Archer c7 v2. Trouble with VLANs for NVR

Hi, sorry for making a thread but I've tried for a few days on my own. I searched here and youtube and followed instructions, but I always end up with no success.

Simply, I have the tplink router with openwrt and I would like to set up a VLAN to separate IP cameras from my LAN and from calling home. Also I would like to be able to access the footage while away.

I am trying to use dlink dir1935 as an AP. It has a simple VLAN setting (internet, voip, IPTV). Would I be able to set up a vlan tag on this router and connect my cameras to it? Would that then connect to the tplink router through the vlan#?

Any help would be great!

I'm confused about the role the two different devices play...

  • It sounds like the C7v2 is the primary router and that it is running OpenWrt. Is that correct?
  • The DIR1935 is not supported by OpenWrt, despite 'almost' being possible to do. But it probably never will be because it only has 8MB of flash memory -- not enough to support future versions of OpenWrt and not likely to be added to the current release. So I don't know what VLAN capabilities it has, but if it does actually allow you to specify VLANs, you may be able to work with it... depends on the details. But what does this device do in the context of your setup?

Are the cameras wired or wireless? Do they connect directly to the C7v2 or to the DIR1935 or some other device?

Let's take a look at your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you so much. Yes the c7v2 is the main router with openwrt. I was thinking of the dlink dir1935 as an AP for it but if I can just run VLAN on the c7v2 and connect the IP cameras to it via wifi then I'd be happy.

{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
	"model": "TP-Link Archer C7 v2",
	"board_name": "tplink,archer-c7-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix ''

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '1'
	option acceptlocal '1'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'
	option vid '1'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'
	option vid '2'
	option description 'WAN'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '5t 6t'
	option vid '30'
	option description 'NVR'

config device
	option type 'bridge'
	option name 'br-NVR'
	option bridge_empty '1'
	list ports 'eth0.2'

config interface 'NVR'
	option proto 'static'
	option device 'eth0.30'
	option ipaddr '192.168.30.4'
	option netmask '255.255.255.0'
	option gateway '192.168.30.1'
	option type 'bridge'

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid
	option encryption 'sae-mixed'
	

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'sae-mixed'
	option network 'NVR'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid ''
	option encryption 'sae-mixed'
	option disabled '1'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port ''
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port ''
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port ''
	option proto 'udp'
	option target 'ACCEPT'

config rule

config zone
	option name 'NVRZONE'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'NVR'

config forwarding
	option src 'lan'
	option dest 'NVRZONE'

Remove the ipv6 and acceptlocal lines from below:

Do you need any ethernet ports for the NVR + cameras?
Currently, you've got VLAN 30 tagged on logical port 5 of the switch (not sure which physical port that maps to). Because it's tagged, unless your NVR (and/or whatever else is connected there) is VLAN aware, it will not be able to use that VLAN.

Instead, let's adjust like this... first remove logical port 5 from VLAN1, then set that port as untagged in VLAN3. Also, we'll change the CPU connection to eth1 (logical port 0 - tagged so it'll be eth1.3):

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4'
	option vid '1'
	option description 'LAN'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5'
	option vid '30'
	option description 'NVR'

Your nvr bridge is referencing the wrong VLAN... we'll fix that like this:

config device
	option type 'bridge'
	option name 'br-NVR'
	list ports 'eth1.30'

Finally, we'll fix the NVR network interface to use br-NVR and we'll fix some other issues there (the bridge type doesn't belong, and since this is the main router, it is the gateway -- you have another gateway listed which doesn't make sense):

config interface 'NVR'
	option proto 'static'
	option device 'br-NVR'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

Your wifi for the NVR network does not have an SSID associated. Also, sae-mixed can cause problems with many devices. Use either WPA2 or WPA3, but avoid mixed mode.

You don't have a DHCP server for your NVR network... add this to the DHCP file:

config dhcp 'NVR'
	option interface 'NVR'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Restart your router and then test again.
Connect a device via ethernet to logical port 5 (maybe physical port lan 4?? -- you might have to try all of the ports one at a time) -- it should get an address in the NVR network. And once you've fixed your wifi SSID issue for the NVR wireless, you should be able to connect by wifi as well.


Thanks, psherman, for the advice.
I've followed everything and when I connect a laptop to port 4 it gains a vlan ip (192.168.30.228).

Now excuse the ignorance...does this mean that I can connect cameras to port 4, or the wifi (GalaNVR), and they are safe from calling home? I will also set firewall zones.

And because the IP is different from the LAN, does this mean that the vlan30 devices cannot access anything on the LAN? Will setting the proper firewall zone allow one-way access to the cameras/NVR through the router if I want to access it when away?

MOTIVATED! thanks again

Fantastic. That means that the new subnet is working.

Slightly pedantic answer... What it means is that things connected to port 4 (and/or the wifi for this subnet) will join the 192.168.30.0/24 network. The rest is related to the firewall.

Continuing the point from above... It appears you already have that in place. The NVRZONE does not have forwarding allowed to anything (the only forwarding allowed is lan > NVRZONE). Therefore, you should be able to verify that a device connected to this network cannot reach the internet or even your lan; but your lan should be able to reach the devices on the NVR network (keep in mind -- local firewall/configurations on the hosts/devices on the NVR network could block inter-vlan requests, so if it doesn't work, check those devices to ensure they will allow this type of connection).

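As an added example (not code from this thread or from OpenWrt), here is a small Python check that parses the zone and forwarding sections of an OpenWrt firewall file and answers the question above mechanically: which zones can forward to which. It models only the zone policy and `config forwarding` sections as psherman describes them (per-rule accepts are ignored), and the embedded config is a constructed sample of this thread's firewall after NVRZONE was added.

```python
import shlex
# Constructed sample: the zone/forwarding parts of the thread's firewall
# config after the NVRZONE zone and the lan -> NVRZONE forwarding were added.
SAMPLE_FIREWALL = """config defaults
	option forward 'REJECT'
config zone
	option name 'lan'
	option forward 'ACCEPT'
	list network 'lan'
config zone
	option name 'wan'
	list network 'wan'
config zone
	option name 'NVRZONE'
	option forward 'REJECT'
	list network 'NVR'
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'NVRZONE'
"""

def parse_uci(text):
    """Minimal UCI parser: one dict per 'config' section; 'list' keys hold lists."""
    sections = []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        val = tok[2] if len(tok) > 2 else ""
        if tok[0] == "config":
            sections.append({"_type": tok[1]})
        elif tok[0] == "option":
            sections[-1][tok[1]] = val
        elif tok[0] == "list":
            sections[-1].setdefault(tok[1], []).append(val)
    return sections

def can_forward(sections, src, dst):
    """Cross-zone traffic needs a 'config forwarding' src->dst (else the defaults
    'forward' policy); a zone's own 'forward' only covers traffic within that zone.
    Per-rule ACCEPTs ('config rule' with a dest zone) are not modelled."""
    policy = next(s for s in sections if s["_type"] == "defaults").get("forward", "REJECT")
    if src == dst:
        zone = next(s for s in sections if s["_type"] == "zone" and s["name"] == src)
        return zone.get("forward", policy) == "ACCEPT"
    return policy == "ACCEPT" or any(s["_type"] == "forwarding" and s["src"] == src
                                     and s["dest"] == dst for s in sections)

def reachability(sections):  # {src: {dst: bool}} for every pair of zones
    names = [s["name"] for s in sections if s["_type"] == "zone"]
    return {a: {b: can_forward(sections, a, b) for b in names} for a in names}
```

Run `reachability(parse_uci(open('/etc/config/firewall').read()))` on the router to see the matrix for your real config; for the sample, NVRZONE reaches neither wan nor lan while lan reaches both.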

This was super helpful. Messed around 3 days with this stuff and just getting more confused. Really awesome community that helps others. Thank you!
