Xiaomi ax3200 wlan/lan configuration (Device with DSA)

Hello all,
I am having trouble configuring the device for my needs.
The intended configuration:

-------------------------------------------
| Ethernet..............   Air........... | 
| LAN1   LAN2  LAN3  WAN   WLAN1  WLAN333 |
-------------------------------------------
    |      |      |   | 
    untagged......    Tagged only VLAN 1, 333  Managed Router      Firewall
    |      |      |	  |                        --------------     ---------
    |      |      |   -------------------------|            |-----|       |
    |      |      |                            --------------     ---------
------- --------- ---------                      |  |  |  |
|Dev. | |Dev.   | |Dev.   |                     internal Dev.
|for  | |for    | |for    |
|VLAN1| |VLAN333| |VLAN333|
------- --------- ---------

There should be two logical Networks:

  1. Ethernet LAN1 and SSID WLAN1 should communicate via Ethernet WAN, tagged VLAN 1; devices connected to LAN1 and WLAN1 are not tagged. SSH and web access to the AX3200 should be possible for management via LAN1, WLAN1 and WAN using VLAN 1. IP range 10.0.0.0/24.
  2. Ethernet LAN2, LAN3 and SSID WLAN333 should communicate via Ethernet WAN, tagged VLAN 333; devices connected to LAN2, LAN3 and SSID WLAN333 are not tagged. SSH and web access to the AX3200 should be blocked via LAN2, LAN3, WLAN2 and WAN using VLAN 333. IP range 10.0.1.0/24.

I read the DSA mini tutorial and tried two different configurations:

Configuration 1 (WLAN working, /etc/config/network):

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option macaddr '02:DA:xx:xx:xx:xx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.247'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.0.0.253'

config device
	option name 'wan'
	option macaddr 'd4:da:xx:xx:xx:xx'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '333'
	option name 'wan.333'
	option macaddr 'D4:DA:xx:xx:xx:xx'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '1'
	option name 'wan.1'
	option macaddr '02:DA:xx:xx:xx:xx'

config interface 'wan_333'
	option proto 'static'
	option device 'br-wan_333'
	option ipaddr '10.0.1.247'
	option netmask '255.255.255.0'
	option gateway '10.0.1.253'

config device
	option type 'bridge'
	option name 'br-wan_333'
	list ports 'wan.333'
	option macaddr 'D4:DA:xx:xx:xx:xx'
	option ipv6 '0'

config interface 'wan_1'
	option proto 'static'
	option device 'br-wan_1'
	option ipaddr '10.0.0.247'
	option netmask '255.255.255.0'
	option gateway '10.0.0.253'

config device
	option type 'bridge'
	option name 'br-wan_1'
	list ports 'wan.1'
	option macaddr '02:DA:xx:xx:xx:xx'
	option ipv6 '0'

The Network for WLAN1 is wan_1
The Network for WLAN333 is wan_333

What works with configuration 1 (WLAN OK):

  • Access WLAN1 <-> Ethernet WAN VLAN1
  • Access WLAN333 <-> Ethernet WAN VLAN333
  • Access to the AX3200 for Management via LAN-Ports or WLAN1

What does not work with configuration 1:

  • The AX3200 can't communicate via the WAN port; NTP etc. does not work
  • LAN1 to LAN3 cannot communicate via the WAN port (which is to be expected with this configuration)
  • SSH and web access to the AX3200 are not blocked via LAN2, LAN3, WLAN2 and WAN using VLAN 333

Configuration 2 (best so far, /etc/config/network):

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option macaddr '02:DA:xx:xx:xx:xx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.247'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.0.0.253'
	list dns '10.0.0.253'

config device
	option type 'bridge'
	option name 'br-wan_333'
	option macaddr 'D4:DA:xx:xx:xx:xx'
	option ipv6 '0'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan.333'

config device
	option type 'bridge'
	option name 'br-wan_1'
	option macaddr '02:DA:xx:xx:xx:xx'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'wan.1'

config interface 'wan_333'
	option proto 'static'
	option device 'br-wan_333'
	option ipaddr '10.0.1.247'
	option netmask '255.255.255.0'
	option gateway '10.0.1.253'

config interface 'wan_1'
	option proto 'static'
	option device 'br-wan_1'
	option ipaddr '10.0.0.247'
	option netmask '255.255.255.0'
	option gateway '10.0.0.253'

With regards to WLAN no changes to configuration 1:

  • The Network for WLAN1 is wan_1
  • The Network for WLAN333 is wan_333

What works with configuration 2 (almost there, but WLAN333 does not work):

  • Access WLAN1 <-> Ethernet WAN VLAN1
  • The AX3200 can communicate via the WAN port; NTP etc. does work
  • Access to the AX3200 for management via LAN ports or WLAN1
  • Access LAN1 <-> Ethernet WAN VLAN1
  • Access LAN2 and LAN3 <-> Ethernet WAN VLAN333

What does not work with configuration 2:

  • Access WLAN333 <-> Ethernet WAN VLAN333: I can only reach the AX3200; a ping to an IP address fails
  • SSH and web access to the AX3200 are not blocked via LAN2, LAN3, WLAN2 and WAN using VLAN 333

Any help getting both the LAN ports and WLAN working is appreciated.

Thank you, Nikolaus
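As an added example (not from the original post), the same two-network layout expressed with DSA bridge VLAN filtering on a single bridge, plus a firewall zone that rejects SSH/LuCI access from VLAN 333. Assumptions: the AX3200's wan port is a DSA switch port that can join the bridge like lan1-lan3, and the interface name and zone name vlan333 are mine; only one interface carries a default gateway so the router has a single default route.

```uci
# /etc/config/network (added example; interface name 'vlan333' is assumed)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

# VLAN 1: untagged and PVID ('u*') on lan1, tagged ('t') on the uplink port
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'wan:t'

# VLAN 333: untagged and PVID on lan2/lan3, tagged on the uplink port
config bridge-vlan
	option device 'br-lan'
	option vlan '333'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'wan:t'

# Management network 10.0.0.0/24 on VLAN 1; the only interface with a gateway
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '10.0.0.247'
	option netmask '255.255.255.0'
	option gateway '10.0.0.253'

# 10.0.1.0/24 on VLAN 333; no gateway, so no second default route
config interface 'vlan333'
	option device 'br-lan.333'
	option proto 'static'
	option ipaddr '10.0.1.247'
	option netmask '255.255.255.0'

# /etc/config/firewall: reject all traffic addressed to the router itself
# (SSH, LuCI) arriving from VLAN 333; the 'lan' zone keeps input ACCEPT
config zone
	option name 'vlan333'
	list network 'vlan333'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
```

In /etc/config/wireless, point the WLAN1 wifi-iface at `option network 'lan'` and the WLAN333 wifi-iface at `option network 'vlan333'`; after `/etc/init.d/network restart`, `bridge vlan show` should list VLAN 1 and 333 per port as above (VLAN 1 is also the Linux bridge default PVID, so it is worth checking that the wan port really carries it tagged).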