Access point, multiple SSIDs, firewall

I've got a "main" OpenWrt router that has two different SSIDs on different subnets that can't talk to each other. SSID/subnet 1 is for trusted computers at home, and SSID/subnet 2 is for all the random "smart home" gadgets which I'm fine with them phoning home, but I don't want them talking to anything else on the LAN.

In order to get coverage all over, I have 2 access points that are wired into a switch that's wired into the OpenWrt router. These access points have the same SSIDs as the OpenWrt router, and I'd somehow like the traffic reaching the OpenWrt router to abide by the same protections that are on the OpenWrt router (SSID/subnet 1 and SSID/subnet 2 can't talk to each other).

Is this possible? How can I make this happen? VLAN tagging (the APs tag traffic differently for each SSID)? Or can you have an access point that assigns clients of a particular SSID a particular subnet, and then the OpenWrt can firewall based on that?

Or would I just be better served by using wifi range extenders and ditching the APs? The main thing I prefer about APs is that they're wired into the main OpenWrt router (well, a switch that is connected to it) and it seems like I can space them out more than I'd need to with range extenders.

I've got something similar. Main wireless network is bridged to the LAN. IOT wireless network is bridged to an IOT bridge, separate network, separate firewall zone. The LAN and IOT networks each have a VLAN assigned, and a trunked connection from the router to the secondary AP, which uses a bridge between each wireless networks and the corresponding ethernet VLAN.

Only set up one active network on the access point; the others all should have bridges but unmanaged interfaces--you don't want the AP to be a potential escape route from the IOT network, so don't give it an IP address on the IOT network.

1 Like

Oh, and see also

Thanks! Your setup is interesting and the docs on setting up a dumb AP look good. My APs are other random routers that aren't running OpenWrt, but maybe to achieve this setup I'll need APs running OpenWrt.

Does my depiction here match what you're saying? I'm a bit of a n00b to this level of networking, so I have to parse through it all painstakingly. It sounds like the bridges are basically dumb except they will force a specific VLAN tag on anything passing through them (and reject anything with a different tag?), and that's how the router on each side will know which bridge to forward traffic to that is arriving from the trunked connection. Is that correct?

When you say to only set up one "active network" on the AP, does that only mean to not have the AP get an IP address on that network (so an evildoer on the IOT network can't try to mess with the AP), or anything in addition to that?

Good picture. Yes, the bridges are pretty dumb in this setup. Technically they are not themselves forcing the VLAN tag--that is done by putting the VLAN ethernet interface port into the bridge configuration. Then ethernet traffic on the VLAN is seen by the bridge. In OpenWrt, you add the VLAN-tagged port to the bridge, and configure the wireless network to join the same bridge. Traffic bridges between the wifi and the VLAN.

That's it!

Did you do all this config via OpenWrt's web interface, or via command line?

I'm still a little fuzzy on how the VLANs are configured, but from reading the docs it sounds like these orange switches should be added to my diagram:

The orange boxes are the N-port VLAN-enabled switch on each router.

I think those orange switches would be configured under Network->Switch in the web client or in /etc/config/network. That's what creates the VLAN interfaces you're talking about, and that's how the one physical interface can aggregate all the VLAN traffic between the main router and AP. For that physical interface, I think you'd pick a specific LAN port on the back of each router for this trunked connection, and that's the column you'd be configuring in the web interface under Network->Switch.

I'm spelling this all out to make sure I understand. Please correct me if I'm wrong :slight_smile:

Follow-up question: Why did you decide to use APs instead of wifi range extenders? That would seem to remove some complexity with VLANs and trunked connections since range extenders would just expand the reach of the "main wireless net" and "IOT wireless net" on the main router.

1 Like

Yep, that's right.

Several reasons:

  1. I wanted to use fast switching when devices moved from one base station to another, and knew that OpenWrt supported it
  2. I wanted ethernet back-haul for performance
  3. My house has in-wall cat5e from most rooms to a basement wiring panel, so I could easily set up ethernet back-haul
  4. Having a fully capable OpenWrt system as the AP means I have a spare I can swap in for the main router in case of hardware failure