Yet another VLAN setup question

Hi Everyone,

I'll try to be as verbose as I possibly can in order to help others help me :slight_smile:

I should note that while I seem to understand how VLAN tagging/untagging/PVID works, I simply cannot apply it in the real world. I use them at work with Ubiquiti but it's very point-n-clicky to make work so this is new territory for me.

I've uninstalled wpad-basic-wolfssl and installed hostapd-wolfssl and with a couple of modifications (see here: https://patchwork.ozlabs.org/project/openwrt/patch/20150715184908.3be2464f@samsung/), OpenWRT is sending the MAC address to OPNSense and authentication happens (or fallback VLAN is provided.) I saw another post about modifying /etc/config/network and adding "dynamic vlans 2" but I'm not that far into it yet (see here: 802.1X dynamic VLAN with DSA config - #4 by fodiator)

I have an 8 port Aruba Instant On 1930 switch (non-POE; latest firmware 2.7.x) where I've got the following connected:

  • Port 1: OPNSense FW
  • Port 5: OpenWRT 22.03.03 fresh install on GL-iNET B1300/Convexa-B via uboot then sysupgrade from OEM Luci interface. WAN port has been removed and interface added to default br-lan (eth1) I've also disabled the firewall, dnsmasq and odhcpd.

Right now everything lives on default VLAN1 which uses 192.168.1.x/24 with DHCP provided by OPNsense.

On OPNsense I have 3 VLANs defined:

VLANs are 192.168.vlanid.1/24 and bound to interfaces. I can ping all the gateways from a machine connected on VLAN1 without issue. I believe OPNSense is acting as a layer3 device in this case.

Switch is currently 192.168.1.2/32

  • Port 1: OPNSense is 192.168.1.254/24
  • Port 5: OpenWRT is 192.168.1.1/24 (eth0)

On the switch, for port#1, I've tagged VLANS 20,90,99 and left VLAN 1 as untagged
On the switch, for port#5, I've tagged VLANS 20,90,99 and left VLAN 1 as untagged
PVID on all ports is VLAN 1

On OpenWRT: Network > Interfaces > Devices > br-lan > Configure

  • Enable VLAN Bridge Filtering
  • Tag egress VLANS 20,90,99 on eth0
  • Untag egress VLAN1 on eth0
  • eth1 has nothing set (just a minus character; not participating I guess?)

If I understand this correctly, I need OPNSense and OpenWRT ports to act as trunks (port#1,#5), so all VLANs are tagged and VLAN 1 is untagged.

Unfortunately, I end up locking myself out and waiting 1.5 minutes to revert. I'm just not getting it apparently and starting to get frustrated. I think I'm getting way ahead of myself on the setup to make this successful. I tried setting this up with the WAN port being the management interface and while I don't get locked out, I don't think VLANs are working and I'm unsure how to test if they are with a workstation (possibly setting IP accordingly and in NIC properties, set the VLAN ID? It's a Windows 10 workstation in this use-case.)

Ultimately what I'm trying to do this is:

  • "core" devices like OPNSense,OpenWRT live on VLAN1, makes it easy. This would be my "management" VLAN. It's a home network so I can live with possible security issues doing this. I want all WebUI management interfaces accessible here.
  • OpenWRT authenticates to OPNSense when a client connects to Wi-Fi (working w/patch above)
  • Client then participates on whatever VLAN-id is sent from OPNSense to OpenWRT
  • I can disable inter-VLAN routing or uses FW to block access from one VLAN to another to protect VLAN1 from other VLANs where necessary (this is not on OpenWRT side)

I'm positive OPNSense is set up correctly, I believe the switch is set up correctly but I'm running into issues getting OpenWRT set up as I keep locking myself out and having to revert. I'm sure I'm missing something obvious but can't see the tree through the forest.

Can someone please guide me where I'm going wrong or what I'm missing here? It would be very much appreciated.

Add the pvid in eth0 for vlan1. It's the *

I tried this after posting above, same result (all VLANs + your suggestion): I end up waiting 1.5 min to revert.

I'm accessing the device via Wi-Fi access point (ASUS ap in "ap mode"; it is not VLAN aware that I know of; RT-AC3100) to switch to device connected to same switch:

me >>> wifi-ap wired into port 2 on switch >>> port 5 on switch OpenWrt eth0 (middle port on device)

I even tried just adding VLAN1 by itself using the above:

And I end up waiting 1.5min to revert changes.

Not sure where it's falling over.

How exactly are you achieving this? Are you using 802.1x? Or something else?

Let's see the config in text form:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

OPNSense is running FreeRADIUS, the switch has 802.1X enabled in MAC authentication mode (I've seen it referred to as MAB; not enforced currently) and on the OPNSense side I can see in the FreeRADIUS logs that OpenWRT is passing a MAC address w/o delimiters as username/password. It authenticates successfully but I haven't gotten far enough yet to actually drop a client on a different VLAN.

I'm having OpenWrt send the client MAC address as user/password and then intend to redirect to whatever VLAN I want the device to be in.

I followed (I admit) only some of the guide to turning OpenWrt into a "dumb AP", then started work on MAC auth for Wi-Fi and am now trying to get VLANs to work (no clients are connected to OpenWrt in this work; see previous post on how I'm connecting to OpenWrt.)

This part works as I would expect it to but has been removed until I get the VLAN problem sorted out to remove any extra work I've done, so this is stock OpenWrt with the modifications made in my first post, Wi-Fi isn't even enabled yet but I have configured it in preparation:

EDIT: Clarification: This is stock OpenWrt without the MAC-Auth/MAB patch noted in first post. I've only deleted the WAN interface and added it to br-lan and configured the Wi-Fi settings but it's not turned on yet.

Device info: https://openwrt.org/toh/gl.inet/gl-b1300

Here is the config you asked for:

BusyBox v1.35.0 (2023-01-03 00:24:21 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.3, r20028-43d71ad93e
 -----------------------------------------------------
root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/network > diag.log
root@OpenWrt:~# cat /etc/config/wireless >> diag.log
root@OpenWrt:~# cat /etc/config/dhcp >> diag.log
root@OpenWrt:~# cat /etc/config/firewall >> diag.log
root@OpenWrt:~# cat diag.log

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd4:99fc:a724::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '3 4 0'


config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'wpa2'
        option auth_server '192.168.1.254'
        option auth_port '1812'
        option auth_secret '<redacted>'
        option acct_server '192.168.1.254'
        option acct_port '1813'
        option acct_secret '<redacted>'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'


config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~#

I'm a bit confused... your earlier screenshots seem to indicate a device that is using DSA, but the config files show that this is still a swconfig device. I'm not sure how this is possible.

Yes, if I go into Network > Switch, there is configuration there but I didn't create it:

Maybe this device doesn't support DSA and needs swconfig instead?

Ah... now I understand. This image below appeared to be a DSA config... but this is probably not what you want to use...

Instead, you want to use the swconfig page if you want to add VLANs.


Yes, I followed Youtube videos on using DSA as that's the new method in v21+

How can I determine if my device supports DSA or not?

I will test with swconfig in the interim but I have to create a boatload of devices/etc I think (I seem to recall DSA is less effort.)

EDIT: I was able to create another VLAN without being locked out:

I think I got it right by being tagged on eth0 and off on the rest.

If there is a swconfig page (or the switch definitions in your config file), your device is swconfig.


That settles that, thanks I will continue moving forward. Much appreciated!

I'm resurrecting this because I feel I'm almost there but not sure I'm doing this correctly as I still can't get it working. After discovering my device does not use DSA, I proceeded to create VLANS using swconfig. I completely started over, fresh install with:

  • wpad-basic-wolfssl removed and hostapd-wolfssl installed
  • firewall disabled & rules deleted & in/out/fwd=accept, dnsmasq disabled and odhcpd disabled
  • /etc/resolv.conf is a physical file instead of symlink containing nameserver 192.168.1.254 (FW)
  • patch from beginning of thread to get OpenWrt to send MAC address for authentication to RADIUS
  • aruba switch config remains the same. dhcp snooping enabled on all vlans, port1+5 marked trusted and port 5 enabled for MAC authentication (PAP)
  • MAC address configured in FreeRADIUS on FW, successfully authenticates and VLAN99 (configured) is passed back to OpenWrt

I created a VLAN bridge device called br-vlan backed by eth0 (cpu) and then added a VLAN device with tag 99 and then an unmanaged interface called VLAN99 backed by br-vlan.99 and then in Switch config, added VLAN 99 being tagged on eth0 (cpu) and untagged on all other ports. In Wireless, I set the network on 2.4/5GHz to be VLAN99

This nets me network devices br-vlan, br-vlan.99 and eth0.99 -- when connecting with my phone to the SSID, I authenticate successfully, OpenWrt recognizes the client is supposed to be on VLAN 99 (via hostapd) spins up wlan1.99 and the phone sits there waiting for DHCP which never happens and disconnects from SSID. On the OPNSense router I have VLAN 99 configured and a DHCP scope targeting the VLAN for 192.168.99.100-200

EDIT: If I configure my phone MAC to VLAN 1 in FreeRADIUS, I can connect successfully to VLAN 1 over wireless

Using logread, I can see the transaction happen:

Sun Mar  5 20:42:12 2023 daemon.info hostapd: wlan1: STA 11:22:33:44:55:66 RADIUS: VLAN ID 99
Sun Mar  5 20:42:12 2023 daemon.err hostapd: VLAN: vlan_add: ADD_VLAN_CMD failed for br-vlan: File exists
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.106987] br-vlan99: port 1(br-vlan.99) entered blocking state
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.107045] br-vlan99: port 1(br-vlan.99) entered disabled state
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.112864] device br-vlan.99 entered promiscuous mode
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.118089] device br-vlan entered promiscuous mode
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.124829] br-vlan99: port 2(wlan1.99) entered blocking state
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.127811] br-vlan99: port 2(wlan1.99) entered disabled state
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.134425] device wlan1.99 entered promiscuous mode
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.139974] br-vlan99: port 2(wlan1.99) entered blocking state
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.144813] br-vlan99: port 2(wlan1.99) entered forwarding state
Sun Mar  5 20:42:12 2023 daemon.info hostapd: wlan1: STA 11:22:33:44:55:66 IEEE 802.11: authenticated
Sun Mar  5 20:42:12 2023 daemon.info hostapd: wlan1: STA 11:22:33:44:55:66 IEEE 802.11: associated (aid 1)
Sun Mar  5 20:42:12 2023 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 11:22:33:44:55:66
Sun Mar  5 20:42:12 2023 daemon.info hostapd: wlan1: STA 11:22:33:44:55:66 RADIUS: starting accounting session 8407B7890598D480
Sun Mar  5 20:42:12 2023 daemon.info hostapd: wlan1: STA 11:22:33:44:55:66 WPA: pairwise key handshake completed (RSN)
Sun Mar  5 20:42:12 2023 daemon.notice hostapd: wlan1: EAPOL-4WAY-HS-COMPLETED 11:22:33:44:55:66
Sun Mar  5 20:42:30 2023 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 11:22:33:44:55:66
Sun Mar  5 20:42:30 2023 daemon.info hostapd: wlan1: STA 11:22:33:44:55:66 IEEE 802.11: disassociated
Sun Mar  5 20:42:31 2023 daemon.info hostapd: wlan1: STA 11:22:33:44:55:66 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Sun Mar  5 20:42:31 2023 kern.info kernel: [ 1672.612508] br-vlan99: port 2(wlan1.99) entered disabled state
Sun Mar  5 20:42:31 2023 kern.info kernel: [ 1672.674655] device wlan1.99 left promiscuous mode
Sun Mar  5 20:42:31 2023 kern.info kernel: [ 1672.674995] br-vlan99: port 2(wlan1.99) entered disabled state
Sun Mar  5 20:42:31 2023 daemon.err hostapd: VLAN: br_delif: Failure determining interface index for 'wlan1.99'
Sun Mar  5 20:42:31 2023 kern.info kernel: [ 1672.858341] device br-vlan.99 left promiscuous mode
Sun Mar  5 20:42:31 2023 kern.info kernel: [ 1672.858395] device br-vlan left promiscuous mode
Sun Mar  5 20:42:31 2023 kern.info kernel: [ 1672.862583] br-vlan99: port 1(br-vlan.99) entered disabled state

Here is my /etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

Here is my /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb0:6b8b:6528::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 3 4'
        option vid '1'

config device
        option name 'eth0'

config device
        option type 'bridge'
        option name 'br-vlan'
        list ports 'eth0'
        option bridge_empty '1'

config device
        option type '8021q'
        option ifname 'br-vlan'
        option vid '99'
        option name 'br-vlan.99'

config interface 'VLAN99'
        option proto 'none'
        option device 'br-vlan.99'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t'
        option vid '99'

Here is my /etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'CA'
        option cell_density '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option key 'EDCBA7568'
        option encryption 'psk2+ccmp'
        option macfilter 'radius'
        option auth_server '192.168.1.254'
        option auth_secret '<redacted>'
        option auth_port '1812'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'br-vlan'
        option vlan_naming '1'
        option vlan_bridge 'br-vlan'
        option rsn_preauth '1'
        option network 'VLAN99'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'CA'
        option cell_density '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2+ccmp'
        option key 'EDCBA7568'
        option macfilter 'radius'
        option auth_server '192.168.1.254'
        option auth_secret '<redacted>'
        option auth_port '1812'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'br-vlan'
        option vlan_naming '1'
        option vlan_bridge 'br-vlan'
        option rsn_preauth '1'
        option network 'VLAN99'

On the FreeRADIUS server:

Sun Mar  5 19:31:01 2023 : Auth: (34) Login OK: [112233445566/112233445566] (from client OpenWRT port 0 cli 11-22-33-44-55-66)
Sun Mar  5 20:06:57 2023 : Auth: (36) Login OK: [778899001122/778899001122] (from client SWITCH port 5 cli 77-88-99-00-11-22)

The only thing I notice here other than successful authentication is that OpenWrt is passing port 0 (it's in port 5 physically on the switch) and the 2nd MAC address is OpenWrt LAN (untagged 1) and I can see in the switch interface it's successfully authenticated to VLAN 1 (which is what I have this MAC configured to in FreeRADIUS where I want it.)

Now I'm totally stuck as I've run out of ideas on how to troubleshoot this.
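
Added example (mine, not from this thread or from OpenWrt): a POSIX shell/awk filter for `logread` output that pairs each station's `RADIUS: VLAN ID` line with its connect/disconnect state and lists every hostapd `VLAN:` error, so a client that authenticated but never got an address (as in the log above) can be traced to the step that failed. The lines in `sample_log` are constructed in the format shown above with placeholder MACs; the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise hostapd dynamic-VLAN events from logread output.
# For each station it reports the VLAN ID RADIUS returned and whether the STA
# is still connected, and it lists hostapd "VLAN:" errors, which mean the
# VLAN plumbing (bridge / tagged interface) was not built for that station.

# Constructed log lines in the format the thread shows (placeholder MACs).
sample_log() {
cat <<'EOF'
Sun Mar  5 20:42:12 2023 daemon.info hostapd: wlan1: STA 11:22:33:44:55:66 RADIUS: VLAN ID 99
Sun Mar  5 20:42:12 2023 daemon.err hostapd: VLAN: vlan_add: ADD_VLAN_CMD failed for br-vlan: File exists
Sun Mar  5 20:42:12 2023 kern.info kernel: [ 1653.106987] br-vlan99: port 1(br-vlan.99) entered blocking state
Sun Mar  5 20:42:12 2023 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 11:22:33:44:55:66
Sun Mar  5 20:42:30 2023 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 11:22:33:44:55:66
Sun Mar  5 20:42:31 2023 daemon.err hostapd: VLAN: br_delif: Failure determining interface index for 'wlan1.99'
Sun Mar  5 20:45:02 2023 daemon.info hostapd: wlan0: STA aa:bb:cc:dd:ee:ff RADIUS: VLAN ID 1
Sun Mar  5 20:45:02 2023 daemon.notice hostapd: wlan0: AP-STA-CONNECTED aa:bb:cc:dd:ee:ff
EOF
}

# Reads log lines on stdin. Output, one line each:
#   STA <mac> iface=<wlanX> vlan=<id> connected=<yes|no>
#   ERROR <hostapd VLAN message>
#   errors=<count>
summarize_vlan_events() {
    awk '
    / hostapd: [^ ]+: STA [^ ]+ RADIUS: VLAN ID [0-9]+$/ {
        for (i = 1; i <= NF; i++)
            if ($i == "STA") { mac = $(i + 1); iface = $(i - 1); sub(/:$/, "", iface) }
        if (!(mac in vlan)) order[++n] = mac
        vlan[mac] = $NF; ifname[mac] = iface
    }
    / hostapd: [^ ]+: AP-STA-CONNECTED /    { connected[$NF] = 1 }
    / hostapd: [^ ]+: AP-STA-DISCONNECTED / { connected[$NF] = 0 }
    / hostapd: VLAN: / {
        msg = $0; sub(/^.* hostapd: /, "", msg)
        err[++errors] = msg
    }
    END {
        for (i = 1; i <= n; i++) {
            m = order[i]
            print "STA " m " iface=" ifname[m] " vlan=" vlan[m] " connected=" (connected[m] ? "yes" : "no")
        }
        for (i = 1; i <= errors; i++) print "ERROR " err[i]
        print "errors=" errors + 0
    }'
}

# Demo on the constructed sample. On the AP itself: logread | summarize_vlan_events
sample_log | summarize_vlan_events
```

On the sample the first station is reported with vlan=99 and connected=no next to two VLAN errors, while the second station (vlan=1) stays connected, which is the same split the poster saw between the VLAN 99 and VLAN 1 tests.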

It looks like you've attempted to apply DSA syntax here. That won't work.
Delete all of these.

This next section is mostly correct, except that the VLAN 99 exists only on the CPU and not on any ports.

I don't know which logical port will correspond to your uplink port, but let's just say it is logical port 3... the switch config and subsequent network structures would look like this:

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 3t'
        option vid '99'

config device
        option name 'br-vlan99'
        option type 'bridge'
        list ports 'eth0.99'

config interface 'vlan99'
        option device 'br-vlan99'
        option proto 'none'

Summarizing the above.. I added 3t to the switch config indicating that vlan99 will be tagged on logical port 3 (and it was already tagged on logical port 0 -- the CPU's eth0). I then created a bridge using port eth0.99 (i.e. VLAN 99 tagged on eth0). And finally I used the bridge as the device for the network interface (with proto none).

Also note that I have made the network name vlan99 in lowercase... this is convention... it is not required to be in all lowercase, but most of the time it is preferred. That said, it is critical that all instances where a network name is referenced must be consistent in terms of case (so where applicable, that is usually firewall, dhcp, and wireless).
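
Added example (mine, not from this thread or from OpenWrt) covering two questions raised above: how to tell from a saved `/etc/config/network` whether a device is swconfig or DSA, and what a swconfig `ports` string like `0t 4t` or `0 3 4` actually means per port. The script classifies the file by section type (`config switch` for swconfig, `config bridge-vlan` for DSA) and expands every `switch_vlan` into per-port tagged/untagged membership, defaulting the 802.1Q tag to the `vlan` index when `option vid` is omitted, as swconfig does. The config in `sample_network` is constructed in the shape of the thread's configs; the function names are this example's own.

```shell
#!/bin/sh
# Added example: classify an OpenWrt network config as swconfig or DSA and
# expand swconfig VLAN port strings. Runs offline on the embedded sample.

# Constructed sample in the shape of the thread's swconfig config (not a device dump).
sample_network() {
cat <<'EOF'
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 3 4'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 4t'
        option vid '99'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 4t 3'
EOF
}

# swconfig devices carry "config switch" sections; DSA devices express VLAN
# filtering as "config bridge-vlan" sections. Anything else: unknown.
detect_switch_type() {
    if grep -q '^config switch' "$1"; then
        echo swconfig
    elif grep -q '^config bridge-vlan' "$1"; then
        echo dsa
    else
        echo unknown
    fi
}

# One line per switch_vlan: "vid=<802.1Q tag> <port>:<tagged|untagged> ...".
# In swconfig a bare port number means untagged, a trailing "t" means tagged,
# and when "option vid" is omitted the tag defaults to the "vlan" index.
vlan_port_map() {
    awk -v q="'" '
    function flush(   n, i, a, out, p, mode) {
        if (vid == "") vid = vlan
        n = split(ports, a, " ")
        out = "vid=" vid
        for (i = 1; i <= n; i++) {
            p = a[i]
            if (p ~ /t$/) { mode = "tagged"; sub(/t$/, "", p) } else { mode = "untagged" }
            out = out " " p ":" mode
        }
        print out
    }
    /^config switch_vlan/ { if (in_vlan) flush(); in_vlan = 1; vid = ""; vlan = ""; ports = ""; next }
    /^config /            { if (in_vlan) flush(); in_vlan = 0; next }
    in_vlan && $1 == "option" && $2 == "vlan"  { gsub(q, "", $3); vlan = $3 }
    in_vlan && $1 == "option" && $2 == "vid"   { gsub(q, "", $3); vid = $3 }
    in_vlan && $1 == "option" && $2 == "ports" {
        line = $0
        sub(/^[ \t]*option[ \t]+ports[ \t]+/, "", line)
        gsub(q, "", line)
        ports = line
    }
    END { if (in_vlan) flush() }
    ' "$1"
}

# Demo on the constructed sample; on a router: vlan_port_map /etc/config/network
cfg=$(mktemp)
sample_network > "$cfg"
echo "switch type: $(detect_switch_type "$cfg")"
vlan_port_map "$cfg"
rm -f "$cfg"
```

The third sample section shows the case to watch for: `0t 4t 3` carries the VLAN tagged to the CPU and the uplink but untagged to port 3, so port 3 becomes an access port for that VLAN whether or not that was intended.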

OK, so I deleted all those interfaces and re-created via Luci

Here's /etc/config/network (notice eth0 is back again)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb0:6b8b:6528::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 3 4'
        option vid '1'

config device
        option name 'eth0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 4t'
        option vid '99'

config device
        option type 'bridge'
        option name 'br-vlan99'
        list ports 'eth0.99'

config interface 'vlan99'
        option proto 'none'
        option device 'br-vlan99'

UI shows this:

Interfaces config:

Switch config:

It's not quite lining up with what we're looking to see. I'll remove device eth0 nonetheless. Continuing to test.

this looks correct.

For the purposes of debug, I'd recommend the following:

  1. turn off the free-radius authentication and use simple, directly assigned VLANs (i.e. port or SSID based, not auth based).
  2. setup access ports on your managed switch for VLAN1 and VLAN99 (these are ports that have just the single network, untagged) -- then plug a computer into one and then the other... you should get IP addresses issued in the respective VLAN. If you don't... troubleshoot your switch and/or router.
  3. set a trunk port for the dumb AP -- VLAN 1 untagged, VLAN99 tagged. Configure your dumb AP such that you have an SSID on each VLAN and then connect to those SSIDs in turn... again, you should get IP addresses in the respective networks.
  4. If all goes well there, the remaining variable is the VLAN association based on the authentication process.

Will get this tested out. Thanks for the continued help!

EDIT: Update

#2: I configured port#6 as untagged vlan99, pvid also changed to 99 automatically. Plugged laptop into port, release & renew, boom, IP on vlan99 from router.

#3: Tore down all Wi-Fi config, recreated and set network vlan99, connected, boom, IP on vlan99 from router.

I noticed that with the patch removed, the 802.1x request comes from the switch only (makes sense since OpenWrt was authenticating against my router with the patch and so was the switch) with the proper client information (in the physical port sense.) I did not disable MAC auth as the switch will perform the lookup for the client instead of OpenWrt. I'm going to stand-up VLAN1 on the 2.4G and VLAN99 on 5G and conduct the test again, I'll also leverage RADIUS to see if it'll hop me around between the two (edit: in retrospect, this doesn't make sense as each SSID will be unique for this test.)

I'm going to say the patch did more harm than good, so I learned something.

Now to get one SSID with dynamic vlan working via RADIUS which means I need to create multiple bridges/etc as I did for vlan99 and then tag it to the Wi-Fi and see if I hop around based on RADIUS (this is where DSA would be nice effort-wise I think.)

I feel really close now!

EDIT: Before I go around messing with stuff, I noticed this on the switch (see below) it matches the port# that OpenWrt was showing in RADIUS logs when it was making the query (vlan ID):

I won't make too much of this as my laptop does indeed have an IP address in vlan99 (typing this from there) and continuing on.

I got it working. In order to properly document what I did, I noted the steps but will provide the configs in case I missed something.

EDIT: Updated port access control settings. Fallback VLAN appears to be working just fine.

Devices:

  • OPNsense 23.1.1_2-amd64
  • OpenWrt 22.03.3 r20028-43d71ad93e / LuCI openwrt-22.03 branch git-22.361.69894-438c598
  • Aruba Instant On 1930 8G 2SFP firmware 2.7.0

Configuration

  • OPNSense
    -- Follow documented process for creating VLANs
    -- Create X # of VLANs as required. My test-case has VLAN1 (default) and VLAN99
    -- Create gateway IP (static) for VLAN. I used 192.168.x.1/24 where x=1 or 99
    -- Enable and create DHCP scope for VLANs. I used gateway IP for gateway and DNS.
    -- Make sure to attach VLAN to correct parent device (igb1 for me)
    -- Connect igb1 port to port 1 on switch
    -- Install package FreeRADIUS:
    -- Under General: Enable VLAN assignment
    -- Under General: Enable VLAN fallback (VLAN1 for me)
    -- Under Users: create username/password with MAC format specified by switch, assign VLAN id
    -- Under Clients: create entry for switch with secret and IP of switch
    -- Under EAP: ensure MD5 is being used (prime256v1 for me)

  • OpenWrt
    -- Connected eth0 (middle port on device also "cpu") to port 5 on switch
    -- Created swconfig-based vlan99
    -- On switch tag vlan1 and vlan99 on eth0 and lan2 (physical port)
    -- Create single SSID and attach network lan and vlan99

  • Switch
    -- Port 1 is untagged vlan1, tagged vlan99, pvid 1
    -- Port 5 is untagged vlan1, tagged vlan99, pvid 1
    -- 802.1x authentication and accounting enabled
    -- 802.1x RADIUS server configured pointing to OPNSense
    -- Port Access Control enabled
    -- MAC auth: EAP-MD5, Username Group Size 12, Delimiter selected but unused, Username casing lowercase, Password use username
    -- Port 5 control mode: MAC, VLAN assignment enabled, MAC authentication enabled, Re-auth every 3600 seconds. Run in monitor mode to test, disable monitor mode to deploy.

Profit. I need to create more VLANs to test with but when I assigned my test client to VLAN id 1 via RADIUS, it grabs a 192.168.1.x address. If I change it to VLAN id 99 the client ends up with a 192.168.99.x address. This is definitely progress!

Thank you so much @psherman for helping me get here.

My configs:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb0:6b8b:6528::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 3 4'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 4t'
        option vid '99'

config device
        option type 'bridge'
        option name 'br-vlan99'
        list ports 'eth0.99'

config interface 'vlan99'
        option proto 'none'
        option device 'br-vlan99'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'CA'
        option cell_density '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option key '<redacted>'
        option encryption 'psk2+ccmp'
        option network 'vlan99 lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'CA'
        option cell_density '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2+ccmp'
        option key '<redacted>'
        option network 'vlan99 lan'

Well, I don't know what happened, but it just stopped working when I added more VLANs to the configuration, and nothing I did could make it work. I even started over and rebuilt it; nope, won't work. Conducted an untagged VLAN port test, works fine, get an IP in whatever VLAN I configure for the port.

Now I'm working with a SNAPSHOT which supports DSA and running into the same issue. Instead of installing hostapd I installed wpad-mbedtls (as wpad-basic-mbedtls was installed by default; using logread I can definitely see the right VLAN id being passed to OpenWrt as a variable) but still no go.

Found various posts here and in the wild on dynamic vlan setup for OpenWrt but can't get any variation of them to work.

I don't get it - it was all working, now I can't get it to work.

OK, so still using snapshot so I can play with DSA for this device. Remove wpad-basic-mbedtls and install hostapd. Disable dnsmasq, firewall + rules/accept-all+fwd and v6/dhcpd (from the dumb AP wiki). Delete /etc/resolv.conf, manually configure DNS and add the gateway to /etc/config/network.

Process is as follows:

  • Network > Interfaces > Devices > edit br-lan > vlan bridge filtering > enable > add vlan1 untagged on lan1, no pvid and vlan99 tagged on lan1, lan2 is not a member of either (only lan1 and lan2) - don't save & apply
  • Network > Interfaces > Devices > add device > add vlan1 and vlan99 802.1q ending up with br-lan.1 and br-lan.99
  • Network > Interfaces > create new interface unmanaged vlan99 and tag br-lan.99
  • Network > Interfaces > edit br-lan and change to br-lan.1
  • Save & apply

Switch showing HELD when trying to connect from a mobile device. I ended up once again factory resetting, vetting the untagged port VLAN with a laptop, but I can't get wifi to even connect to vlan99, even when it's the only one selected. Enabling DHCP snooping for all VLANs seemed to fix the lack of DHCP, but it always falls back to the default vlan1 (RADIUS shows auth-ok and sends the expected dynamic VLAN response; checked radius-users and it looks good).

I'm smart enough to know a second set of eyes always helps, so posting configs. Note that while I did replace wpad with hostapd, I don't have any dynamic VLAN config specified. The nerd in me needs to know why this worked and then didn't :slight_smile:

Configuration

root@OpenWrt:/etc/config# for i in network firewall wireless; do echo ---- && echo config file=/etc/config/$i && echo ---- && cat $i; done
----
config file=/etc/config/network
----

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd73:f82e:8467::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:t'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option name 'br-lan.1'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '99'
        option name 'br-lan.99'

config interface 'vlan99'
        option proto 'none'
        option device 'br-lan.99'

----
config file=/etc/config/firewall
----

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

----
config file=/etc/config/wireless
----

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'CA'
        option cell_density '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan vlan99'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key 'EDCBA7568'
        option wmm '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

Not all of these things are necessary, but generally they are fine. It is critical to ensure that the DHCP server itself is disabled (this is different than disabling dnsmasq). When an upgrade happens, dnsmasq will likely become enabled again, so you want to make sure that the DHCP server doesn't activate when that happens. You can leave the firewall in its default state, too.

IMO, the wiki makes more work out of the process than is specifically necessary. The only requirements for a basic dumb AP are as follows:

  • Change the lan address such that it is:
    • on the same subnet as your main router
    • does not conflict with any addresses already in use
    • using an address that is outside the DHCP pool
    • optionally, set the gateway and DNS (only necessary if the dumb AP itself needs internet access)
    • OR -- change the lan to get an address via DHCP
  • Turn off the DHCP server on the lan interface (set the interface to ignore)
  • Setup wifi
    • Set the country code
    • Set your SSID name
    • Set the encryption type
    • Set the password
    • Enable wifi
  • Connect the dumb AP via its LAN port to the upstream LAN.

This is not necessary. I'd actually omit this part entirely.
I'd recommend explicitly defining lan1 as untagged on VLAN 1, like this:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'

Remove these:

You have 2 networks assigned to the same SSID. This will cause a problem. Select either lan or vlan99 -- not both.

I think the reason is above (invalid network setting for that SSID).
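Both points in the reply above (the SSID attached to two networks, and VLAN 1 on lan1 defined without a PVID) can be caught mechanically from the pasted config. The following is an added example for this thread, not code from either poster or from OpenWrt: a small UCI parser plus linter that you run on a workstation against the text of /etc/config/network and /etc/config/wireless. The sample config inside it is a constructed, trimmed copy of the stanzas posted above (PSK redacted). The PVID check relies on Linux bridge VLAN filtering behaviour: untagged frames entering a port are placed in that port's PVID VLAN, so an untagged member without `*` never receives untagged ingress; `lan1:u*` is the form the reply recommends.

```python
"""Lint an OpenWrt UCI config dump for the two problems flagged in this thread.

Added example for this thread, not code from the original posts or from OpenWrt.
Run it on a workstation against the text of /etc/config/network and
/etc/config/wireless pasted from the router; python3 is not needed on the AP.
"""
import shlex

# Constructed sample: a trimmed copy of the network/wireless stanzas posted above,
# with the PSK redacted. It deliberately contains both mistakes the linter looks for.
SAMPLE = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:t'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan vlan99'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key '<redacted>'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
"""


def parse_uci(text):
    """Parse UCI text into a list of sections: {type, name, options, lists}.

    Also tolerates the '----' / 'config file=...' header lines produced by the
    for-loop dump used in the post, so the whole paste can be fed in at once.
    """
    sections = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("----"):
            continue
        parts = shlex.split(line)          # shlex handles the single-quoted values
        if parts[0] == "config":
            if len(parts) > 1 and parts[1].startswith("file="):
                cur = None                 # dump header, not a real section
                continue
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is None:
            continue
        elif parts[0] == "option":
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            cur["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def parse_port(spec):
    """Decode a bridge-vlan port spec such as 'lan1:u*'.

    Returns (name, flags). ':t' = tagged, ':u' = untagged, '*' = PVID;
    a bare 'lan1' is untagged with no PVID, which is what the post's config has.
    """
    name, _, flags = spec.partition(":")
    tagged = "t" in flags
    return name, {"tagged": tagged,
                  "untagged": "u" in flags or not tagged,
                  "pvid": "*" in flags}


def lint(sections):
    """Return a list of human-readable findings for the two thread-specific checks."""
    findings = []
    for s in sections:
        if s["type"] == "wifi-iface":
            nets = s["options"].get("network", "").split()
            if len(nets) > 1:
                findings.append(
                    f"wifi-iface {s['name']}: attached to {len(nets)} networks {nets}; "
                    "attach the SSID to exactly one of them")
        elif s["type"] == "bridge-vlan":
            vid = s["options"].get("vlan")
            for spec in s["lists"].get("ports", []):
                name, f = parse_port(spec)
                if f["untagged"] and not f["pvid"]:
                    findings.append(
                        f"bridge-vlan {vid}: {name} is untagged but not PVID, so untagged "
                        f"frames entering {name} are not placed in VLAN {vid}; use '{name}:u*'")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_uci(SAMPLE)):
        print(finding)
```

Against the sample it reports exactly the two items from the reply: `default_radio0` listing both `lan` and `vlan99`, and VLAN 1 on `lan1` without a PVID. Paste your own dump in place of `SAMPLE` (the `config file=` headers from the for-loop are skipped) and expect an empty result once the SSID has a single network and the VLAN 1 membership reads `lan1:u*`.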