Another VLANs with OPNsense > OpenWrt dumb AP/switch setup help

Hello,
I recently got into the world of OPNsense and have learned quite a bit in a short time. I understand that having VLANs is a great way to isolate networks for, say, IoT devices, guests and future kids. So I started doing some digging but I cannot get things going the way I want. Attached is a diagram of my current network. I have set up OPNsense as the main router in a mini PC with four NICs: port0 > WAN, port2 + port3 are bridged and assigned as the LAN interface so I can get the full 1.5Gb download at my main PC.
The current network gateway is 10.100.0.1. I've set up a VLAN30 in OPNsense with 10.100.30.1 as its static IPv4 address as well as its DHCP server and firewall rules, following the guide mentioned in this thread and the homenetworkguy videos.
Currently I have an Asus TUF AX4200 running OpenWRT 23.05.3 set up as a dumb AP and also a switch, where I have a mini PC (Plex server) and a NAS connected.
I've tried doing the VLAN filtering thing in the br-lan and tagging it to LAN1 (connection to OPNsense), but when saving and applying it doesn't work; in some cases it has frozen and reverted, so I gave up and kept reading. I saw how @phsherman helped out others with similar situations but I don't know if my case is the same, since I plan to plug in devices via ethernet to the back of the AX4200, effectively using it as a switch as well as the AP.
Any help will be appreciated. I can try SSH with PuTTY to the router and figure out how to get stuff from there and make changes with the CLI; this is new to me but I'm a quick learner. Thanks for looking.

This should be pretty straightforward.

You have two networks -- your normal LAN and VLAN30. In order to help you, we need to know:

  • What is the configuration on the router for the port that connects to the AP?
    • specifically, is the main LAN untagged or tagged?
    • please confirm that VLAN 30 is present on that port and tagged.
  • What is the VLAN-port membership you want to achieve?
    • the wan port appears to be the uplink to the OPNsense router
    • What about ports lan1-lan4 -- what VLAN should be on each (and are any of them trunks to link to another VLAN-aware device)?

Then, let's see the details of your current configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp

What is the configuration on the router for the port that connects to the AP?

  • specifically, is the main LAN untagged or tagged?
  • please confirm that VLAN 30 is present on that port and tagged.

Thank you for chiming in!
The router (OPNsense) ports are as follows: eth0 is WAN, eth1 is unused and eth2 + eth3 are bridged > this is assigned to the LAN interface, which has the DHCP4 server enabled for my network here at home. I have my main PC connected to eth2 (want the full blast 1.5gbit internet) and the eth3 cable is connected to OpenWrt (AX4200 dumb AP/switch) lan1.

Do I have to have two/three VLANs? One for my local network and the other ones for guest/IoT or whatever else I want? Or can I just leave the LAN as is and have a single VLAN for my IoT devices, another one for guests, etc.?

The OpenWrt has two cables going out to: NAS (WAN port) and a mini PC (LAN4) Plex server, hence I want them in the same LAN so that my TVs and other devices can stream from the Plex locally.
The OPNsense VLAN40 I created has parent eth3 port and tag 40. That's all I know. This is all new to me.
On OpenWrt I tried tagging the VLAN40 to LAN2 since it was empty, added an interface to it and a Wi-Fi SSID, and was able to connect a phone and get internet access, but it was not the IP range I selected on the router side. Probably did that wrong as I was just trying things out (again, new to networking).

Here is the info from the ssh:

 "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde3:538b:f63f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option vlan_filtering '0'

config device
        option name 'lan1'
        option macaddr '...........'

config device
        option name 'lan2'
        option macaddr '..........'

config device
        option name 'lan3'
        option macaddr '............'

config device
        option name 'lan4'
        option macaddr '............'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.100.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.100.0.1'

config device
        option name 'eth1'
        option macaddr 'xxxxxxxx'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan2:t'

config interface 'VLAN40'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '10.100.40.2'
        option netmask '255.255.255.0'
        option gateway '10.100.40.1'

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

I am now confused. You said earlier that you wanted to use VLANs... do you have multiple networks currently configured on OPNsense, or is there just a single flat network?

Is 10.100.40.1 defined on the main (OPNsense) router and connected with VLAN 40?

Sorry for the confusion. I only have one network in OPNsense. But in order to isolate IoT devices so they don't see my LAN devices, I've read the best way to do that is through VLANs. Should I then configure one VLAN for my home network devices and extra VLANs for other devices such as IoT and guests, as an example?

Yes. If you want to provide protection of your trusted devices from your untrusted ones, VLANs are the primary tool to do this.

While it is possible to do this on a dumb AP (see this guide), that technique is only recommended when a user's main router is not VLAN capable.

In your case, since OPNsense can be configured with VLANs, my recommendation would be to set up the additional network(s) and VLAN(s) on the main router and then use your OpenWrt device purely as a managed switch and dumb AP.

Configuring OPNsense is out of scope for these forums -- please refer to their support channels for help on this topic. But once you've gone through the process and proven that it works on the router, you can then move on to setting up OpenWrt to achieve the switch/AP functions with the VLANs.

Yes, that is my goal. But after looking at several guides and videos, once I try to tag the VLAN40 on the switch/AP port that's connected to the router and apply, it fails to apply and reverts. See pic, that change won't save/apply. I think that's what's preventing me from getting further. Is there a way to set this up via CLI? Also, can I have the following setup then?
VLAN10 as my home network, which will have these devices connected to it:
main PC on router port eth2
Plex server on switch/AP port lan4
NAS on switch/AP port wan
two SSIDs: 2.4G for the printer and Wi-Fi 5/6 for laptops, phones, iPad, TVs

VLAN40 for IoT
VLANXX for guests
and so on.
I just need help getting it set up in the OpenWrt device. I can take care of the router side.
Thanks

I can help you with the OpenWrt side, and I actually do it by (recommending) direct edits of the config files.

But all of it is pointless if you don't have OPNsense set up with the VLANs in question, because you won't have a way to verify that things are working as expected (aside from not getting locked out).

Start with OPNsense and once that's done, we'll tackle the AP.

Ok thanks, I will give it a try later this weekend or tomorrow evening. Will post back when I have it all set up and ready for OpenWrt.

Great.

Pro-tip...

Temporarily (or maybe even permanently) set one of your router's ethernet ports such that it is an access port for your new VLAN -- this way you can test and make sure it has the desired connectivity on the OPNsense side of things. Then, you'll set the port that connects to the AP to trunk your two VLANs and we can go from there.

I decided to plug the PC back into one of the OpenWrt switch ports going forward. So what are the CLI commands to set it up?
I am ready. I will need all devices connected (wired) to the OpenWrt in the same VLAN, which will be VLAN10.

Are all ports now going to be connecting to VLAN 10 on your OpenWrt switch? Is the uplink tagged or untagged?

What is the current output of:

cat /etc/config/network

Yes, and then I want to create another interface with VLANs 20/30 for IoT/guest, which will be assigned to specific wireless networks. The uplink will be tagged so the OPNsense can do its thing accordingly?
Here's the output atm:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4b:cb55:7965::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '----'

config device
        option name 'lan2'
        option macaddr '----'

config device
        option name 'lan3'
        option macaddr '----'

config device
        option name 'lan4'
        option macaddr '----'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.100.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.100.0.1'

config device
        option name 'eth1'
        option macaddr '----'

The connection from the router is coming into eth1 (wan port) on the OpenWrt; two PCs and a NAS will be connected to the LAN ports on OpenWrt.

Ok... so this is pretty straightforward.

Right now, all ports are untagged on the same VLAN. If that's your goal, there's nothing more to do.

But, it sounds like you want to have 3 VLANs on this device, correct? If I'm understanding your intent (please correct anything that is wrong here), it would look like this:

  • WAN port (eth1?): uplink to main router, VLANs 10, 20, 30 all tagged.
  • LAN ports (1-4): VLAN 10 untagged on all ports.
  • Wifi SSID for VLAN 20, no ethernet for VLAN 20 aside from the wan port uplink
  • Wifi SSID for VLAN 30 no ethernet for VLAN 30 aside from the wan port uplink
  • (maybe Wifi SSID for VLAN 10)

Is this correct?
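The port-VLAN layout proposed above (eth1 as a tagged trunk for VLANs 10, 20 and 30; lan1-lan4 untagged in VLAN 10; VLANs 20 and 30 reachable only by SSID) translates into a handful of OpenWrt 23.05 bridge-VLAN sections. The script below is an added example, not something posted in this thread and not the helper's own config. It renders the sections of /etc/config/network that would replace the current `br-lan` device, `lan` interface and any existing `bridge-vlan` stanzas; the management address 10.100.10.2 / gateway 10.100.10.1 and the VLAN-to-purpose mapping are assumptions. It also checks the layout for the classic lockout mistake (management VLAN not carried on the trunk, or a port listed as both trunk and access) before printing anything. The untrusted VLANs are deliberately `proto 'none'` so the AP itself has no address on them and is not reachable from IoT or guest clients.

```shell
#!/bin/sh
# Added example (not from the thread): render the bridge-VLAN part of
# /etc/config/network for an OpenWrt 23.05 dumb AP / switch behind a
# VLAN-capable router. All values below are assumptions for illustration.
TRUNK_PORT="eth1"                  # "wan" port: uplink to OPNsense, VLANs tagged
ACCESS_PORTS="lan1 lan2 lan3 lan4" # wired devices, untagged in the trusted VLAN
TRUNK_VLANS="10 20 30"             # 10 = trusted LAN, 20 = IoT, 30 = guest
ACCESS_VLAN="10"
AP_IP="10.100.10.2"                # assumed management address of the AP
AP_GW="10.100.10.1"                # assumed OPNsense address in VLAN 10

# One 'bridge-vlan' section. The trunk is tagged (:t); only the trusted VLAN
# is untagged + PVID (:u*) on the LAN ports, so VLAN 20/30 frames never leave
# a LAN port and an IoT device plugged in by cable cannot join those VLANs.
bridge_vlan_section() {
    vid="$1"
    printf "config bridge-vlan\n"
    printf "\toption device 'br-lan'\n"
    printf "\toption vlan '%s'\n" "$vid"
    printf "\tlist ports '%s:t'\n" "$TRUNK_PORT"
    if [ "$vid" = "$ACCESS_VLAN" ]; then
        for p in $ACCESS_PORTS; do
            printf "\tlist ports '%s:u*'\n" "$p"
        done
    fi
    printf "\n"
}

# The matching 'interface'. Once vlan_filtering is on, 'lan' must move from
# 'br-lan' to 'br-lan.<vid>' or the AP loses its address. Untrusted VLANs get
# 'proto none': the SSID bridges into br-lan.<vid>, the AP owns no IP there.
interface_section() {
    vid="$1"
    if [ "$vid" = "$ACCESS_VLAN" ]; then
        printf "config interface 'lan'\n"
        printf "\toption device 'br-lan.%s'\n" "$vid"
        printf "\toption proto 'static'\n"
        printf "\toption ipaddr '%s'\n" "$AP_IP"
        printf "\toption netmask '255.255.255.0'\n"
        printf "\toption gateway '%s'\n" "$AP_GW"
    else
        printf "config interface 'vlan%s'\n" "$vid"
        printf "\toption device 'br-lan.%s'\n" "$vid"
        printf "\toption proto 'none'\n"
    fi
    printf "\n"
}

# Full fragment: bridge device with filtering enabled, one bridge-vlan and one
# interface per VLAN. Loopback, globals and per-port 'device' sections of the
# existing file are untouched and are not rendered here.
render_network_fragment() {
    printf "config device\n"
    printf "\toption name 'br-lan'\n"
    printf "\toption type 'bridge'\n"
    printf "\tlist ports '%s'\n" "$TRUNK_PORT"
    for p in $ACCESS_PORTS; do
        printf "\tlist ports '%s'\n" "$p"
    done
    printf "\toption vlan_filtering '1'\n\n"
    for v in $TRUNK_VLANS; do bridge_vlan_section "$v"; done
    for v in $TRUNK_VLANS; do interface_section "$v"; done
}

# Lockout guard: the management VLAN must ride the trunk, and no port may be
# both the trunk and an access port.
validate_layout() {
    case " $TRUNK_VLANS " in
        *" $ACCESS_VLAN "*) ;;
        *) echo "access VLAN $ACCESS_VLAN is not carried on the trunk" >&2; return 1 ;;
    esac
    for p in $ACCESS_PORTS; do
        if [ "$p" = "$TRUNK_PORT" ]; then
            echo "$p cannot be both trunk and access port" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone use: validate, then print the fragment to paste into the file.
if validate_layout; then
    render_network_fragment
fi
```

On the AP, back up /etc/config/network first, replace the old `br-lan` device, `lan` interface and `bridge-vlan` sections with the printed fragment, then run `/etc/init.d/network restart`; the router side must already present VLAN 10 tagged on that cable (or the AP is unreachable until you revert). The IoT and guest SSIDs are then attached in /etc/config/wireless with `option network 'vlan20'` and `option network 'vlan30'` respectively, while the trusted SSIDs use `option network 'lan'`.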

This is all very confusing to me tbh.
I have a cable running from the router (OPNsense) LAN port to the switch (OpenWrt) eth1 (my switch calls its WAN port this: eth1)... This forms my local area network where I have my PCs and NAS; it's all in the br-lan interface on the switch and I assign the appropriate SSIDs for laptops, phones, TVs and printer, as in the main picture I posted on day one.
Now, I want to separate IoT and guests using VLANs. So here are my questions:
Why do I need my home devices on a VLAN, why can't they just stay in the LAN?
Can't I just create two VLANs and assign them to the same port that the LAN is on the router? Then enable the interface, enable the DHCP4 server and add firewall rules to access the internet.
Then create the VLANs on the switch and tag them on the same port (cable coming from router) so that the router can see these tags and assign the IPs accordingly?
Is this logical, or what am I missing here?
What do I need to do on the switch end so I can start testing things out?
I have created the VLANs with a tag, enabled DHCP, firewall rules added and assigned to an interface in the router.
Thank you and sorry for the long post.

Well, what we're trying to sort out is simple -- what are your goals with respect to physical connectivity on a per-port (and wifi) basis.

They can stay on your regular lan if you want... but that contradicts your statement:

If you're talking about the connection between the router and the switch, sure... but if you're talking about for the end-devices to connect, for all practical purposes, no. It is actually possible, but doing this would mean a significantly more complex (and highly overkill) set of configurations.

Yes. You can do this in the form of a trunk (a single port/cable carrying multiple networks), but to do this, the additional networks need to be tagged and will not be possible for a non-vlan aware device to use (i.e. most normal devices). So you need to connect a VLAN aware device -- i.e. a managed switch such as your OpenWrt device -- to "break out" the VLANs.

It kind of seems like you do actually have an understanding of the idea of tags and connecting the router to the switch... but it's not clear what your end goal is in terms of port-vlan membership.

How can I enable bridge VLAN filtering via the CLI? Because through LuCI it doesn't let me apply and save.

I do it via direct edits of the config file. I just need to know what ports are used for what VLANs and I can show you.

It would be a trunk setup, with the LAN and two VLANs running through it: VLAN10 and VLAN20, on port eth1.

Are all three networks (lan included) tagged? or is the lan untagged on the trunk?

And what about the other ports? Do the lan ports only carry the lan network, or will one or more ports be dedicated to the other VLANs?