Configuring Guest Wifi via VLAN on different devices

Hi you all. I hope I am not disturbing y'all but I am too confused.

What I want to do:
I have one main router which connects to the internet. This is a fritzbox 7520 and has the standard firmware on it.
I have 4 TP-Link Archer 6 with OpenWRT 21.02.3 on it. I configured them that they would spread the wifi from the main router and I think that works fine.
What I also want is a guest wifi. I did that before but now I checked that I might have done something wrong.
The guest wifi is not created on the main router. The guest wifi is only created on the APs with OpenWRT.

The APs have their own DHCP only for the guest network. But I configured it on every AP by itself. I think that is wrong and all of them now have their own guest DHCP, not one that is working on all of them.

I read about VLANs but that is really confusing.

Is it possible to establish a guest wifi ONLY on the APs, not on the main router but keep the private wifi on the main router AND the APs AND use only one DHCP only for guest wifi?

Or is it necessary to have a main router that needs to establish the VLANS to the APs?

I will attach a picture to show what I mean.

Yes, you can (and want to) have one single guest network, and have the APs act just as APs but for both networks.

Yes, you need to use VLANs for this. On the main router, the ports where normal devices are connected, should be assigned to the main network, untagged. The ports where the APs are connected, should be assigned to both networks and tagged.

On the APs, the WAN port should also be tagged on both networks. The LAN ports can be assigned to the network of your choice, untagged.

So what u are saying is, I have to use a main router that can apply VLANs? My main router is the fritzbox 7520 and has no VLAN options I think.

I cannot establish a VLAN connection just between the APs for the guest wifi only?

And you say "on the ports where the APs are connected..." - does that mean I have to have one physical cable from the main router for everything except the APs and one cable for only the APs? That would mean I have to enroll double the cable I already have...

My next idea would be to use the as a modem and use a VLAN-able device as main router behind it... right?

Like this?

Locally routing the guests onto local networks (with its own DHCP) isn't necessarily bad. The advantage is that the rest of the network remains very simple (a single LAN). Reasons to go to central routing would be central control (you can change how the guest network works at one point, as the guest APs are "dumb") and the potential to optimize roaming of guests between APs. That's really an advantage only if the guests are truly mobile, and the APs offer overlapping radio coverage.

I do not know how to do this without VLANs, sorry.


I now have a different setup, but maybe you can help me as well.

I now have a Lancom Router that created VLAN 1 (Management), VLAN 100 (Private) and VLAN 200 (Guest).
I am now confused how to set up my TP-Link Archer C6 as an Access Point.

I thought I can configure the TP-Link to understand the different VLANs from the Lancom.

The Lancom is connected to the TP-Link over one single cable.

The Lancom acts as DHCP Server with 2 different networks: and

How do I have to configure the TP-Link that it can understand the traffic from the Lancom and that I can configure 2 different wifis on it?

The way VLANs are set up on a C6 depends on which version you have. The V2 is Atheros based and still swconfig while the V3 has entirely different chips inside-- MediaTek MT7621 which uses a DSA kernel. It is possible to do what you want with either one but if you want specific advice we need to know which one you have.

Oh thx.

Well on the backside of the device it says V2.0. Is that what you need?

And on the WebGUI I can see this:

Basically you need to create the new vlans on the switch page of Luci, then add the desired uplink and downlink ports as tagged for these vlans. Add new unmanaged interfaces for vlans 100 and 200. For vlan 1 use static or dhcp. This will be used for management of the device, therefore it needs an IP.
Assign the private and guest SSIDs to the unmanaged interfaces.


Like this?

Because it is not working :smiley: I don't get an IP via WiFi...

Since the whole point here is to bridge from wired to wireless, you will need to create bridge devices for the 100 and 200 vlans. Name them something like br-vlan100 and make it the device of the vlan100 network interfaces. This is the same as the existing br-lan bridge except the proto of the new interfaces is unmanaged. (The interface part doesn't actually do anything, but it must exist for the bridge to be instantiated.)

Before you go much further you should create a temporary "admin" network so you can log in to the router directly by wifi no matter what you do to the Ethernet. This network should have:

  • A /24 private IPv4 outside the range of any of your other networks (192.168.Y.1/24, where Y doesn't match any of your other networks)
  • a DHCP server
  • lan firewall zone
  • a separate wifi AP with encryption

Connect your PC to this AP and log in at 192.168.Y.1, and use this connection from now on until you have lan working again.

The "trunk" cable to your main router will carry the several networks on one physical link, which are split back out into separate logical networks by checking their VLAN tags. Thus in the switch you need to set all the VLANs of interest to be tagged on this cable, and the device on the other end also needs to be set to use tagged traffic with the same numbers.

The administrative (lan) network, VLAN 1, should also be tagged at both ends, and this is why I suggested setting up a separate way to log into the OpenWrt router in case this link ends up broken.


I am sorry... I fear to create that other network could be kinda irritating even more...

Could u tell me if that is right?

But it still does not work. When I try to connect via wifi with the 100.. I can see that a signal is establishing on the wireless site. But I get an alert that no IP is received.

Do I have to make settings in the "Bridge VLAN filtering" segment?

No you don't need to do bridge VLAN filtering (VLANs within a bridge), because each VLAN is a separate bridge. Inside the bridge, the packets are untagged. They get tagged at the boundary to Ethernet because of the notation eth0.100.

In your wifi config the network should be vlan100 etc. Then when you look at the bridge status you should see two ports, eth0.100 and a wlan.

DHCP addresses are going to be assigned by the main router, not OpenWrt. The trunk link and the main router itself must be properly configured. I would suggest opening an Ethernet port on the main router as untagged on the guest network then connect a laptop to that port and confirm it gets an IP address and has Internet access.

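The steps from the replies above (VLANs tagged on the trunk port, one bridge per VLAN, unmanaged interfaces, SSIDs attached to those interfaces), put together as a UCI configuration for a swconfig device on OpenWrt 21.02. This is an added example, not a config posted in the thread; the switch port numbers (0 = CPU, 1 = cable to the main router), the section names and the SSIDs are assumptions, so confirm the port numbering on the LuCI Switch page first.

```uci
# /etc/config/network (excerpt). Assumed ports: 0 = CPU (eth0), 1 = trunk to main router.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '100'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '200'
	option ports '0t 1t'

# One bridge per VLAN; the eth0.<vid> port tags frames at the Ethernet boundary.
config device
	option name 'br-vlan100'
	option type 'bridge'
	list ports 'eth0.100'

config device
	option name 'br-vlan200'
	option type 'bridge'
	list ports 'eth0.200'

# Unmanaged interfaces: no IP on the AP, DHCP is served by the main router.
config interface 'vlan100'
	option device 'br-vlan100'
	option proto 'none'

config interface 'vlan200'
	option device 'br-vlan200'
	option proto 'none'

# /etc/config/wireless (excerpt). Keep your existing mode, encryption and key options.
config wifi-iface 'wifi_private'
	option device 'radio0'
	option ssid 'Private-example'
	option network 'vlan100'

config wifi-iface 'wifi_guest'
	option device 'radio0'
	option ssid 'Guest-example'
	option network 'vlan200'
```

After reloading the network, each bridge should list two ports, the eth0.<vid> device and a wlan interface, as described in the reply above.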

Ok with a lot of help I have it now.

There is one thing I can not use so far. But this is a setting on the Lancom Router.
Have u heard of a so called Interface Tag additionally to the VLAN ID? I can set it up in the Lancom Router. The Interface Tag on all interfaces means that I can see all other networks from all networks.

When u set up different Interface Tags on the networks u cannot see the other networks from one.

But when I do this I won't get internet access on a wifi client device.

Any ideas what this could be and if there is an option to configure this in OpenWRT?