Configuring a VLAN for WiFi guests

I would like to configure my OpenWrt WiFi access point with a Guest network tagged with a separate VLAN.

Right now, when I connect a client to my guest WiFi network, it does not have the guest rules or VLAN tag applied. What do I need to change in my network configuration?

I have a Linksys MX4000 V2 running OpenWRT (r26235-0d74b2a1e5).
It is connected to a Cisco Catalyst 2970 switch and then to a Firewalla firewall to the Internet.

The Firewalla is configured to provide DHCP for guests on VLAN 99 as 192.168.112.1/24 and all others on 192.168.173.1/24.

The Cisco switch has the Firewalla on port 13 (dot1q trunk) and the OpenWRT WiFi on port 3 (dot1q trunk).

Name: Gi0/3
Description: WiFi
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Name: Gi0/13
Description: Firewalla
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

root@DownstairsWiFi:~# ubus call system board
{
        "kernel": "6.6.30",
        "hostname": "DownstairsWiFi",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys MX4200v2",
        "board_name": "linksys,mx4200v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r26235-0d74b2a1e5",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt SNAPSHOT r26235-0d74b2a1e5"
        }
}

root@DownstairsWiFi:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd92:eb57:c42e::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr 'd8:ec:5e:a7:cf:0c'

config device
        option name 'lan2'
        option macaddr 'd8:ec:5e:a7:cf:0c'

config device
        option name 'lan3'
        option macaddr 'd8:ec:5e:a7:cf:0c'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config device
        option name 'wan'
        option macaddr 'd8:ec:5e:a7:cf:0c'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'guest'
        option proto 'dhcp'
        option device 'br-guest.99'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config bridge-vlan
        option device 'br-guest'
        option vlan '99'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'wan:t*'

config device
        option name 'br-guest.99'
        option type '8021q'
        option ifname 'br-guest'
        option vid '99'

root@DownstairsWiFi:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi+1'
        option channel 'auto'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi+2'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Alpha'
        option encryption 'sae-mixed'
        option key 'REDACTED'
        option ieee80211r '1'
        option ft_over_ds '0'
        option network 'lan'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Alpha-Guest'
        option encryption 'sae-mixed'
        option key 'REDACTED'
        option ieee80211r '1'
        option ft_over_ds '0'
        option isolate '1'
        option network 'guest'

config wifi-iface 'wifinet5'
        option device 'radio2'
        option mode 'ap'
        option ssid 'BRAVO'
        option encryption 'psk2'
        option key 'REDACTED'
        option ieee80211r '1'
        option ft_over_ds '0'
        option network 'lan'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet6'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Alpha'
        option encryption 'sae-mixed'
        option key 'REDACTED'
        option ieee80211r '1'
        option ft_over_ds '0'
        option network 'lan'


root@DownstairsWiFi:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@DownstairsWiFi:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

  • What VLAN ID is associated with your main lan?
    • Is it VLAN 1?
      • Is VLAN 1 untagged from the Cisco switch?
    • Is it safe to assume that this is the network used to manage the Linksys?
  • What physical port on the Linksys is used as the uplink?

There are no networks in your GUEST zone:

Yes, on the Cisco switch VLAN 1 is default.

Yes, I will manage the Linksys from VLAN 1. I would prefer if VLAN 99 be unable to manage the Linksys.

The firewall is on physical port 13 of the Cisco switch; the Linksys is on physical port 3 of the Cisco switch.

The Linksys has physical port 1 connected to the Cisco switch.

Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/4, Gi0/6
                                                Gi0/7, Gi0/8, Gi0/9, Gi0/10
                                                Gi0/11, Gi0/12, Gi0/13, Gi0/14
                                                Gi0/15, Gi0/16, Gi0/17, Gi0/18
                                                Gi0/19, Gi0/20, Gi0/21, Gi0/22
                                                Gi0/23, Gi0/24
99   guest                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Delete this:

And delete this, too:

Create a new bridge-VLAN:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'

Edit the bridge-vlan for VLAN 99 to look like this:

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:t'
        list ports 'lan3:u*'

Edit the lan interface to use br-lan.1 like this:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'dhcp'

And now edit the guest network to use br-lan.99 and make it unmanaged:

config interface 'guest'
        option proto 'none'
        option device 'br-lan.99'

Now, you should have the following:

  • port lan1: VLAN 1 untagged + PVID, VLAN 99 tagged
  • port lan2: VLAN 1 untagged + PVID
  • port lan3: VLAN 99 untagged + PVID
  • Wifi should work based on the network associations

Meanwhile, I'd recommend avoiding the use of:

  • sae-mixed encryption -- there are many devices that just don't work well with mixed mode. Use either WPA2 or WPA3, but not mixed.
  • 802.11r -- same deal that some devices don't like it. It causes more problems than it solves in many situations.
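As an added example (not code from the thread or from OpenWrt itself), here is a small Python parser for the UCI network config posted above: it prints the same per-port VLAN table that the answer lists and flags the conflict in the first config, where lan1, lan2 and lan3 were ports of both br-lan and br-guest. It assumes netifd's port suffix rules (':u' untagged, '*' PVID, ':t' or no suffix tagged) and the section names used in this thread; the function names are my own.

```python
# Added example (not from the thread): parse UCI /etc/config/network text,
# summarise which VLANs each bridge port carries, and flag config conflicts.
from collections import defaultdict

def parse_uci(text):
    """Parse UCI text into [{type, name, options, lists}] with quotes stripped."""
    sections, sec = [], None
    for parts in (line.split() for line in text.splitlines()):
        if not parts:
            continue
        val = " ".join(parts[2:]).strip("'")
        if parts[0] == "config":
            sec = {"type": parts[1], "name": val or None,
                   "options": {}, "lists": defaultdict(list)}
            sections.append(sec)
        elif parts[0] == "option":
            sec["options"][parts[1]] = val
        elif parts[0] == "list":
            sec["lists"][parts[1]].append(val)
    return sections

def vlan_membership(sections):
    """Return {bridge: {port: [(vid, untagged, pvid), ...]}} from bridge-vlan
    sections; suffixes as netifd reads them: 'u' untagged, '*' PVID, else tagged."""
    table = defaultdict(lambda: defaultdict(list))
    for s in sections:
        if s["type"] != "bridge-vlan":
            continue
        bridge, vid = s["options"]["device"], int(s["options"]["vlan"])
        for entry in s["lists"]["ports"]:
            port, _, flags = entry.partition(":")
            table[bridge][port].append((vid, "u" in flags, "*" in flags))
    return table

def find_problems(sections):
    """Flag a port listed in two bridge devices (a netdev has one master) and an
    interface on br-X.N with no bridge-vlan N on br-X (that device never appears)."""
    problems, owners = [], defaultdict(list)
    vlans = {(s["options"]["device"], s["options"]["vlan"])
             for s in sections if s["type"] == "bridge-vlan"}
    for s in sections:
        if s["type"] == "device" and s["options"].get("type") == "bridge":
            for p in s["lists"]["ports"]:
                owners[p].append(s["options"]["name"])
        elif s["type"] == "interface" and "." in s["options"].get("device", ""):
            bridge, _, vid = s["options"]["device"].rpartition(".")
            if bridge.startswith("br-") and (bridge, vid) not in vlans:
                problems.append(f"{s['name']}: {bridge}.{vid} has no bridge-vlan {vid}")
    for p, brs in owners.items():
        if len(brs) > 1:
            problems.append(f"{p} is a port of several bridges: {', '.join(brs)}")
    return problems
```

Pass the text of /etc/config/network to parse_uci and then to the two functions; an empty list from find_problems is what the corrected config from the answer should give.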

Thank you for your suggestions.

I've made the changes you recommended and reloaded the network, but I don't see any difference in behavior. Devices connected to any of the WiFi SSIDs are on the same VLAN.

root@DownstairsWiFi:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd92:eb57:c42e::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr 'd8:ec:5e:a7:cf:0c'

config device
        option name 'lan2'
        option macaddr 'd8:ec:5e:a7:cf:0c'

config device
        option name 'lan3'
        option macaddr 'd8:ec:5e:a7:cf:0c'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'dhcp'

config device
        option name 'wan'
        option macaddr 'd8:ec:5e:a7:cf:0c'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:t'
        list ports 'lan3:u*'

config interface 'guest'
        option proto 'none'
        option device 'br-lan.99'

That shouldn't be the case.

Try connecting a computer to each of the downstream ports (lan2 and lan3). You can use the same computer, of course, just connecting to one port and then the next. What we want to see is lan2 joining the VLAN 1 network, and lan3 on VLAN 99. Verify based on the IP address and expected connectivity.

If that works, so too should the wifi.

Let me know what you find.


I plugged a laptop into port 3 on the Linksys and I'm unable to get an IP address. On port 2, I get the VLAN 1 IP address.

As an experiment, I plugged the Linksys directly into my Firewalla (bypassing the Cisco switch). In this configuration, the guest network works as expected. To me this confirms I have an issue in my switch configuration.

If you have any suggestions, I'd be happy to try them, but this is an OpenWRT forum, not a Cisco IOS forum, so I will mark this issue as resolved.

Thank you for your help @psherman.

I'm glad you ran this experiment... this helped prove that the main router and the OpenWrt configs were right and revealed the real issue.

I don't speak Cisco IOS, so I can't help. You're right that it is generally out-of-scope for these forums. That said, if someone sees this and can give you some advice, hopefully that will solve that last remaining issue. Otherwise, I'd recommend trying a forum that specializes in Cisco's switching environment.