Configure VLAN for untrusted devices on OpenWrt 22.03

This is my network topology.

The wireless access point is a 'dumb' access point: it has no DNS, no DHCP, etc. It is a Netgear router, thus not running OpenWrt because of Broadcom support. It is running DD-WRT.

The OpenWrt router has no WiFi.

The Pi-hole is the DNS server for the whole network.

I would like to configure VLANs on the OpenWrt router so that the devices on the right (IP camera, guests' smartphones) only have internet access and get an IP address like 192.168.188.x.

I already tagged the virtual WLAN NICs of the access point with VLAN ID 188. All I would like to do in OpenWrt is create a VLAN 188 with a DHCP server. I then create a PBR rule so that all hosts in it go through the WAN interface.

I just don't know which base device to choose.

I do not know exactly which port the wireless access point is connected to, because it is connected to an unmanaged switch, as the other ports on the OpenWrt router are taken. Should I choose eth0 as base device and therefore create an eth0.188 device and then a guest interface? Or should I create a bridge?

This is my current network config:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr ''
	option ipv6 '0'
	option delegate '0'

config device
	option name 'wan'
	option macaddr '62:38:e0:c5:36:18'

config interface 'wan'
	option proto 'dhcp'
	option ipv6 '0'
	option device 'wan.1081'
	option metric '20'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'wan.1081'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '1081'
	option name 'wan.1081'

Thank you.

Well, first you have to find out what LAN port on the OpenWrt router is connected to the switch. Then you make a VLAN on that port. I'm not sure if VLAN/non-VLAN can coexist on the same port. But if it doesn't, then remove that LAN port from br-lan, give the devices on the left a VLAN ID from the AP and the router as well, then add that VLAN to the br-lan bridge.

For the devices on the right, just make a guest interface, add the guest devices' VLAN to that and follow the OpenWrt recipe for configuring a guest network.

This is not possible, as other devices are connected to the switch that need access to the LAN.

This is somewhat important to know and be sure of.

What/where is the OpenWrt recipe?

Are you sure your unmanaged switch even passes VLAN tags? I'm not familiar with how tagged traffic is handled by such switches, but with OEM firmwares you pay for that kind of functionality.

Shouldn't be an issue on most modern consumer hardware even, although you would need to define the default (untagged) VLAN, which is usually VID 1.

I can remove the unmanaged switch and connect the AP directly to the router. But I also connect to the AP wirelessly from other devices that should not be on VLAN 188, e.g. the laptop (on my network schema).

I think most if not all unmanaged switches will pass the 4 extra bytes as is, but I’m sure there are some edge cases.

Yes, but if you need to define a default VLAN then it's not really coexisting, and you'd need to add that default VLAN to the br-lan bridge as well.

Especially >8 port unmanaged switches are often technically managed-switch SoCs, hard-strapped (no firmware) to an unmanaged configuration; this can lead to very surprising outcomes. A lot of unmanaged switches (especially those with a partial understanding of VLANs, such as the ones outlined above) behave really badly in the presence of multiple VLANs; some may just work, until you hit some corner case that confuses them enough to do bad things…


You want to find out what LAN port on your router your switch is connected to. It shouldn't be too hard, just take a look at the back of the router.

Google "openwrt guest network".

What about those devices connected to the switch that should not be connected to the guest network, and the WiFi devices, such as the laptop, that mustn't be on the guest network?

It has been a very long time since I used DD-WRT. Before you go too far down the path, make sure that you can set up multiple SSIDs and tie them to different VLANs. If you can't do that, you will need a different AP.

There shouldn't be any harm in just setting up the tagged VLANs on all ports of the router if he doesn't know or want to keep track of which port the switch is connected to.

I did mention that. Those other devices should ideally be tagged with another VLAN, and then that VLAN should be bridged together with br-lan. (Or you could define a primary VLAN ID for non-tagged packets; I just think it's neater to tag, but that might just be me. In either case you then have to add either a tagged VLAN or a primary VLAN ID to br-lan.)

That would complicate things even more for him, at least with DSA filtering. I tried a few times for the sake of it, but it doesn't work. I think there's a certain logic to it: the moment you VLAN-filter a bridge, it will not pass non-VLAN packets at all. At the very least you'd need to define a primary VLAN and modify br-lan accordingly.

I removed the unmanaged switch.
I connected the access point to lan3 on the OpenWrt router.
lan1, lan2 and lan4 have devices connected on the OpenWrt router which should be in the LAN.
The AP on lan3 serves a WiFi connection that is to be in the LAN as well as the guest VLAN, so both tagged and untagged traffic should co-exist.

I'm just not sure what to tick here.