Wed Apr 07, 2021 4:47 pm
What is special in this setup is that there are two VLANs (with different tags) that together form one subnet, i.e. they are bridged together.
The router has its IP address, filter rules, etc. all on the bridge, and externally there are these two VLANs.
The reason is that I want to extend the wireless network, which now has a couple of different SSIDs with WPA2-PSK, each attached to a VLAN, with an extra SSID that uses WPA2-EAP and has a dynamically assigned VLAN depending on the username/password or certificate presented to the AP.
So I want certain users of SSID A to be put in VLAN 62 (the existing situation), SSID B users on VLAN 63, etc. Now I want users of the new EAP SSID C who use certain usernames to be on that same network, others on the second network, etc.
However, unfortunately the competitor's APs do not allow the same VLAN ID to be used both as a static VLAN (fixed VLAN mapping) and as a dynamic VLAN (for dynamic VLAN users). Dynamically assigned VLANs must be different from any statically assigned (fixed to an SSID) VLANs...
Stupid limitation; they have been promising to remove it for three years already, and until now it has only happened in beta firmware that I do not want to run. So the situation is not too different from what we know from MikroTik :-)
Hence this "clever" workaround. Until now, the bridge was already present, but it had only ether5.vlan62 as an external port, it was set to "fast forward", and there was no learning.
I have removed the fast forward, enabled auto learning, and added the extra VLAN, and it appears to work OK, but as described the host table is printed incorrectly.
The ARP table is OK because it has the bridge interface as the interface in the table.
(Based on earlier experience I now always configure CCR routers like this: one bridge per "application" (like WAN1, WAN2, LAN, GUEST1, GUEST2), put it in fast forward mode with one external port. It causes little overhead and has several advantages: you can easily move an application to another port; when replacing the router with another type with a different port layout it is easy to adapt the configuration (e.g. old vs. new model CCR1009); and it also allows bridge filtering, which I use to do some ARP filtering.)
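As an added illustration (not configuration from the post above), here is what the described layout looks like in RouterOS 6 CLI syntax: one bridge per "application", two VLAN interfaces with different tags on the same physical port joined into a single subnet, fast forward off and MAC learning on, the router's address on the bridge, and one example of the kind of ARP filtering a bridge filter makes possible. The bridge name, the second VLAN ID 162, the 192.168.62.0/24 prefix and the ARP rule are all assumptions of this example, not values taken from the post.

```routeros
# Added example, not the poster's own export. Assumed names/values:
# bridge-guest1, ether5, VLAN 62 (static SSID A) and VLAN 162 (hypothetical
# dynamic-VLAN ID for the EAP SSID; it must differ from every static one),
# router address 192.168.62.1/24.

# Two tagged VLAN interfaces on the same physical port, different tags.
/interface vlan
add name=ether5.vlan62 interface=ether5 vlan-id=62
add name=ether5.vlan162 interface=ether5 vlan-id=162

# The bridge that joins the two VLANs into one L2 segment. With two member
# ports, frames have to be switched between them, so fast forward is turned
# off and the ports are left to learn MAC addresses (learn=auto).
/interface bridge
add name=bridge-guest1 fast-forward=no

/interface bridge port
add bridge=bridge-guest1 interface=ether5.vlan62 learn=auto
add bridge=bridge-guest1 interface=ether5.vlan162 learn=auto

# The router's address (and DHCP server, IP firewall rules, etc.) attach to
# the bridge, not to a VLAN interface, so moving the segment to another
# physical port only means re-parenting the VLAN interfaces.
/ip address
add address=192.168.62.1/24 interface=bridge-guest1

# Assumed ARP filtering rule (my illustration, not the author's rule): drop
# any ARP frame from a client whose sender IP is the gateway's address, both
# when it is aimed at the router itself (input) and when it would be bridged
# to another client on the other VLAN (forward). The router's own ARP replies
# leave through the output chain and are not affected.
/interface bridge filter
add chain=input mac-protocol=arp arp-src-address=192.168.62.1 action=drop \
    comment="drop ARP claiming to be the gateway"
add chain=forward mac-protocol=arp arp-src-address=192.168.62.1 action=drop \
    comment="drop ARP claiming to be the gateway"
```

Because the ARP rules match on the sender address only and do not restrict `arp-opcode`, they catch both spoofed replies and spoofed (including gratuitous) requests. Check with `/interface bridge host print` that MACs from both VLANs are learned on the expected ports after `fast-forward=no` is applied, and with `/interface bridge filter print stats` that the drop counters stay at zero in normal operation.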