pfSense with OpenWRT Guest logon with VLAN

Ramosel

Is anyone here well versed in OpenWRT?

I've been fighting an issue using OpenWRT Dumb Access points and having a secondary (Guest) network coming on a pfSense built VLAN. I seem to have exhausted the ideas of folks on 3 different sites (OpenWRT forum, Reddit and OneMarcFifty's discord). There is a whole lot more to this but quick version is I have a Guest VLAN 10 built on the LAN connection in pfSense. It is using a completely different IP range and DHCP instance. It passes the Managed switch and if I have the interface in OpenWRT on DHCP, it does pull an address from the correct network. Watching the live logs, any logon to the Guest interface does pass the security logon but never fully connects, never gets an IP address. I can supply a bunch more info but need to see if anyone has the knowledge/interest before I flood this area with data. I am using the new version of OpenWRT 21.02.3 using the DSA switching model.

johnpoz

@ramosel why are you trying to use the "guest" network on openwrt? Just setup openwrt with a vlan ssid, and use the captive portal on pfsense on this vlan if you want "guests" to auth that way.

I know openwrt can do vlans and use a different ssid, etc.

Ramosel

@johnpoz said in pfSense with OpenWRT Guest logon with VLAN:

@ramosel why are you trying to use the "guest" network on openwrt? Just setup openwrt with a vlan ssid, and use the captive portal on pfsense on this vlan if you want "guests" to auth that way.

I know openwrt can do vlans and use a different ssid, etc.

Thanks Jon, sorry that wasn't clear but I was trying to give a 30,000 ft overview to see if there were any informed or interested souls before I got down to detail. I am creating a guest ssid on a VAP and tying it to an interface based on an 802.11q device on the br-lan device... or br-lan.10. I don't need captive portal as it will be used very little by very few. I just need segregation when in-laws are around. I run multiple WRT3200ACMs, all on a backhaul. My garage, unfortunately, only has a single ethernet cable run so I need to the VLAN to ride that line. This is just being a pain as I can set the Guest Interface up to be a DHCP client and it pulls an address from the correct network so I'm fairly confident I have the VLAN configured correctly on pfSense and tagged correctly on the switch. I even see packets moving on the interface. Ideally, once I get the guest SSID working on its own network, I'd like to make the interface either a static IP or unmanaged. Running a logread -f on my testbed WAP, I see that the WPA handshake completes... but the connection never completes... no IP from the VLAN network DHCP ever gets assigned.

root@Testbed_OpenWrt:~# logread -f
Thu May 19 18:57:05 2022 daemon.notice hostapd: wlan1-1: AP-STA-DISCONNECTED 76:71:a2:88:98:13
Thu May 19 18:57:05 2022 kern.debug kernel: [13330.264009] ieee80211 phy1: staid 1 deleted
Thu May 19 18:57:05 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: associated (aid 1)
Thu May 19 18:57:05 2022 daemon.notice hostapd: wlan1-1: AP-STA-CONNECTED 76:71:a2:88:98:13
Thu May 19 18:57:05 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 WPA: pairwise key handshake completed (RSN)
Thu May 19 18:57:07 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: authenticated
Thu May 19 19:01:25 2022 daemon.notice hostapd: wlan1-1: AP-STA-DISCONNECTED 76:71:a2:88:98:13
Thu May 19 19:01:26 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: disassociated
Thu May 19 19:01:26 2022 kern.debug kernel: [13591.290602] ieee80211 phy1: staid 1 deleted
Thu May 19 19:01:26 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: disassociated
Thu May 19 19:01:27 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

The native wlan0 and wlan1 radio SSIDs work fine, even when they are the same SSID and running 802.11r. It's only the VAP that fails. If I move the VAP to the standard Br-lan device (LAN) it works fine, there is just no segregation. Everything seems to point to it being the Marvell driver but the "Keeper" of the drivers for OpenWRT (Sergio) says this is NOT a driver issue.

Radio 3 (wlan2) is completely disabled.

The Guest network is what I need to proof... once it's working I'll add an IOT as well. But I'm just trying to do this one step at a time.

Am I posting this in the right area, or should I have put it in "Wireless"?

johnpoz

@ramosel said in pfSense with OpenWRT Guest logon with VLAN:

The Guest network is what I need to proof.

Why do keep calling it a guest network - its just a ssid on a specific vlan.. If you use it for guests that great, but guest networks on wifi routers are different, they are normally isolated from the lan network.

no IP from the VLAN network DHCP ever gets assigned.
This is just being a pain as I can set the Guest Interface up to be a DHCP client and it pulls an address from the correct

Which is it??

I haven't used openwrt in years. But I run many a ssid on different vlans, with unifi its clickitly clickity.. Assign the vlan id you want on what ssid, and setup your switch port to carry that tagged vlan..

This really has zero to do with pfsense.. This has to do with your openwrt device setting up a tag vlan to a ssid..

Here is what I would suggest.. Setup your vlan on pfsense, setup your switch for that vlan.. Now create an access port on your switch in that vlan. Now connect say a laptop to that port, does it get an IP in your vlan, does it have internet -- you have to setup rules on your vlan interface. If so there you go pfsense and your switch are working for that vlan.. Now setup your openwrt for that vlan..

Ramosel

@johnpoz That is precisely what I am trying to do... Isolate not only from the LAN but also from each other. Yes, I have the VLAN, rules and DHCP setup on pfSense. I believe I have the switch setup correctly (i'm getting the right address from the right DHCP instance on the "guest" network interface. So I may not be using the same vernacular but I think we're on the same page. Please correct me if I'm wrong... I'm here to get answers, not piss you off... really.

From what I know, what I've read, what I've seen other do, I think this should be working... it's just not.

johnpoz

@ramosel ok I don't remember openwrt having a nice gui like that back in the days when I use to play with it. ;)

But maybe I am being stupid... I see your br-lan.10 but shouldn't it have a little radio icon next to it?

The way I am reading that is you have the br-lan.10 on a switch port - but what radio and ssid is it using?

Ramosel

@johnpoz Yeah, if you haven't played with it in a while (and I have been a DD-WRT guy for 20 years) then this is all new with ver. 21. They have left SWConfig behind and this is all DSA now (well, for some platforms. they haven't integrated DSA across all makes/models/versions yet).

So you create the 802.11q device, create the Guest (GuestTest in this case) interface and assign the device to it, then under wireless set the Network to the interface/device you create. So, in the configuration of the SSID in the wireless setup, in this case wlan1-1. Looks like this:

Ramosel

@johnpoz I know you are a busy guy and I've certainly learned a lot of things from you... So I do respect your abilities. If you wan't to help me play with this, I'll gladly send you a WRT3200ACM to bash around.

johnpoz

@ramosel really? Sure why not - I could do that ;)

But why doesn't it show a little radio icon, when your lan shows 2?

BTW - why do you have guesttest on channel 10? Channels to use for 2.4 are 1,6 or 11.. That wouldn't be the reason for your issue - but not a good channel to choose..

Cool_Corona

You dont need OpenWRT to handle that.

Use a range extender together with pfsense and a VLAN capable switch.

https://www.asus.com/dk/Networking-IoT-Servers/Range-Extenders-/All-series/RP-AX56/

This works like a charm creating the networks you need and letting pfsense handle VLANs.

Ramosel

@johnpoz said in pfSense with OpenWRT Guest logon with VLAN:

@ramosel really? Sure why not - I could do that ;)

But why doesn't it show a little radio icon, when your lan shows 2?

BTW - why do you have guesttest on channel 10? Channels to use for 2.4 are 1,6 or 11.. That wouldn't be the reason for your issue - but not a good channel to choose..

John, you are so right.. But, it's my "testbed" for this guest network issue. I live in a Loooong house stretched out across a mountain side in a T shape with the vertical element of the T traveling up the mountain. My "production" WAPs ARE on 1, 6 and 11... at the end points of the T. That way I get pretty good coverage when I'm out on the tractor or excavator too. The "testbed" WAP lives in the TE closet under the house farthest from 11.

I'll get a WRT3200ACM loaded and configured up to my current working point. My email is on my profile page. Send me a shipping address and I'll get it off to you.

PS: I think I need to fix my profile... my age is off by about 40 years?!?!

johnpoz

@ramosel said in pfSense with OpenWRT Guest logon with VLAN:

WAP lives in the TE closet under the house farthest from 11.

If its farthest from where 11 is, then it should also be on 11 as well.. There is really no reason to ever use anything other than 1,6 and 11.

but since I don't see how you have any radio assigned to this new network your calling guesttest and on this port with .10 vlan ID - how would anyone connect to it?

stephenw10

Mmm, this sure looks like a bridge problem.

This shouldn't be that difficult, it something OpenWRT does all the time in comercial deployments. Been a while since I've tried it. But not so long I've never seen LuCI

When you associate the VAP with the LAN network clients are able to connect to it? So not a wireless issue?

Might be easier to spot the problem from the uci output at the command line. I'm betting there's a missing device on the bridge....

Steve

Ramosel

@stephenw10 said in pfSense with OpenWRT Guest logon with VLAN:

Mmm, this sure looks like a bridge problem.

This shouldn't be that difficult, it something OpenWRT does all the time in comercial deployments. Been a while since I've tried it. But not so long I've never seen LuCI

When you associate the VAP with the LAN network clients are able to connect to it? So not a wireless issue?

Might be easier to spot the problem from the uci output at the command line. I'm betting there's a missing device on the bridge....

Steve

I agree Steve, it shouldn't. But it's been evading me and ideas seem to have dried up on 3 different OpenWRT specific forums... So either I'm a complete doofus newb, I'm trying to do something that can't be done or there is some nuance I and others haven't stumbled into.... yet. I fully take this as my screwup if someone finds the problem. The DSA is a good step forward but I admit I don't really, fully understand it. As far as bridging goes, one can only make changes on the br-lan device. But at this point, ANY change I make to "Bridge VLAN Filtering" causes a lockout condition... no big deal, you wait 90 seconds and revert when the option presents. Since I am not using the WAN, I assign it to the br-lan and use that for the back-haul connection. Currently I have the default SSIDs set with different names so I can readily test connections to them. But in production, they would be the same. I also have 802.11r on all SSIDs. I found if I had it on the default wireless everything worked fine. But once I built out the GuestTest, if I didn't enable 802.11r on the Guest wireless, the default wireless (on the same radio) would reject logons, not fail the password, just reject logon. DTIM is set to 3 as Apple products seem to like it better. I do not enable IPv6 anywhere in the home network. I've also removed the native (cut down) version of WPAD and installed the full version. dnsmasq, firewall and odhcpd are all disabled since these are run as dumb APs.

Network 6/1/2022

root@Testbed_OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        option bridge_empty '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        option ipaddr '192.168.1.6'
        option delegate '0'

config device
        option name 'wan'
        option ipv6 '0'

config device
        option name 'wlan1-1'
        option ipv6 '0'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option name 'br-lan.10'
        option ipv6 '0'
        option macaddr '60:38:e0:BB:c6:68'

config interface 'GuestTest'
        option proto 'static'
        option ipaddr '172.16.10.6'
        option netmask '255.255.255.192'
        option gateway '172.16.10.1'
        option device 'br-lan.10'

Wireless  6/1/2022

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option band '5g'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'
        option channel '44'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option dtim_period '3'
        option ieee80211r '1'
        option mobility_domain '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option encryption 'psk2'
        option ssid 'OpenWRT5'
        option key 'xxxxxxxx'
        option max_inactivity '14400'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'
        option channel '11'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ieee80211r '1'
        option mobility_domain '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option dtim_period '3'
        option encryption 'psk2'
        option ssid 'OpenWRT'
        option key 'xxxxxxxx'
        option max_inactivity '14400'
        option disassoc_low_ack '0'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option channel '34'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option dtim_period '3'
        option encryption 'psk2+ccmp'
        option key 'xxxxxxxx'
        option ieee80211r '1'
        option mobility_domain '123f'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option key 'xxxxxxxx'
        option ssid 'GuestTest'
        option dtim_period '3'
        option network 'GuestTest'
        option disassoc_low_ack '0'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option encryption 'psk2+ccmp'
        option mobility_domain '123f'
        option isolate '1'

stephenw10

Ok, I need to test this but I think your problem here is that you only actually have one bridge device. You have created a VLAN device and named it br-lan.10 but it isn't a bridge device.

We can't see you're switch config there but can I assume WAN is eth0? Or that could be the internal port connected to the switch?

What I would do though is create a VLAN device on the uplink ethernet port. Then create a bridge device with that VLAN as a port. Then create an interface using that new bridge. And then add the VAP to that interface.

I have to wait until later to test it to avoid angry Facebook users.

Steve

Ramosel

@stephenw10 said in pfSense with OpenWRT Guest logon with VLAN:

Ok, I need to test this but I think your problem here is that you only actually have one bridge device. You have created a VLAN device and named it br-lan.10 but it isn't a bridge device.

We can't see you're switch config there but can I assume WAN is eth0? Or that could be the internal port connected to the switch?

What I would do though is create a VLAN device on the uplink ethernet port. Then create a bridge device with that VLAN as a port. Then create an interface using that new bridge. And then add the VAP to that interface.

I have to wait until later to test it to avoid angry Facebook users.

Steve

No problem, I can wait. Lets not PO the Facebook folks... The ones in Berkeley are liable to call 911... again... (not joking). This isn't an urgent thing, just something that needs to get done. I've been banging on it for a while now... I guess it's a route few follow. But I prefer to let pfSense do all the routing, rules, vlans, dhcp, etc... as it does it so much better. I just need it to flow to dumb APs

What you describe is how I tested it under ver 19.07,9? But that was still SWConfig. Under the new version (now 21.02.3) and going forward, they are DSA you just don't have that path... that I see. I could very well be wrong.

Rick

stephenw10

Forgot I had an AP300 already setup.

So, yeah, this works:

root@AP300:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd21:90da:7fd9::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='dhcp'
network.lan.delegate='0'
network.@device[1]=device
network.@device[1].type='8021q'
network.@device[1].ifname='eth0'
network.@device[1].vid='1001'
network.@device[1].name='eth0.1001'
network.@device[2]=device
network.@device[2].type='bridge'
network.@device[2].name='br-guest'
network.@device[2].ports='eth0.1001'
network.GUEST=interface
network.GUEST.proto='dhcp'
network.GUEST.device='br-guest'
network.GUEST.delegate='0'

Then:

root@AP300:~# uci show wireless.wifinet2
wireless.wifinet2=wifi-iface
wireless.wifinet2.device='radio0'
wireless.wifinet2.mode='ap'
wireless.wifinet2.ssid='AP300-Guest'
wireless.wifinet2.encryption='sae-mixed'
wireless.wifinet2.key='1234512345'
wireless.wifinet2.ieee80211w='1'
wireless.wifinet2.network='GUEST'

Clients connect to that and pull a lease from a dhcp server on VLAN1001.

That's a 21.02 snapshot:

root@AP300:~# uname -a
Linux AP300 5.4.143 #0 Mon Sep 6 02:58:45 2021 mips GNU/Linux

There is no switch on that device so DSA doesn't come into play. I'm not sure how those devices you have are laid out in hardware but if it has only one internal NIC you would need to configure the switch. However it looks like you already did that bit correctly since the vlan assigned as an interface is pulling a lease in the correct subnet.

Steve

Ramosel

@stephenw10 The (network.@device[1].ifname='eth0') is throwing me. If you are in LuCI and select the dropdown for network, is there a "Switch" entry under Interfaces and Wireless? Or do you get Interfaces and Wireless with no Switch?

Sorry, botched that, had to edit.

stephenw10

No there's no switch in the AP300, it's an access point.

What's the hardware layout in the WRT3200ACM? Is this correct for your version?
https://openwrt.org/toh/linksys/wrt3200acm#switch_ports_for_vlans

If so and you are using the eth1 (WAN) port as the uplink you should be able to create the VLAN there and then add that to the new bridge device. I've used eth0 because that's the only port on the AP300.
You could create it on eth0 (the internal switch port) on your router but then you need to configure the switch to trunk that VLAN. Or use port based VLANs to just pass it.
It looks like OpenWRT will also allow you to create a VLAN on the bridge interface which is what you have done. For me that's less logical. YMMV!

There's probably several ways to do this. It's definitely possible.

Steve

stephenw10

Oh, wait think I read that switch diagram wrong. So the hardware actually has 5 physical ports? LAN 1-4 and WAN?
In fact both actual NICs (eth0 and eth1) are connected to the switch on internal ports 5 and 6?

If you're using port VLAN mode (not 802.1q) then all VLAN traffic is passed. So create a VLAN interface on eth0. Create a bridge device with that in it. Create an interface with the new bridge. Assign the guest wifi to that.

There are in fact numerous ways you could do this depending what you want.

Steve