I currently have 3 interfaces: LAN, WAN, and DEVICES.
DEVICES is a VLAN assigned to LAN. Both have DHCP enabled, and their subnets are:
LAN 10.0.0.0 DHCP range 10.0.0.50 - 10.0.0.254
DEVICES 10.0.1.0 DHCP range 10.0.1.50 - 10.0.1.254
I can't ping systems on DEVICES from LAN even after adding rules on DEVICES to allow any protocol from LAN net to DEVICES net, and I actually can't even ping systems on DEVICES from OPNsense itself.
I'm not sure what I'm missing here. Help would be appreciated, thanks for taking the time to read this.
EDIT: I should also have mentioned I do have internet on systems on DEVICES, for example pinging google from a system on DEVICES succeeds.
Quote
I currently have 3 interfaces: LAN, WAN, and DEVICES.
DEVICES is a VLAN assigned to LAN. Both have DHCP enabled, and their subnets are:
Don't mix LAN (raw) and DEVICES (VLAN) on a single interface. Use the current LAN physical interface as the VLAN parent (trunk), and configure two VLANs (LAN and DEVICES).
Be aware that changing your LAN interface might disconnect you from the CLI/GUI, so be sure you prepare your change carefully. Configure your downstream switch with both VLAN IDs (tagged).
Or start clean: during the setup of OPNsense you were asked to create VLAN interfaces, do that at this point (create the LAN & DEVICES VLANs) and finish setup as usual.
Quote
I can't ping systems on DEVICES from LAN even after adding rules on DEVICES to allow any protocol from LAN net to DEVICES net, and I actually can't even ping systems on devices from OPNsense itself.
If you want a packet going out of a network segment (LAN) to another network segment (DEVICES), you should configure your rule at the LAN interface. From a firewall point of view a packet is coming IN to the LAN firewall interface from the LAN network; the rest is covered by stateful filtering ;-).
Ok, welp I failed that pretty badly. Just managed to lock myself out of my GUI and TUI for a long time and spent way too long trying to enter the long password.
I'm trying the approach you suggested but still having trouble. I've configured two VLANs, CORE and DEVICES, both on bce1, and enabled DHCP on both of them. I also went into my switch and tagged port 3 with VLAN 2. But still, when I plug a device like my server into port 3, it isn't being assigned an IP on the DEVICES VLAN associated with port 3.
Hi!
Can you show how you configured your DHCP?
Also, did you configure the port where you plug your device in as an access port for VLAN 2?
It should not be a firewall rule issue, as OPNsense automatically adds an "allow" DHCP rule when you activate DHCP on an interface.
You can check if your firewall sees your device's DHCP request by doing a packet capture here: "Interfaces / Diagnostics / Packet capture".
I suggest you select all interfaces to be sure that you are not missing any traffic.
It's also possible to look at DHCP logs here : "Services / DHCP / Log File".
You can see my DHCP configuration in attachment.
Cheers
Quote from: isaacthekind on December 05, 2023, 02:16:29 AM
Ok, welp I failed that pretty badly. Just managed to lock myself out of my GUI and TUI for a long time and spent way too long trying to enter the long password.
Step by Step, don't try to do everything at once....
First build your topology, check, check, double check; next are things like DHCP, DNS, etc. So configure your VLANs at OPNsense, configure your switch uplink port (trunk, all VLANs) and the other ports as "access" with the desired VLAN, and assign IP configuration to the OPNsense interfaces and the hosts connected to the switch.
WAN --- [OPNSENSE] --- BCE1 (VLAN TRUNK)
                          |
                          |  VLAN 2 (CORE) / VLAN 3 (DEVICES) / VLAN X (X)
                          |
                       [SWITCH]
         Uplink ---> |--- Port 1 (VLAN 2+3+X TRUNK)
                     |
                     |--- Port 2 (VLAN 2 ACCESS)
                     |
                     |--- Port 3 (VLAN 3 ACCESS)
                     |
                     |--- Port 4 (VLAN X ACCESS)
If you accomplished this step open up your firewall with an allow any any (you're still building your network, fine tuning is done when the fundamentals are right).
Create a firewall rule at both/all VLAN interfaces, like:
Action: Pass
Interface: VLAN?
Direction: In
TCP/IP Version: IP4+IP6
Protocol: any
Source: any
Destination: any
Now connect hosts to your switch access ports one in VLAN 2 and one in VLAN 3, you don't care about DHCP yet, so configure a static IP in the subnet of your choice as configured at OPNsense. Try to ping or whatever between these hosts, if that doesn't work you did something wrong, time to troubleshoot.
If this all works you can enable DHCP. There isn't much to configure, DHCP is made dead simple in OPNsense: just assign a pool to the corresponding VLAN interfaces and you're done. Again, step by step....
Oh, and don't use VLAN1 (the default VLAN) in a VLAN design; leave it as is and use something between 2 and 4095. VLAN 1 will work and has nothing to do with your "challenge", but at this stage it's a perfect time to ditch VLAN1 from your topology.
Also stay away from "native VLAN IDs" on trunk ports (unless you absolutely know what you're doing), so just use tagged VLANs on trunk ports and a single VLAN on an access port.
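The "check, check, double check" step above is easy to script before anything is typed into OPNsense or the switch. The following is an added example (not from this thread and not OPNsense code) that validates a VLAN addressing plan against the rules netnut describes: no VLAN 1, unique VLAN IDs, one non-overlapping subnet per VLAN, a gateway address that actually lies inside that subnet, and a DHCP pool that lies inside the subnet without swallowing the gateway. The sample plan (CORE and DEVICES on 10.0.2.0/24 and 10.0.3.0/24) is constructed from the addresses used in the thread; the upper VLAN bound is 4094 because 802.1Q reserves 4095.

```python
"""Consistency checks for a VLAN / DHCP plan (added example, not an OPNsense tool)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class VlanPlan:
    name: str
    vlan_id: int
    subnet: str                               # e.g. "10.0.2.0/24"
    gateway: str                              # OPNsense address on this VLAN interface
    dhcp_pool: Optional[Tuple[str, str]] = None  # (first, last); None = no DHCP yet


def check_plan(vlans: List[VlanPlan]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    seen_ids = set()
    nets: List[Tuple[str, IPv4Network]] = []
    for v in vlans:
        # VLAN ID rules: never the default VLAN 1, stay in the usable 802.1Q range, no reuse.
        if v.vlan_id == 1:
            problems.append(f"{v.name}: VLAN 1 is the default VLAN; pick an ID between 2 and 4094")
        elif not 2 <= v.vlan_id <= 4094:
            problems.append(f"{v.name}: VLAN ID {v.vlan_id} is outside 2..4094")
        if v.vlan_id in seen_ids:
            problems.append(f"{v.name}: VLAN ID {v.vlan_id} is already used by another VLAN")
        seen_ids.add(v.vlan_id)

        # Addressing rules: valid subnet, gateway inside it, no overlap with other VLANs.
        try:
            net = ip_network(v.subnet, strict=True)
            gw = ip_address(v.gateway)
        except ValueError as exc:
            problems.append(f"{v.name}: bad subnet or gateway: {exc}")
            continue
        if gw not in net:
            problems.append(f"{v.name}: gateway {gw} is not inside {net}")
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{v.name}: subnet {net} overlaps {other_name} ({other})")
        nets.append((v.name, net))

        # DHCP rules: the pool must sit inside the subnet and must not include the gateway.
        if v.dhcp_pool:
            first, last = ip_address(v.dhcp_pool[0]), ip_address(v.dhcp_pool[1])
            if first not in net or last not in net:
                problems.append(f"{v.name}: DHCP pool {first}-{last} is not inside {net}")
            elif first > last:
                problems.append(f"{v.name}: DHCP pool start {first} is after end {last}")
            elif first <= gw <= last:
                problems.append(f"{v.name}: DHCP pool {first}-{last} contains the gateway {gw}")
    return problems


# Constructed sample plan using the VLAN IDs and subnets from the thread.
GOOD_PLAN = [
    VlanPlan("CORE", 2, "10.0.2.0/24", "10.0.2.1", ("10.0.2.50", "10.0.2.254")),
    VlanPlan("DEVICES", 3, "10.0.3.0/24", "10.0.3.1", ("10.0.3.50", "10.0.3.254")),
]

# Constructed broken plan: VLAN 1 in use, a gateway from the wrong subnet, an overlap,
# and a pool that includes the gateway.
BAD_PLAN = [
    VlanPlan("CORE", 1, "10.0.2.0/24", "10.0.0.1", ("10.0.2.50", "10.0.2.254")),
    VlanPlan("DEVICES", 3, "10.0.2.0/23", "10.0.2.1", ("10.0.2.1", "10.0.3.254")),
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
```

Run it before changing anything and fix every line it prints; the "gateway is not inside" case is exactly the complaint OPNsense raises when a DHCP gateway is set from a different subnet than the interface address.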
I got a new device to run the firewall on (Protectli Vault FW4B), so it took me a while to configure everything and get back to where I was. Some of the names are slightly different; however, I've found myself stuck on the exact same issue.
gcorre, yes I can show my VLAN DHCP configuration, a screenshot is linked.
netnut, thanks for providing so much detail. I did my best to follow these steps to a tee, but I'm still having the same problem. I'll include a detailed diagram of my current topology. You'll notice there is one blank bubble in the photo; this is the one I have to plug into to actually get any internet for my desktop. I'll also include a photo from the switch GUI, but just FYI, to obtain that photo I have to plug my desktop into port 4. So if you're wondering why port 4 rather than 2 is active in the screenshot, that is why; more importantly though, the screenshot shows the access VLAN tags. I've also configured firewall rules as suggested on CORE and DEVICES. When I connect, I get nothing: I can't ping any device and ip neigh shows no devices, even after a reboot of all systems and the OPNsense router. I can however ping 10.0.2.1 and 10.0.3.1 from OPNsense, or from the desktop if plugged into port 4.
Also in the case that you want to diagram anything again, feel free to modify my diagram rather than having to make one from scratch. I'll include the Excalidraw file, you can open it on https://excalidraw.com/ .
Can you show us a screenshot of the configuration of your VLAN CORE for example in :
- Interfaces / vlan core (or whatever you named it)
- Interfaces / Assignment / vlan core
- Interfaces / Other Types / vlan core / edit (the small pencil)
First, your DHCP config is perfect, nothing to change there... I guess you still have VLAN issues, which is understandable (you'll learn along the way), I suggested the following:
Quote
i got a new device to run the firewall on (Protectli Vault FW4B)
Nice, excellent device to learn and play with. Because you have a LAN and two OPT ports I suggest you take a slightly different approach than I suggested first. You can get this working with a single LAN interface (as you tried), but the following is a more fail-safe setup and gives you every opportunity to play with VLANs without locking yourself out.
Configure your device as usual with a regular WAN and LAN interface; this LAN interface will be your "management" network. Now do all your VLAN magic at OPT1 or OPT2 (if you're really on fire you can later configure a redundant LACP LAG port to your Cisco, but don't get too excited yet, first things first...)
So do what you already did (assuming igb0 is WAN, igb1 is LAN, igb2 is OPT1 and igb3 is OPT2), but instead of using the LAN interface (igb1) use your OPT1 or OPT2 to connect your Cisco.
DON'T CONFIGURE OPT1 or OPT2 with IP address information, just assign the VLAN interfaces to it. You can now always use your LAN port to connect to OPNsense and go berserk on the config of OPT1/OPT2; if you make a mistake you always have your LAN interface to troubleshoot.
So only configure your CORE and DEVICES VLAN (with OPT1 or OPT2 as parent) and CONFIGURE those two VLAN interfaces with a gateway address at your OPNsense box, I guess you want 10.0.2.254/24 for CORE and 10.0.3.254/24 for DEVICES.
If you're finished and still have problems, dump the config of your Cisco switch (please edit out any secrets, passwords etc., no need to share these)
gcorre, yes, they are linked.
netnut, could you clarify what you mean here:
"So only configure your CORE and DEVICES VLAN (with OPT1 or OPT2 as parent) and CONFIGURE those two VLAN interfaces with a gateway address at your OPNsense box, I guess you want 10.0.2.254/24 for CORE and 10.0.3.254/24 for DEVICES."
I've set up TRUNK on OPT1, and made CORE and DEVICES VLANs which have TRUNK as the parent, and I've got LAN set up with no child VLANs as a management network that I can fall back to but which I do not plug in when trying to get the VLANs working. Where is the gateway setting though? If you mean the setting Services > DHCPv4 > CORE > Gateway that becomes visible in DHCPv4 for CORE after assigning a static IP to CORE, I get a problem when I do that where it says that CORE 10.0.2.1 is not on the same subnet as the gateway 10.0.0.1. So I'm not really sure how to achieve this step. Could you clarify what IPs you think LAN, TRUNK, CORE, and DEVICES should have, which should have DHCP enabled, and what you mean when you say to assign the devices on these VLANs IPs without using DHCP? It seems to me that I have to enable DHCP to use the static mapping feature at the bottom of Services > DHCPv4 > INTERFACE NAME. I fully understand the topology you describe on the physical layer, everything is plugged in where it should be, but I'm getting lost on the network layer, as in which IPs go where.
Sorry for all the questions, I feel a bit silly getting so stuck with this.
EDIT: Please note that the screenshots were taken for gcorre with the network in the state it was in when they asked the question, they do not reflect any changes made for netnut.
EDIT 2: I don't understand what it would mean to have a "gateway address at my OPNsense box" if not that the gateway address is the address of LAN or TRUNK. But I'm not supposed to assign an IP to TRUNK or use LAN.
Ok, I managed to get it to work. The issue was actually not OPNsense at all, but instead the switch. I guess Cisco has these things called smartport types, and I had to assign the appropriate type to the port which connects to the router. Once I assigned that port the "cisco router" type, everything worked. I had assumed that they were just labels, and didn't have any function beyond that.
I'll now take a look at the redundant LACP LAG port stuff that netnut mentioned.
Thank you both for all the help, really appreciated.
Quote
"So only configure your CORE and DEVICES VLAN (with OPT1 or OPT2 as parent) and CONFIGURE those two VLAN interfaces with a gateway address at your OPNsense box, I guess you want 10.0.2.254/24 for CORE and 10.0.3.254/24 for DEVICES."
Hmmm, might have rephrased that one ;-). What I meant to say is that your OPNsense VLAN interfaces are gateways for the specific VLAN they're connected to, but...
Quote
Ok, I managed to get it to work.
You did it 8)
Quote
I'll now take a look at the redundant LACP LAG port stuff that netnut mentioned.
Remember that you can have a LACP LAGG with a single port, so use your free OPT2 for that. If you manage to get it to work, you can migrate your existing VLANs to this trunk and add the other interface (your now-free OPT1) to it to make it redundant.
I have one more question. It's still roughly on this topic, but maybe I should open a new thread. If that's the case just let me know.
So I have my VLANs all up and working, and I can get the rules on them to work the way I want. For example, being able to SSH into or ping other VLANs from CORE (at least when I turn on the rule to do so), but not the other way around. However I'm getting one weird behavior that is hard to understand. I'll include my current topology. Currently my goal is to get OpenWRT to broadcast 2 wireless VLANs: HOME and GUEST. I've plugged my wireless access point directly into igb2 to remove any complications that may arise as a result of going through the switch, though in time the goal is to plug it into the switch and free up igb2 for the LACP LAGG. I can ping the access point from OPNsense, but not from CORE, even with an allow-all rule on CORE and on WIRELESS. I'm really not sure how to debug this. I looked in the live logs and when I ping from the desktop I can see it passing (picture included).
Quote from: isaacthekind on December 09, 2023, 10:56:37 PM
I can ping the access point from OPNsense, but not from CORE.
With your access point connected to igb_2 on OPNsense, the IP address of that interface is the gateway for your access point. Did you configure this IP address as the gateway in your Access Point? Depending on type/version/AP of OpenWRT it's something like this:
config interface '?'
...
option gateway '1.2.3.4' # <--- OPNsense interface IP of igb_2
...
Remember that the default logic of a starting config with OpenWRT is to have a LAN/WAN with NAT enabled. But it depends on the AP type, number of ports, switch yes/no, etc. So it's possible that if you use this default config you're trying to ping the OpenWRT WAN interface, which has a firewall enabled. To double check that your topology is right, connect another device to igb_2 and configure it just like your AP and see if ping works. If it does, your topology is right but you need to give OpenWRT some attention.
You'd probably like to read the "Dumb Access Point" guide at OpenWRT; this should be the OpenWRT way of doing the things you want. When you connect the AP to your switch, you're able (you don't need to if you don't want) to bridge your existing VLANs behind one or more SSIDs.
It might help if you also add the network addresses in your diagram below the names, this helps to understand what you did build. Something like "CORE : 10.1.0.0/24", "DEVICES : 10.2.0.0/24", etc
I've read the dumb access point guide before, and successfully implemented it which involves disabling DHCP, firewall, etc. But this was without trying to broadcast 2 separate networks and without having VLANs on OPNsense. Maybe I should just plug the access point into the switch since my whole reason for using igb2 was to avoid trouble and that seems not to have happened. I've included the updated topology image you suggested. I'm a bit worried about an X/Y problem here though, so maybe I can just tell you what it is I want to do and if you feel so inclined you can tell me how to approach it (hopefully I'm not being too demanding):
My goal is to have 2 networks broadcast from OpenWRT: HOME and GUEST. I want to configure HOME and GUEST through OPNsense and simply have OpenWRT be a dummy AP; I don't want to be managing separate VLANs on OpenWRT that are not visible in OPNsense. I'm unclear what subnet the cable I pass from the router to OpenWRT should be on, and what IP it should have. TRUNK maybe? A new interface with 2 VLANs on it and no IP, kind of like a second TRUNK? I used a dashed line to indicate the part of the topology I don't know how to configure.
Quote from: isaacthekind on December 10, 2023, 03:01:13 AM
...
I used a dashed line to indicate the part of the topology I don't know how to configure.
First advice: take your time, this is probably going to take you through a few WTF? moments or even drive you to complete insanity ;D. But don't give up!
What you want to configure are a couple of SSIDs which are one-to-one mapped to a VLAN. Normally OpenWRT will take care of the routing, but in your situation OpenWRT is just for the wireless part. So you need to bridge those VLANs (i.e. SSIDs) to your switch. The good news is that OpenWRT will revert back to its latest working configuration, so you can fail hard without any impact (just a lot of waiting time).
This would also be a perfect example where you want a trunk port WITH a native VLAN assigned, because your OpenWRT AP is only VLAN aware when it's completely finished booting. So if you want to connect to the bootloader or want to do a rescue procedure you don't want a tagged VLAN for the OpenWRT management (it can be done, but with a lot of complexity). Also when you disconnect the AP from your switch and directly connect it to your laptop/pc, a tagged VLAN will only add complexity, so:
Introduce a new VLAN just for management of Access Points; no wireless traffic will use this VLAN, it's just for you to connect to and manage the access point. Configure the port where your access point is connected as type Trunk and configure the AP management VLAN as the native VLAN for this port. All VLANs used by your wireless SSIDs are going to be tagged on the same port. Your challenge is now to configure the default OpenWRT LAN port as an UNTAGGED port with an IP address in the AP management VLAN; the other VLANs (the tagged ones) can be unnumbered. When they are bridged to the switch and you configured these VLANs in OPNsense with a gateway address, all management/DHCP/routing is done by OPNsense (hence the "dumb" for OpenWRT in this scenario).
The "problem" with OpenWRT is that there are many different devices supported, some with one or two ports, some with a built-in switch. Also the switch configuration varies between the different models: some use the old-style config, some the new style (with native Linux VLAN bridge filtering).
Again, don't give up too early, it's complex at first, but when you're done it all makes sense.
If you get stuck, it might help to share the type of AP you're using (and OpenWRT version).
I don't intend to give up. As long as there is some way to make progress I intend to keep trying.
It's a TP-Link Archer C7 v5, with OpenWRT 23.05.0, and the switch is a Cisco Catalyst 3750X Layer 3 Gigabit Switch - 24 port Gigabit.
I've set the port type to "Access Point" on the switch, which is a trunk port type, set the native VLAN for that port to 7 on the switch, created a corresponding VLAN called OPENWRT_MANAGEMENT in OPNsense and tagged it 7 with IP address 10.0.7.1. I've also set the IP for the OpenWRT LAN interface to 10.0.7.2 and turned on VLAN filtering with an untagged primary VLAN of 7. I get nothing when I ping OpenWRT from OPNsense or the desktop. I'll include some photos of what I've done, maybe you can spot the error. Clearly I'm messing something up, but I'm not sure what.
EDIT: I noticed a small error that the VLAN number in photo 1 is 1 instead of 7. I've fixed this, but still same behaviour.
Quote from: isaacthekind on December 11, 2023, 12:29:54 AM
Clearly I'm messing something up, but I'm not sure what.
It looks pretty OK at first sight. I don't know what's behind the "Access Point" switch port profile, but you did configure the native VLAN, and I guess you added the VLAN IDs for the wireless networks as tagged?
Did you also add the AP management VLAN ID (7) and both VLAN IDs for the wireless networks at the switch uplink port (tagged) towards OPNsense?
Your screenshots show the OpenWRT VLAN Bridge filtering options; are you sure your TP-Link doesn't use a traditional switch device? It should show up via the "Network -> Switch" menu.
Did you disable the Firewall on the bridge interface ? (Unspecified)
Set the primary IP address to your desired config 10.0.7.2/24, add 192.168.1.1/24 as secondary. So the other way around...
Add your gateway 10.0.7.1 (OPNsense), although your ping from OPNsense should work without it...
Could you factory reset the OpenWRT device and paste the default OpenWRT network config? (It should be reachable via the factory 192.168.1.1/24 IP.)
root@OpenWrt:~# cat /etc/config/network
I have not added VLAN IDs for the various wireless networks in OpenWRT. Currently I'm trying to just get the WIRELESS_MANAGEMENT (7) working, I also added one for HOME (6).
"Did you also add the AP management VLAN ID (7) and both VLAN IDs for the wireless networks at the switch uplink port (tagged) towards OPNsense?"
This I don't understand. I'm sorry.
No, I didn't disable firewall. I tried that and it caused me to lose connectivity.
I reversed the primary and secondary IPs for OpenWRT and set the gateway to 10.0.7.1, I still can't ping OpenWRT from desktop or OPNsense though.
Yes, I factory reset the device then and got the network config for you.
Photos of what I've done, and the network config are attached.
Quote from: isaacthekind on December 11, 2023, 03:48:02 AM
...
"Did you also added the AP management VLAN ID (7) and both VLAN ID's for the wireless networks at the switch uplink port (tagged) towards OPNsense ?"
This I don't understand. I'm sorry.
The uplink port FROM your switch TO OPNsense, that's (one of) your trunks; you usually set one or more VLAN IDs as allowed over this trunk. Now there's also a simple allow-all policy, in which case you don't have to worry when you add the VLAN ;D. But either way, you need to set the specific VLAN IDs or an allow-all policy on this trunk port. You have it working for your other VLANs, so there might be an allow-all already in place.
Are you connecting your OpenWRT device directly from LAN1 to your switch port?
And I see a traditional switch, so don't configure Bridge VLAN Filtering (network / br-lan device / configure); delete the entry and don't check the enable box.
I didn't configure a specific "allow all" rule on port 1 which connects OPNsense to the switch. But I used a smartport type called "Router" which I suspect may do this. My VLANs (not counting WIRELESS_MANAGEMENT) are working as expected (photo included) so they must be flowing correctly through this trunk.
Yes, I connect OpenWRT directly from LAN1 to port 6 on the switch, which has smartport type "Access Point".
Ok, before going further and the scope of your issue gets way too wide, step back.
Your first goal is to have communication between OPNsense and your Wireless Access Point (management) interface. Until this is solved don't do anything else. You're using an OpenWRT device that by default is using a traditional switch device, so stay away from the Bridge VLAN Filtering menu as you showed in your screenshots, because you're mixing up different VLAN configurations at OpenWRT.
The whole idea of my proposed setup is that things are as simple and transparent as they could be. So first factory reset your OpenWRT device and start over (this would also be the time to paste the default config so I have a reference for how your specific device is configured by default, because it depends heavily on the OpenWRT device branch you are using).
After the factory reset of OpenWRT you DON'T play with VLANs YET on your Access Point. You configured a native VLAN on the switch port where OpenWRT is connected, so things should work out of the box, specifically a ping from/to OpenWRT - OPNsense. If it doesn't, your VLAN config is wrong; again, NO VLANs on OpenWRT yet (well, OpenWRT probably is using VLAN1 & 2 internally already, but that's for later).
The only thing you do after the factory reset is change the default IP address of the OpenWRT LAN interface to 10.0.7.2/24 and, if you like, 192.168.1.1/24 as secondary. If you use a laptop/pc at LAN port 2 (port 1 is connected to your switch) you should have a permanent connection to OpenWRT on 192.168.1.1 (configured as secondary IP in the previous step) while doing the change.
If, after just changing the default OpenWRT IP to 10.0.7.2/24, you can't ping OPNsense at 10.0.7.1/24, your VLAN config of the Cisco switch is wrong.
If you can, it really helps if you paste the output of the CLI configuration of the port instead of the screenshots. By using Cisco port profiles (like Router / Access Point) you get all kinds of default stuff on the port (QoS, BPDU filtering etc.) which makes things more error-prone in this phase of your config, but first try what's suggested above, so we can validate the switch VLAN config first.
I actually did paste the default OpenWRT config earlier, just FYI (don't want you to think I didn't listen the first time) but I'll attach it again to this one. This is /etc/config/network directly after factory reset. If there are any other config files you want me to post, just let me know.
If I factory reset the OpenWRT device then change its primary IP to 10.0.7.2 and plug it into the "access point" port, I can ping it from OPNsense, but not from desktop, even with an allow CORE to any rule (desktop is on CORE) at the top of my rule list.
It might take me a bit to figure out the switch CLI, but I'll start working on that now.
See attachment for OpenWRT config file.
Quote from: isaacthekind on December 11, 2023, 04:19:59 PM
If I factory reset the OpenWRT device then change its primary IP to 10.0.7.2 and plug it into the "access point" port, I can ping it from OPNsense, but not from desktop, even with an allow CORE to any rule (desktop is on CORE) at the top of my rule list.
Ok, that's very good news :D, which means your VLAN config works, but you have a routing issue. Did you configure the default gateway in OpenWRT? In the menu where you configured 10.0.7.2/24 (and probably 192.168.1.1/24 as secondary) there's a field "IPv4 gateway"; it should have your OPNsense IP configured, so "10.0.7.1" <--- just that, no subnet mask or anything.
Sorry, didn't see your network output earlier, found it, scanning it ;-)
Don't bother with the switch CLI, you proved that VLAN switching works, so for now I trust your Cisco config...
You fixed the first goal: "Your first goal is to have communication between OPNsense and your Wireless Access Point (management) interface."
What's left is your routing issue (which probably is fixed by adding the default gw as I mentioned in the previous post). You should be able to ping the OpenWRT management interface from all your LAN segments. Remember the allow Any-Any rule you should place on ALL interfaces in the OPNsense firewall config. When you're finished with your base topology, you can fine tune these firewall policies.
Also don't forget to remove (or set unspecified) the OpenWRT firewall on the br-lan interface for now
OMG, the ping is actually working from desktop after adding the default gateway. Very happy to finally see this haha. I was going a bit insane yesterday. Strange that the default gateway doesn't default to correspond to the default IP, but maybe that's standard.
I suppose this is beside the point now, since, as you said, we know the VLANs are working, but getting into the switch CLI is quite the pain. This SSH config works to get me to the login prompt, except the user is wrong:
host switch
ciphers aes256-cbc
hostname 10.0.0.2
hostKeyAlgorithms ssh-rsa
kexAlgorithms +diffie-hellman-group1-sha1
user cisco
I think that's an old outdated algorithm. But the switch doesn't have a default user name in the GUI, and I can't find it in the docs, and neither "cisco" or "root" work. Lol, Not fun!
Ok, back to relevant things..
If I set the firewall zone to unspecified, I lose connection. So I'm not really sure what to do about that.
I have some sense of what's next, probably setting the VLANs up in the "Switch" menu of OpenWRT and fixing this firewall zone thing, but maybe I'll let you spell it out so I don't go down the wrong path here. Thanks very much for getting me to the point of actually being able to ping the device.
Quote from: isaacthekind on December 11, 2023, 05:23:40 PM
OMG, the ping is actually working from desktop after adding the default gateway. Very happy to finally see this haha. I was going a bit insane yesterday.
Is this the right time to say: "I told you so... :D"
Quote
I suppose this is beside the point now,
Ok, back to relevant things..
Let's do so, we're looking at your wired & wireless network, we really don't care about your SSH Daemon config at this stage ;-). But you're right, your current config is old & insecure.
Quote
If I set the firewall zone to unspecified, I lose connection. So I'm not really sure what to do about that.
I have some sense of what's next, probably setting the VLANs up in the "Switch" menu of OpenWRT and fixing this firewall zone thing, but maybe I'll let you spell it out so I don't go down the wrong path here. Thanks very much for getting me to the point of actually being able to ping the device.
It's the next challenge indeed, but I don't understand why you're losing connectivity right now; it should have nothing to do with your current config, so let me think for a while 8)
I understand you're enthusiastic at this moment, but we need to fix/understand the firewall issue first. Don't configure any VLAN or Wireless on OpenWRT yet, because we're going to use a little OpenWRT bridge trick to make your config super flexible for future use and some next learning steps (but again, first things first ;-))
Yes you can definitely say "I told you so.". Hahaha.
Yeah, no worries just showing SSH cause it was kind of funny, sorry for distraction.
Sure, take your time.
Ok, I'm trying to understand what happens when you describe "I lose connection". So in your last confirmed working setup, with OpenWRT at 10.0.7.2/24, I'd like to know:
From where are you managing the OpenWRT AP ?
A laptop connected to Port 2 of the AP, or somewhere from your (VLAN) network ?
Do you use the 10.0.7.2 IP address for management ?
I think this would be easiest to answer with an updated topology diagram. It has all the port numbers and IPs now labelled.
I'm accessing it from the GUI @ 10.0.7.2 on desktop.
The diagram is now too large to share here so I've put it on my Nextcloud for you: https://nextcloud.askyourself.ca/s/k5syMJfCJeJRa5r
The next step is the first to prepare OpenWRT for wireless bridging of your SSID's. While I'm still unsure why your OpenWRT firewall is doing what it does, I guess we fix that with this step anyway.
You now need to do some CLI stuff on OpenWRT, nothing scary, just follow the steps below
1. SSH into your OpenWRT device from your desktop
ssh 10.0.7.2 -l root
2. Backup your current network config
cp /etc/config/network /etc/config/network.org
We're now going to rename two sections (3+4) (from your default network config): section 1 is "loopback" (leave as is), section 2 is "globals" (leave as is), section 3 is device (CHANGE), section 4 is interface "lan" (CHANGE).
3. Edit /etc/config/network and edit the third section like this:
vi /etc/config/network
Current:
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'
New:
config device
    option name 'br-vlan1'
    option type 'bridge'
    list ports 'eth0.1'
4. Edit /etc/config/network and edit the fourth section like this:
vi /etc/config/network
Current:
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
New:
config interface 'vlan1'
    option device 'br-vlan1'
    option proto 'static'
    option ipaddr '10.0.7.2/24'
    option gateway '10.0.7.1'
    list dns '10.0.7.1'
As you can see we're just renaming some interfaces and devices, preparing for your bridged wireless setup. We're not talking details right now, but this is the naming scheme the OpenWRT hostapd daemon likes and it gives you some nice features which we'll discuss later once your wireless is working ;-). Just FYI, it's based on this article (which is old) but again, we discuss later :D https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x
Apply the above changes; if you don't know how to use vi (it's no shame) you might want to try nano as text editor, which should be more intuitive. After you applied the EXACT changes (CHECK, CHECK, DOUBLE CHECK) in /etc/config/network, start a ping on your desktop to 10.0.7.2 and REBOOT the OpenWRT AP and wait until it's back. If everything works we're just two steps from working wireless :D
If you're using windows add the -t to your ping command
ping 10.0.7.2 -t
PS, If questions are start to pop up about VLAN1 statements, keep them for now ;-). This VLAN1 configuration of your access point has nothing to do with the: "Don't use VLAN1" design priciples we discussed earlier. That applies to your Cisco switch, but again, I explain later.....
And just one thing: if you change the network configuration for a device which is connected to one of your Cisco switch ports, give it 30-60 seconds to converge. Without the port-fast option on a Cisco switch port, the switch will do some loop/BPDU checks etc. before it's actually active; this might correlate to your "Loss of Connection" experience after changing network properties.
You're certainly right that I have questions about the VLAN1 lines in /etc/config/network. I suspect they'll become clear in time, and I'm reading the article you linked. It's important to me that I understand what I'm doing rather than relying on magic, but I trust your process. :p
No worries about using vi. I'm a 4th year software engineering student, I'm fine with programming, just a novice with networking. My daily driver is Helix.
I've backed up /etc/config/network, made the changes you wanted and rebooted the device. I can't ping it from desktop or OPNsense. I've factory reset and done your steps 3 times now, so I'm sure I'm not making a typo or something, and I waited a few minutes after each reboot. I linked the current /etc/config/network.
Hmmm, I did grab an old TP-Link WDR4300 (which is a slightly older model than yours, but same OpenWRT branch and exact same switch config) and flashed latest OpenWRT to check my own instructions ;-). So I'm a bit surprised you're facing issues, but let's go back to the last working situation where you could ping the OpenWRT management interface 10.0.7.2/24 from the Desktop VLAN.
You say that config was working with the following setting active ?!?!:
OpenWRT -> Network -> Interfaces -> lan -> Edit -> Tab: Firewall Settings -> LAN ?
And if you changed that to "unspecified" you're losing connection ?
Quote
It's important to me that i understand what I'm doing rather than relying on magic,
That's an excellent (and appreciated) mindset :D
Quote
You say that config was working with the following setting active ?!?!:
OpenWRT -> Network -> Interfaces -> lan -> Edit -> Tab: Firewall Settings -> LAN ?
And if you changed that to "unspecified" you're losing connection ?
Yes, that's exactly right.
I've asked you to change the firewall from the LAN zone to "Unspecified", that's where your problems started. Can you try editing the /etc/config/network file again (because we NEED that naming scheme) before we move on. Now keep the interface in the LAN firewall zone, because that worked for the initial IP change to 10.0.7.2/24; we're only changing the device naming scheme so that should really work.
In the meantime I'm looking at the default OpenWRT firewall4 rules, which are now nftables-based (the old firewall used iptables). I normally leave out the OpenWRT firewall packages (using the OpenWRT image builder) because I hate the interface and only bridge my wireless, so no need...
Please confirm if you can connect to 10.0.7.2/24 with the new device names and br-vlan1 (renamed from br-lan) in the LAN firewall zone.
Sadly no, I can't connect under those conditions. If I do the suggested edit to /etc/config/network, I lose connection. Can't ping from desktop or OPNsense. So it looks like both the edit and the change of firewall zone will independently cause connection loss. I've confirmed both from factory reset individually.
Yes, I also hope to disable firewall and DHCP to use dumb AP mode later when everything is working.
Sorry, I guess I made a typo while removing the secondary IP from the list:
config interface 'vlan1'
option device 'br-vlan1'
option proto 'static'
option ipaddr '10.0.7.2/24' <--- wrong
option gateway '10.0.7.1'
list dns '10.0.7.1'
Should be:
config interface 'vlan1'
option device 'br-vlan1'
option proto 'static'
option ipaddr '10.0.7.2' <--- right
option netmask '255.255.255.0' <--- right
option gateway '10.0.7.1'
list dns '10.0.7.1'
it's hard to configure an infra from far away :P
Please try again with this RIGHT config and still keep it in firewall zone LAN
Aha, I see, subnet needs its own field rather than CIDR notation.
I factory reset, then applied these settings (did not touch anything else like firewall), and rebooted, still disconnected. Current config attached.
Quote
it's hard to configure an infra from far away :P
I'm happy to go on a call and screenshare (Signal, Discord, etc). Whatever you prefer, I'm fine with text or voice.
Quote from: isaacthekind on December 12, 2023, 12:24:00 AM
I factory reset, then applied these settings (did not touch anything else like firewall), and rebooted, still disconnected. Current config attached.
The strange thing here is that we only change the device & interface naming; the underlying interface (eth0.1) stays the same. I did the change back and forth here without any issue, the only difference is that I'm using a Juniper switch instead of a Cisco, which handles native VLANs differently depending on the switchport config. I don't have an answer for you yet, it might have something to do with those port profiles (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swvlan.html#92272).
Because you need results (ie WiFi) ;-), you might start to configure your bridges and wireless manually and forget about renaming the management interface for now. The logic is mapping a Wireless SSID to a VLAN (bridge), so you first need to create one or more VLANs for the different Wireless networks. Now you can bridge to an already existing VLAN like your Desktop VLAN, or you can create a new VLAN, for instance the Guest network. If you bridge to an existing VLAN your wireless device becomes literally part of that specific network, whereas for the Guest network you probably like to isolate it completely.
Whatever you configure, remember that the VLANs you configure at OpenWRT do need to exist on OPNsense. You want a "Dumb" Access Point, so OPNsense is the one who provides routing (default gateway), DNS & DHCP and firewalling.
You can use your existing VLAN7 configuration as a template, so for a new VLAN9 you create a VLAN9 interface on OPNsense, give it an address (10.0.9.1/24), configure a DHCP pool and apply a firewall policy.
For OpenWRT:
OpenWRT -> Network -> Switch
You first create the needed VLAN at its software switch: define a VLAN ID, an optional description, and set TAGGED on both CPU (eth0) and LAN 1. So both ports should display TAGGED, all other ports OFF. I've added VLAN9 for a new wireless network.
Save & Apply
OpenWRT -> Network -> Interfaces -> TAB: Devices
Add a new device, type: Bridge, Name: br-vlan9, Bridge Ports: eth0.9, check Bring Up Empty Bridge. Leave everything else (other tabs) default for now.
Save & Apply !
OpenWRT -> Network -> Interfaces
Add a new interface, Name: vlan9, Protocol: Unmanaged, Device: br-vlan9. In the advanced settings tab, check "Force link", uncheck "Use default gateway", uncheck "Delegate IPv6 prefixes". Firewall settings tab: unspecified. DHCP Server: No DHCP Server configured for this interface. This, of course, is done by OPNsense.
Save & Apply
You now can add Wireless SSIDs and point the interface (vlan9 in this example) to the VLAN interfaces you created. You can even map multiple SSID's to a single VLAN (Don't know why you should do that, but you could ;-)).
Ok, so I set this all up just like you suggested, and included photos.
I can connect vlan6 (GUEST, tag: 6, see earlier topology diagram) to a wireless interface and see the network when I look at available networks on a WIFI-capable device like my phone. However I can't connect to it. My phone gets stuck obtaining IP. If I connect lan to wireless interface instead of vlan6, I can connect to it with my phone, and the phone is given an IP on WIRELESS_MANAGEMENT via DHCP.
Well, that sucks ;D
Let's recap to understand what is happening and where the troubleshooting needs to be done:
You can connect to your WiFi SSID, so far so good. The idea is that you connect each SSID to a specific VLAN (enabled bridge), so packets flowing from the SSID will eventually land in the right VLAN further up your infrastructure (Cisco Switch, OPNsense). Now you didn't succeed with VLAN6 but you did with VLAN7 (which is also the native VLAN of your AP management / switchport). The reason is the same as why you failed to enable the initial VLAN bridge interface (br-vlan1): there's a (still unknown) issue with the VLAN configuration of the switchport your AP is connected to.
VLAN6 (tagged) won't go through, so your DHCP packets will get stuck somewhere between your Wireless Interface and the bridge; they never reach the switch and from there the OPNsense DHCP service. When you choose VLAN7, packets can go through because this is also your _working_ management interface.
Let's talk about VLAN1 ;-). As you've noticed, your default OpenWRT management interface is using device eth0.1; this is (one of) the VLAN interface naming schemes of Linux (which OpenWRT is built on). So the default configuration of this OpenWRT device is by default using VLAN1 (and VLAN2 for your WAN port).
But as you can see in your switch configuration, all the LAN ports are assigned UNTAGGED to VLAN1. In your situation, where LAN 1 is connected to the switchport, the switchport will receive UNTAGGED packets. Because you configured a NATIVE VLAN on your switchport, these untagged packets get tagged with VLAN7; that's the whole purpose of a NATIVE VLAN: "Assign the specified VLAN to UNTAGGED traffic by default". That's why your management interface works even if it's using VLAN1 (eth0.1).
So this has nothing to do with the recommendation "Never use VLAN1 in your switch config; Because we don't use VLAN1 at your switch".
The reason why you want your OpenWRT configured this way is when you remove your Access Point from this switchport to a "normal" device, you can directly connect to it with a regular interface. If we would send tagged packets by default from the OpenWRT management interface, you have to create a VLAN aware (tagged) device on your PC/Laptop. Now this is not rocket science, but you do need to know the VLAN ID used upfront.
As you can see in the screenshot in one of my latest posts, I quickly configured your situation on OpenWRT; as you can see "my" management interface is renamed (br-vlan1), which somehow fails at your site. Remember the "OpenWRT 802.1x" link I posted: this bridge naming is expected by hostapd (the wireless controller daemon of OpenWRT) for VLAN-aware bridging and optional 802.1x interface creation.
To understand what's happening we really need to see the CLI config of the (port) configuration. If you don't have (FULL) access to the switch, that's something you need to fix first:
https://community.cisco.com/t5/switching/cisco-3750-password-recovery/td-p/2064077
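The native-VLAN behaviour described above (untagged frames from the AP land in VLAN 7, tagged frames keep their own VID) modelled in code. This is an added example, not from the thread or from OpenWRT/Cisco; the frame bytes and MAC addresses are constructed, the Cisco side is a simplified model of a trunk port with native VLAN 7 and all VLANs allowed, and the OpenWRT side uses the swconfig-style 'ports' strings (0 = CPU, 1 = LAN 1, 't' = tagged) the thread refers to.

```python
"""Model 802.1Q ingress classification on a trunk port with a native VLAN,
fed by an OpenWRT software-switch VLAN table.

Added example (not from the forum thread). Frame bytes are constructed here;
the Cisco behaviour is a simplified model, not a full IOS emulation.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (not real devices)
AP_MAC = bytes.fromhex("021a2b3c4d5e")
BCAST = b"\xff" * 6


def build_frame(vid: Optional[int], payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Build a minimal Ethernet frame; insert an 802.1Q tag when vid is given."""
    hdr = BCAST + AP_MAC
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID out of range")
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP/DEI left at zero
        hdr += struct.pack("!HH", TPID_8021Q, vid)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vid(frame: bytes) -> Optional[int]:
    """Return the VID of a tagged frame, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


@dataclass
class TrunkPort:
    """The subset of trunk-port state shown in the thread's switchport output."""
    native_vlan: int
    allowed: Optional[Set[int]] = None  # None models "Trunking VLANs Enabled: ALL"

    def classify(self, frame: bytes) -> Optional[int]:
        """VLAN the switch assigns to an ingress frame, or None if it is dropped."""
        vid = parse_vid(frame)
        if vid is None:
            # Native VLAN: untagged traffic is assigned this VLAN by default
            return self.native_vlan
        if self.allowed is not None and vid not in self.allowed:
            return None
        return vid


def openwrt_egress(switch_vlans: Dict[int, str], vid: int, port: int = 1) -> bytes:
    """Frame OpenWRT emits on physical `port` for traffic belonging to VLAN `vid`.

    switch_vlans maps VLAN id -> swconfig 'ports' string, e.g. {1: '0t 1', 6: '0t 1t'}.
    '1' means port 1 is an untagged member, '1t' a tagged member.
    """
    members = switch_vlans[vid].split()
    if str(port) in members:
        return build_frame(None)  # leaves the AP untagged
    if f"{port}t" in members:
        return build_frame(vid)   # leaves the AP with an 802.1Q tag
    raise ValueError(f"port {port} is not a member of VLAN {vid}")


def check_openwrt_table(switch_vlans: Dict[int, str], port: int = 1) -> List[str]:
    """Flag more than one untagged VLAN on a port, and VLANs not tagged on CPU."""
    problems = []
    untagged = sorted(v for v, p in switch_vlans.items() if str(port) in p.split())
    if len(untagged) > 1:
        problems.append(f"port {port} untagged in VLANs {untagged}; only one allowed")
    for v, p in switch_vlans.items():
        if "0t" not in p.split():
            problems.append(f"VLAN {v} is not tagged on CPU port 0")
    return problems


if __name__ == "__main__":
    gi6 = TrunkPort(native_vlan=7)                 # mirrors Gi1/0/6 in the thread
    table = {1: "0t 1", 6: "0t 1t"}               # VLAN1 untagged, VLAN6 tagged on LAN 1
    for vid in table:
        frame = openwrt_egress(table, vid)
        print(f"OpenWRT VLAN {vid}: tag={parse_vid(frame)} -> switch VLAN {gi6.classify(frame)}")
```

Running it shows VLAN 1 traffic leaving untagged and being classified into VLAN 7 by the native-VLAN rule, while VLAN 6 traffic keeps its tag; check_openwrt_table() catches the one-untagged-VLAN-per-port mistake before it reaches the switch.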
Ok, I appreciate the explanation. I suspect this could turn into a lot of troubleshooting with the Cisco support community due to the default username weirdness I mentioned earlier. I'm not sure if it will turn into a few days of back and forth, but rest assured that I will be back once I've found a way into the switch CLI, whether that's today or takes a few days.
Ok, I think I've got what you want.
It's really hard to get SSH to work on this switch, it's very old, just a device to learn on before I deem myself worthy of better hardware. Normally, on a new system I turn the SSH daemon on then add my public key, but in this case I had to do everything through Telnet, which was a pain because I've never used it before. I gave up for now on SSH and just looked up Telnet commands to get what I think is the info you want. I used this command:
show interfaces switchport
Note that there are really 24 ports, but I just showed the output for 1-7 since really only the first 6 are being used (see topology diagram) and 7 has the same config as all the other unused ports:
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 2 (VLAN0002)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Name: Gi1/0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 3 (VLAN0003)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Name: Gi1/0/4
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 4 (VLAN0004)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Name: Gi1/0/5
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 5 (VLAN0005)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Name: Gi1/0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 7 (VLAN0007)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Name: Gi1/0/7
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Also note that info on the corresponding smartport types is in the topology diagram. And note that I had nothing plugged in at the time of running this command except OPNsense LAN port feeding into switch port 1, and desktop plugged into one of the many non-configured ports (number 7 or higher). I can only access the switch this way, not when desktop is on CORE.
Quote from: isaacthekind on December 12, 2023, 10:20:39 PM
Ok, I think I've got what you want.
Almost ;-). I like to see (at least) the raw port config
show running-config
Quote
It's really hard to get SSH to work on this switch, it's very old, just a device to learn on before I deem myself worthy of better hardware.
Yeah, the OpenSSH project likes to phase out legacy (insecure) encryption fast, which is a good thing...
Does this option help to SSH into your switch ?
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 username@ciscoswitch
Are you running the latest IOS software? Look for someone with an active Cisco Support contract and ask if he can download it for you if the downloads are not public.
Troubleshoot Tip:
You've practiced OpenWRT factory reset / recovery enough I guess ;D, so here's a small tip that would really help debugging network connectivity with OpenWRT. Especially in your case, where you need to configure the primary OpenWRT interface which can (and will ;-)) cause permanent connectivity loss...
You create a temporary wireless SSID (with all the config you would normally do, WPA2/3 etc.) and connect that to a temporary (virtual) interface. Number this interface outside of your current IP plan and select the radio / ssid interface as device for this interface. The Wireless SSID gets configured with this interface in the "Network" setting, like this:
OpenWRT -> Network -> Wireless
- Create a SSID on your 2.4GHz or 5GHz radio, leave the "Network" setting unspecified (you create this interface in the next step)
- Enable Radio and wireless SSID configuration
- Save & Apply
OpenWRT -> Network -> Interfaces -> TAB: Interfaces
- Add new interface
- Name: WIFI_MANAGEMENT or WHATEVER
- Protocol: Static address
- Device: Select your wireless SSID from the dropdown, would translate to radio0.network1 or something. Depends on the radio used and sequence of SSID's on that radio.
- Configure this interface with ONLY IPv4 address and netmask, 192.168.2.1/24 might be a good choice. Won't conflict with default OpenWRT network 192.168.1.0/24
- So IPv4 address: 192.168.2.1 IPv4 netmask: 255.255.255.0
- Save & Apply
Go back to:
OpenWRT -> Network -> Wireless
- Edit the SSID and configure the interface you created in the previous step in "Network" (probably already selected)
- Save & Apply
Connect to the Wireless SSID from your laptop, which is connected via WIRED with your switch and normal LAN (with default gw, DNS etc) and WIRELESS with 192.168.2.0/24.
Configure a static IP on your Laptop wireless adapter, something like 192.168.2.2/24, no gateway, no dns, no nothing.
You now can use this Forum / Internet. Open a continuous ping towards 10.0.7.2 and reconfigure your AP with browser and/or SSH at 192.168.2.1 and F*CK UP your primary OpenWRT management interface as many times as you like 8), you're always connected via the Management WiFi.
Ok how about this?
switch#show running-config
Building configuration...
Current configuration : 5809 bytes
!
! Last configuration change at 13:01:15 UTC Wed Dec 13 2023
! NVRAM config last updated at 16:10:25 UTC Tue Dec 12 2023
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 REDACTED
!
!
!
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
switch 1 provision ws-c3750x-24
system mtu routing 1500
!
!
ip domain-name home
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input threshold 1 80 90
mls qos srr-queue input priority-queue 2 bandwidth 30
mls qos srr-queue input cos-map queue 1 threshold 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
mls qos srr-queue input cos-map queue 2 threshold 1 4
mls qos srr-queue input dscp-map queue 1 threshold 2 24
mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 4 5
mls qos srr-queue output cos-map queue 2 threshold 1 2
mls qos srr-queue output cos-map queue 2 threshold 2 3
mls qos srr-queue output cos-map queue 2 threshold 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 0
mls qos srr-queue output cos-map queue 4 threshold 3 1
mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
mls qos srr-queue output dscp-map queue 2 threshold 2 24
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
mls qos queue-set output 1 threshold 1 100 100 50 200
mls qos queue-set output 1 threshold 2 125 125 100 400
mls qos queue-set output 1 threshold 3 100 100 100 400
mls qos queue-set output 1 threshold 4 60 150 50 200
mls qos queue-set output 1 buffers 15 25 40 20
mls qos
!
!
spanning-tree mode pvst
spanning-tree extend system-id
auto qos srnd4
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust dscp
macro description cisco-router
auto qos trust
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/4
switchport access vlan 4
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/5
switchport access vlan 5
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 7
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust cos
macro description cisco-wireless
auto qos trust
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
ip address 10.0.0.2 255.255.255.0
!
ip default-gateway 10.0.0.1
ip classless
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
line con 0
line vty 0 4
password REDACTED
login
length 0
line vty 5 15
password REDACTED
login
length 0
!
end
As for the wireless backup, that's a good idea, much better than constantly factory resetting, lol, I should try to get my laptop to do that (no WIFI on desktop). Thanks.
Hmm, sorry I made an edit to my comment but I guess it didn't go through, did not mean to miss your other 2 questions:
I'm having trouble re-enabling SSH through Telnet since factory reset. The instructions in the manual are terrible. So I'm not sure I can answer whether that SSH command works. I'll keep trying to get it running again though.
No I'm not on IOS, I use NixOS.
QuoteOk how about this?
That's _the_ One ;-)
interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 7
switchport mode trunk
switchport nonegotiate
These are the important bits...
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
mls qos trust cos
macro description cisco-wireless
auto qos trust
We don't care about qos now, just ignore, won't be your issue
spanning-tree bpduguard enable
Your OpenWRT device won't send BPDUs, so your port should not get shut down by this guard, but there is one very important "thing" with this setting... It's one of the reasons it's always hard to judge if someone really had the patience (or actively checked it) to wait before the port is in UP mode when troubleshooting a device connecting to it. Because of this setting this port will go through several states (listen, learn, forward) which can take a _while_ (> 30s) depending on the network. So be really, really sure the port is up; you already know the port status command....
This is also the reason your "Access Ports" have a portfast option: BPDUs are rejected or filtered by default on this type of port, that's why these ports are up in a second or so after you plug in a cable or activate the port.
Quote
No I'm not on IOS, I use NixOS.
I'll forgive you for making me feel old :), but IOS is the name of the Cisco Operating System running on your switch. 8)
Assuming you are now connected over Wireless as I suggested, you might try this minor change in your OpenWRT config. This would be suboptimal though, as I explained earlier about disconnecting the device and connecting it to something else than your switch. However:
First add VLAN 7 to your OpenWRT Switch config, OpenWRT -> Network -> Switch. Every VLAN you add here NEEDS to be tagged on CPU and OFF on all ports except LAN1. LAN1 (or any switchport) can only have ONE untagged VLAN and many TAGGED VLAN's.
config device
option name 'br-vlan1'
option type 'bridge'
list ports 'eth0.7' <--- Change this one
Because you have complete freedom over the wired interface now, take your time and test the different scenarios with tagged/untagged OpenWRT switchports and interface (eth0.1 / eth0.7), starting with the minor one above. One of them should work :) and should explain how this port is handling VLANs from OpenWRT.
You might want to adjust the interface and bridge names too if you like, but the OpenWRT switch config and port config will be the most important.
Oh, I thought by IOS you meant the Apple OS for mobile devices. Haha.
I may just be confused here, but I really do not understand what you're asking me to do. You showed me this code:
config device
option name 'br-vlan1'
option type 'bridge'
list ports 'eth0.7' <--- Change this one
But I don't have any code that looks like that. Could you show me the whole config file maybe? That might clear it up. I find this very difficult, sorry.
Quote from: isaacthekind on December 17, 2023, 08:43:07 PM
config device
option name 'br-vlan1'
option type 'bridge'
list ports 'eth0.7' <--- Change this one
But I don't have any code that looks like that.
Well, that's strange because I posted this snippet a few posts earlier ;-) https://forum.opnsense.org/index.php?topic=37380.msg183886#msg183886 . You say you "lose connectivity" when applying this change, so I suggested (step by step) to change the underlying VLAN ID for this interface from 1 to 7.
Remember, your challenge is to connect the wired management interface to your network, that's a single device & interface section in the network config file, I can't be more specific than that.
Quote
Could you show me the whole config file maybe? That might clear it up. I find this very difficult, sorry.
Sure, but you still need to fix your wired management port. You now know the "trick" to connect to OpenWRT via a wireless management port, so if the full configuration below still doesn't give you access to the wired interface (again strange, because it should) you can and need to debug it from there.
The /etc/config/network & /etc/config/wireless below contains all the bits and pieces we've discussed and is 100% working. In other words, if something isn't: it is _your_ infra ! Your switch looks ok so check check and double check your OPNsense configuration if you can't connect (and get a ip address, dns and internet) to any of the wireless networks.
You get the following setup if you copy/paste the two config files (reboot):
- Wired Management - "br-vlan1" - 10.0.7.2/24 - no wireless networks
- Wireless Management - "wlan0-3" - 192.168.2.1/24 - SSID: WiFi_MGMT
- 1x WiFi SSID (Management): WiFi_MGMT - wireless management, 2.4 GHz radio
- 3x WiFi SSIDs: WiFi 1 / WiFi 2 / WiFi 3 - dual radio 2.4 GHz & 5 GHz + WPA3
- 3x WiFi VLAN mapping:
    WiFi 1 -> VLAN 4
    WiFi 2 -> VLAN 5
    WiFi 3 -> VLAN 6
Names and VLAN IDs are configurable, read the comments, especially for wireless.
/etc/config/network
#
# OpenWRT Network Config
#
# !!! Edit Management Interface (Wired) when having connectivity issues
# !!! vlan1 / br-vlan1 / eth0.1
#

###
# Loopback
###
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

###
# IPv6 ULA
###
config globals 'globals'
    option ula_prefix ''

###
# Management Interface (Wired)
###
config device
    option name 'br-vlan1'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'vlan1'
    option device 'br-vlan1'
    option proto 'static'
    option ipaddr '10.0.7.2'
    option netmask '255.255.255.0'
    option gateway '10.0.7.1'
    option ip6assign '0'

###
# Management Interface (Wireless)
###
config interface 'WiFi_MGMT'
    option device 'wlan0-3'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option defaultroute '0'
    option delegate '0'

###
# VLAN 4 = WiFi 1
###
config device
    option type 'bridge'
    option name 'br-vlan4'
    list ports 'eth0.4'
    option bridge_empty '1'
    option ipv6 '0'

config interface 'vlan4'
    option proto 'none'
    option force_link '1'
    option defaultroute '0'
    option delegate '0'
    option device 'br-vlan4'

###
# VLAN 5 = WiFi 2
###
config device
    option type 'bridge'
    option name 'br-vlan5'
    list ports 'eth0.5'
    option bridge_empty '1'
    option ipv6 '0'

config interface 'vlan5'
    option proto 'none'
    option device 'br-vlan5'
    option force_link '1'
    option defaultroute '0'
    option delegate '0'

###
# VLAN 6 = WiFi 3
###
config device
    option type 'bridge'
    option name 'br-vlan6'
    list ports 'eth0.6'
    option bridge_empty '1'

config interface 'vlan6'
    option proto 'none'
    option device 'br-vlan6'
    option force_link '1'
    option defaultroute '0'
    option delegate '0'

###
# Switch Configuration
###
#
# !!! option vlan = sequence
# !!! option vid = VLAN ID
#
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 2 3 4 5'
    option vid '1'
    option description 'Default VLAN'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '4'
    option ports '0t 2t'
    option description 'VLAN 4 - WiFi 1'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '5'
    option ports '0t 2t'
    option description 'VLAN 5 - WiFi 2'

config switch_vlan
    option device 'switch0'
    option vlan '4'
    option vid '6'
    option ports '0t 2t'
    option description 'VLAN 6 - WiFi 3'

config switch_vlan
    option device 'switch0'
    option vlan '5'
    option ports '0t 2t'
    option vid '7'
    option description 'VLAN 7 - Cisco Switch Native VLAN'
/etc/config/wireless
#
# OpenWRT Wireless Configuration
#
# !!! Don't use radio0 & radio1 from this file
# !!! Use your device specific radio config (with path, country code, etc)
# !!! Configure and add all custom wireless options (802k/v/r etc)
# !!! Only copy the SSID config
#

###
# Radio 0 - 2.4GHz
###
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'platform/ahb/18100000.wmac'
    option band '2g'
    option country 'US'
    option channel 'auto'
    option htmode 'HT20'
    option cell_density '0'

###
# Radio 1 - 5GHz
###
config wifi-device 'radio1'
    option type 'mac80211'
    option path 'pci0000:00/0000:00:00.0'
    option band '5g'
    option country 'US'
    option channel 'auto'
    option htmode 'HT20'
    option cell_density '0'

###
# SSID: WiFi 1 - 2.4GHz
###
config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 1'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan4'

###
# SSID: WiFi 2 - 2.4GHz
###
config wifi-iface 'wifinet1'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 2'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan5'

###
# SSID: WiFi 3 - 2.4GHz
###
config wifi-iface 'wifinet2'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 3'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan6'

###
# SSID: WiFi-Management - 2.4GHz
###
config wifi-iface 'wifinet3'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi-MGMT'
    option encryption 'sae'
    option key 'Very Secret'

###
# SSID: WiFi 1 - 5GHz
###
config wifi-iface 'wifinet4'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 1'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan4'

###
# SSID: WiFi 2 - 5GHz
###
config wifi-iface 'wifinet5'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 2'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan5'

###
# SSID: WiFi 3 - 5GHz
###
config wifi-iface 'wifinet6'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 3'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan6'
Your final solution would look like this, where you have a bridge per VLAN with a VLAN and (dual) wireless interface(s):
root@OpenWrt:~# brctl show
bridge name     bridge id                    STP enabled     interfaces
br-vlan5        7fff.ffffffffffffffffffffff  no              wlan0-1
                                                             eth0.5
                                                             wlan1-1
br-vlan1        7fff.ffffffffffffffffffffff  no              eth0.1
br-vlan6        7fff.ffffffffffffffffffffff  no              eth0.6
                                                             wlan1-2
                                                             wlan0-2
br-vlan4        7fff.ffffffffffffffffffffff  no              eth0.4
                                                             wlan0
                                                             wlan1
Besides these static mappings you now also have the possibility to create a single SSID with dynamic VLAN assignment through 802.1X with RADIUS (which can be installed on OPNsense...).
But you should fix your management interface first 8)
I'm willing to keep trying things here, I really would like to get this working, and I don't want to give up. But I'm starting to feel like I may be wasting your time, because no matter what I do, I just get the same behaviour. I can copy paste the exact files you've used, line for line, /etc/config/network and /etc/config/wireless, then reboot, and still I can't ping the device. I've checked and triple checked OPNsense and I really can't see the error. You said that config 100% works so if it fails for me there's something wrong with my infrastructure, but it's just totally beyond me what this could be. I've shown my topology, I've also checked over and over to make sure the topology is right. I even went and bought a patch panel just to make it almost impossible to plug anything into the wrong place, lol. The IPs are all exactly as described in my topology diagram. So I just really don't know what to do. If you want to keep suggesting things, I'm happy to keep trying but at this point I'm worrying about being a burden. I'm sure it's not fun to help someone when you put tons of time into writing solutions, and even go as far as to set up a dummy device at your house for testing, just to have them always say "sorry, same behaviour". Rest assured, I am carefully trying everything you post and reading your comments in detail and repeatedly, I'm just still failing for some reason. But I'm not half-assing it over here or anything.
That you can't ping the management interface was the issue we tried to solve, but you asked for a full configuration, you got a full configuration ;-).
The OpenWRT configuration contains three different important parts, try to understand these and please confirm if they do work:
- The wired management interface
* You still have an issue with that, your switch config looked ok at first sight. But there's something wrong which I can't see from my couch.
- The wireless management interface
* This one should work, because it doesn't depend on anything else except for your OpenWRT device. So can you connect to the Wireless SSID: WiFi MGMT and can you connect to the management interface 192.168.2.1 ? You need to statically configure an IP address on your wireless client when connecting to this SSID, 192.168.2.2/24 (/24 == 255.255.255.0) will work
- The 3 VLAN bridges for the 3 wireless SSID's
* The config provides 3 SSIDs for WiFi 1, WiFi 2 and WiFi 3 (mapped to VLAN 4, VLAN 5 and VLAN 6). Can you connect to these WiFi networks and do you get an IP address, DNS and Internet? Do they all work? Which ones do, which ones don't?
Yeah, to be clear, I'm not blaming you at all. I did ask for full configuration. I thought maybe I could spot something off about mine.
To answer your 3:
- Wired is working right now. I can connect at 10.0.7.2 from CORE.
- Wireless I'm having trouble. I want to make sure to get this working since it's the fallback. If I follow your steps I get some trouble. First I set up the SSID with unspecified network (picture 1), and enable it. Then I make an interface with a static address 192.168.2.1 and netmask 255.255.255.0 and select my SSID from the dropdown, which defaults to radio0.network1, as you said it would (picture 2, and picture 3). But if I have it enabled, then the device becomes phy0-ap0 instead of radio0.network1 (picture 4). If I then try to connect on my laptop with 'nmcli device wifi connect OpenWrt password mypass' it fails to connect and says "ERROR: connection activation failed: IP configuration could not be resolved (no available address, timeout, etc)". This happens even if I assign my laptop an IP of 192.168.2.3 with ifconfig before I try connecting.
- VLANs having trouble with all, but probably should focus on wireless management interface first.
EDIT: If I set the SSID to lan instead of unspecified, I can connect with the laptop.
Quote from: isaacthekind on December 20, 2023, 10:37:52 PM
Yeah, to be clear, I'm not blaming you at all.
You could, but I wouldn't care ;D, just trying to help...
Quote
To answer your 3:
- Wired is working right now. I can connect at 10.0.7.2 from CORE.
You wanted to create a so-called OpenWRT Dumb Access Point with multiple VLANs. As explained, your first task should be renaming the management interface to the br-vlanX naming scheme before going forward. You twice reported "loss of connectivity" and now you're connected again. ???
I shared a _complete_ config file to work from, but
Quote
...
First I set up SSID with unspecified network (picture 1), and enable it.
...
Here you are back at the default config and try to config networks already provided in my example, do you see this doesn't help to understand where you are? Are you using my config or are you playing around with something default/custom?!?! It's hard to understand what you're doing ;-)
Quote
- VLANs having trouble with all, but probably should focus on wireless management interface first.
That COULD be a bridging issue, BUT if you didn't successfully rename your wired management interface first (br-vlanX) this ain't going to work.
Quote
You wanted to create a so called OpenWRT Dumb Access Point with multiple VLAN's. As explained, your first task should be renaming the management interface to the br-vlanX naming scheme before going forward. You twice reported "loss of connectivity" and now you're connected again. ???
I factory reset, sorry I should have said this. If I do the br-vlanX I lose connectivity. Sorry, I will avoid making further changes without saying exactly what I'm doing.
Quote
I shared a _complete_ config file to work from, but
Yes, but when I switch to it I lose connectivity. So I factory reset, sorry, again I should have said something.
Quote
Here you are back at the default config and try to config networks already provided in my example, do you see this doesn't help to understand where you are. Are you using my config or are you playing around with something default/custom ?!?! It's hard to understand what your doing ;-)
Sorry, yes I see how it's unhelpful. I am back to square one, trying to do your previous suggestion with the wireless management interface so I can avoid further factory resets.
Quote
That COULD be a bridging issue, BUT if you didn't successfully renamed your wired management interface first (br-vlanX) this ain't going to work.
I did not successfully rename it.
If there are any other things I say that are confusing please point them out, I don't mean to make you repeat yourself, I'm just confused.
From now on, I will include the current config at the bottom of each comment so it's clear what I am doing.
/etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'REDACTED'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ip6assign '60'
    option gateway '10.0.7.1'
    list ipaddr '10.0.7.2/24'
    list ipaddr '192.168.1.1/24'

config device
    option name 'eth0.2'
    option macaddr 'REDACTED'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '2 3 4 5 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 0t'

config interface 'WIFI_MGMT'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option device 'phy0-ap0'
/etc/config/wireless
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'pci0000:00/0000:00:00.0'
    option channel '36'
    option band '5g'
    option htmode 'VHT80'
    option cell_density '0'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'sae'
    option key 'hello1234'

config wifi-device 'radio1'
    option type 'mac80211'
    option path 'platform/ahb/18100000.wmac'
    option channel '1'
    option band '2g'
    option htmode 'HT20'
    option disabled '1'

config wifi-iface 'default_radio1'
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'none'
With the current config I can see the OpenWrt network when I scan on my laptop, but I can't connect to it. If I change the WIFI_MGMT device to "lan" then I can connect wirelessly from the laptop.
So we're still at Step 1, "Rename and configure the Wired Management Interface, br-vlan1". Again, this is mandatory to make your bridged VLANs work in later steps. Now this is a typical chicken-and-egg problem: because you have an issue with it we need to find out what the problem is. The problem with a non-working management interface is: you can't manage it.
So that's why we need to go to step 2 first, configure the Wireless Management Interface, so we can debug the problems with your Wired Management Interface. Only when step 1 is successfully done, we can go to step 3 - Setting up Wireless SSID's.
You've explained you're familiar with text editors (like vi), so it really surprises me if I give you this config for the Wireless Management Interface:
###
# Management Interface (Wireless)
###
config interface 'WiFi_MGMT'
    option device 'wlan0-3'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option defaultroute '0'
    option delegate '0'
You report back that it isn't working with:
config interface 'WIFI_MGMT'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option device 'phy0-ap0'
Even if your device ends up as "phy0-ap0" instead of my "wlan0-3", this is not what I posted and the reason why it doesn't work. I'm really trying to help you, but if I need to (double) check if you really configured what I suggested you'll never succeed.
The devil is in the details, OpenWRT supports over 1000 different devices. The network config definitions changed significantly after v21.x, some devices have a built-in switch (like yours), some don't. Some devices with a built-in switch changed to DSA (Linux Bridge VLAN filtering), some don't, like yours.
Even a single point, colon, hash or whatever can completely f*ck up your config, so please, at least be _really_ sure you copy/paste the configs right and be clear about what you're doing.
I've commented the config files extensively, part by part, section by section. Looking at your wireless config (and my comment in the example files), I don't see a country code in the radio's....
So to be absolutely clear, THIS should be your wireless management interface config (only changing the device entry to match your OpenWRT device):
###
# Management Interface (Wireless)
###
config interface 'WiFi_MGMT'
    option device 'phy0-ap0'             <---- Your wireless radio / SSID sequence
    option type 'bridge'                 <---- Should be a BRIDGE
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option defaultroute '0'
    option delegate '0'
Remember it's now referring to phy0 (which I assume is your 2.4GHz radio, where phy1 is 5GHz) and ap0 is the first SSID in the list. So if you change the sequence of the SSIDs somehow (by adding and/or removing them) the apX part will change too. Same goes for changing the management from 2.4 GHz (phy0) to 5GHz (phy1).
So don't change this AGAIN, UNTIL you have fixed wired management access (Step 1), otherwise you lock yourself out.
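Because every misstep in this thread cost a reboot and a lockout, here is an added example (mine, not code from OpenWRT or from either poster) that lints the two UCI files offline before you copy them onto the device. It parses /etc/config/network and /etc/config/wireless and flags the three mistakes discussed above: an SSID whose `option network` points at an interface that does not exist, a bridge-per-VLAN whose eth0.N port has no switch_vlan with that vid tagged on the CPU port (0t), and a wireless management interface that either lacks `option type 'bridge'` or names a phyX-apY that belongs to another SSID. The "radioN is phyN, SSIDs become apY in file order" rule is the assumption made in the thread, not a guarantee; the sample configs embedded at the bottom are constructed for the example, with the asker's single-bridge state as the failing case.

```python
"""Lint an OpenWRT dumb-AP config (swconfig, non-DSA) before rebooting into it.
Added example for this thread, not OpenWRT code; the configs below are constructed."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+(?:'([^']*)'|(\S+))$")
PHY_RE = re.compile(r"^phy\d+-ap\d+$")
ETH_VLAN_RE = re.compile(r"^eth\d+\.(\d+)$")


def parse_uci(text):
    """Parse UCI text into sections: {type, name, options{}, lists{key: [...]}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_RE.match(line):
            cur = {"type": m[1], "name": m[2], "options": {}, "lists": defaultdict(list)}
            sections.append(cur)
        elif (m := ENTRY_RE.match(line)) and cur is not None:
            value = m[3] if m[3] is not None else m[4]
            if m[1] == "list":
                cur["lists"][m[2]].append(value)
            else:
                cur["options"][m[2]] = value
        else:
            raise ValueError(f"unparsable UCI line: {raw!r}")
    return sections


def ap_netdevs(wireless):
    """(ssid, netdev, network) per enabled AP SSID. Assumption taken from the thread:
    radioN is phyN and SSIDs become apY in file order per radio. phy numbering is
    really kernel enumeration order, so confirm on the box with 'iw dev'."""
    counter, out = defaultdict(int), []
    for s in wireless:
        o = s["options"]
        if s["type"] != "wifi-iface" or o.get("mode", "ap") != "ap" or o.get("disabled") == "1":
            continue
        phy = "phy" + o["device"].removeprefix("radio")
        out.append((o.get("ssid", s["name"]), f"{phy}-ap{counter[phy]}", o.get("network")))
        counter[phy] += 1
    return out


def check_dumb_ap(network_text, wireless_text):
    """Return human-readable problems; [] means SSIDs, bridges and switch VLANs agree."""
    net = parse_uci(network_text)
    ifaces = {s["name"]: s["options"] for s in net if s["type"] == "interface"}
    bridges = {s["options"].get("name"): s for s in net if s["type"] == "device"}
    # VLAN IDs that reach the CPU port tagged (port 0 = CPU on this kind of switch)
    tagged = {s["options"].get("vid", s["options"].get("vlan")) for s in net
              if s["type"] == "switch_vlan" and "0t" in s["options"].get("ports", "").split()}
    aps = ap_netdevs(parse_uci(wireless_text))
    owner = {netdev: (ssid, network) for ssid, netdev, network in aps}
    issues = []
    for ssid, netdev, network in aps:
        if network is None:  # management SSID: an interface must bridge this netdev
            users = [n for n, o in ifaces.items() if o.get("device") == netdev]
            if not users:
                issues.append(f"SSID {ssid!r} ({netdev}) has no network and no interface uses it")
            issues += [f"interface {n!r} uses {netdev} directly; add option type 'bridge'"
                       for n in users if ifaces[n].get("type") != "bridge"]
        elif network not in ifaces:
            issues.append(f"SSID {ssid!r} ({netdev}) references undefined network {network!r}")
        elif (dev := bridges.get(ifaces[network].get("device", ""))) is None or dev["options"].get("type") != "bridge":
            issues.append(f"network {network!r} is not backed by a bridge device")
        else:
            for port in dev["lists"].get("ports", []):
                if (m := ETH_VLAN_RE.match(port)) and m[1] not in tagged:
                    issues.append(f"bridge {dev['options']['name']!r} port {port}: "
                                  f"no switch_vlan vid {m[1]} tagged on CPU port 0t")
    for name, o in ifaces.items():  # interfaces grabbing a phy netdev they should not
        d = o.get("device", "")
        if PHY_RE.match(d) and d not in owner:
            issues.append(f"interface {name!r} points at {d}, which no enabled SSID creates")
        elif PHY_RE.match(d) and owner[d][1] is not None:
            issues.append(f"interface {name!r} claims {d}, but it belongs to SSID "
                          f"{owner[d][0]!r} (network {owner[d][1]!r})")
    return issues


def vlan_bridge(vid, ports="0t 2t", iface=" option proto 'none'\n"):
    """Constructed bridge-per-VLAN stanza in the shape used in the thread (CPU port 0 tagged)."""
    return (f"config device\n option name 'br-vlan{vid}'\n option type 'bridge'\n list ports 'eth0.{vid}'\n"
            f"config interface 'vlan{vid}'\n option device 'br-vlan{vid}'\n{iface}"
            f"config switch_vlan\n option device 'switch0'\n option vlan '{vid}'\n option vid '{vid}'\n option ports '{ports}'\n")


WIRED_MGMT = " option proto 'static'\n option ipaddr '10.0.7.2'\n option netmask '255.255.255.0'\n option gateway '10.0.7.1'\n"
# Working layout: wired mgmt on VLAN 1, wireless mgmt bridged to the 4th SSID of radio0, one bridge per WiFi VLAN.
GOOD_NETWORK = ("config switch\n option name 'switch0'\n option enable_vlan '1'\n"
                "config interface 'WiFi_MGMT'\n option device 'phy0-ap3'\n option type 'bridge'\n"
                " option proto 'static'\n option ipaddr '192.168.2.1'\n option netmask '255.255.255.0'\n"
                + vlan_bridge(1, "0t 2 3 4 5", WIRED_MGMT) + vlan_bridge(4) + vlan_bridge(5) + vlan_bridge(6))
GOOD_WIRELESS = "config wifi-device 'radio0'\n option band '2g'\nconfig wifi-device 'radio1'\n option band '5g'\n" + "".join(
    f"config wifi-iface\n option device '{r}'\n option mode 'ap'\n option ssid '{n}'\n option encryption 'sae'\n"
    f" option key 'Very Secret'\n" + (f" option network 'vlan{v}'\n" if v else "")
    for r in ("radio0", "radio1") for n, v in (("WiFi 1", 4), ("WiFi 2", 5), ("WiFi 3", 6), ("WiFi-MGMT", None))
    if r == "radio0" or v)
# The asker's state: only the default br-lan, management interface pointed at phy0-ap0 and not a bridge.
BAD_NETWORK = ("config device\n option name 'br-lan'\n option type 'bridge'\n list ports 'eth0.1'\n"
               "config interface 'lan'\n option device 'br-lan'\n option proto 'static'\n option ipaddr '10.0.7.2/24'\n"
               "config interface 'WIFI_MGMT'\n option proto 'static'\n option ipaddr '192.168.2.1'\n option device 'phy0-ap0'\n")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_NETWORK), ("asker", BAD_NETWORK)):
        print(label, check_dumb_ap(cfg, GOOD_WIRELESS) or ["OK"])
```

Run it against the real files with `check_dumb_ap(open("network").read(), open("wireless").read())` from a machine that has a copy; an empty list only says the OpenWRT side is self-consistent, it cannot see whether the Cisco trunk or OPNsense carry those VLANs. The radioN = phyN shortcut is the one place the thread and this script guess rather than know, which is exactly why the advice above is to fix the wired management path before touching the phyX-apY device name again.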
Quote
You've explained your familiar with text editors (like VI), so it really suprises me if...
Quote
Even a single point, collon, hash or whatever can completly f*ck up your config...
It's not that I have any trouble with the editor or that I don't understand how even a slight difference in a config file, like a tab instead of a space, can mess things up. I've been programming for around 4 years, I understand these types of things for sure. The problem is I'm having trouble understanding what I'm trying to do here, which is 100% my fault. Right now I have directly copied your /etc/config/wireless. But I can't directly copy your /etc/config/network, because that will cause me to lose connectivity, so although /etc/config/wireless is exactly like yours, /etc/config/network is not. /etc/config/network is basically just the default after factory reset, but I've now added a section for the WiFi management interface. I think the correct thing to do for device is phy0-ap3, because WiFi-MGMT is the fourth SSID in the list under radio0 (picture included). Currently, when I scan on my laptop, I see WiFi 1, WiFi 2, WiFi 3, and WiFi-MGMT. Though I can't connect to WiFi-MGMT. I assume I need to do more to make /etc/config/network correct, again I would copy yours exactly, but for some reason that causes me to lose connection.
/etc/config/network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'REDACTED'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ip6assign '60'
    option gateway '10.0.7.1'
    list ipaddr '10.0.7.2/24'
    list ipaddr '192.168.1.1/24'

config device
    option name 'eth0.2'
    option macaddr 'REDACTED'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '2 3 4 5 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 0t'

config interface 'WiFi_MGMT'
    option device 'phy0-ap3'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option defaultroute '0'
    option delegate '0'
/etc/config/wireless
#
# OpenWRT Wireless Configuration
#
# !!! Don't use radio0 & radio1 from this file
# !!! Use your device specific radio config (with path, country code, etc)
# !!! Configure and add all custom wireless options (802k/v/r etc)
# !!! Only copy the SSID config
#

###
# Radio 0 - 2.4GHz
###
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'platform/ahb/18100000.wmac'
    option band '2g'
    option country 'US'
    option channel 'auto'
    option htmode 'HT20'
    option cell_density '0'

###
# Radio 1 - 5GHz
###
config wifi-device 'radio1'
    option type 'mac80211'
    option path 'pci0000:00/0000:00:00.0'
    option band '5g'
    option country 'US'
    option channel 'auto'
    option htmode 'HT20'
    option cell_density '0'

###
# SSID: WiFi 1 - 2.4GHz
###
config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 1'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan4'

###
# SSID: WiFi 2 - 2.4GHz
###
config wifi-iface 'wifinet1'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 2'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan5'

###
# SSID: WiFi 3 - 2.4GHz
###
config wifi-iface 'wifinet2'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 3'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan6'

###
# SSID: WiFi-Management - 2.4GHz
###
config wifi-iface 'wifinet3'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi-MGMT'
    option encryption 'sae'
    option key 'Very Secret'

###
# SSID: WiFi 1 - 5GHz
###
config wifi-iface 'wifinet4'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 1'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan4'

###
# SSID: WiFi 2 - 5GHz
###
config wifi-iface 'wifinet5'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 2'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan5'

###
# SSID: WiFi 3 - 5GHz
###
config wifi-iface 'wifinet6'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 3'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan6'
Quote from: isaacthekind on December 21, 2023, 01:36:44 AM
I think the correct thing to do for device is phy0-ap3, because WiFi-MGMT is the fourth SSID in the list under radio0 (picture included).
Exactly! I assumed your "current" state of config, but if you're back at my wireless config it's the fourth SSID, so phy0-ap3.
If your Wireless Management is working now, again c/p my latest /etc/config/network & /etc/config/wireless (only adjust the finetuning of the wireless management). You should end up again in a state where you don't have access to the wired management but you do now via wireless. From here you can start debugging the wired management interface.
For the wireless config, adjust radio0 & radio1 to your needs, your country and paths are probably different
Quote
Exactly! I assumed your "current" state of config, but if you're back to my wireless config it's the fourth SSID, so phy0-ap3.
Ok good!
Quote
If your Wireless Management is working now...
It's not quite working. It's working in the sense that it is visible when I scan with my laptop. But it's not working in the sense that if I try to connect to it with the standard command "nmcli device wifi connect WiFi-MGMT password "Very Secret"" I get an error which says "ERROR: connection activation failed: IP configuration could not be resolved (no available address, timeout, etc)".
EDIT: I can change the country to CA since I'm in Canada, but I'm not sure how to determine the correct path.
Files currently unchanged from last post.
Quote from: isaacthekind on December 21, 2023, 02:02:09 AM
It's not quite working. It's working in the sense that it is visible when I scan with my laptop. But it's not working in the sense that if I try to connect to it with the standard command "nmcli device wifi connect WiFi-MGMT password "Very Secret"" I get an error which says "ERROR: connection activation failed: IP configuration could not be resolved (no available address, timeout, etc)".
The Wireless Management interface you've created is just a simple (bridge) device without DHCP or whatever, it only provides a HTTP & SSH entry at 192.168.2.1 over wireless. So you need to put a static address on the wireless interface of the client, everything but 192.168.2.1/24 will work, like 192.168.2.2/24.
Also be aware there are two stages connecting to a wireless network, actually connect TO a network (SSID) and the (automatic) configuration of IP information. So something as "I can't connect to this/that Wireless Network" always needs extra explanation:
- Can you connect (associate) to the SSID / Wireless Network (Can be checked at the status overview in the OpenWRT web gui)
- Do you receive an IP address (Check the DHCP Service Log @ OPNsense if requests are received)
Quote
EDIT: I can change the country to CA since I'm in Canada, but I'm not sure how to determine the correct path.
Use the radio config from your default /etc/config/wireless after factory reset, most options are generic (like country code). But the path to the WiFi device may vary with different models.
Quote
Use the radio config from your default /etc/config/wireless after factory reset, most options are generic (like country code). But the path to the WiFi device may vary with different models.
Ok, I've added it.
Quote
- Can you connect (associate) to the SSID / Wireless Network (Can be checked at the status overview in the OpenWRT web gui)
I can't see anything (photos included).
Quote
- Do you receive an IP address (Check the DHCP Service Log @ OPNsense if request are received)
No.
/etc/config/network:
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'REDACTED'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ip6assign '60'
    list ipaddr '10.0.7.2/24'
    list ipaddr '192.168.1.1/24'
    option gateway '10.0.7.1'

config device
    option name 'eth0.2'
    option macaddr 'REDACTED'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '2 3 4 5 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 0t'

config interface 'WiFi_MGMT'
    option device 'phy0-ap3'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option defaultroute '0'
    option delegate '0'
/etc/config/wireless (same as before, but with radio changed to be like in default wireless config):
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'pci0000:00/0000:00:00.0'
    option channel '36'
    option band '5g'
    option htmode 'VHT80'

config wifi-device 'radio1'
    option type 'mac80211'
    option path 'pci0000:00/0000:00:00.0'
    option band '5g'
    option country 'US'
    option channel 'auto'
    option htmode 'HT20'
    option cell_density '0'

config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 1'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan4'

config wifi-iface 'wifinet1'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 2'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan5'

config wifi-iface 'wifinet2'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 3'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan6'

config wifi-iface 'wifinet3'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi-MGMT'
    option encryption 'sae'
    option key 'Very Secret'

config wifi-iface 'wifinet4'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 1'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan4'

config wifi-iface 'wifinet5'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 2'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan5'

config wifi-iface 'wifinet6'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 3'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan6'

config wifi-device 'radio2'
    option type 'mac80211'
    option path 'platform/ahb/18100000.wmac'
    option channel '1'
    option band '2g'
    option htmode 'HT20'
    option disabled '1'

config wifi-iface 'default_radio2'
    option device 'radio2'
    option network 'lan'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'none'
/etc/config/wireless-OLD (the one it gives after factory reset, not currently active on system, just showing for reference so you can see original radio0):
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'pci0000:00/0000:00:00.0'
    option channel '36'
    option band '5g'
    option htmode 'VHT80'
    option disabled '1'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'none'

config wifi-device 'radio1'
    option type 'mac80211'
    option path 'platform/ahb/18100000.wmac'
    option channel '1'
    option band '2g'
    option htmode 'HT20'
    option disabled '1'

config wifi-iface 'default_radio1'
    option device 'radio1'
    option network 'lan'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'none'
I have been experimenting some more and I think I was confused in my prior reply (as is probably the case with all my replies..)
I can see my laptop's MAC address show up in the Wireless Overview in OpenWrt and in the DHCPv4 leases in OPNsense now. Pictures included, code still the same. I'm still getting the same message in the command line though on my laptop which says it can't connect. I have set the IP on my laptop appropriately before trying to connect.
With your laptop connected over wireless to "WiFi_MGMT" and a static IP configured, you should now be able to reach the OpenWRT device over HTTP or SSH through its IP address: 192.168.2.1.
From here you can change the WIRED management interface to the already suggested config. Read _VERY_ carefully, these are just minor changes, but you then need to c/p these exactly. Do this via SSH by editing the /etc/config/network file, so you're 100% sure the config is like below (so don't use the GUI). After you changed the file just reboot and wait for OpenWRT to be back online.
###
# Management Interface (Wired)
###
config device
    option name 'br-vlan1'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'vlan1'
    option device 'br-vlan1'
    option proto 'static'
    option ipaddr '10.0.7.2'
    option netmask '255.255.255.0'
    option gateway '10.0.7.1'
    option ip6assign '0'
Again connect via "WiFi_MGMT" and try to ping the WIRED management interface (10.0.7.2) FROM OPNsense (10.0.7.1) and the other way around, from OpenWRT to OPNsense. (OpenWRT -> Network -> Diagnostics or via SSH shell)
Do you get a ping reply ?
I understand everything you said there. With my laptop connected to WiFi-MGMT, I will connect over SSH and copy/paste the exact changes you just gave to /etc/config/network for the WIRED interface, reboot, then connect VIA WIRED and try pinging WIRED from OPNsense and vice versa, then report back.
Before I can do that, as far as i can tell, I still have to fix the WiFi-MGMT connection problem I mentioned in my prior comments though. This is what happens:
On laptop, I scan with "nmcli devices wifi list" -> I see WiFi-MGMT -> I try to connect with "nmcli device wifi connect WiFi-MGMT password "Very Secret"" -> I see in OpenWrt Wireless Devices GUI area my laptop MAC, with host as "?" (pictured) -> I get "Error: Connection failed: IP configuration could not be reserved (no available address, timeout, etc)." on laptop.
This is with all config files same as last time I showed them.
Quote from: isaacthekind on December 22, 2023, 02:18:02 AM
This is with all config files same as last time I showed them.
Yeah, because that's related to your laptop and all the config files I posted are about OpenWRT, the Cisco switch and OPNsense. As I understand it, your problem is "How do I connect to my WiFi with a static IP", which is the case for the WiFi_MGMT where you need 192.168.2.2/24 statically configured. Well, that's something you have to figure out at your client, which I guess would be NetworkManager.
If you're not familiar with the NetworkManager CLI and/or syntax, I suggest you start or install the GUI of your distro and use that, or use Mac or Windows if Linux networking is too complex. The command line you're posting is just associating to the SSID, it's missing things like ipv4 method, IP address and netmask which are needed for static network address assignment. You're probably still defaulting to DHCP which explains the previous errors you posted. A correctly configured network for the client is my only anchor to understand what's happening.
BTW
Quote
I understand everything you said there. With my laptop connected to WiFi-MGMT, I will connect over SSH and copy/paste the exact changes you just gave to /etc/config/network for the WIRED interface, reboot, then connect VIA WIRED and try pinging WIRED from OPNsense and vice versa, then report back.
After reboot connect via WIRELESS, that's the whole point, you can do everything from here now (if you fix your client wifi), so also checking if the WIRED is working. Only THEN we switch back from WIRELESS to WIRED, first the validation...
Can you also post the output of your bridges after boot, something like this:
root@OpenWRT:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-vlan1        7fff.ffffffffffff       no              eth0.1
br-vlan6        7fff.ffffffffffff       no              eth0.6
                                                        phy0-ap2
                                                        phy1-ap2
br-vlan4        7fff.ffffffffffff       no              eth0.4
                                                        phy0-ap0
                                                        phy1-ap0
br-vlan5        7fff.ffffffffffff       no              eth0.5
                                                        phy0-ap1
                                                        phy1-ap1
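To make "post your bridges after boot" a check rather than an eyeball exercise, the following script parses a `brctl show` listing and verifies that every br-vlanN bridge actually contains its eth0.N trunk member and reports how many APs hang off it. It is an added example for this thread, not code from the thread or from OpenWrt; it assumes the trunk parent is eth0 and that wireless interfaces appear as phyX-apY, both as in the expected output above. The listing it runs on is constructed from that expected output plus one extra bridge, br-vlan7, that carries APs but was never attached to its VLAN sub-interface.

```shell
#!/bin/sh
# Check a 'brctl show' listing for the multi-VLAN dumb-AP layout discussed above.
# Added example for this thread; not code from the thread or from OpenWrt.
# Assumes the trunk parent is eth0, so bridge br-vlanN must contain eth0.N, and
# that wireless APs show up as phyX-apY (both as in the expected output above).

# Constructed sample: the expected listing from the post above plus one bridge,
# br-vlan7, that carries two APs but has no eth0.7 member.
write_brctl_sample() {
    cat > "$1" <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br-vlan1        7fff.ffffffffffff       no              eth0.1
br-vlan6        7fff.ffffffffffff       no              eth0.6
                                                        phy0-ap2
                                                        phy1-ap2
br-vlan4        7fff.ffffffffffff       no              eth0.4
                                                        phy0-ap0
                                                        phy1-ap0
br-vlan5        7fff.ffffffffffff       no              eth0.5
                                                        phy0-ap1
                                                        phy1-ap1
br-vlan7        7fff.ffffffffffff       no              phy0-ap3
                                                        phy1-ap3
EOF
}

# brctl_members FILE
# Turns the listing into one "bridge member member ..." line per bridge.
# brctl prints the first member on the bridge's own line and the rest on
# continuation lines that carry nothing but the interface name.
brctl_members() {
    awk '
    NR == 1 { next }                                          # header line
    $1 ~ /^br-/ { br = $1; members[br] = (NF >= 4 ? $4 : ""); order[++k] = br; next }
    { members[br] = (members[br] == "" ? $1 : members[br] " " $1) }
    END { for (i = 1; i <= k; i++) print order[i], members[order[i]] }
    ' "$1"
}

# brctl_check_vlan_bridges FILE
# Returns 1 if any br-vlanN bridge lacks its eth0.N trunk member, 0 otherwise,
# and prints one status line per VLAN bridge.
brctl_check_vlan_bridges() {
    brctl_members "$1" | awk '
    BEGIN { bad = 0 }
    $1 ~ /^br-vlan[0-9]+$/ {
        vid = $1; sub(/^br-vlan/, "", vid)
        want = "eth0." vid; found = 0; aps = 0
        for (i = 2; i <= NF; i++) {
            if ($i == want) found = 1
            if ($i ~ /^phy[0-9]+-ap[0-9]+$/) aps++
        }
        if (!found) {
            printf "%s: missing trunk member %s (members: %s)\n", $1, want, substr($0, length($1) + 2)
            bad = 1
        } else if (aps == 0) {
            printf "%s: ok, wired only (no AP attached)\n", $1
        } else {
            printf "%s: ok, %d AP(s) on %s\n", $1, aps, want
        }
    }
    END { exit bad }'
}

# Stand-alone run on the constructed sample; on the AP use: brctl show > /tmp/br.txt
tmp="${TMPDIR:-/tmp}/brctl.sample.$$"
write_brctl_sample "$tmp"
brctl_check_vlan_bridges "$tmp" || echo "some VLAN bridges are not attached to the trunk"
rm -f "$tmp"
```

A bridge that has the APs but not its eth0.N member is exactly the state where clients associate but get no address: the wireless side exists, but nothing connects it to the tagged VLAN on the trunk.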
Quote
You're probably still defaulting to DHCP which explains previous errors you posted
I didn't know nmcli defaulted to DHCP. I modified the connection to use manual and now the error message is gone and I can see the connection is up. But I still can't ping 192.168.2.1 from the laptop or reach the GUI.
Quote
After reboot connect via WIRELESS, that's the whole point, you can do everything from here now (if you fix your client wifi), so also checking if the WIRED is working. Only THEN we switch back from WIRELESS to WIRED, first the validation...
Right, understood now. Do all tests on wireless management interface, then switch to wired only when that is all working. Fall back to wireless if anything breaks.
Quote
Can you also post the output of your bridges after boot, something like this:
Sure. Keep in mind, I still have not configured the VLANs. The two config files have not been touched since I last posted them, but only /etc/config/wireless is exactly like yours (except for radio0 which is now the same as the default radio0 settings for my device). My /etc/config/network is just the default, but with WiFi-MGMT added:
root@OpenWrt:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.c0c9e35dcfca       no              eth0.1
/etc/config/network:
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'REDACTED'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ip6assign '60'
    list ipaddr '10.0.7.2/24'
    list ipaddr '192.168.1.1/24'
    option gateway '10.0.7.1'

config device
    option name 'eth0.2'
    option macaddr 'REDACTED'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '2 3 4 5 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 0t'

config interface 'WiFi_MGMT'
    option device 'phy0-ap3'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option defaultroute '0'
    option delegate '0'
/etc/config/wireless
config wifi-device 'radio0'
    option type 'mac80211'
    option path 'pci0000:00/0000:00:00.0'
    option channel '36'
    option band '5g'
    option htmode 'VHT80'

config wifi-device 'radio1'
    option type 'mac80211'
    option path 'pci0000:00/0000:00:00.0'
    option band '5g'
    option country 'US'
    option channel 'auto'
    option htmode 'HT20'
    option cell_density '0'

config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 1'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan4'

config wifi-iface 'wifinet1'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 2'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan5'

config wifi-iface 'wifinet2'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi 3'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan6'

config wifi-iface 'wifinet3'
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi-MGMT'
    option encryption 'sae'
    option key 'Very Secret'

config wifi-iface 'wifinet4'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 1'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan4'

config wifi-iface 'wifinet5'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 2'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan5'

config wifi-iface 'wifinet6'
    option device 'radio1'
    option mode 'ap'
    option ssid 'WiFi 3'
    option encryption 'sae'
    option key 'Very Secret'
    option network 'vlan6'

config wifi-device 'radio2'
    option type 'mac80211'
    option path 'platform/ahb/18100000.wmac'
    option channel '1'
    option band '2g'
    option htmode 'HT20'
    option disabled '1'

config wifi-iface 'default_radio2'
    option device 'radio2'
    option network 'lan'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'none'
I managed to get it working!
I figured I should mention this so you don't return after holiday then put in more time when it's been resolved. I can explain what the issues were, if that's of interest, was a problem with the guest network and with my switch, not with your code. The help in this thread was very awesome and gave me a lot of insight without which I'd probably not have resolved it. Thank you so much for all the time and effort, really appreciated.
Quote from: isaacthekind on December 26, 2023, 08:28:02 AM
I managed to get it working!
I figured I should mention this so you don't return after holiday then put in more time when it's been resolved. I can explain what the issues were, if that's of interest, was a problem with the guest network and with my switch, not with your code. The help in this thread was very awesome and gave me a lot of insight without which I'd probably not have resolved it. Thank you so much for all the time and effort, really appreciated.
Good to hear!
Always nice to hear what was the "magic" that solves a problem or challenge.
Essentially... Everything you sent was correct but that old switch was not passing all the VLANs in the trunk to the AP. It has this default behaviour of only passing VLANs that meet both the following conditions:
1) There is a physical switch port, other than trunk, associated with the VLAN in question.
2) A device has already been successfully connected to this port.
Before 1, wireless connection to the VLAN fails, after 1 wireless connection to the VLAN succeeds but with no internet access, after 2 everything works.
Quote from: isaacthekind on December 27, 2023, 11:47:24 PM
Essentially... Everything you sent was correct but that old switch was not passing all the VLANs in the trunk to the AP. It has this default behaviour of only passing VLANs that meet both the following conditions:
1) There is a physical switch port, other than trunk, associated with the VLAN in question.
2) A device has already been successfully connected to this port.
Before 1, wireless connection to the VLAN fails, after 1 wireless connection to the VLAN succeeds but with no internet access, after 2 everything works.
Ah, makes sense (the solution, not the switch behaviour ;-)). I'm not using Cisco hardware that much, it already confused me that it allows all VLANs on a trunk port without "any" configuration. Normally you have to define an allowed VLAN list or just any, but at least define the policy.
Well, congrats. Configuring an advanced firewall, managed switch and probably one of the most difficult OpenWRT setups (Multi VLAN Dumb AP) without prior network knowledge is quite an achievement. This might be a good time to sit down, take a nice drink and tap yourself on the back... :D
Yeah when I graduate to big boy hardware I want to get away from Cisco, a lot of smart people seem to complain about it, this is just a cheapo used switch for learning purposes.
I'm extremely happy to have it all working, and now I can play around with things and learn all the little nuances. I'm taking a break for a day or two though as you suggest. Next I plan to try implementing LAGG stuff you mentioned, some intrusion prevention/detection stuff, WireGuard, the list goes on, it's all very fun. :p
Thanks for putting up with my insane levels of confusion here. Hugely appreciated.
Quote from: isaacthekind on December 28, 2023, 12:09:58 AM
Yeah when I graduate to big boy hardware I want to get away from Cisco, a lot of smart people seem to complain about it, this is just a cheapo used switch for learning purposes.
Well, although not a fan (*sigh*), you own a decent piece of hardware. I guess every (network) device has its quirks, you just have to know what these are ;-).
Quote
Thanks for putting up with my insane levels of confusion here. Hugely appreciated.
You're welcome, love your persistence and can-do mentality!