I Set Up A VLAN But Can't Ping Systems On It

Started by isaacthekind, December 04, 2023, 08:12:54 PM

December 10, 2023, 09:32:08 PM #15 Last Edit: December 10, 2023, 11:06:57 PM by netnut
Quote from: isaacthekind on December 10, 2023, 03:01:13 AM
...
I used a dashed line to indicate the part of the topology I don't know how to configure.

First advice, take your time, this is probably going to take you through a few WTF? moments or even drive you to complete insanity ;D. But don't give up!

What you want to configure are a couple of SSIDs which are one-to-one mapped to a VLAN. Normally OpenWRT will take care of the routing, but in your situation OpenWRT is just for the wireless part. So you need to bridge those VLANs (i.e. SSIDs) to your switch. The good news is that OpenWRT will revert back to its latest working configuration, so you can fail hard without any impact (just a lot of waiting time).

This would also be a perfect example where you want a trunk port WITH a native VLAN assigned. Because your OpenWRT AP is only VLAN aware when it's completely finished booting. So if you want to connect to the bootloader or want to do a rescue procedure you don't want a tagged VLAN for the OpenWRT management (it can be done, but with a lot of complexity). Also when you disconnect the AP from your switch and directly connect it to your laptop/pc, a tagged VLAN will only add complexity, so:

Introduce a new VLAN just for management of Access Points; no wireless traffic will use this VLAN, it's just for you to connect and manage the access point. Configure the port where your access point is connected as type Trunk and configure the AP management VLAN as native VLAN for this port. All VLANs used by your wireless SSIDs are going to be tagged on the same port. Your challenge is now to configure the default OpenWRT LAN port as an UNTAGGED port with an IP address in the AP management VLAN; the other VLANs (the tagged ones) can be unnumbered. When they are bridged to the switch and you have configured these VLANs in OPNsense with a gateway address, all management/DHCP/routing is done by OPNsense (hence the "dumb" for OpenWRT in this scenario).

The "problem" with OpenWRT is that there are many different devices supported, some with one or two ports, some with a built-in switch. Also the switch configuration varies with the different models: some use the old-style config, some the new style (with native Linux VLAN bridge filtering).

Again, don't give up too early, it's complex at first, but when you're done it all makes sense.

If you get stuck, it might help to share the type of AP you're using (and OpenWRT version).

December 11, 2023, 12:29:54 AM #16 Last Edit: December 11, 2023, 12:51:44 AM by isaacthekind
I don't intend to give up. As long as there is some way to make progress I intend to keep trying.

It's a TP-Link Archer C7 v5, with OpenWRT 23.05.0, and the switch is a Cisco Catalyst 3750X Layer 3 Gigabit Switch - 24 port Gigabit.

I've set the port type to "Access Point" on the switch, which is a trunk port type, and set the native VLAN for that port to 7 on the switch, and created a corresponding VLAN called OPENWRT_MANAGEMENT in OPNsense then tagged it 7 with IP address 10.0.7.1. I've also set the IP for the OpenWRT lan interface to 10.0.7.2 and turned on VLAN filtering with an untagged primary VLAN of 7. I get nothing when I ping OpenWRT from OPNsense or desktop. I'll include some photos of what I've done, maybe you can spot the error. Clearly I'm messing something up, but I'm not sure what.

EDIT: I noticed a small error that the VLAN number in photo 1 is 1 instead of 7. I've fixed this, but still same behaviour.

December 11, 2023, 02:42:07 AM #17 Last Edit: December 11, 2023, 03:49:16 AM by netnut
Quote from: isaacthekind on December 11, 2023, 12:29:54 AM
Clearly I'm messing something up, but I'm not sure what.

It looks pretty ok at first sight. I don't know what's behind the "Access Point" switch port profile, but you did configure the native VLAN, and I guess you added the VLAN IDs for the wireless networks as tagged?

Did you also add the AP management VLAN ID (7) and both VLAN IDs for the wireless networks at the switch uplink port (tagged) towards OPNsense?

Your screenshots show the OpenWRT VLAN bridge filtering options; are you sure your TP-Link doesn't use a traditional switch device? It should show up via the "Network -> Switch" menu.

Did you disable the firewall on the bridge interface? (Unspecified)

Set the primary IP address to your desired config 10.0.7.2/24, add 192.168.1.1/24 as secondary. So the other way around...
Add your gateway 10.0.7.1 (OPNsense), although your ping from OPNsense should work without it...

Could you factory reset the OpenWRT device and paste the default OpenWRT network config? (It should be reachable via the factory 192.168.1.1/24 IP.)

root@OpenWrt:~# cat /etc/config/network


December 11, 2023, 03:48:02 AM #18 Last Edit: December 11, 2023, 03:50:18 AM by isaacthekind
I have not added VLAN IDs for the various wireless networks in OpenWRT. Currently I'm trying to just get the WIRELESS_MANAGEMENT (7) working, I also added one for HOME (6).

"Did you also added the AP management VLAN ID (7) and both VLAN ID's for the wireless networks at the switch uplink port (tagged) towards OPNsense ?"

This I don't understand. I'm sorry.

No, I didn't disable firewall. I tried that and it caused me to lose connectivity.

I reversed the primary and secondary IPs for OpenWRT and set the gateway to 10.0.7.1, I still can't ping OpenWRT from desktop or OPNsense though.

Yes, I factory reset the device then and got the network config for you.

Photos of what I've done, and the network config are attached.

December 11, 2023, 04:33:33 AM #19 Last Edit: December 11, 2023, 05:06:27 AM by netnut
Quote from: isaacthekind on December 11, 2023, 03:48:02 AM
...
"Did you also added the AP management VLAN ID (7) and both VLAN ID's for the wireless networks at the switch uplink port (tagged) towards OPNsense ?"

This I don't understand. I'm sorry.

The uplink port FROM your switch TO OPNsense, that's (one of) your trunks; you usually set one or more VLAN IDs as allowed over this trunk. Now there's also a simple allow-all policy, in which case you don't have to worry when you add a VLAN ;D. But either way, you need to set the specific VLAN IDs or an allow-all policy on this trunk port. You have it working for your other VLANs, so there might be an allow-all already in place.

You are connecting your OpenWRT device directly from LAN1 to your switch port?

And I see a traditional switch, so don't configure Bridge VLAN Filtering (network / br-lan device / configure); delete the entry and don't check the enable box.
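To make the trunk/native-VLAN design from posts #15 and #19 concrete, here is a small model of 802.1Q switch port behaviour. It is an added example, not code from the thread or from OpenWRT, OPNsense or Cisco; the port names ("port1" for the uplink to OPNsense, "port6" for the AP) and the VLAN numbers are constructed to mirror the topology described here. The `missing_on_uplink` check answers netnut's question in #19 directly: which VLANs carried on the AP port would be silently dropped by the uplink trunk.

```python
# Added example (not from the thread): a tiny model of 802.1Q switch port behaviour,
# to check the design netnut describes: the AP port is a trunk whose native VLAN is
# the AP-management VLAN (7), the SSID VLANs ride the same port tagged, and the
# uplink trunk towards OPNsense must allow every VLAN the AP port carries.
# Port names ("port1", "port6") and the VLAN numbers are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Port:
    mode: str                           # "access" or "trunk"
    vlan: int = 1                       # access VLAN, or native VLAN if trunk
    allowed: Optional[Set[int]] = None  # trunk allowed-VLAN list; None = allow all


Switch = Dict[str, Port]


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """Which VLAN a frame arriving on `port` is placed in; None means dropped.
    `tag` is the 802.1Q VID on the frame, or None if it arrived untagged."""
    if port.mode == "access":
        return port.vlan if tag is None else None
    vid = port.vlan if tag is None else tag  # untagged on a trunk -> native VLAN
    if port.allowed is not None and vid not in port.allowed:
        return None
    return vid


def egress(port: Port, vid: int) -> Optional[str]:
    """How a frame in VLAN `vid` leaves `port`: "untagged", "tagged", or None (not sent)."""
    if port.mode == "access":
        return "untagged" if vid == port.vlan else None
    if port.allowed is not None and vid not in port.allowed:
        return None
    return "untagged" if vid == port.vlan else "tagged"


def forward(switch: Switch, in_port: str, tag: Optional[int], out_port: str) -> Optional[str]:
    """End to end: a frame enters in_port carrying `tag`; how does it leave out_port?"""
    vid = ingress_vlan(switch[in_port], tag)
    return None if vid is None else egress(switch[out_port], vid)


def missing_on_uplink(switch: Switch, ap_port: str, uplink: str) -> Set[int]:
    """VLANs the AP port carries that the uplink would not forward: these are the
    SSID/management networks that will never reach OPNsense, with no error anywhere."""
    ap, up = switch[ap_port], switch[uplink]
    carried = set(ap.allowed) if ap.allowed is not None else set()
    carried.add(ap.vlan)
    if up.mode != "trunk":
        return carried - {up.vlan}
    if up.allowed is None:
        return set()
    return carried - up.allowed


# Constructed topology matching the thread: port1 = uplink to OPNsense (allow all),
# port6 = OpenWRT AP, native VLAN 7 (AP management), SSID VLANs 6 and 8 tagged.
GOOD: Switch = {
    "port1": Port("trunk", vlan=1, allowed=None),
    "port6": Port("trunk", vlan=7, allowed={6, 7, 8}),
}
# Same switch, but the uplink was restricted to the SSID VLANs and VLAN 7 was forgotten.
BROKEN: Switch = {
    "port1": Port("trunk", vlan=1, allowed={6, 8}),
    "port6": Port("trunk", vlan=7, allowed={6, 7, 8}),
}

if __name__ == "__main__":
    # A freshly reset OpenWRT sends untagged -> lands in VLAN 7 -> leaves the uplink tagged 7.
    print(forward(GOOD, "port6", None, "port1"))        # tagged
    # OPNsense replies tagged 7 -> the AP receives it untagged (native), so the AP needs no VLAN config yet.
    print(forward(GOOD, "port1", 7, "port6"))           # untagged
    print(missing_on_uplink(GOOD, "port6", "port1"))    # set()
    print(missing_on_uplink(BROKEN, "port6", "port1"))  # {7}
```

The two `forward` calls in the `__main__` block are exactly why the native VLAN is chosen for AP management: the AP and the bootloader talk plain untagged Ethernet, and the switch does the tagging towards OPNsense. The `BROKEN` topology shows the symptom of a forgotten VLAN on the uplink: everything looks fine on the AP port, but nothing in VLAN 7 ever reaches the firewall.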


I didn't configure a specific "allow all" rule on port 1 which connects OPNsense to the switch. But I used a smartport type called "Router" which I suspect may do this. My VLANs (not counting WIRELESS_MANAGEMENT) are working as expected (photo included) so they must be flowing correctly through this trunk.

Yes, I connect OpenWRT directly from LAN1 to port 6 on the switch, which has smartport type "Access Point".

December 11, 2023, 03:49:54 PM #21 Last Edit: December 11, 2023, 04:05:09 PM by netnut
Ok, before going further and the scope of your issue gets way too wide, step back.

Your first goal is to have communication between OPNsense and your Wireless Access Point (management) interface. Until this is solved, don't do anything else. You're using an OpenWRT device that by default is using a traditional switch device, so stay away from the Bridge VLAN Filtering menu as you showed in your screenshots, because you're mixing up different VLAN configurations at OpenWRT.

The whole idea of my proposed setup is that things are as simple and transparent as they could be. So first factory reset your OpenWRT device and start over (this would also be the time to paste the default config so I have a reference for how your specific device is configured by default, because it depends heavily on the OpenWRT device branch you are using).

After the factory reset of OpenWRT you DON'T play with VLANs YET on your Access Point. You configured a native VLAN on the switch port where OpenWRT is connected, so things should work out of the box, specifically a ping from/to OpenWRT - OPNsense. If it doesn't, your VLAN config is wrong. Again, NO VLANs on OpenWRT yet (well, OpenWRT probably is using VLAN 1 & 2 internally already, but that's for later).

The only thing you do after the factory reset is change the default IP address of the OpenWRT LAN interface to 10.0.7.2/24 and, if you like, add 192.168.1.1/24 as secondary. If you use a laptop/PC at LAN port 2 (port 1 is connected to your switch) you should have a permanent connection to OpenWRT on 192.168.1.1 (configured as secondary IP in the previous step) while doing the change.

If, after just changing the default OpenWRT IP to 10.0.7.2/24, you can't ping OPNsense at 10.0.7.1/24, your VLAN config of the Cisco switch is wrong.

If you can, it really helps if you paste the CLI configuration of the port instead of the screenshots. By using Cisco port profiles (like Router / Access Point) you get all kinds of default stuff on the port (QoS, BPDU filtering etc.) which makes things more error-prone in this phase of your config, but first try the suggestion above, so we can validate the switch VLAN config first.

I actually did paste the default OpenWRT config earlier, just FYI (don't want you to think I didn't listen the first time) but I'll attach it again to this one. This is /etc/config/network directly after factory reset. If there are any other config files you want me to post, just let me know.

If I factory reset the OpenWRT device then change its primary IP to 10.0.7.2 and plug it into the "access point" port, I can ping it from OPNsense, but not from desktop, even with an allow CORE to any rule (desktop is on CORE) at the top of my rule list.

It might take me a bit to figure out the switch CLI, but I'll start working on that now.

See attachment for OpenWRT config file.

December 11, 2023, 04:48:26 PM #23 Last Edit: December 11, 2023, 04:50:09 PM by netnut
Quote from: isaacthekind on December 11, 2023, 04:19:59 PM
If I factory reset the OpenWRT device then change its primary IP to 10.0.7.2 and plug it into the "access point" port, I can ping it from OPNsense, but not from desktop, even with an allow CORE to any rule (desktop is on CORE) at the top of my rule list.

Ok, that's very good news :D, which means your VLAN config works, but you have a routing issue. Did you configure the default gateway in OpenWRT? In the menu where you configured 10.0.7.2/24 (and probably 192.168.1.1/24 as secondary) there's a field "IPv4 gateway"; it should have your OPNsense IP configured, so "10.0.7.1" <--- just that, no subnet mask or anything.

Sorry, didn't see your network output earlier, found it, scanning it ;-)

Don't bother with the switch CLI, you proved that VLAN switching works, so for now I trust your Cisco config...

You fixed the first goal: "Your first goal is to have communication between OPNsense and your Wireless Access Point (management) interface."

What's left is your routing issue (which probably is fixed by adding the default GW like I mentioned in the previous post). You should be able to ping the OpenWRT management interface from all your LAN segments. Remember the allow Any-Any rule you should place on ALL interfaces in the OPNsense firewall config. When you're finished with your base topology, you can fine-tune these firewall policies.

Also don't forget to remove (or set to unspecified) the OpenWRT firewall on the br-lan interface for now.
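The fix netnut describes in post #23, written out as the relevant part of OpenWRT's /etc/config/network. This is an added, constructed example, not the poster's attached config file, and it assumes the 23.05 "device" syntax with the br-lan bridge that the Archer C7 v5 uses by default (netnut's point that the exact layout depends on the device branch still applies). The reason the gateway matters: a ping from OPNsense itself (10.0.7.1) is answered on the local subnet, but a ping from the desktop on another VLAN arrives with a source address OpenWRT has no route to, so without a default gateway the reply is never sent.

```uci
# /etc/config/network, LAN section only (constructed example, not the thread's attachment).
# Everything else (WAN, switch sections) stays as the factory reset left it.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	# primary: the AP management address in VLAN 7 (native/untagged on the switch port)
	list ipaddr '10.0.7.2/24'
	# secondary: keeps the AP reachable from a laptop on LAN port 2 during the change
	list ipaddr '192.168.1.1/24'
	# OPNsense's VLAN 7 address; without this, replies to other subnets are never sent
	option gateway '10.0.7.1'
	list dns '10.0.7.1'
```

Apply it with `uci commit network` and `/etc/init.d/network restart` (or reload from the LuCI page); if the AP is not reachable afterwards, OpenWRT's rollback described in post #15 restores the previous config after the timeout.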

December 11, 2023, 05:23:40 PM #25 Last Edit: December 11, 2023, 05:29:31 PM by isaacthekind
OMG, the ping is actually working from desktop after adding the default gateway. Very happy to finally see this haha. I was going a bit insane yesterday. Strange that the default gateway doesn't default to correspond to the default IP, but maybe that's standard.

I suppose this is beside the point now, since, as you said, we know the VLANs are working, but getting into the switch CLI is quite the pain. This SSH config works to get me to the login prompt, except the user is wrong:

host switch
    ciphers aes256-cbc
    hostname 10.0.0.2
    hostKeyAlgorithms ssh-rsa
    kexAlgorithms +diffie-hellman-group1-sha1
    user cisco

I think that's an old, outdated algorithm. But the switch doesn't have a default user name in the GUI, and I can't find it in the docs, and neither "cisco" nor "root" works. Lol, not fun!

Ok, back to relevant things..

If I set the firewall zone to unspecified, I lose connection. So I'm not really sure what to do about that.

I have some sense of what's next, probably setting the VLANs up in the "Switch" menu of OpenWRT and fixing this firewall zone thing, but maybe I'll let you spell it out so I don't go down the wrong path here. Thanks very much for getting me to the point of actually being able to ping the device.

December 11, 2023, 05:36:45 PM #26 Last Edit: December 11, 2023, 05:42:23 PM by netnut
Quote from: isaacthekind on December 11, 2023, 05:23:40 PM
OMG, the ping is actually working from desktop after adding the default gateway. Very happy to finally see this haha. I was going a bit insane yesterday.

Is this the right time to say: "I told you so... :D"

Quote
I suppose this is beside the point now,
Ok, back to relevant things..

Let's do so; we're looking at your wired & wireless network, we really don't care about your SSH daemon config at this stage ;-). But you're right, your current config is old & insecure.

Quote
If I set the firewall zone to unspecified, I lose connection. So I'm not really sure what to do about that.

I have some sense of what's next, probably setting the VLANs up in the "Switch" menu of OpenWRT and fixing this firewall zone thing, but maybe I'll let you spell it out so I don't go down the wrong path here. Thanks very much for getting me to the point of actually being able to ping the device.

It's the next challenge indeed, but I don't understand why you're losing connectivity right now; it should have nothing to do with your current config, so let me think for a while 8)


I understand you're enthusiastic at this moment, but we need to fix/understand the firewall issue first. Don't configure any VLAN or wireless on OpenWRT yet, because we're going to use a little OpenWRT bridge trick to make your config super flexible for future use and some next learning steps (but again, first things first ;-))

Yes you can definitely say "I told you so.". Hahaha.

Yeah, no worries, just showing SSH 'cause it was kind of funny, sorry for the distraction.

Sure, take your time.

Ok, I'm trying to understand what happens when you describe it as "I lose connection". So in your last confirmed working setup, with OpenWRT at 10.0.7.2/24, I'd like to know:

From where are you managing the OpenWRT AP?

A laptop connected to port 2 of the AP, or somewhere from your (VLAN) network?

Do you use the 10.0.7.2 IP address for management?


I think this would be easiest to answer with an updated topology diagram. It has all the port numbers and IPs now labelled.

I'm accessing it from the GUI @ 10.0.7.2 on desktop.

The diagram is now too large to share here so I've put it on my Nextcloud for you: https://nextcloud.askyourself.ca/s/k5syMJfCJeJRa5r