I Set Up A VLAN But Can't Ping Systems On It

[isaacthekind]

Use the radio config from your default /etc/config/wireless after factory reset, most options are generic (like country code). But the path to the WiFi device may vary with different models.

Ok, I've added it.

- Can you connect (associate) to the SSID / Wireless Network (Can be checked at the status overview in the OpenWRT web gui)

I can't see anything (photos included).

- Do you receive an IP address (Check the DHCP Service Log @ OPNsense if request are received)

No.

/etc/config/network:

Code: [Select]

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'REDACTED'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
list ipaddr '10.0.7.2/24'
list ipaddr '192.168.1.1/24'
option gateway '10.0.7.1'

config device
option name 'eth0.2'
option macaddr 'REDACTED'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'

config interface 'WiFi_MGMT'
option device 'phy0-ap3'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'

/etc/config/wireless (same as before, but with radio changed to be like in default wireless config):

Code: [Select]

config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'

config wifi-device 'radio1'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option country 'US'
option channel 'auto'
option htmode 'HT20'
option cell_density '0'

config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'WiFi 1'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan4'

config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid 'WiFi 2'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan5'

config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'WiFi 3'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan6'

config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'WiFi-MGMT'
option encryption 'sae'
option key 'Very Secret'

config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'WiFi 1'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan4'

config wifi-iface 'wifinet5'
option device 'radio1'
option mode 'ap'
option ssid 'WiFi 2'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan5'

config wifi-iface 'wifinet6'
option device 'radio1'
option mode 'ap'
option ssid 'WiFi 3'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan6'

config wifi-device 'radio2'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option disabled '1'

config wifi-iface 'default_radio2'
option device 'radio2'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'

/etc/config/wireless-OLD (the one it gives after factory reset, not currently active on system, just showing for reference so you can see original radio0):

Code: [Select]

config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option disabled '1'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'

config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option disabled '1'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'


[isaacthekind]

I have been experimenting some more and I think I was confused in my prior reply (as is probably the case with all my replies..)

I can see my laptop's mac adderss show up in the Wireless Overview in OpenWrt and in the DHCPv4 leases in OPNsense now. Pictures included, code still same. I'm still getting the same message in the command line though on my laptop which says it can't connect. I have set the IP on my laptop appropriately before trying to connect.

[netnut]

With your laptop connected over wireless to the "WiFI_MGMT" and a static ip configured, you should now be able to reach the OpenWRT device over HTTP or SSH through it's IP address: 192.168.2.1.

From here you can change the WIRED management interface to the already suggested config, read _VERY_ carefully, these are just minor changes, but you the need to c/p these exactly. Do this via SSH and editing the /etc/config/network file, so you're 100% sure the config is like below (so don't use GUI). After you changed the file just reboot and wait for OpenWRT to be back online.

Code: [Select]

###
# Management Interface (Wired)
###

config device
option name 'br-vlan1'
option type 'bridge'
list ports 'eth0.1'

config interface 'vlan1'
option device 'br-vlan1'
option proto 'static'
option ipaddr '10.0.7.2'
option netmask '255.255.255.0'
        option gateway '10.0.7.1'
option ip6assign '0'

Again connect via "WiFi_MGMT" and try to ping the WIRED management interface (10.0.7.2) FROM OPNsense (10.0.7.1) and the other way around, from OpenWRT to OPNsense. (OpenWRT -> Network -> Diagnostics or via SSH shell)

Do you get a ping reply ?

[isaacthekind]

I understand everything you said there. With my laptop connected to WiFi-MGMT, I will connect over SSH and copy/paste the exact changes you just gave to /etc/config/network for the WIRED interface, reboot, then connect VIA WIRED and try pinging WIRED from OPNsense and vice versa, then report back.

Before I can do that, as far as i can tell, I still have to fix the WiFi-MGMT connection problem I mentioned in my prior comments though. This is what happens:

On laptop, I scan with "nmcli devices wifi list" -> I see WiFi-MGMT -> I try to connect with "nmcli device wifi connect WiFi-MGMT password "Very Secret"" -> I see in OpenWrt Wireless Devices GUI area my laptop MAC, with host as "?" (pictured) -> I get "Error: Connection failed: IP configuration could not be reserved (no available address, timeout, etc)." on laptop.

This is with all config files same as last time I showed them.

[netnut]

This is with all config files same as last time I showed them.

Yeah, because that's related to your laptop and all the config files I posted are about OpenWRT, Cisco Switch and OPNsense. As I understand your problem is "How do I connect to my WiFi with a static IP", which is the case for the WiFi_MGMT where you need 192.168.2.2/24 staticly configured. Well, that's something you have to figure out at your client, which I guess would be NetworkManager.

If your not familar with NetworkManager cli and/or syntax, I suggest you start or install the GUI of your distro and use that, or use Mac or Windows if Linux networking is too complex. The command line you're posting is just assiociating to the SSID, it's missing things like ipv4 method, ip address and netmask which are needed for static network address assignment. Your probably still default to DHCP which explains previous errors you posted. A correctly configured network for the client is my only anchor to understand what's happening.


BTW

I understand everything you said there. With my laptop connected to WiFi-MGMT, I will connect over SSH and copy/paste the exact changes you just gave to /etc/config/network for the WIRED interface, reboot, then connect VIA WIRED and try pinging WIRED from OPNsense and vice versa, then report back.

After reboot connect via WIRELESS, that's the whole point, you can do everything from here now (if you fix your client wifi), so also checking if the WIRED is working. Only THEN we switch back from WIRELESS to WIRED, first the validation...

Can you also post the output of your bridges after boot, something like this:

Code: [Select]

root@OpenWRT:~# brctl show
bridge name bridge id STP enabled interfaces
br-vlan1 7fff.ffffffffffff no eth0.1
br-vlan6 7fff.ffffffffffff no eth0.6
phy0-ap2
phy1-ap2
br-vlan4 7fff.ffffffffffff no eth0.4
phy0-ap0
phy1-ap0
br-vlan5 7fff.ffffffffffff no eth0.5
phy0-ap1
phy1-ap1


[isaacthekind]

Your probably still default to DHCP which explains previous errors you posted

I didn't know nmcli defaulted to DHCP. I modified the connection to use manual and now the error message is gone and I can see the connection is up. But i still can't ping 192.168.2.1 from the laptop or reach the GUI.

After reboot connect via WIRELESS, that's the whole point, you can do everything from here now (if you fix your client wifi), so also checking if the WIRED is working. Only THEN we switch back from WIRELESS to WIRED, first the validation...

Right, understood now. Do all tests on wireless management interface, then switch to wired only when that is all working. Fall back to wireless if anything breaks.

Can you also post the output of your bridges after boot, something like this:

Sure. Keep in mind, I still have not configured the VLANs. The two config files have not been touched since I last posted them, but only /etc/config/wireless is exactly like yours (except for radio0 which is now the same as the default radio0 settings for my device). My /etc/config/network is just the default, but with WiFi-MGMT added:

Code: [Select]

root@OpenWrt:~# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.c0c9e35dcfca no eth0.1

/etc/config/network:

Code: [Select]

interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'REDACTED'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
list ipaddr '10.0.7.2/24'
list ipaddr '192.168.1.1/24'
option gateway '10.0.7.1'

config device
option name 'eth0.2'
option macaddr 'REDACTED'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'

config interface 'WiFi_MGMT'
option device 'phy0-ap3'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'

/etc/config/wireless

Code: [Select]

config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'

config wifi-device 'radio1'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option country 'US'
option channel 'auto'
option htmode 'HT20'
option cell_density '0'

config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'WiFi 1'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan4'

config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid 'WiFi 2'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan5'

config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'WiFi 3'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan6'

config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'WiFi-MGMT'
option encryption 'sae'
option key 'Very Secret'

config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'WiFi 1'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan4'

config wifi-iface 'wifinet5'
option device 'radio1'
option mode 'ap'
option ssid 'WiFi 2'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan5'

config wifi-iface 'wifinet6'
option device 'radio1'
option mode 'ap'
option ssid 'WiFi 3'
option encryption 'sae'
option key 'Very Secret'
option network 'vlan6'

config wifi-device 'radio2'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option disabled '1'

config wifi-iface 'default_radio2'
option device 'radio2'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'


[isaacthekind]

I managed to get it working!

I figured I should mention this so you don't return after holiday then put in more time when it's been resolved. I can explain what the issues were, if that's of interest, was a problem with the guest network and with my switch, not with your code. The help in this thread was very awesome and gave me a lot of insight without which I'd probably not have resolved it. Thank you so much for all the time and effort, really appreciated.

[netnut]

I managed to get it working!

I figured I should mention this so you don't return after holiday then put in more time when it's been resolved. I can explain what the issues were, if that's of interest, was a problem with the guest network and with my switch, not with your code. The help in this thread was very awesome and gave me a lot of insight without which I'd probably not have resolved it. Thank you so much for all the time and effort, really appreciated.

Good to hear!

Always nice to hear what was the "magic" that solves a problem or challenge.

[isaacthekind]

Essentially... Everything you sent was correct but that old switch was not passing all the VLANs in the trunk to the AP. It has this default behaviour of only passing VLANs that meet both the following conditions:

1) There is a physical switch port, other than trunk, associated with the VLAN in question.
2) A device has already been successfully connected to this port.

Before 1, wireless connection to the VLAN fails, after 1 wireless connection to the VLAN succeeds but with not internet access, after 2 everything works.

[netnut]

Essentially... Everything you sent was correct but that old switch was not passing all the VLANs in the trunk to the AP. It has this default behaviour of only passing VLANs that meet both the following conditions:

1) There is a physical switch port, other than trunk, associated with the VLAN in question.
2) A device has already been successfully connected to this port.

Before 1, wireless connection to the VLAN fails, after 1 wireless connection to the VLAN succeeds but with not internet access, after 2 everything works.

Ah, makes sense (the solution, not the switch behaviour ;-)). I'm not using Cisco hardware that much, it already confused me that it allows all VLAN's on a trunk port without "any" configuration. Normally you have to define an allowed VLAN list or just any, but at least define the policy.

Well, congrats. Configuring an advanced firewall, managed switch and probably one of the most difficult OpenWRT setups (Multi VLAN Dumb AP) without prior network knowledge is quite an achievement. This might be a good time to sit down, take a nice drink and tap yourself on the back...

[isaacthekind]

Yeah when I graduate to big boy hardware I want to get away from Cisco, a lot of smart people seem to complain about it, this is just a cheapo used switch for learning purposes.

I'm extremely happy to have it all working, and now i can play around with things and learn all the little nuances. I'm taking a break for a day or two though as you suggest. Next I plan to try implementing LAGG stuff you mentioned, some intrusion prevention/detection stuff, WireGuard, the list goes on, it's all very fun. :p

Thanks for putting up with my insane levels of confusion here. Hugely appreciated.

[netnut]

Yeah when I graduate to big boy hardware I want to get away from Cisco, a lot of smart people seem to complain about it, this is just a cheapo used switch for learning purposes.

Well, although not a fan (*sigh*), you own a decent piece of hardware. I guess every (network) device has it's quirks, you just have to know what these are ;-).

Thanks for putting up with my insane levels of confusion here. Hugely appreciated.

You're welcome, love your persistence and can-do mentality!