Belkin RT3200/Linksys E8450 AP mode with SSID-to-VLAN tagging

Hi all,

I have finished setting up a Belkin RT3200 as an access point and also managed to tag multiple SSIDs with their corresponding VLANs. Everything seems to work for now, so I will just describe it here, and I would really appreciate it if you guys could confirm whether the configuration looks correct.

  1. Flashed the UBI image (29-06-2021) from here
  2. Configured RT3200 as an access point (followed this guide: AccessPoint)
  3. Bridged WAN port with the other LAN ports
  4. Connected Opnsense firewall to the WAN port on RT3200
  5. My setup and SSIDs are as follows:
  • 3 VLANs: VLAN 50 - private LAN, VLAN 60 - IoT, VLAN 70 - guest LAN
  • One 2.4 GHz and one 5 GHz SSID linked to the private LAN, another 2.4 GHz SSID to IoT and a 5 GHz SSID to the guest LAN

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        ula_prefix 'fd27:70fa:5c1d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'
        option ipv6 '0'
        option stp '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '172.31.10.2'
        option gateway '172.31.10.1'
        list dns '172.31.10.1'

For VLAN tagging, I am using scripts stored in /etc/hotplug.d/
/etc/hotplug.d/iface/21-lan

#!/bin/sh
echo "IFACE: INTERFACE: $INTERFACE, DEVICE: $DEVICE, ACTION: $ACTION" >> /tmp/bridgeInit.log

# only act when the lan interface comes up (variables quoted so an empty value cannot break the test)
[ "$INTERFACE" = lan ] && [ "$ACTION" = ifup ] || exit 0

# enable VLAN filtering on the bridge
ip link set dev br-lan type bridge vlan_filtering 1

# clear out vlan 1 (the default VLAN every port joins when filtering is enabled)
# "bridge v" is the iproute2 abbreviation of "bridge vlan"
bridge v del dev lan1 vid 1
bridge v del dev lan2 vid 1
bridge v del dev lan3 vid 1
bridge v del dev lan4 vid 1
bridge v del dev wan vid 1
bridge v del dev br-lan self vid 1

# set vlans wan
bridge v add dev wan vid 50
bridge v add dev wan vid 60
bridge v add dev wan vid 70

# set vlans lan1
bridge v add dev lan1 vid 50 pvid untagged

# set vlans lan2
bridge v add dev lan2 vid 50 pvid untagged

# set vlans lan3
bridge v add dev lan3 vid 50 pvid untagged

# set vlans lan4
bridge v add dev lan4 vid 50 pvid untagged

# set vlans cpu port
bridge v add dev br-lan self vid 50 pvid untagged
bridge v add dev br-lan self vid 60
bridge v add dev br-lan self vid 70

/etc/hotplug.d/net/21-wlan

#!/bin/sh
echo "NET: INTERFACE: $INTERFACE, DEVICE: $DEVICE, ACTION: $ACTION" >> /tmp/bridgeInit.log

# only act when a new network device is added
[ "$ACTION" = add ] || exit 0

# for each wireless interface: clear out vlan 1, then put it in its SSID's VLAN
case "$INTERFACE" in
  wlan0|wlan1)
    # private LAN SSIDs (2.4 GHz and 5 GHz)
    bridge v del dev "$INTERFACE" vid 1

    # wait for a short time
    sleep 1

    bridge v add dev "$INTERFACE" vid 50 pvid untagged
    ;;
  wlan0-1)
    # IoT SSID
    bridge v del dev wlan0-1 vid 1
    bridge v add dev wlan0-1 vid 60 pvid untagged
    ;;
  wlan1-1)
    # guest SSID
    bridge v del dev wlan1-1 vid 1
    bridge v add dev wlan1-1 vid 70 pvid untagged
    ;;
esac

exit 0

The scripts have been made executable, and I have also added them to /etc/sysupgrade.conf so that they will not be deleted during sysupgrade.

With this configuration, when running bridge v (bridge vlan show) after a reboot, I see the following output.

port              vlan-id
lan1              50 PVID Egress Untagged
lan2              50 PVID Egress Untagged
lan3              50 PVID Egress Untagged
lan4              50 PVID Egress Untagged
wan               50
                  60
                  70
br-lan            50 PVID Egress Untagged
                  60
                  70
wlan0             50 PVID Egress Untagged
wlan1             50 PVID Egress Untagged
wlan0-1           60 PVID Egress Untagged
wlan1-1           70 PVID Egress Untagged

What do you guys think? Did I miss anything?
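One way to check a table like the one above against the intended SSID-to-VLAN policy, as an added example that is not the poster's script: it parses the `bridge vlan show` output format shown in the post (the policy string below is constructed from the post's VLAN plan) and reports every port whose membership or PVID deviates from it, including a leftover VLAN 1.

```shell
# Added example, not the poster's script: audit a `bridge vlan show` table against the
# SSID-to-VLAN policy. Assumes the format shown above (port name on the first line,
# further VLANs on continuation lines). On the AP: audit_vlan_table "$(bridge vlan show)"
# Policy from the post: access ports carry one VLAN untagged (PVID); the trunk carries all tagged, no PVID.
POLICY='lan1=access:50 lan2=access:50 lan3=access:50 lan4=access:50 wlan0=access:50
wlan1=access:50 wlan0-1=access:60 wlan1-1=access:70 wan=trunk:50,60,70'
# Prints one finding per line; returns 0 only when the table matches. br-lan ("self") is not policed.
audit_vlan_table() {
    printf '%s\n' "$1" | awk -v policy="$POLICY" '
    BEGIN { n = split(policy, a, " ")
            for (i = 1; i <= n; i++) { split(a[i], kv, /[=:]/); kind[kv[1]] = kv[2]; want[kv[1]] = kv[3] } }
    NF == 0 || (NR == 1 && $1 == "port") { next }   # header or blank line
    /^[^ \t]/ { port = $1; vid = $2 }                 # first VLAN of a port
    /^[ \t]/  { vid = $1 }                            # further VLANs of the same port
    # record membership, the PVID (VLAN that untagged ingress lands in) and any leftover VLAN 1
    vid != "" { seen[port] = seen[port] "," vid; if ($0 ~ /PVID/) pvid[port] = vid; if (vid == "1") vlan1[port] = 1 }
    END {
        for (p in want) {
            if (!(p in seen)) { print p ": missing from bridge"; fail = 1; continue }
            m = substr(seen[p], 2); pv = (p in pvid) ? pvid[p] : "unset"
            if (p in vlan1) { print p ": default VLAN 1 still present"; fail = 1 }
            if (kind[p] == "access") {
                if (pv != want[p]) { print p ": PVID " pv ", expected " want[p]; fail = 1 }
                if (m != want[p]) { print p ": member of VLANs " m ", expected only " want[p]; fail = 1 }
            } else {
                if (pv != "unset") { print p ": trunk has PVID " pv " (untagged frames would enter it)"; fail = 1 }
                if (m != want[p]) { print p ": carries VLANs " m ", expected " want[p]; fail = 1 }
            }
        }
        exit fail + 0
    }'
}
# Constructed sample: the table the poster printed after reboot; it matches the policy.
SAMPLE_TABLE='port              vlan-id
lan1              50 PVID Egress Untagged
lan2              50 PVID Egress Untagged
lan3              50 PVID Egress Untagged
lan4              50 PVID Egress Untagged
wan               50
                  60
                  70
br-lan            50 PVID Egress Untagged
                  60
                  70
wlan0             50 PVID Egress Untagged
wlan1             50 PVID Egress Untagged
wlan0-1           60 PVID Egress Untagged
wlan1-1           70 PVID Egress Untagged'
audit_vlan_table "$SAMPLE_TABLE" && echo "bridge VLAN table matches policy"
```

Running it from a hotplug script or cron gives an early warning if a future sysupgrade or firmware change silently re-adds VLAN 1 or drops a port back into the private VLAN.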

VLAN tagging of packets within a kernel bridge is a new thing. OpenWrt doesn't really support it yet though of course if you write your own script you can do anything.

The old way, which is directly supported by UCI, is to instantiate a separate bridge for each VLAN. Packets within each bridge are untagged, and if you want to send them to users of a wifi AP for example just attach that AP to the bridge in /etc/config/wireless. Traffic existing within a particular bridge means that it is of that VLAN. Combine multiple VLANs to your trunk cable (wan) and tag them on the way out with the notation wan.50 in the vlan50 bridge, wan.60 in the vlan60 bridge etc.

Thanks for the suggestion. I actually started with the approach of having separate bridges, but had some problems. It could be that either the bridges were not correct or the tagging was somehow wrong.

That's when I stumbled upon the newer approach of tagging within a single bridge, and it seems to satisfy my use case.


Yes, you're totally right here. I have the same model. I wanted two VLANs, lan and guest. The lan is untagged on ports lan1 and lan2. lan3 is untagged guest network, and lan4 is a trunk port with lan (vlan1) and guest (vlan19) both tagged.
This configuration seems to work, though I'm not sure if it's what I'm actually supposed to do:

config device
        option name 'br-eth'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-eth'
        option vlan '19'
        list ports 'lan3'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-eth'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan4:t'

config interface 'lan'
        option device 'br-eth.1'
        ...

config interface 'guest'
        option device 'br-eth.19'
        ...

Using separate bridges seems to almost work, except that ethernet-to-ethernet traffic from one of the access ports to the trunk port does not flow. That situation would be hardware switched if everything were working.

DO NOT DO THIS!  DOES NOT WORK!
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan4.1'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'lan3'
        list ports 'lan4.19'

So all the hardware-switched ports need to be in one bridge, which I called br-eth since that's really its common function. Also, if you want to switch the wan port with any other, it needs to be in br-eth as well.