Xiaomi Mi Router 4A GE with vlan and multiple vlan doesn't work

For the last couple of years I'm enjoying the use of OpenWrt on different hardware platforms, but now I'm running into a problem.

Situation :

Xiaomi Mi Router 4A Gigabit Edition with OpenWrt 23.05.0. The uplink to the switch is on port 2.
On the switch there are 2 networks. Untagged: 192.168.43.x/24, and tagged (as VLAN 34): 192.168.34.x/24. Both networks are connected to a pfSense firewall.

On network 192.168.43.x/24 the IP address of the access point is 192.168.43.253/24. On the 192.168.34.x/24 network the IP address of the access point is 192.168.34.253/24. Both work fine; the access point is manageable through both IP addresses. On the router there are 2 wifi networks defined: WireLess300 (connected to the lan bridge) and WireLess30 (connected to the lan34 bridge).

On the WireLess300 part it all works fine; the problem is in the WireLess30 part. There is no network traffic between the wifi interface and the lan34 bridge. When I set up static IP addresses on the wifi clients (connected to WireLess30) they can ping each other, so the radio part seems to work. I can't seem to find what the problem is here. All the firewall zones are gone. The dnsmasq, firewall and odhcpd services are stopped and disabled. There is no difference between using the br-lan.34 bridge and setting up VLAN 34 on lan2 and then creating a bridge with the lan2 port in it. The results are the same: the interfaces work, bridging to the wifi radio doesn't. My other OpenWrt device (TP-Link Archer C7) works just fine with the same VLAN etc.

I could use some help. What am I missing ?

ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt300-4A",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}


cat /etc/config/network

# /etc/config/network as posted: a plain bridge (br-lan) plus an 802.1q
# sub-device for VLAN 34 stacked on top of that bridge.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd32:72fb:3761::/48'

# Bridge over lan1 and lan2. There are no bridge-vlan sections in this
# listing, so VLAN filtering is not configured on the bridge.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

# Static management address of the access point on the untagged network.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.43.253'
        option gateway '192.168.43.254'
        list dns '192.168.43.254'
        option ip6assign '64'

# VLAN 34 is declared as an 802.1q device on top of the bridge itself
# (ifname 'br-lan'), not as a VLAN membership of the bridge's ports.
config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '34'
        option name 'br-lan.34'

# lan34 requests an address via DHCP on VLAN 34.
# NOTE(review): with an address on this interface the access point's own
# services are reachable from VLAN 34 too (the post says it is manageable on
# both addresses). If VLAN 34 is a less-trusted segment, proto 'none' would
# leave this interface without an address -- confirm what the segment is for.
config interface 'lan34'
        option proto 'dhcp'
        option device 'br-lan.34'


cat /etc/config/wireless

# /etc/config/wireless as posted. The 'key' values were masked with '#'
# characters by the poster before publishing.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option channel '3'
        option country 'US'
        option txpower '23'

# 2.4 GHz SSID attached to the 'lan' interface; psk2 is WPA2-PSK.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key '#############'
        option ssid 'WireLess300'
        option wmm '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option htmode 'VHT40'
        option cell_density '0'
        option country 'US'
        option channel '48'

# 5 GHz SSID, also attached to the 'lan' interface.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key '###########'
        option ssid 'WireLess300-5G'

# Second SSID on radio0. There is no 'option network' in this section, so the
# SSID is not attached to any interface or bridge -- consistent with the post:
# clients reach each other over the radio but nothing beyond it. The reply in
# the thread adds option network 'lan34' here.
# NOTE(review): clients on this SSID can reach each other (observed in the
# post); option isolate '1' blocks that if this segment is meant for
# untrusted clients -- confirm the intended use.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'WireLess30'
        option encryption 'psk2'
        option key '#########'
        option wmm '0'


cat /etc/config/dhcp

# /etc/config/dhcp as posted. Per the post, the dnsmasq and odhcpd services are
# stopped and disabled, so these settings are not active on the device.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebinding protection is switched on.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        # Upstream resolver is the gateway on the untagged network.
        list server '192.168.43.254'
        # '0' lets reverse lookups for private address ranges be forwarded
        # to the upstream server instead of being answered locally.
        option boguspriv '0'

# 'ignore 1' means no DHCP is served on 'lan'; the start/limit/leasetime
# values below are therefore unused.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


cat /etc/config/firewall

# /etc/config/firewall as posted: only the defaults section is left. Per the
# post, all zones were removed and the firewall service is stopped and
# disabled, so nothing in this file is enforced at runtime.
# NOTE(review): input 'ACCEPT' with no zones (or no firewall at all) leaves
# access to the access point's own services unrestricted on every interface
# that has an address, including VLAN 34. That is common for a bridging-only
# AP on trusted segments; revisit it if VLAN 34 carries untrusted clients.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

You need to use bridge vlan filtering.

#/etc/config/network

...

# Suggested replacement for the bridge/VLAN part of /etc/config/network:
# VLANs become bridge-vlan memberships of br-lan, and each interface is
# bound to the matching br-lan.<vid> device.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

# VLAN 1 on both ports, listed without a ':t' suffix -- presumably untagged,
# matching the untagged 192.168.43.x network on the uplink.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'

# VLAN 34 is tagged (':t') on lan2 only. lan1 is not a member, so VLAN 34
# is not configured on that port.
config bridge-vlan
        option device 'br-lan'
        option vlan '34'
        list ports 'lan2:t'

# Management interface now sits on the VLAN 1 sub-device of the bridge.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.43.253'
        option gateway '192.168.43.254'
        list dns '192.168.43.254'

# lan34 still takes an address via DHCP on VLAN 34.
# The metric presumably keeps a DHCP-learned default route on VLAN 34 less
# preferred than the static gateway on 'lan' -- confirm.
# NOTE(review): an address here keeps the access point's own services
# reachable from VLAN 34; proto 'none' would avoid that if the address is
# not needed.
config interface 'lan34'
        option proto 'dhcp'
        option device 'br-lan.34'
	    option metric '10'

Also add option network 'lan34' to 'wifinet2' and remove option wmm '0'.

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_networks_using_vlan_tagging


For the last couple of hours I've been testing your solution with 2 routers (Xiaomi Mi Router 4A GE and a Cudy WR3000), but I can't get it running. For testing I've removed the wan port and connected it to the same switch (same configuration, untagged 192.168.43.x/24 and 34 tagged 192.168.34.0/24). When I add the bridge interface on the wan port and don't change anything, the connection to the untagged network is made. When I enable 'bridge vlan filtering' and just add VLAN 34 as tagged, the connection isn't made. Both DHCP and fixed IP don't work.

# Test configuration from the follow-up post: the wan port is placed in its
# own bridge (br-wan) with VLAN 34 tagged on it.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd97:d08c:15e8::/48'

# The lan bridge has no bridge-vlan sections in this listing.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.43.248'
	option netmask '255.255.255.0'
	option gateway '192.168.43.254'

# Separate bridge holding only the wan port; bridge_empty '1' lets the bridge
# exist even when it has no ports, and ipv6 '0' turns IPv6 off on it.
config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'wan'
	option ipv6 '0'
	option bridge_empty '1'

# The interface is bound to the bare bridge 'br-wan', not to a VLAN
# sub-device, although the only bridge-vlan section below is VLAN 34 tagged.
# The reply in the thread points this out: the device must be 'br-wan.34'.
config interface 'brwan'
	option proto 'dhcp'
	option device 'br-wan'

# VLAN 34 tagged (':t') on the wan port.
config bridge-vlan
	option device 'br-wan'
	option vlan '34'
	list ports 'wan:t'

I thought the above solution would set the wan port on VLAN 34 tagged, but it doesn't seem to work. What am I doing wrong?

The device must be br-wan.34.

Ok, changed, now it's this

cat /etc/config/network
# Test configuration after the correction: 'brwan' is bound to the VLAN 34
# sub-device of br-wan. Per the thread, the failure that remained was a
# missing VLAN 34 tag on an upstream switch port, not this file.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd97:d08c:15e8::/48'

# The lan bridge has no bridge-vlan sections in this listing.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.43.248'
	option netmask '255.255.255.0'
	option gateway '192.168.43.254'

# Separate bridge holding only the wan port.
config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'wan'
	option ipv6 '0'
	option bridge_empty '1'

# DHCP client on VLAN 34 of br-wan, matching the bridge-vlan section below.
config interface 'brwan'
	option proto 'dhcp'
	option device 'br-wan.34'

# VLAN 34 tagged (':t') on the wan port.
config bridge-vlan
	option device 'br-wan'
	option vlan '34'
	list ports 'wan:t'

The result is the same: no IP address, and the MAC address doesn't show up in the pfSense ARP cache. It seems OpenWrt thinks the interface is up; it's transmitting something, but there aren't any answers.

Protocol: DHCP client
MAC: 80:AF:CA:1A:69:29
RX: 0 B (0 Pkts.)
TX: 22.29 KB (70 Pkts.)

PEBKAC !!!

After changing so many things during the last hours and resetting the switch to factory defaults, the tagged port (with VLAN 34) to the firewall was overlooked. Just changed it and now it's working.

Thank you so much for your help. It's clear now. Create the vlans on the bridge and use the 802.1q as the device for the interface and use the interface for the wifi solution.