and this:
Also, are you certain that your downstream device (presumably a managed switch) is configured properly for VLANs 12 and 13 tagged on the uplink port?
Removed those other entries.
Downstream on port 1 is the Ubiquiti AP directly, and the wireless networks on it are set to VLAN Only mode (VLANs 12, 13, 20), so they should carry only tagged traffic. The management network on the AP works fine (VLAN 1 untagged); it gets a 10.10.10.xxx address from the lan interface.
ok... and I take it that it is still not working, right?
Let's try this:
# Suggested bridge-vlan layout from the reply: VLAN 1 untagged/PVID on lan1
# only; VLANs 12, 13 and 20 stay tagged on lan1 (the AP trunk) and each is
# additionally untagged on one of lan2..lan4 so a laptop can be plugged in to
# test that network. Note that lan2-lan4 leave VLAN 1 in this layout.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
config bridge-vlan
option device 'br-lan'
option vlan '12'
list ports 'lan1:t'
list ports 'lan2:u*'
config bridge-vlan
option device 'br-lan'
option vlan '13'
list ports 'lan1:t'
list ports 'lan3:u*'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan1:t'
list ports 'lan4:u*'
From here, you can plug a computer into each physical port and verify that the networks are functioning properly. lan1 will still carry the main lan (VLAN 1) untagged plus the other VLANs tagged; ports 2-4 will be VLANs 12, 13, and 20 respectively (all untagged).
Yeah, it's still not working as it stands. I will have to make the config change tomorrow, as the physical device is currently inaccessible to test with.
I brought my equipment into work to put it on the healing bench and test it out.
After making the changes to the interfaces, and plugging my laptop into them, the ports are assigning the correct ip's on the correct networks. I also tested the wireless networks and now they too are assigning the correct ips. I'm going to take my equipment back home after work and set it back up and see if it works tonight.
great... glad it is working on the 'healing bench' 
If it doesn't work when you get home, chances are that you have an issue with your vlan configuration on the UAP.
Took it home, and it's working now. Thanks for your assistance. Wondering if Openwrt needed a reboot before the vlans started working correctly.
A reboot works, but so will a restart of the network service:
# Re-reads /etc/config/network and applies it to the running state (a reboot
# does the same); edits to the config files are not picked up until one of
# these happens.
/etc/init.d/network restart
These are necessary because the config files are read and turned into a running configuration at boot, but not re-read unless explicitly told to do so. I'm sorry I didn't mention that.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! 