I am sorry if this question is quite dumb, but I have been fiddling with this for a few days now.
So my setup is the following: I have a self-built router with 7 LAN and 1 WAN ports that is running OpnSense. It has multiple networks: Service, Private, Work, Guest, IoT. These are normal LANs, currently separated just by their ports.
I have set up the capability in OpnSense that all networks can be reached via one specific port using VLANs.
Now I have a Zyxel NWA50AX PRO that's running OpenWRT, and I want to set this up so I can have a WLAN for each network (excluding Service).
What I did is, I made VLANs (802.1q) with the following IDs (these are also set in OpnSense):
Service - 2
Private - 3
Work - 10
Guest - 100
IoT - 1000
and I set the parent as "br-lan" (the default bridge). Then I went to the bridge and activated VLAN Filtering. I want the Admin GUI only to be accessible via Service (VLAN 2) and only via Ethernet (so vlan2 has no WLAN assigned), so I set this as untagged and primary, every other ID I added as Tagged.
When applying this configuration, I cannot access the admin UI and I cannot use any WLAN (that has the corresponding VLAN device), since it seems not to be able to communicate with OpnSense.
I am fairly new to VLANs and I think my error is somewhere in the tagged/untagged section.
Any help or document is much appreciated! Thank you!
P.S.: The VLAN Config on OpnSense is confirmed working with a Managed Switch I quickly configured and hooked up!
Okay, I seem not to be able to do this. I got info from the guide above and from the forums and came up with this config (Note: the LAN network is just for backup so I retain access):
```
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Zyxel NWA50AX Pro",
	"board_name": "zyxel,nwa50ax-pro",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda7:e163:85cc::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '2'
	option name 'eth0.2'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option name 'eth0.3'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option name 'eth0.10'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '100'
	option name 'eth0.100'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '1000'
	option name 'eth0.1000'

config device
	option type 'bridge'
	option name 'br-service'
	list ports 'eth0.2'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-private'
	list ports 'eth0.3'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-work'
	list ports 'eth0.10'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.100'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.1000'
	option bridge_empty '1'

config interface 'service'
	option proto 'static'
	option device 'br-service'
	option ipaddr '10.0.0.3'
	option netmask '255.255.255.0'
	option gateway '10.0.0.1'

config interface 'private'
	option proto 'none'
	option device 'br-private'

config interface 'work'
	option proto 'none'
	option device 'br-work'

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

config interface 'guest'
	option proto 'none'
	option device 'br-guest'

config bridge-vlan
	option device 'br-guest'
	option vlan '1000'
	list ports 'eth0.1000:u*'

config bridge-vlan
	option device 'br-iot'
	option vlan '100'
	list ports 'eth0.100:t*'

config bridge-vlan
	option device 'br-private'
	option vlan '3'
	list ports 'eth0.3:t*'

config bridge-vlan
	option device 'br-service'
	option vlan '2'
	list ports 'eth0.2:t*'

config bridge-vlan
	option device 'br-work'
	option vlan '10'
	list ports 'eth0.10:t*'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Dingens'
	option encryption 'sae-mixed'
	option key 'BlubberBla'
	option ocv '0'
	option network 'service'
```
I would really appreciate it if someone could point out my errors. The password is only temporary, as I wanted to test: when I connect to the "Dingens" WiFi and try to access the admin interface via 10.0.0.3, it fails. Wireshark says that ARP requests are not answered.
Okay, I see the above may have been horribly wrong. After reading the docs about DSA, I did the following (cannot post the config, because I have no access to the AP after doing so):
Create vlan 2 with br-lan as parent
Create vlan 2 with br-lan as parent
Set br-lan to VLAN filtering, adding VLANs 2 and 3 as tagged on port eth0
Create the network "service" with device br-lan.2
Create the network "private" with device br-lan.3
Create WiFi with network "service"
Create WiFi with network "private"
Assigning IP "10.0.0.3" to br-lan.2
Applying
Then I connect to the service WiFi and try to reach 10.0.0.3, with no success.
There's a lot wrong in your config... I'd recommend resetting it to defaults since that's the fastest way to clean everything up. Post that default config and we'll help you get it working.
I would like to have VLAN 2 and 3; VLAN 2 should have IP 10.0.0.3 and the admin interface should be reachable there. The admin interface does not have to be reachable on VLAN 3 (which will be in the network 10.0.10.0/24; DHCP is on OpnSense, so the AP does not necessarily need an IP there, but if it does have one, it would be 10.0.10.2). Once I see how that's done, I am sure to understand it and be able to configure the rest myself.
I've used exactly what you wrote. I did not yet create the WiFi; I plugged in the switch after rebooting to the server and it does not answer. I made a packet capture: the packet sent to the AP is definitively tagged and I see the 802.1Q frame with VLAN tag 2 going to the switch, but I never get an answer from it (I get TCP retransmissions trying to reach the router).
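Two things in the posted /etc/config/network are worth checking mechanically before touching the AP again: the guest/iot bridges are attached to each other's 8021q subinterface (eth0.100 under br-iot and eth0.1000 under br-guest, the reverse of the VLAN table in the first post), and every bridge-vlan stanza is applied to a bridge whose only member is already a VLAN subinterface, so the bridge stacks its own tagging on top of an eth0.N device. The script below is an added example, not code from the thread or from OpenWrt: a small UCI parser plus a linter that flags both patterns, run over a trimmed excerpt of the posted config and over a constructed, assumed-working DSA layout (one VLAN-filtered br-lan, each VLAN tagged on the trunk port eth0, interfaces bound to br-lan.<vid>). The INTENDED table is the mapping stated in the opening post; the CORRECTED text is an assumption about a working layout, not something the thread confirms.

```python
import re
from collections import defaultdict

INTENDED = {"service": 2, "private": 3, "work": 10, "guest": 100, "iot": 1000}

# Excerpt of the config posted in the thread, trimmed to the guest/iot stanzas.
POSTED = """
config device
	option type '8021q'
	option vid '100'
	option name 'eth0.100'
config device
	option type '8021q'
	option vid '1000'
	option name 'eth0.1000'
config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.100'
config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.1000'
config interface 'iot'
	option device 'br-iot'
config interface 'guest'
	option device 'br-guest'
config bridge-vlan
	option device 'br-guest'
	option vlan '1000'
	list ports 'eth0.1000:u*'
"""

# Assumed working layout (constructed, not from the thread): one VLAN-filtered
# bridge, each VLAN tagged on trunk port eth0, interfaces bound to br-lan.<vid>.
CORRECTED = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option vlan_filtering '1'
config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'eth0:t'
config bridge-vlan
	option device 'br-lan'
	option vlan '1000'
	list ports 'eth0:t'
config interface 'guest'
	option device 'br-lan.100'
config interface 'iot'
	option device 'br-lan.1000'
"""

def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'opt': {...}, 'lst': {...}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = [p.strip("'\"") for p in raw.split(None, 2)]
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "opt": {}, "lst": defaultdict(list)}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["opt"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur["lst"][parts[1]].append(parts[2] if len(parts) > 2 else "")
    return sections

def effective_vid(dev, bridges, q_devs):
    """VLAN ID a device sits on (first member port for a bridge); None if untagged."""
    if dev in bridges:
        return effective_vid(bridges[dev][0], bridges, q_devs) if bridges[dev] else None
    if dev in q_devs:                       # 8021q subinterface, e.g. eth0.100
        return q_devs[dev]
    m = re.fullmatch(r".+\.(\d+)", dev)     # bridge VLAN device, e.g. br-lan.100
    return int(m.group(1)) if m else None

def lint(text, intended):
    """Return human-readable findings; an empty list means the layout matches."""
    secs = parse_uci(text)
    q_devs = {s["opt"]["name"]: int(s["opt"]["vid"]) for s in secs
              if s["type"] == "device" and s["opt"].get("type") == "8021q"}
    bridges = {s["opt"]["name"]: s["lst"]["ports"] for s in secs
               if s["type"] == "device" and s["opt"].get("type") == "bridge"}
    findings = []
    for s in secs:
        if s["type"] == "bridge-vlan":
            for base in (p.split(":")[0] for p in s["lst"]["ports"]):
                if base in q_devs:  # bridge tagging stacked on a VLAN subinterface
                    findings.append(f"{s['opt']['device']}: bridge-vlan {s['opt']['vlan']} "
                                    f"on {base}, which already carries VID {q_devs[base]}")
        elif s["type"] == "interface" and s["name"] in intended:
            vid = effective_vid(s["opt"].get("device", ""), bridges, q_devs)
            if vid != intended[s["name"]]:
                findings.append(f"{s['name']}: on VLAN {vid}, intended {intended[s['name']]}")
    return findings
```

Running `lint(POSTED, INTENDED)` reports the iot/guest swap and the bridge-vlan stacked on eth0.1000, while `lint(CORRECTED, INTENDED)` returns an empty list. The same check can be pointed at the full posted config by pasting it into POSTED; the parser only understands the `config`/`option`/`list` keywords, which is all /etc/config/network uses.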