VLANs on GL-B1300, OpenWrt 22.03.2 r19803-9a599fee93

Hi,

I flashed a B1300 to OpenWrt 22.03.2 r19803-9a599fee93 and attempted to get 802.11q VLANs working on the LAN interface(s). I’ve tried all the standard methods, including using DSA, etc. However, I’ve not gotten anywhere.

Some more details: I am not using the WAN port. Just the two LAN ports. I have an external router that provides all firewall, DHCP and DNS services (opnsense). I basically just want to plug in the radio, have the LAN port(s) understand 802.11q packet format (tagged from a “smart” switch) and distribute the packets to either a specific ESSID or drop the packet on the “other” LAN port. But, using the second LAN port is not terribly important so long as I can get the radio to pass tagged traffic back to at least one LAN port which would be configured for tagged traffic.

I’ve read a number of posts across different forums, but most go off into lots of detail about vlan 5 and something to do with the WAN port, and the occasional “I got it to work” with no details. Grr.

So, first, should I be using the new DSA method of defining the VLANs? Seems simple enough. I did change the device on br_lan to be the VLAN device. Also, I am working with VLANs 14 and 15. So, no conflicts with 0,1,2 and 5 that I’ve read about.

If this is known to work, and DSA is the way to go, I’ll post a sample config. At the moment, I’ve given up because I’ve not gotten a hint that anything is working and plenty of advice that things are “strange” on this chipset.

Thanks,

Mike

DSA is new, not sure how it is affected.

If you got something working pls post config.

Is there any way to use VLANs on the GL-B1300 using OpenWrt 22.03.2 r19803-9a599fee93? There seem to be many guesses and strange configs out there, but nothing that works for me.

There is DSA, just making devices with a device. notation… many ways. But, what is supposed to work with these devices has me stumped.

Mike

Can you post some screenshots? It will also help other people who want to test.

I ended up installing a snapshot version of openwrt and getting a fully configured 802.11r, 802.11s and VLAN setup working. I have four of these to configure, so I wrote extensive notes. I will post them here when I have a bit more time. I will say that the new driver for the chipset in snapshot openwrt works so much better. It presents the two LAN ports properly and it appears to also be much faster. I was able to get over 400mbs via iperf3 to my router which is the limit of my backbone to the router. I need to install iperf3 on something attached to the same switch and see what I can get.

1 Like

My requirements are 802.11r, 802.11s, and mesh routing with wired backhaul when available. This writeup has not tested wired backhaul. The most recent openwrt at the time of this writing does not have a great driver for the chipset in a GL-iNet B1300. The development release does. These are steps I followed:

  1. Download firmware

    Index of /snapshots/targets/ipq40xx/generic/

    I downloaded:

    https://downloads.openwrt.org/snapshots/targets/ipq40xx/generic/openwrt-ipq40xx-generic-glinet_gl-b1300-squashfs-sysupgrade.bin

    from 2022/11/02.

  2. Connect a laptop with the firmware, configured for 192.168.1.2.

  3. Press the power on button and power on. Wait for five flashes or so.

  4. You should get a firmware loader on http://192.168.1.1/

  5. Load the firmware.

  6. Wait for a reboot.

  7. ssh root@192.168.1.1

  8. passwd

  9. cd /etc/config (Make sure you cd. I did not once, and something
    happened in the edit and my changes were lost.) and edit network.

  10. Find the line with 192.168.1.1. Change the IP to something you
    can route on your network.

  11. Add option gateway 'your-gateway.ip'

  12. Add list dns '192.168.15.2'

You should end up with something like

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns_search 'localdomain'
        option ipaddr '192.168.00.3'
        option gateway '192.168.00.2'
        option device 'br-lan'
        list dns '192.168.00.2'

  1. service network reload. This will activate your port on an IP that you can download software and the like with. You will now need to plug in the B1300 into a switch connected ultimately to the internet and that can route the IPs you just entered.

  2. ssh root@<your-ip>. At this point, I was not able to resolve dns names. Not sure why. I added my name server IP into /etc/resolv.conf manually.

====
Collected errors:
 * check_data_file_clashes: Package libnl-tiny2022-05-23 wants to install file /usr/lib/libnl-tiny.so
        But that file is already provided by package  * libnl-tiny2022-11-01
 * opkg_install_cmd: Cannot install package luci.
opkg remove --force-depends libnl-tiny2022-11-01
(yes, this could break something badly.  This is a snapshot install.)
===
    opkg update
    opkg install luci-ssl
    /etc/init.d/uhttpd restart
  1. Now you can access luci, the web interface at https://192.168.xx.yy/. At this point, you have flashed the latest copy of openwrt and gotten it working to the point where you can configure it. Yay! Now, my use case is a router providing all dns, dhcp and firewall services. So, I pay no attention to the wan port. I have smart switches ($30 in the US for a tp-link 8 port switch vs $20 for a dumb switch.), so I want to use VLANs to keep my traffic separate and so I can use firewalls and different ESSIDs to allow different sorts of access. Onward! I should note that when I did this the first time, I had a packaging conflict of some sort. I had to force remove a package, but leave its dependencies. Not sure why that did not happen just now. Ah! Got the wrong image! The one I had on my laptop is different than my desktop. Must have flashed from the desktop first time. No matter.
uname -a
Linux ap-15-4 5.15.76 #0 SMP Wed Nov 2 11:41:56 2022 armv7l GNU/Linux
(new)

uname -a
Linux OpenWrt 5.10.146 #0 SMP Fri Oct 14 22:44:41 2022 armv7l GNU/Linux
(old)

So, let’s do this again, but we can do it from the desktop. We’ll have to retreat back to the laptop because we are going to get an error about using the old config format, I’ll bet. I was wondering why I did not see that this time, too. This time, I unchecked ‘Keep settings and retain current configuration’. If you want them, scp the files from /etc/config off the box first. Then flash. Also check ‘Force Update’. There are more options to think about if you are a long standing user of openwrt. I am not.

Go back to step 8.

  1. And now from the status page: Firmware Version OpenWrt SNAPSHOT r21166-9721a42a27

  2. Because I want 802.11s mesh, I am going to do:

opkg remove wpad-basic-wolfssl
opkg install wpad-mesh-openssl

Later on, I discovered that I had trouble with encryption on the mesh link, so I switched to wpad-mesh-wolfssl. But, I am not certain I needed to do that. Maybe.

VLANS

So, I want to carry multiple VLANs on LAN port 1 (the middle port on the B1300). Because I want to carry multiple VLANs on the same port, I need to set the port on the physical LAN switch the router is connected to be tagged and carry the VLANs I want. So, I’ll need to change my B1300, and then change the switch or have a port prepared so I can quickly move over and connect. If we do not move to a proper port quickly and reconnect to Luci, our changes could roll back.

So, I am going to prepare an extra port with the VLANs I’ll be needing so I’ll just have to move the network cable after I configure. (Good thing, the admin interface had timed out and I typed the password wrong).

In Luci, Network, Interfaces, Devices tab, Configure box.

  • Bridge VLAN filtering. Enable VLAN filtering. I put VLANs 14 and 15 on port LAN 1, tagged. I left VLAN 15 undefined on LAN 2 and set VLAN 14 to u*. I should be able to plug in LAN 2 and get something on LAN 14, assuming I plug into an untagged VLAN 14 port on my switch. Not really a goal, but meh. Save, but you must NOT ‘save+apply’ yet!
  • Oh, this assumes the default for br_lan on the general device options is to bridge ports LAN 1 and LAN 2. That was the default.

Network, Interfaces. Edit LAN

  • Change the device to be br-lan.<the-vlan>. <the-vlan> should be a tagged VLAN on your switch that has the static IP address you configured as part of the VLAN. Check bring up on boot too. Give everything a look over. Click save.

  • So, now it comes time to do a save and apply. You will want to do the save and apply and move the network cable to a tagged port that matches the VLAN device you just set on the LAN interface. ready… go!. And it worked. I am now on tagged port. I am now going to copy the macaddr and ips, etc to a dhcp static entry on the router and convert to dhcp instead of manual. And it worked! I can see the lease on my router’s dhcp lease info area.

I’m going to want at least one extra interface, one where the VLAN will carry the wireless traffic, and potentially keep it separated from the management and LAN ports. So, let’s do that.

Network, Interfaces, ‘Add new interface…’

  • The main thing is to connect it to the br_lan.<vlan> interface you want to use for the VLAN that will carry your wireless. I am going to put a management IP on here for now using DHCP, but I may remove it in the future, or make a maintenance ESSID with a different password and attach a management IP there, etc. Right now I want to keep things simple. Create the interface, bring up on boot, Save. Remember that most options like dhcp server, etc, do not matter to me. That will all just work. Save+apply.

  • Grab the macaddr and make a static DHCP entry. Restart the interface so it gets the static DHCP entry IP you just assigned.

Network, Global network options:

  • Check packet steering, and then save+apply.

Network, Wireless

  • Edit the radios, advanced settings, and set your country code. Do all radios. At least two, maybe three in general. Save+Apply
  • Because I will be doing mesh, I also need to set my channels so all are the same. I am also going to set the security and ESSID while I’m here.
  • Set the Network to be the VLAN based device you created above that will be used to carry your wireless traffic. Deselect ‘LAN’ unless you really want it. But, then why create VLANs?
  • I am also going to enable 802.11r and set the mobility domain to be the same across all my devices. Save+Apply. The radios are still not turned on.

Now I am going to add the 802.11s mesh device.

  • Click add on the 5ghz radio, assuming you want mesh on 5ghz. For mode, select 802.11s. Select a mesh-id that will be the same. Something like my-mesh.
  • Select the network. Now, I wonder what exactly my options here would be for a network? Clearly the VLAN device I created above, but could I use a different one? Not sure.
  • Advanced Settings tab at the top, then Interface Configuration at the bottom, Wireless Security. WPA3-SAE and use the same password on all mesh devices. You do not type this when connecting to the wireless, only during setup, so it should be pretty random.

Note: encryption is not working at this time. I am not getting a connection. Using no encryption seems to work, but is not too ideal. But, 5ghz is not available very far off the property, if at all. So… I tried wpad-mesh-wolfssl instead. At first, it did not work, but an error in the log strongly suggested a reboot might help. So, I did and I now have a mesh connection with WPA3-SAE. The status for the connection still says encryption: none, though. UI error?

Save+Apply

End Notes

I think that’s it! I am now going to enable the radios and make a bunch of noise in here.

There seems to be a problem where it is hard to get the 5ghz radio to broadcast at 1 watt (30dbm). Eventually, it just sort of let me choose that value. Not sure why. No tricks being played.

Oh, one thing I keep forgetting. I was using an IP on VLAN 15 to do my edits when I was connected directly to the device. However, now that they are deployed, I need to use a management IP on the VLAN associated with wireless (14 in my case).

Configs

network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd02:10b1:604c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        option bridge_empty '1'

config interface 'lan'
        option device 'br-lan.15'
        option proto 'dhcp'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '15'
        list ports 'lan1:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '14'
        list ports 'lan1:t'
        list ports 'lan2:u*'

config interface 'LANOC288M'
        option proto 'dhcp'
        option device 'br-lan.14'

Wireless


config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'
        option txpower '30'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'ESSID'
        option encryption 'psk2'
        option key 'PASSWORD'
        option ieee80211r '1'
        option mobility_domain '4HEXDIGITS'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'YOURNEWLANNAME'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'
        option channel 'CHANNEL'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'ESSID'
        option encryption 'psk2'
        option key 'PASSWORD'
        option ieee80211r '1'
        option nasid '1504'
        option mobility_domain '4HEXDIGITS'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'YOURNEWLANNAME'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'mesh'
        option mesh_id 'ESSID-mesh'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option key 'SUPERSECRETPASSWORD'
        option network 'YOURNEWLANNAME'
        option encryption 'sae'
2 Likes

In this case, using my sample, this would be br-lan.15.

Under System, LED configuration, try adding a LED that lights when the mesh is connected. Click ‘Add LED action’, Name: “Mesh On”, LED Name green:mesh, trigger: Network device activity, Device: phy1-mesh0 (in my case), trigger mode: Link On seems to work. Disabling and then re-enabling the mesh caused the led to blink prior to mesh being re-established. Took a few minutes for this to happen.

1 Like

In System, Startup, disable dnsmasq (a dhcp server) and firewall and stop the services if you have an external router that provides these services. I forgot those two steps, and they caused quite the mystery for a bit.

Mike

Consider installing mesh11sd to manage the mesh connection. I am experimenting with this. Something is not working well with my two mesh nodes that also have wired backhauls. Yes, yes, I know. Why do I need mesh if I have wired backhauls? Because obviously I want to add mesh nodes that will be connected to the nodes that have a wired back haul and can’t run wires to those nodes.

Mike

One thing I hadn’t considered is that packages that work with a particular dev image are only available for a short time period. I recommend you capture the list of all dependent packages when you install luci et al and download if you think you might need to re-install or if you have multiple devices to do. Right now, I am waiting for a rebuild of luci to become available. They fixed the bug, but I do not have a build environment yet and the updated binary packages have not been placed online. So, that’s another option. Learn how to set up a build environment for openwrt and build your own images.

Another issue: I mentioned at one time using wired backhauls and mesh. It appears that you really do not want to set up two devices with wired connections AND mesh them together. It looks like I created a layer two loop and/or macaddr flapping on some of my switches and created a real mess. Instead, I will use different meshids if I need to connect other APs using wireless mesh so I can avoid L2 loops.

If you happen to be using TP-LINK smart switches and 802.11q VLANS, ignore the error count on the monitor display. From what I can tell, the hardware counts as errors any full sized packet that also has a VLAN header on it. But, after doing lots of tcpdumps from both the target and the router and basically all around the B1300 involved, I can see no actual errors. Packets are transmitted at the proper size. There does not appear to be any fragmentation or other issues, either. This is a vaguely documented bug on some TP-Link forums. However, there they talk about small packets. In my opinion, any packet with a data size greater than 1468 (ICMP) will cause an ‘error’. I forget what the data size was for TCP and UDP. 1433 or something? More than likely this resulted in a 1504 byte packet (VLAN header) on the wire and hardware flagged it as an error.

I spent a whole night thinking this was the problem before I moved on and realized the real problem was the layer two loop. Or perhaps mesh itself is the problem. I don’t have an instance at the moment.

Don’t forget my note about adding mesh11sd to the install.

Mike

1 Like

Turns out that if you have development experience, building openwrt from scratch isn’t that hard. I was able to do it on a modern Mac Studio running macOS and using Brew and xcode. And I must say, building what I needed - a base image, luci and some other odds and ends did not take long. Maybe 20 minutes? And of course future builds should be faster since not everything will need to be recompiled. Predictably, compiling the Linux kernel took most of the time. In any case, I was able to extract the two luci packages from the build and install them.

Make sure you follow the directions closely for macOS. Remember that macOS file systems are generally case insensitive, which is not the norm and would probably break openwrt.

I ended up with quite the setup. Multiple meshes, each carrying a different VLAN. I’m not certain if this is a requirement to use different meshes for each VLAN or not, because I made a mistake early on when I copied the configs to the new AP. I forgot to actually define the new vlan on the base bridge. I was able to use the VLAN, but since it wasn’t defined on the hardware, it would not answer ARPs. So, I’ll probably go back and see if one mesh is all I need.

End result is really worth it.

A highly recommended debugging technique when working with multiple access points with the same SSID is to define extra SSIDs unique to each. Saves you the trouble of knowing what you are connected to, etc. I prefixed all the special SSIDS with S-. So, S-mymesh-D24 and S-mymesh-D5 for the AP in the den, 2.4ghz and 5ghz. Should make signal strength analyzing much easier when I get to that point.

At one point, my Wifi dropped offline, and I thought I broke the main system. It was just an AP I was working on that I forgot was turned on, but not actually connected. A few tests to the S- SSIDs showed this very quickly.

This has been a fun journey. Each major issue was an error on my part. The software is great and the devices when using the latest driver are seemingly quite good.

Mike
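
The mistake described in the post above (an interface bound to a VLAN sub-device with no matching bridge-vlan section on the base bridge) can be caught before deploying a copied config. The following is an added example, not part of the original thread: the function names, the 'iot' interface and VLAN 16 are constructed for illustration, and the rest of the sample mirrors the network config posted earlier.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that every interface
# bound to a VLAN sub-device such as br-lan.15 has a matching
# 'config bridge-vlan' section. On a router, pass /etc/config/network.
# Assumes option values contain no spaces (true for device names and VLAN ids).

check_bridge_vlans() {
    rc=0
    out=$(awk -v q="'" '
    function unq(s) { gsub("[" q "\"]", "", s); return s }  # strip UCI quotes
    function commit_section() {
        if (sect == "bridge-vlan" && dev != "" && vid != "")
            defined[dev "." vid] = ports
        else if (sect == "interface" && dev ~ /\.[0-9]+$/)
            wanted[name] = dev
    }
    $1 == "config" { commit_section(); sect = $2; name = unq($3); dev = vid = ports = "" }
    $1 == "option" && $2 == "device" { dev = unq($3) }
    $1 == "option" && $2 == "vlan"   { vid = unq($3) }
    $1 == "list"   && $2 == "ports"  { ports = ports (ports == "" ? "" : ",") unq($3) }
    END {
        commit_section()
        for (n in wanted) {
            d = wanted[n]
            if (d in defined) printf "OK %s %s ports=%s\n", n, d, defined[d]
            else { printf "MISSING %s %s\n", n, d; bad = 1 }
        }
        exit (bad ? 1 : 0)
    }' "$1") || rc=$?
    if [ -n "$out" ]; then printf '%s\n' "$out" | sort; fi
    return "$rc"   # 0: all VLANs defined, 1: at least one missing
}

# Constructed sample input: the thread's bridge and VLANs 14/15, plus a
# hypothetical 'iot' interface on VLAN 16 that was never defined on br-lan.
sample_network_config() {
    cat <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan.15'
        option proto 'dhcp'

config bridge-vlan
        option device 'br-lan'
        option vlan '15'
        list ports 'lan1:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan'
        option vlan '14'
        list ports 'lan1:t'
        list ports 'lan2:u*'

config interface 'LANOC288M'
        option proto 'dhcp'
        option device 'br-lan.14'

config interface 'iot'
        option proto 'dhcp'
        option device 'br-lan.16'
EOF
}

demo_cfg=$(mktemp)
sample_network_config > "$demo_cfg"
check_bridge_vlans "$demo_cfg" || echo "at least one VLAN is not defined on the bridge"
rm -f "$demo_cfg"
```
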

Hello, I can confirm DSA is working fine on snapshot builds, I have installed the one from 17th Jan 2023. Note that the DSA commit for the b1300, and in general for many ipq40xx devices, is not part of release 22.03.3.
I haven’t tested mesh, as my b1300 is the only AP I currently have.

Further investigation shows mesh can not carry VLANs. You need to either use multiple connections, one for each VLAN, or perhaps a GRE (?) tunnel. I’ve tried the GRE method as documented by others, but some steps seem to have been left out and multiple mesh connections do work, so I use that method.

Mike