Cheapest option to bridge an RPi4 router to a dumb AP so that VLAN tagging keeps working if the dumb AP goes down

Problem: if my dumb AP goes down, none of my wired devices can use the internet and I cannot even SSH into my router.
Question: how can I change my network architecture to retain VLAN tagging and still have all wired devices connected to the unmanaged switch work if the dumb AP goes down?

I'm using VLAN tagging/segregation on the RPi4 (router/firewall); the tagged VLANs are received on the dumb AP. The dumb AP also has physical connections to an unmanaged switch and a second, PoE switch. Both of these need to be on separate VLANs, as you can see in the figure below.

I am thinking that since the RPi4 only has an eth0 and an eth1, I have to insert a fifth device between it and the dumb access point. Am I wrong? I am also thinking that the new device could be either a small managed switch or another device running OpenWrt that just handles the VLAN/port assignments. Am I overcomplicating things?

[ RPi4 ]-eth1 -- WAN
[ RPi4 ]-eth0 --------------WAN port-[ Dumb AP ]
                                     [ Dumb AP ]-lan0
                                     [ Dumb AP ]-lan1 ---- [ Unmanaged Switch ]
                                     [ Dumb AP ]-lan2
                                     [ Dumb AP ]-lan3 ---- [ PoE Switch ]

For reference:

Router's /etc/config/network
# Router (RPi4) /etc/config/network: eth1 is the WAN uplink, eth0 carries
# three 802.1Q-tagged VLANs (1 lan, 3 guest, 5 iot) toward the dumb AP.
config interface 'loopback'
  option device 'lo'
  option proto 'static'
  option ipaddr '127.0.0.1'
  option netmask '255.0.0.0'

config globals 'globals'
  option ula_prefix 'fd1a:184b:b879::/48'
  option packet_steering '1'

# Base devices; IPv6 is disabled (ipv6 '0') on every device in this file.
config device
  option name 'eth0'
  option ipv6 '0'

config device
  option name 'eth1'
  option ipv6 '0'

config device
  option name 'wg0'
  option ipv6 '0'

# Bridge for the LXC containers; bridge_empty '1' keeps it up with no ports attached.
config device
  option type 'bridge'
  option name 'lxcbr0'
  option ipv6 '0'
  option bridge_empty '1'

# 802.1Q sub-interfaces on eth0, one per VLAN. Every frame leaves eth0 tagged,
# so an unmanaged switch plugged straight into eth0 would only see tagged frames.
# NOTE(review): VID 1 is the default/native VLAN on many switches and tagging it
# can be ambiguous; later in the thread the LAN is moved to VID 10.
config device
  option name 'eth0.1'
  option type '8021q'
  option ifname 'eth0'
  option vid '1'
  option ipv6 '0'

config device
  option name 'eth0.3'
  option type '8021q'
  option ifname 'eth0'
  option vid '3'
  option ipv6 '0'

config device
  option name 'eth0.5'
  option type '8021q'
  option ifname 'eth0'
  option vid '5'
  option ipv6 '0'

# WAN: DHCP from the upstream; peerdns '0' ignores the upstream-supplied
# resolvers in favour of the two listed below; delegate '0' disables IPv6
# prefix delegation on this interface.
config interface 'wan'
  option device 'eth1'
  option proto 'dhcp'
  option peerdns '0'
  option delegate '0'
  list dns '1.1.1.1'
  list dns '1.0.0.1'

# Container network: the router holds 10.0.4.1/24 on the (empty) lxcbr0 bridge.
config interface 'lxc'
  option device 'lxcbr0'
  option proto 'static'
  option ipaddr '10.0.4.1'
  option netmask '255.255.255.0'

# Main LAN on VLAN 1, router address 10.9.8.1/24. Per the thread, LuCI/ssh on
# the router is reachable only from this VLAN (firewall config not shown here).
config interface 'lan'
  option device 'eth0.1'
  option proto 'static'
  option ipaddr '10.9.8.1'
  option netmask '255.255.255.0'

# Guest network on VLAN 3, router address 10.9.7.1/24.
config interface 'guest'
  option device 'eth0.3'
  option proto 'static'
  option ipaddr '10.9.7.1'
  option netmask '255.255.255.0'

# IoT network on VLAN 5, router address 10.9.5.1/24.
config interface 'iot'
  option device 'eth0.5'
  option proto 'static'
  option ipaddr '10.9.5.1'
  option netmask '255.255.255.0'

# WireGuard tunnel; keys, addresses and peers are intentionally not shown.
config interface 'wg0'
  option proto 'wireguard'
# details omitted for privacy
Dumb AP's /etc/config/network

# Dumb AP /etc/config/network (original layout): the 'wan' port is the tagged
# uplink to the router's eth0; all wired ports plus 'wan' sit in one
# VLAN-filtering bridge (br-lan).
config interface 'loopback'
  option device 'lo'
  option proto 'static'
  option ipaddr '127.0.0.1'
  option netmask '255.0.0.0'

config globals 'globals'
  option ula_prefix 'fd90:d55a:8500::/48'
  option packet_steering '1'

# Single bridge holding every wired port, including the 'wan' port used as uplink.
# NOTE(review): lan3 is a bridge member but appears in no bridge-vlan entry
# below, so it presumably carries no traffic — verify this is an unused port.
config device
  option name 'br-lan'
  option type 'bridge'
  option ipv6 '0'
  list ports 'lan1'
  list ports 'lan2'
  list ports 'lan3'
  list ports 'lan4'
  list ports 'wan'

# The AP takes its own (management) address via DHCP on VLAN 1, presumably
# from the router's 10.9.8.1/24 'lan' — confirm against the router's DHCP config.
config interface 'lan'
  option device 'br-lan.1'
  option proto 'dhcp'

# proto 'none': VLAN 3 is bridged through the AP, but the AP has no address on it.
config interface 'guest'
  option proto 'none'
  option device 'br-lan.3'

# proto 'none': VLAN 5 is bridged through the AP, but the AP has no address on it.
config interface 'iot'
  option proto 'none'
  option device 'br-lan.5'

# Port membership per VLAN (t = tagged, u = untagged, * = PVID for ingress).
# lan1 is tagged on all three VLANs; lan2 is the untagged VLAN-1 access port and
# lan4 the untagged VLAN-5 access port. The diagram above labels ports lan0–lan3,
# which appear to correspond to lan1–lan4 here (lan2 → unmanaged switch,
# lan4 → PoE switch) — confirm against the hardware.
config bridge-vlan
  option device 'br-lan'
  option vlan '1'
  list ports 'lan1:t'
  list ports 'lan2:u*'
  list ports 'wan:t'

config bridge-vlan
  option device 'br-lan'
  option vlan '3'
  list ports 'lan1:t'
  list ports 'wan:t'

config bridge-vlan
  option device 'br-lan'
  option vlan '5'
  list ports 'lan1:t'
  list ports 'lan4:u*'
  list ports 'wan:t'

# 802.1Q sub-interfaces of the bridge, one per VLAN, referenced by the
# interfaces above.
config device
  option name 'br-lan.1'
  option type '8021q'
  option ifname 'br-lan'
  option vid '1'
  option ipv6 '0'

config device
  option name 'br-lan.3'
  option type '8021q'
  option ifname 'br-lan'
  option vid '3'
  option ipv6 '0'

config device
  option name 'br-lan.5'
  option type '8021q'
  option ifname 'br-lan'
  option vid '5'
  option ipv6 '0'

# Remaining devices only disable IPv6; wlan1/wlan1-1 are presumably the
# wireless interfaces created by the (not shown) wireless config.
config device
  option name 'wlan1'
  option ipv6 '0'
config device
  option name 'wlan1-1'
  option ipv6 '0'

config device
  option name 'eth0'
  option ipv6 '0'

config device
  option name 'lan1'
  option ipv6 '0'

config device
  option name 'lan2'
  option ipv6 '0'

config device
  option name 'lan3'
  option ipv6 '0'

config device
  option name 'lan4'
  option ipv6 '0'

config device
  option name 'wan'
  option ipv6 '0'

Here is the VLAN tagging page on the Dumb AP:

Use the home LAN as the native (untagged) VLAN. Then, if the dumb AP goes down, you can connect the unmanaged switch directly and still communicate with the RPi.
On the dumb AP, configure lan1 in VLAN 1 the same way lan2 is. On the RPi, change the lan interface's device to eth0.

Or get an inexpensive managed switch (in range of $30-40 for an 8 port one), they are like swiss army knives for networking, everyone should have at least one.


I guess replacing the unmanaged switch with a managed one would get the job done.

[ RPi4 ]-eth1 -- WAN
[ RPi4 ]-eth0 ---------[ Managed switch ]---[All other PCs]
                           |   | 
                           |   | 
[Dumb AP]------------------|   |
[PoE switch]-------------------|

I never used a managed switch before. I am using three VLANs:

  • 1 (LAN)
  • 3 (guest)
  • 5 (IOT)

I guess I take care of the port/VLAN assignments in the managed switch's web GUI, i.e. mapping VLANs 1, 3 and 5 to ports on the managed switch.

Would the configuration on the router remain the same (all 3 VLANs tagged on eth0)? I guess the dumb AP would then have a single connection carrying only tagged VLANs 1 and 3.

As a rule of thumb, you shouldn't be using any unmanaged switches when you have tagged VLANs. You didn't show an unmanaged switch in your topology earlier.

A managed switch is the best option here. Not only that, you can get a managed switch with PoE if you want to eliminate your extra switch there.

I did actually in the first post :smiley:

doh! I looked at one of the posts in the middle.

This is an interesting suggestion. If I did go with a managed PoE switch to replace the two I have, I assume all devices, the router, the AP, and the managed switch would be configured with matching VLAN tagging, no? I never considered a managed switch option and need to read about them.

This would be a matter of network design, but yes, in general, what you said would be true.

The trunk configurations between any two connected devices should generally match, but you can decide what VLANs are active on each port.

As an example, let's say you had 3 VLANs, as an example: 10, 20, 30. Your router and your switch should have their respective ports setup as trunks carrying 10, 20, and 30. But maybe your AP doesn't need VLAN 20, so you set that switch port to 10, 30 (and your AP would be set the same). You can configure a managed switch such that each port carries exactly the networks it needs to -- trunks (multiple networks, all tagged or 1 untagged + 1 or more tagged), or access ports (i.e. a single network, untagged), as needs on a per-port basis.


I think my needs are simple: one port on the switch for 1 VLAN.

VLAN10 = LAN
VLAN3 = Guest
VLAN5 = IoT

For my setup, only the wireless networks offer access to the guest VLAN. Wired access will be for either LAN or IoT.

  1. Am I correct that I need basic 802.1Q VLAN assignments on each port?
  2. Does one generally create an "admin" VLAN and then restrict access to the switch's management software to that VLAN?

If 2 is true, I guess I need just one port that will allow access to both the LAN (10) and that admin VLAN.

Yup. On the Pi, you'll use simple dotted notation (eth0.x). The setup of the dumb AP depends on the specific device in use, but yes, you're adding VLANs in a similar fashion.

This is a matter of network design/preference. If you trust all of your devices (and users) on the main LAN, you can probably safely have your infrastructure management on the same VLAN, but you'll get different opinions on this, of course.

Thanks for the reply. I think I'll figure out an admin VLAN just for kicks (let's call it 99). Stupid question but does the router need to be aware of the admin VLAN as well? I am thinking to assign port 1 on the managed switch to use VLANs 10 and 99, and then connect my workstation to that port.

Maybe...

  • Do you want the router to be part of the management network? For example, making the administration features of the router inaccessible to the other networks and only available to the management network?
  • Do you want the management network to have a DHCP server and is the router the only device you have that would run said DHCP server on the management network?
  • Do you want any of your devices on any other network (i.e. a trusted machine on the main LAN) to be able to communicate with the management network without having to change its network connection?

If the answer to any of the above is 'yes,' that means you'll want the router to be aware of (and probably controlling) the management network.

  • The router is accessible through LuCI or via ssh, currently only from the "Lan" VLAN. No one in the guest or IoT VLANs can access it. I'd like to keep the switch firewalled in the same way.
  • The router has 3 interfaces on it, each serving DHCP.
  • I only want the single workstation to be able to access the switch's management web interface.

If I make a 4th interface on the router for admin, I guess I can just make it a static IP and when I want to access the switch, just use a static network config on my workstation's NIC to do it. Maybe I am ignorant to the ins-and-outs of a managed switch setup. I am all ears for suggestions by people more knowledgeable than I.

@psherman - OK ... I made an "admin" interface (10.1.10.1) on the router serving DHCP and a corresponding eth0.90. I guess the first thing I need to do on the switch is to select a port for uplink, and set it up for incoming tagged for all four VLANs (3, 5, 10, and 90). Then setup a second port for the workstation to use and allow untagged VLANs 10 and 90 (Lan and Admin).

Questions: since I have 4 interfaces (admin, lan, guest, and iot), how can I control which of them assigns an IP address to the switch? Perhaps better to use a static IP on the switch and avoid DHCP from the router?

After getting an IP assigned to the switch, I think I would go about assigning VLANs to each port. In the case of the workstation, I want it to be on both 10 and 90 so I can access the web server on the switch. I am unsure about having two untagged VLANs on the same port; I have never done that before. Do I need to define PVID=10?

You can only have a single untagged network. It must be one or the other.
However, you can allow inter-VLAN routing (on the router) such that your workstation (on VLAN 10) can access the devices on VLAN 90 (i.e. your infrastructure). And with respect to the router itself, you can set it up so that it accepts connections from VLAN 10 and VLAN 90 as a whole, or selectively (maybe on VLAN 10, only your selected workstation will have access, just as an example).

This depends on the switch. Most managed switches (but not all) allow you to set a management VLAN. You set that first, and then set either DHCP or a static IP from there. If you have a switch that doesn't allow selection of the management VLAN (such as the TP-Link TL-SG1xxE series), you'll need to set a static IP in the desired subnet.

Depends on the details of the switch itself, but yes, generally speaking you'll set the PVID accordingly (10 in this case). Many switches also require that you set the port to be an untagged member of the desired VLAN.


OK thanks. Perhaps things will become more clear when the switch actually arrives and I play with it.

Related thought about setup of the dumb access point when the managed switch is in the mix.

As I posted above, I currently have the router directly connected to the dumb AP, and the dumb AP is configured as shown below (managing all 3 VLANs).

In the managed switch setup, nothing will be connected to the AP (just wireless clients on either VLAN 3 or 10). Am I correct in simplifying it like this:

Note that I still want to be able to ssh into it/use LuCI but I think those packets would enter it through the uplink (all tagged) port, no?

Yes, this would be fine.

Tagged vs untagged is not really the factor here -- what is important is which VLAN is associated with the network interface as defined in the dumb AP.

More specifically -- the dumb AP can basically operate as just a bridge between wired and wireless. For this to happen, you just need a bridge configuration that links the wired connection and gives it a network name that can then be used in the wifi SSID configuration. If the proto that is used is "none", it means that the specific network simply passes through the AP, but the AP itself won't respond to anything on that network.

In order to have the dumb AP respond on the network, it has to have a protocol setup -- either DHCP client or static IP, and that needs to be associated with one of the networks (and of course, the firewall has to be configured to accept those connections). So if you want to use VLAN 90 (your management network) for this purpose, you'd add VLAN 90 to the uplink port, and associate that with a network interface with either DHCP or static IP (and if static, it must be set to the correct subnet).

Thanks for the detailed reply. Now both the router and the AP have a new "admin" interface and corresponding VLAN (90). I don't know how to have the router assign the AP an IP on that interface.

Here is the interfaces tab on the AP and below it, /etc/config/network ... what am I doing wrong? Note that the managed switch is not part of the setup yet. I am getting the two devices setup before I introduce it to the mix.

/etc/config/network (on AP)
# Dumb AP /etc/config/network (revised layout): LAN moved to VLAN 10 and a new
# VLAN 90 'admin' interface added; the 'wan' port is still the tagged uplink.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd90:d55a:8500::/48'
	option packet_steering '1'

# Single VLAN-filtering bridge over all wired ports plus the uplink.
# NOTE(review): lan2 and lan3 are bridge members but appear in no bridge-vlan
# entry below, so they presumably pass no traffic — confirm they are unused.
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# The AP requests an address via DHCP on VLAN 10 (main LAN).
config interface 'lan'
	option proto 'dhcp'
	option device 'br-lan.10'

# Bridged only; the AP holds no address on the guest VLAN.
config interface 'guest'
	option proto 'none'
	option device 'br-lan.3'

# Bridged only; the AP holds no address on the IoT VLAN.
config interface 'iot'
	option proto 'none'
	option device 'br-lan.5'

# Management address via DHCP on VLAN 90. This only works if something on
# VLAN 90 (the router, per the thread) actually runs a DHCP server there.
# NOTE(review): with both 'lan' and 'admin' set to dhcp the AP will hold an
# address on VLAN 10 as well as VLAN 90, so its LuCI/ssh is reachable from both
# unless the AP's firewall (not shown) restricts it.
config interface 'admin'
	option proto 'dhcp'
	option device 'br-lan.90'

# Port membership per VLAN (t = tagged, u = untagged, * = PVID for ingress).
# VLAN 10: lan1 untagged access port, uplink tagged.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'wan:t'

# VLAN 3: uplink only (guest is wireless-only).
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'wan:t'

# VLAN 5: lan4 untagged access port, uplink tagged.
config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan4:u*'
	list ports 'wan:t'

# VLAN 90: uplink only, so management traffic reaches the AP solely through
# the tagged uplink port.
config bridge-vlan
	option device 'br-lan'
	option vlan '90'
	list ports 'wan:t'

# 802.1Q sub-interfaces of the bridge, one per VLAN, referenced by the
# interfaces above.
config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '90'
	option name 'br-lan.90'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

# Remaining devices only disable IPv6; wlan1/wlan1-1 are presumably the
# wireless interfaces created by the (not shown) wireless config.
config device
	option name 'wlan1'
	option ipv6 '0'

config device
	option name 'wlan1-1'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'wan'
	option ipv6 '0'

Did you set up a DHCP server on the main router for VLAN 90?