Configure guest network with vlans

Hi,

I am trying to create a network setup as shown in the picture. I should say I'm very new to OpenWRT and more advanced network design.

There are some remarks on my specific hardware with VLANs. But I do not yet understand what I should do with all of them. I avoid using VLAN 1 and 2:
https://openwrt.org/toh/avm/avm_fritz_box_4040#vlan_setup

My first question is whether the suggested switch VLAN configuration is correct.

When I try to change VLAN 1 to 10 in the switch setting of my router, I lose my internet connection. That is, I adjust the setting on my phone, which is connected to the home ssid of one of the access points. OpenWRT reverts the change.

I am able to implement the switch VLAN settings on my access points. Then I can still use my old home ssid.

I can also create a guest ssid on my access points, and connect it to eth0.20. Obviously it does not work yet, because it cannot get an IP, since I am unable to configure my router VLAN (and thus also no DHCP).

Does anyone know what next steps would make most sense? It is a bit hard to try a lot of things, since the rest of the family doesn't like losing internet connection :)

You don't need vlans for the guest wifi.
If you still want to add vlans, make sure you tag the CPU, otherwise it will be useless.
In OpenWrt it is fine to use vlan1. In switches too, but it can be the native vlan and act like a kitchen sink. But it should be fine for your home network.


You have to change the corresponding CPU interface at the same time, for example from eth0.1 to eth0.10.

In addition, some switch chips in OpenWrt devices require the vlan numbers to be consecutive, but you can still set vid to an arbitrary value within the allowed range.
For example:

        option vlan '1'
        # without option vid

becomes

        option vlan '1'
        option vid '10'

You might have to set this on the command line, not in LuCI.

Yes. On the CPU port, and on the ports which connect network infrastructure devices to each other, set all relevant VLANs as tagged (also called a "trunk").
On "access" ports, where end user devices connect, use only one VLAN and set it as untagged.
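Putting the two replies above together (keep the switch slot number, change only the vid, change the CPU interface at the same time; tag the CPU port and the trunk ports, untag the access ports), here is an added example configuration for a swconfig-based router. It is not from this thread or from the OpenWrt wiki page the poster linked. The port numbers (0 = CPU, 1 and 2 = trunks to the access points, 3 and 4 = wired access ports), the addresses and the interface names are assumptions; the 4040's real port map is on its wiki page, and on OpenWrt 21.02 and later `option ifname` is spelled `option device`.

```uci
# /etc/config/network  (added example, not from the thread; port numbers assumed)

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# Home network: slot 'vlan 1' is kept (some chips need consecutive slots),
# only the vid changes to 10. Tagged on CPU (0t) and AP trunks (1t 2t),
# untagged on the wired access ports (3 4).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '10'
	option ports '0t 1t 2t 3 4'

# Guest network: slot 2, vid 20. Tagged on CPU and AP trunks only; guests
# reach it over the guest ssid on the access points, so no access port.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '20'
	option ports '0t 1t 2t'

# The CPU interface follows the vid, not the slot: eth0.10, not eth0.1.
# Change this in the same edit as the switch_vlan above, or the router
# loses its LAN interface.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (the guest ssid gets no IP until this exists)

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall  (guest may reach wan, nothing on lan or the router
# itself except DHCP and DNS)

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guest-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'guest-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

On the access points the mirror image applies: the uplink port carries vids 10 and 20 tagged, the home ssid is bridged to eth0.10 and the guest ssid to eth0.20, and no DHCP or firewall zone is needed there because the router serves both. Because the switch_vlan vid and the interface's `ifname` must change together, edit the files with `uci` or an editor over a wired connection to an access port and restart the network once, rather than changing one LuCI page at a time from a Wi-Fi client, which is what produced the revert the original poster saw.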

In general, yes, but apparently the IPQ40xx switch is a bit special. Since I don't own such a device I cannot say much more.