2 Wi-Fi SSIDs on different VLANs (Archer C7 / pfSense): Problem when I activate the second custom interface

Hello,

I use "TP-Link Archer C7 v2" router with OpenWrt 19.07.3 (OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.178.63701-ce35d08).

My goal is to enable 2 Wi-Fi SSIDs on 2 different VLANs on the same physical port.
This port is connected to my pfSense (ESXi VM). The physical port on my ESXi host is trunked (port group: VLAN ID 4095).
The 2 VLANs are declared on my pfSense.

I've been following this tutorial to help me: https://forum.netgate.com/topic/104277/tutorial-pfsense-openwrt-multiple-ssids-and-vlans

My network configuration:
LAN: 192.168.100.0/24 (PC, ...)
OpenWrt management: 192.168.200.0/29 (VLAN for the physical port on my TP-Link router)
SSID WIFI 1: 192.168.20.0/24
SSID WIFI 2: 192.168.10.0/24

It works properly with a single Wi-Fi SSID, but when I configure a second custom interface (bridge of eth1.10 and wireless) it's as if the VLANs don't work anymore:
PING LAN > OpenWrt management >>> NOK
PING OpenWrt management > OpenWrt management >>> OK
PING LAN > SSID WIFI 1 >>> NOK
PING SSID WIFI 1 > SSID WIFI 1 >>> OK

And my second Wi-Fi SSID doesn't seem to be working.
Once, the second custom interface wouldn't activate and I got the following error: "Error: Network device is not present".

Below is my network configuration:

With only one Wi-Fi SSID (configuration OK):

# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd49:2e10:9022::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.248'
        option ipaddr '192.168.200.2'
        option gateway '192.168.200.1'
        list dns '192.168.200.1'
        list dns '10.76.100.100'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2t'
        option vid '20'

config interface 'SSID_WIFI_1'
        option ifname 'eth1.20'
        option proto 'static'
        option type 'bridge'
        option ipaddr '192.168.20.2'
        option gateway '192.168.20.1'
        list dns '192.168.20.1'
        list dns '10.76.100.100'
        option broadcast '192.168.20.255'
        option netmask '255.255.255.0'

With two Wi-Fi SSIDs (configuration NOK):

# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd49:2e10:9022::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.248'
	option ipaddr '192.168.200.2'
	option gateway '192.168.200.1'
	list dns '192.168.200.1'
	list dns '10.76.100.100'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2t'
	option vid '20'

config interface 'SSID_WIFI_1'
	option ifname 'eth1.20'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.20.2'
	option gateway '192.168.20.1'
	list dns '192.168.20.1'
	list dns '10.76.100.100'
	option broadcast '192.168.20.255'
	option netmask '255.255.255.0'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 2t'
	option vid '10'

config interface 'SSID_WIFI_2'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.10.2'
	list dns '192.168.10.1'
	list dns '10.76.100.100'
	option netmask '255.255.255.0'
	option broadcast '192.168.10.255'
	option gateway '192.168.10.1'
	option ifname 'eth1.10'

Do you have any idea?

Thanks a lot !
Best regards
Romain

In the switch, tag all the VLANs that you put on the trunk cable. Tagged and untagged packets on the same cable should be avoided and often do not work with consumer-type equipment.

Since you only want a wifi-to-wired converter (dumb AP), use bridges of proto none to link to the Ethernet port. You do not want the router to hold an IP address or otherwise participate on the guest networks; it only layer-2 forwards the wifi to wired.

config interface 'vlan10'
    option type 'bridge'
    option proto 'none'
    option ifname 'eth1.10'

Then in /etc/config/wireless, connect the AP to network 'vlan10'.

Hello mk24,

Thanks a lot! It's working properly :slight_smile:!
When you indicate: "In the switch, tag all the VLANs that you put on the trunk cable. Tagged and untagged packets on the same cable should be avoided and often do not work with consumer-type equipment."

Can you confirm that my configuration below is OK?

I just have two more quick questions:

  1. For my two SSIDs, do I have to use a different channel for each SSID? I really have a doubt about that :roll_eyes:
  2. In the firewall settings of the vlan10 interface, do I have to configure or create a firewall zone?

Thank you,
Best regards
Romain

I would set LAN1 to tagged in VLAN 1 as well, and set up pfSense so that its LAN network is tagged 1.

  1. Radio hardware only works on one channel at a time, so all the APs on a radio must operate on the same channel. Communication with different users is done on a time-multiplexed basis.

  2. Firewalling is not relevant to a layer-2 bridge. The guest users are fundamentally blocked out of the OpenWrt kernel since OpenWrt does not have an IP address on the bridge.
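
As an added example (not code from this thread, from OpenWrt or from pfSense), here is a small Python lint that applies mk24's two recommendations to an swconfig-style /etc/config/network: every VLAN on the trunk port must be tagged (including VLAN 1, the "LAN1 tagged in VLAN 1" point above), and guest SSID bridges should be proto 'none' with no address on the AP. It also checks that every ethX.N an interface references is delivered tagged on the matching CPU port. The CPU-port mapping, the abbreviated POSTED sample and the FIXED variant are constructed from the configs posted earlier in the thread; the thread does not say what produced the "Network device is not present" error, so the third check is a consistency check, not a diagnosis of that message.

```python
"""Added lint for an swconfig-era OpenWrt /etc/config/network (example code, not
from the thread): flags ports mixing tagged and untagged VLANs, guest bridges
that still hold an IP, and ethX.N names whose VLAN is not tagged to the CPU port."""
import re
import shlex

# switch0 CPU ports on the Archer C7 v2, inferred from the posted config
# (VLAN 1 uses '0t' with lan on eth1.1; VLAN 2 uses '6t' with wan on eth0.2).
CPU_PORTS = {"0": "eth1", "6": "eth0"}

def parse_uci(text):
    """Minimal UCI reader: [(section_type, name, {option: value-or-list}), ...]."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == "option":
            sections[-1][2][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def port_roles(sections):
    """{port: {vid: 'tagged'|'untagged'}} over every switch_vlan section."""
    roles = {}
    for stype, _, opts in sections:
        if stype == "switch_vlan":
            for token in opts["ports"].split():
                role = "tagged" if token.endswith("t") else "untagged"
                roles.setdefault(token.rstrip("t"), {})[opts["vid"]] = role
    return roles

def mixed_ports(sections):
    """Ports untagged in one VLAN and tagged in another (mk24's warning)."""
    return {p: v for p, v in port_roles(sections).items() if len(set(v.values())) > 1}

def addressed_bridges(sections, management="lan"):
    """Bridges other than the management one that are not proto 'none'."""
    return [n for t, n, o in sections if t == "interface" and o.get("type") == "bridge"
            and n != management and o.get("proto") != "none"]

def missing_devices(sections):
    """(interface, ethX.N) pairs whose VLAN N is not tagged towards that CPU port,
    so the sub-interface would never see any traffic from the switch."""
    roles = port_roles(sections)
    present = {f"{dev}.{vid}" for port, dev in CPU_PORTS.items()
               for vid, role in roles.get(port, {}).items() if role == "tagged"}
    missing = []
    for stype, name, opts in sections:
        if stype == "interface":
            names = opts.get("ifname", "")
            names = " ".join(names) if isinstance(names, list) else names
            missing += [(name, d) for d in names.split()
                        if re.fullmatch(r"eth\d+\.\d+", d) and d not in present]
    return missing

# Constructed sample: the second (NOK) config from the thread, abbreviated.
POSTED = """\
config interface 'lan'
    option type 'bridge'
    option ifname 'eth1.1'
    option proto 'static'
    option ipaddr '192.168.200.2'
config switch_vlan
    option vlan '1'
    option ports '0t 2 3 4 5'
    option vid '1'
config switch_vlan
    option vlan '3'
    option ports '0t 2t'
    option vid '20'
config interface 'SSID_WIFI_1'
    option ifname 'eth1.20'
    option proto 'static'
    option type 'bridge'
    option ipaddr '192.168.20.2'
config switch_vlan
    option vlan '4'
    option ports '0t 2t'
    option vid '10'
config interface 'SSID_WIFI_2'
    option ifname 'eth1.10'
    option proto 'static'
    option type 'bridge'
    option ipaddr '192.168.10.2'
"""

# mk24's two changes: tag the trunk port (2) in VLAN 1 as well, and make the
# guest bridges address-less layer-2 bridges (proto 'none', no ipaddr).
FIXED = (re.sub(r"\n\s*option ipaddr '192\.168\.[12]0\.2'", "", POSTED)
         .replace("'0t 2 3 4 5'", "'0t 2t 3 4 5'")
         .replace("option proto 'static'\n    option type 'bridge'",
                  "option proto 'none'\n    option type 'bridge'"))

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        s = parse_uci(cfg)
        print(label, mixed_ports(s), addressed_bridges(s), missing_devices(s))
```

On the posted config the lint reports port 2 as untagged in VLAN 1 but tagged in VLANs 20 and 10, and both SSID bridges as holding an address; on the fixed config all three checks come back empty. Renaming the vid-10 switch_vlan (for instance to vid 11) makes the third check flag SSID_WIFI_2's eth1.10, which is the kind of inconsistency to look for when an interface that is bound to a VLAN sub-interface refuses to come up. With a real device, feed it `cat /etc/config/network` from the AP and compare the result with `swconfig dev switch0 show`.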

Hello mk24,

Ok, thanks a lot for these details !
I'm closing this case. :+1: :+1: :+1:
