hAP ac lite: setting VLAN on LAN killed it?

AD7UF
hAP ac lite: setting VLAN on LAN killed it?
Preface: I have little AREDN experience w/ multi-port devices (hAP routers); I've only configured two of them in the past 4 years. Most of my work has been w/ multiple single-port devices, connected to a non-AREDN smart switch to direct VLAN traffic if needed.

I flashed a new hAP ac lite w/ yesterday's nightly (20260201). Tested it enough to confirm that everything worked as it should. For sure, I know that the default port config was "as advertised":
1: WAN untagged
2-4: LAN untagged
5: DtD: VLAN 2

Life was good -- UNTIL I used the WebUI to change the LAN to VLAN5. (For now, let's not muddy the discussion by discussing *why* I want to do such a thing.) Ever since, I can coax no Ethernet traffic out of ports 2-4. I changed it back to untagged. Still nothing.

I don't see anything in "ip a" output that looks fishy to me (newb caveat). I have a single PC connected to a LAN port and Wireshark never shows any packets from the hAP, no matter how I prod it from the PC, or even if I try to generate ARP traffic from the hAP. I connected a 2nd PC to a LAN port (The 1st "PC" is actually a VM w/ a dedicated USB-Ethernet adapter that I use for flashing AREDN devices; the 2nd is an old laptop used for the same purpose) with the same result: I can't coax anything from the hAP but can see the traffic between the 2 PCs fine.

Any tips on diagnosing/fixing it?

(I haven't reset the config; seems like I should get to the root of the problem and fix it "properly" instead of starting over and probably causing the same problem.)

Below is the output from "ip a" and "cat /etc/aredn_include/swconfig" (which I haven't tampered with; messing w/ port assignments was going to be my next step!)

----------------------------------------------------------------------------------------
root@W7MSH-Ka-AD7UF-Cab:~# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc fq_codel master br0 state UP qlen 1000
    link/ether 46:7b:6f:6c:58:6f brd ff:ff:ff:ff:ff:ff
3: eth1:  mtu 1500 qdisc fq_codel master br0 state UP qlen 1000
    link/ether 46:e7:06:80:e2:27 brd ff:ff:ff:ff:ff:ff
4: tunl0@NONE:  mtu 1480 qdisc noop state DOWN qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
5: br-dtdlink:  mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 02:2e:93:d6:09:be brd ff:ff:ff:ff:ff:ff
    inet 10.143.151.64/8 brd 10.255.255.255 scope global br-dtdlink
       valid_lft forever preferred_lft forever
    inet6 fe80::2e:93ff:fed6:9be/64 scope link 
       valid_lft forever preferred_lft forever
6: br0:  mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 46:7b:6f:6c:58:6f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::447b:6fff:fe6c:586f/64 scope link 
       valid_lft forever preferred_lft forever
7: br0.2@br0:  mtu 1500 qdisc noqueue master br-dtdlink state UP qlen 1000
    link/ether 46:7b:6f:6c:58:6f brd ff:ff:ff:ff:ff:ff
8: br-lan:  mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether dc:2c:6e:4a:a4:ac brd ff:ff:ff:ff:ff:ff
    inet 10.85.37.129/29 brd 10.85.37.135 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::de2c:6eff:fe4a:a4ac/64 scope link 
       valid_lft forever preferred_lft forever
9: br0.3@br0:  mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 46:7b:6f:6c:58:6f brd ff:ff:ff:ff:ff:ff
10: br-wan:  mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether dc:2c:6e:4a:a4:ab brd ff:ff:ff:ff:ff:ff
    inet 192.168.214.155/24 brd 192.168.214.255 scope global br-wan
       valid_lft forever preferred_lft forever
    inet6 fe80::de2c:6eff:fe4a:a4ab/64 scope link 
       valid_lft forever preferred_lft forever
11: br0.4@br0:  mtu 1500 qdisc noqueue master br-wan state UP qlen 1000
    link/ether 46:7b:6f:6c:58:6f brd ff:ff:ff:ff:ff:ff
12: wlan0:  mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether dc:2c:6e:4a:a4:b0 brd ff:ff:ff:ff:ff:ff
    inet 10.74.164.176/32 brd 255.255.255.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::de2c:6eff:fe4a:a4b0/64 scope link 
       valid_lft forever preferred_lft forever

----------------------------------------------------------------------------------------
root@W7MSH-Ka-AD7UF-Cab:~# cat /etc/aredn_include/swconfig
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 3 2 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1t 0t'

root@W7MSH-Ka-AD7UF-Cab:~# 
nc8q
tips on...fixing it?
ad7uf:

Start fresh with factory.bin firmware.
(Note: I did 'not muddy the discussion by discussing *why* you want to do such a thing'.)

73, Chuck
 
AD7UF
It was fresh
That's what surprised me: it *was* fresh, not a prior "old and abused" installation. My steps were:
1. Unbox new device
2. Allow to boot normally once to see Mikrotik SSID (confirms that it's alive)
3. Flash AREDN
4. Verify that traffic seen is as expected
5. Set VLAN
6. Boom!
nc8q
Set VLAN 6. Boom!
Load factory.bin.
Omit step 6.
 
AD7UF
Omit step 6?
"Omit" and then what? Setting the VLAN is exactly what I need -- I didn't just do it for grins!

It's like I complain that my new car caught on fire when I put gas in it so I can go somewhere, so you suggest that I get a new car and not put gas in it. :-)

nc8q
(For now, let's not muddy the discussion by discussing *why* I
(For now, let's not muddy the discussion by discussing *why* I want to do such a thing.)

Dear ad7uf:

I would like to note that you crippled possible responses in your original post.
I can by-pass that and respond to your last post with:
Why are you using AREDN vs. the manufacturer's OS?

73, Chuck
 
 
AD7UF
I think I [partly] know why it broke.

Sorry for waiting nearly a week to reply, Chuck. I was doing some more testing and composing a [rather long] reply, when...bad things happened that took me out of circulation for a few days -- and when I came back, somehow I lost my draft. That's probably not bad; this reply will doubtlessly be more concise! (though less informative in places)

First off, I apologize for misreading your post #4, mistaking your humorous advice to skip the "Boom!" with simply telling me to eliminate "Set VLAN" step. I agree: boom bad. No boom.

Answering the questions of "Why AREDN" and "Why mess w/ VLAN": I'm using AREDN specifically for AREDN in an education/experimentation lab. I also have a very low power budget, so wanted to use the hAP to fill multiple roles. My intent for messing with the VLAN was to be able to emulate configs we have elsewhere where we're carrying AREDN LAN & WAN traffic on the same wire, w/ the former on VLAN 5.

That said, I realize now that messing w/ the VLANs on this device using the AREDN GUI, with little thought given to what was going on "under the hood", and expecting it to work was unwise. Everyone knows that these multi-port devices are "special" -- things don't always work the way they do w/ most other devices. These are preconfigured for easy use, hiding VLAN use.

If I'd looked before I started to tamper, I would've seen that while the GUI shows that it's using VLAN #1 for LAN, the packets coming out of the Ethernet port aren't tagged, and internally it makes extensive use of bridge devices. I'd forgotten that it originally showed VLAN1, not untagged. (I'm so used to seeing default VLAN #1 on switches that I mentally equated it to "nothing".)

I'm certainly not an expert on these devices, but I think that what's going on is that the computer doesn't see 5 Ethernet devices, but rather a single device: a fancy 5-port switch. The Linux networking stack then uses the VLANs *internally* to route traffic to the switch ports, where it's untagged on egress. I've seen this trick used on other low-cost routers.

When I changed the VLAN, I broke the internal routing and it could no longer send LAN traffic to the correct port(s).

So why couldn't I fix it? There may be more reasons, but there's at least this: The default VLAN for LAN is #1. The ability to customize the LAN VLAN in the AREDN WebUI is a fairly new feature, added to the nightlies in Aug or Sep 2025, IIRC. I remember trying to use the feature to set a VLAN <5 and couldn't figure out why it didn't work. I was informed that VLANs 1-4 are all reserved and using them is prohibited, even though the UI showed that it had changed. Code was added so that the UI, while not displaying an error message if you try to enter a disallowed VLAN, at least reverted the change so that what the UI showed matched reality.

THE WebUI BUG: It allows me to change the VLAN# for LAN from the default of #1 to something else (which breaks LAN entirely on this device), but it will NOT allow me to change it back to #1 -- only untagged for 5+. The only way to fix it (at least without going to the CLI and knowing more than I do) is to reset/restore the config. I tested this several times.

I know that this device is sunsetted, so it may not be worth the devs' time to mess with it, esp. given the low number of people likely to run into this problem. (I'm sure that the vast majority of people use it "turnkey", happy not to worry about VLANs.) I have not yet taken the time to see if its more powerful successors have the same issue.

Curious, I took the "ip a" output & swconfig contents from a working router, and compared it to that of one in the broken state (shown in post #1). swconfig was identical, and the only differences in the "ip a" output are:
- different generated MAC addresses (expected); only br-lan, br-wan, and wlan0 have fixed MACs (w/ Routerboard's OUI)
- Every interface shows <BROADCAST,MULTICAST,UP,LOWER_UP> options; none of them showed those when "broken". Perhaps any networking change made by the GUI removes them; I didn't test. (I'm also running a week-newer release than I was on the 1st test.) Interesting, if inconsequential here.

ANYWAY... I'm going to leave the LAN VLAN alone on this device, and enjoy its untagged goodness. When I want to provide tagged traffic for people to play with, I'll either temporarily insert a cheap smart switch to tag it or put out a single-port AREDN device to target.

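As an added illustration of the switch-port mapping described in the post above (example code written for this page, not AREDN's own), the Python below parses the swconfig switch_vlan sections quoted in post #1, shows what a device on each physical port would receive (tagged or untagged), and turns the post's hypothesis into a check: a LAN VLAN with no matching switch_vlan entry has no port to leave by. It assumes port 0 is the CPU port and that VLANs 2-4 are the reserved internal ones; both assumptions come from this thread and are not verified against the AREDN source.

```python
import re

# Constructed sample: the switch_vlan sections quoted in post #1 of this thread.
SWCONFIG = """\
config switch_vlan
    option vlan '1'
    option ports '4 3 2 0t'
config switch_vlan
    option vlan '2'
    option ports '1t 0t'
"""
CPU_PORT = 0                # assumption: port 0 is the CPU-facing switch port
RESERVED_VLANS = (2, 3, 4)  # assumption from the thread: internal bridge VLANs; 1 is the untagged default

def parse_uci(text):
    """Split UCI text into one dict per 'config' section; the section type is stored under '_type'."""
    sections = []
    for m in re.finditer(r"^\s*(config|option)\s+(\w+)(?:\s+'([^']*)')?", text, re.M):
        if m.group(1) == "config":
            sections.append({"_type": m.group(2)})
        elif sections:
            sections[-1][m.group(2)] = m.group(3)
    return sections

def vlan_table(text):
    """Return {vlan_id: [(port, tagged), ...]}; a trailing 't' on a port number marks a tagged member."""
    table = {}
    for s in parse_uci(text):
        if s.get("_type") == "switch_vlan" and "vlan" in s and "ports" in s:
            table[int(s["vlan"])] = [(int(tok.rstrip("t")), tok.endswith("t"))
                                     for tok in s["ports"].split()]
    return table

def egress_at(table, port):
    """What a device plugged into `port` sees: sorted list of (vlan, 'tagged' | 'untagged')."""
    return sorted((v, "tagged" if t else "untagged")
                  for v, members in table.items() for p, t in members if p == port)

def check_lan_vlan(table, lan_vlan):
    """Explain why a chosen LAN VLAN would have no usable switch port; an empty list means it looks fine."""
    problems = []
    if lan_vlan in RESERVED_VLANS:
        problems.append(f"VLAN {lan_vlan} is reserved for an internal bridge")
    members = table.get(lan_vlan)
    if members is None:
        return problems + [f"no switch_vlan section defines VLAN {lan_vlan}, so no switch port can carry it"]
    if (CPU_PORT, True) not in members:
        problems.append(f"CPU port {CPU_PORT} is not a tagged member of VLAN {lan_vlan}")
    if not any(p != CPU_PORT for p, _ in members):
        problems.append(f"no physical port is a member of VLAN {lan_vlan}")
    return problems
```

With the quoted config, ports 2-4 receive VLAN 1 untagged and port 1 receives VLAN 2 tagged, while check_lan_vlan(vlan_table(SWCONFIG), 5) reports that nothing in swconfig carries VLAN 5.
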
nc8q
education/experimentation lab
ad7uf:

"These are preconfigured for easy use, hiding VLAN use."
You are right. These indoor devices are 'residential' grade.
Maybe not best as lab/educational tools.
You seem to know much more about VLANs than I.

"I also have a very low power budget,"
Understood. 
I picked up 5 (24 or 48, 100Mbit) 3Com VLAN switches at a hamfest for $5/each.
I have a VLAN switch on a table at home.
I have another VLAN switch in my unattached garage.
I trunk WAN from the house to the garage.
I trunk VLANs between the house and garage.
Using VLANs I can configure a LAN port in the house for an AREDN node in the garage.
Using VLANs I can configure a LAN port in the garage for an AREDN node in the house.
That is as much as I have learned to do with VLANs.

73, Chuck

 
AD7UF
$5 switches?

$5? Not bad! I'll be keeping my eyes open for deals like that. In years past I've passed up deals on good 100Mbps switches, because I had plenty of 100Mbps switches and was still upgrading to Gigabit in many places; I didn't realize at the time that at some point in the future they'd come in handy for AREDN installations!

Lately, I've been using cheap Chinese smart switches ($8-15 new) in a lot of AREDN installations. They're not perfect -- I love that they're small, efficient, and are flexible power (9-56VDC or PoE) but they do have a bit higher failure rate than the big brands (I'm not putting another one in a crowded cabinet 40' up a tree again! Failed 3 weeks after installation...), VLAN support is minimal (but sufficient for mixing AREDN w/ other traffic), and on mixed networks I sometimes have to dump unwanted traffic (e.g. every time an ARP query's seen for any IP address, the switch waves its arms and responds "Hey, don't worry about that other guy; *I'm* here at 10.0.0.1!", making some network auditing tools rightfully unhappy) -- but the price is right, and since I'm working on an AREDN buildout with nearly 100 sites, I'm putting some effort into optimizing money and labor outlay. I've only been using the super-cheap switches for about 8 months, so I'm still being cautious about where I put them, knowing that going cheap may yet bite me.

Until a year ago I only had "executive-level" knowledge of VLANs; it was one of those "Some day I ought to learn more about..." things. When I started getting serious about AREDN installations and needed to trunk & split traffic, I dove in and started reading & playing. For AREDN I appreciate the flexibility of routing traffic for multiple networks over a single connection (like you're doing between your house and garage), esp. for making use of existing cabling ("That conduit's full, but..."), and being able to split it out via software when convenient. But in spite of all the time I've spent with it, I'm still far from a seasoned expert when it comes to VLAN management, and though I dabbled a bit w/ AREDN/Hamnet/HSMM even back in the WRT54G days, I still feel like a complete newb in practical application; I have a lot to learn.

I appreciate you responding to my questions -- and for making me think.
