AP mode and VLAN Tagging

JonathanDLee24 · May 14, 2024, 6:28am

Hello fellow OpenWrt community members,

Can you please help?

I got a quick question,

I created a vlan on port 4 and it is set to 4,5t on my firewall

Another on port 2 and it is set to 2,5t

I have them both working great, one is a secure AP there other is my OpenWRT I use for unfiltered traffic Guest wifi game systems etc.

Do I also transfer one of the vlan tags into OpenWRT?

OpenWRT has an option to add a tag should I put this tag in there?

I am looking to make the VLANs not be able to talk to each other. I have done this at the firewall with different subnets and different interface assignments and blocked all traffic between them.

I am wondering if I also need to add this tag to the traffic that is exiting the OpenWRT AP, that is in AP mode.

psherman · May 14, 2024, 6:30am

It's not clear from your description the role of the OpenWrt device -- is it the router or an AP (or just a switch)?

What else is connected and where? Maybe a system topology diagram would be useful.

JonathanDLee24 · May 14, 2024, 6:31am

OpenWrt is in AP mode, it connects to my OPT1 that is VLAN tagged for 4082 with a private network of 10.0.0.0/24 my other AP is on a private network of 192.168.1.0/27 van tag 4084 they can not talk to each other however I wonder if I need to add that VLAN tag into the OpenWrt also.

psherman · May 14, 2024, 6:33am

What port on the AP is used for the uplink? Is it directly connected to your router or is there a switch in between? And what VLANs are in use? Are all VLANs tagged, or is one untagged on the trunk?

JonathanDLee24 · May 14, 2024, 6:35am

I am using port 2 on the Netgate 2100-MAX and it goes to the Archer A9 and uses port 1 with the static assignment of 10.0.0.2.

It has a built in Marvel 6000 switch

psherman · May 14, 2024, 6:35am

You didn't answer this:

JonathanDLee24 · May 14, 2024, 6:38am

Port 5 on the Marvel 6000 shows t in the photos above. So Port 4 goes to secure land with the monster proxy, and Port 2 goes over to OpenWrt

The 2100 has a built in Marvel 6000 Switch

Does it also need that info passed to the OpenWrt the "4082"?

On OpenWrt side it is just configured as AP mode the firewall handles DHCP

psherman · May 14, 2024, 6:40am

Are you using VLAN ID 1, or only 4082 and 4084?

On OpenWrt, you'll create two new VLANs -- 4082 and 4084 and they should be tagged on your uplink port.

JonathanDLee24 · May 14, 2024, 6:41am

Only 4082 and 4084

And thank you for your guidance.

Should I get rid of that one I can't remove it as it is a system default however I can delete the members of it

JonathanDLee24 · May 14, 2024, 6:44am

The other AP uses 4084 that is on the secure one I can't have anything touch it. So I still need both tags?

psherman · May 14, 2024, 6:45am

You're welcome.

Once you've created the VLANs on your OpenWrt device, create bridges that contain the VLAN -- that will be ethx.y where x is the internal CPU port (usually eth0, sometimes eth1) and y is the VLAN ID.

Then create an unmanaged interface for your guest network and use the new bridge device for it.

The other network, probably gets the IP address and uses the other bridge.

system · May 24, 2024, 6:49am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.