Configuring two different networks for 2 separate SSID

drklrathi · December 28, 2024, 1:32pm

I was trying to configure two different networks for 2 separate SSID, below is configuration, but SSID fails to connect, what I am doing wrong?
Need help to fix this.

Router D link=DIR-853 A3
Receiving WAN from another AP.

WIFI Configuration (/etc/config/wireless)

config wifi-iface
    option device 'radio0'
    option network 'vlan1'
    option mode 'ap'
    option ssid 'SSID1'
    option encryption 'psk2'
    option key 'pass11'


config wifi-iface
    option device 'radio1'
    option network 'vlan2'
    option mode 'ap'
    option ssid 'SSID2'
    option encryption 'psk2'
    option key 'pass12'



VLAN configuration (/etc/config/network)

config interface 'vlan1'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.11.1'
    option netmask '255.255.255.0'

config interface 'vlan2'
    option ifname 'eth0.2'
    option proto 'static'
    option ipaddr '192.168.12.1'
    option netmask '255.255.255.0'

config switch 'eth0'
    option name 'switch0'      
    option reset '1'            
    option enable_vlan '1' 

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 1t'
    option vid '1'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 1t'
    option vid '2'





firewall configuration (/etc/config/firewall)

config zone
    option name 'vlan1'
    option network 'vlan1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'vlan2'
    option network 'vlan2'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'block_vlan1_to_vlan2'
    option src 'vlan1'
    option dest 'vlan2'
    option target 'REJECT'
    option enabled '1'

config rule
    option name 'block_vlan2_to_vlan1'
    option src 'vlan2'
    option dest 'vlan1'
    option target 'REJECT'
    option enabled '1'

config rule
    option name 'allow_vlan1_to_wan'
    option src 'vlan1'
    option dest 'wan'
    option target 'ACCEPT'
    option enabled '1'

config rule
    option name 'allow_vlan2_to_wan'
    option src 'vlan2'
    option dest 'wan'
    option target 'ACCEPT'
    option enabled '1'


DHCP Configuration

config dhcp 'vlan1'
    option interface 'vlan1'
    option start '100'
    option limit '150'
    option leasetime '12h'

config dhcp 'vlan2'
    option interface 'vlan2'
    option start '100'
    option limit '150'
    option leasetime '12h'

Log shows as below:

daemon.notice netifd: Wireless device 'radio0' is now up
daemon.info dnsmasq[1]: read /etc/hosts - 12 names
daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 8 names
daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 4 names
daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
daemon.warn odhcpd[1605]: A default route is present but there is no public prefix on lan thus we don't announce a default route by overriding ra_lifetime!
daemon.info hostapd: phy0-ap0: STA 42:da:c2:fe:73:52 IEEE 802.11: authenticated
daemon.info hostapd: phy0-ap0: STA 42:da:c2:fe:73:52 IEEE 802.11: associated (aid 1)
daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED 42:da:c2:fe:73:52 auth_alg=open
daemon.notice hostapd: phy0-ap0: AP-STA-DISCONNECTED 42:da:c2:fe:73:52

logread | grep -i vlan
kern.info kernel: [    3.155836] 8021q: 802.1Q VLAN Support v1.8
user.notice : Added device handler type: macvlan
daemon.notice netifd: Interface 'vlan1' is enabled
daemon.notice netifd: Interface 'vlan1' is setting up now
daemon.notice netifd: Interface 'vlan1' is now up
daemon.notice netifd: Interface 'vlan2' is enabled
daemon.notice netifd: Interface 'vlan2' is setting up now
daemon.notice netifd: Interface 'vlan2' is now up
daemon.notice netifd: VLAN 'eth0.1' link is up
daemon.notice netifd: Interface 'vlan1' has link connectivity
daemon.notice netifd: VLAN 'eth0.2' link is up
daemon.notice netifd: Interface 'vlan2' has link connectivity
user.notice firewall: Reloading firewall due to ifup of vlan1 (eth0.1)
user.notice firewall: Reloading firewall due to ifup of vlan2 (eth0.2)

grep -i vlan
8021q: 802.1Q VLAN Support v1.8



root@OpenWrt:~# ifconfig eth0.1
eth0.1    Link encap:Ethernet  HWaddr EC:AD:E0:DB:8F:A6
          inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
          inet6 addr: fe80::eead:e0ff:fedb:8fa6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1308 (1.2 KiB)

root@OpenWrt:~# ifconfig eth0.2
eth0.2    Link encap:Ethernet  HWaddr EC:AD:E0:DB:8F:A6
          inet addr:192.168.12.1  Bcast:192.168.12.255  Mask:255.255.255.0
          inet6 addr: fe80::eead:e0ff:fedb:8fa6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1198 (1.1 KiB)

logread | grep firewall
user.notice ucitrack: Setting up /etc/config/luci-splash reload dependency on /etc/config/firewall
user.notice ucitrack: Setting up /etc/config/qos reload dependency on /etc/config/firewall
user.notice ucitrack: Setting up /etc/config/miniupnpd reload dependency on /etc/config/firewall
user.notice firewall: Reloading firewall due to ifup of lan (br-lan)
user.notice firewall: Reloading firewall due to ifup of vlan1 (eth0.1)
user.notice firewall: Reloading firewall due to ifup of vlan2 (eth0.2)
user.notice firewall: Reloading firewall due to ifup of wan (wan)
user.notice firewall: Reloading firewall due to ifup of wan6 (wan)
user.notice firewall: Reloading firewall due to ifupdate of wan6 (wan)

psherman · December 28, 2024, 5:33pm

Can you please clarify this?

How is the upstream network physically connected (Ethernet or WiFi, if Ethernet to which physical port)?
I don't see any wan interfaces -- what subnet is the upstream network? Is it VLAN 1, VLAN 2, or something else?
what version of OpenWrt are you using (things look quite strange) -- please post the output of ubus call system board

drklrathi · December 28, 2024, 6:43pm

I am sharing things according to my minimal knowledge, may not answering correctly to your questions. I tried myself to go through multiple posts and figured out this configuration. If there is well defined tutorial already existing kindly direct me to that.

Upstream network physically connected via WAN port
wan interfaces : screen shot attached
version of OpenWrt:23.05.5 r24106

ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link DIR-853 A3",
        "board_name": "dlink,dir-853-a3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

psherman · December 28, 2024, 7:12pm

Whatever is happening on your device is very wrong in terms of syntax and there are also massive amounts of missing configuration code.

Please reset the device to defaults and post the resulting configuration. That should fix the primary issues.

drklrathi · December 29, 2024, 5:23am

Router reset to default.
Disconnected WAN.
Log pasted.

logread | grep network

Mon Sep 23 12:35:04 2024 user.notice ucitrack: Setting up /etc/config/dhcp reload dependency on /etc/config/network
Mon Sep 23 12:35:04 2024 user.notice ucitrack: Setting up /etc/config/network reload dependency on /etc/config/wireless
Mon Sep 23 12:35:12 2024 daemon.info dnsmasq-dhcp[1]: DHCPNAK(br-lan) 192.168.10.101 40:a8:f0:50:c3:4e wrong network
Sun Dec 29 04:19:09 2024 daemon.notice netifd: wan6 (2567): Command failed: ubus call network.interface notify_proto { "action": 0, "link-up": false, "keep": false, "interface": "wan6" } (Permission denied)
Sun Dec 29 04:19:09 2024 daemon.notice netifd: wan (2568): Command failed: ubus call network.interface notify_proto { "action": 0, "link-up": false, "keep": false, "interface": "wan" } (Permission denied)

grep | wireless
Mon Sep 23 12:35:04 2024 user.notice ucitrack: Setting up /etc/config/network reload dependency on /etc/config/wireless

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0+1'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'


cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd75:c111:463d::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'


 ifconfig
br-lan    Link encap:Ethernet  HWaddr EC:AD:E0:DB:8F:A6
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd75:c111:463d::1/60 Scope:Global
          inet6 addr: fe80::eead:e0ff:fedb:8fa6/64 Scope:Link
          inet6 addr: fda4:b6e4:3b2c:4::1/62 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:71854 errors:0 dropped:1594 overruns:0 frame:0
          TX packets:60273 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4587155 (4.3 MiB)  TX bytes:4760197 (4.5 MiB)

eth0      Link encap:Ethernet  HWaddr EC:AD:E0:DB:8F:A6
          inet6 addr: fe80::eead:e0ff:fedb:8fa6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:72679 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5936389 (5.6 MiB)  TX bytes:5332056 (5.0 MiB)
          Interrupt:21

lan1      Link encap:Ethernet  HWaddr EC:AD:E0:DB:8F:A6
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan2      Link encap:Ethernet  HWaddr EC:AD:E0:DB:8F:A6
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:72679 errors:0 dropped:6 overruns:0 frame:0
          TX packets:60273 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4628167 (4.4 MiB)  TX bytes:4760197 (4.5 MiB)

lan3      Link encap:Ethernet  HWaddr EC:AD:E0:DB:8F:A6
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan4      Link encap:Ethernet  HWaddr EC:AD:E0:DB:8F:A6
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:539 errors:0 dropped:0 overruns:0 frame:0
          TX packets:539 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:42816 (41.8 KiB)  TX bytes:42816 (41.8 KiB)

wan       Link encap:Ethernet  HWaddr EC:AD:E0:DB:8F:A9
          inet6 addr: fe80::eead:e0ff:fedb:8fa9/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:256 errors:0 dropped:3 overruns:0 frame:0
          TX packets:162 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:71844 (70.1 KiB)  TX bytes:50372 (49.1 KiB)
          Interrupt:21

iw dev
phy#1
        Interface wlan1
                ifindex 9
                wdev 0x100000001
                addr 00:0c:43:28:05:90
                type managed
                txpower 3.00 dBm
                multicast TXQ:
                        qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes        tx-packets
                        0       0       0       0       0       0       0       0               0
phy#0
        Interface wlan0
                ifindex 8
                wdev 0x1
                addr 00:0c:43:28:05:90
                type managed
                txpower 3.00 dBm
                multicast TXQ:
                        qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes        tx-packets
                        0       0       0       0       0       0       0       0

logread | grep firewall
Mon Sep 23 12:35:04 2024 user.notice ucitrack: Setting up /etc/config/luci-splas                                                                                                             h reload dependency on /etc/config/firewall
Mon Sep 23 12:35:04 2024 user.notice ucitrack: Setting up /etc/config/qos reload                                                                                                              dependency on /etc/config/firewall
Mon Sep 23 12:35:04 2024 user.notice ucitrack: Setting up /etc/config/miniupnpd                                                                                                              reload dependency on /etc/config/firewall
Mon Sep 23 12:35:06 2024 user.notice firewall: Reloading firewall due to ifup of                                                                                                              lan (br-lan)
Mon Sep 23 12:35:27 2024 user.notice firewall: Reloading firewall due to ifup of                                                                                                              wan (wan)
Mon Sep 23 12:35:37 2024 user.notice firewall: Reloading firewall due to ifup of                                                                                                              wan6 (wan)
Sun Dec 29 05:15:21 2024 user.notice firewall: Reloading firewall due to ifup of                                                                                                              wan (wan)
Sun Dec 29 05:15:45 2024 user.notice firewall: Reloading firewall due to ifup of                                                                                                              wan6 (wan)

psherman · December 29, 2024, 5:59am

Ok... this looks so much better. The old config was entirely invalid. Now we have a baseline that will work.

Time for some followup questions:

does the upstream router already have VLANs defined?
If not, is it capable of having multiple networks and VLANs?
(if the upstream router runs OpenWrt, the answer is yes for the capabilities and that's where we should actually start; other router vendors/firmware may or may not have VLAN support -- many do, many don't)
If it doesn't have any VLAN functionality available, does the main router support static routes?
You mentioned 2 neworks/SSIDs... is one of them the same as the upstream network (i.e. just a bridged AP)? Or is the intent to have 2 networks that are separate from the upstream (thus making a total of 3 in the equation -- an upstream + 2 downstream)?

drklrathi · December 29, 2024, 7:05am

At present Upstream (D-Link DIR-853 A3) router with PPPoE connection and serving as AP running openwrt.

I am not sure about routing option.
But I can see this option in upstream router.

3 different SSID with 3 different networks.
1st for the kids with banIP
2nd for others, handling adgurad, SQM/Bufferbloat, SAMBA, DNS-Cloudflare etc
3rd one, unfiltered (IPTV, news and other stuff)

if router need to be changed, I have an additional Linksys AC3200.

psherman · December 29, 2024, 7:15am

Since you have the main router running openwrt, all three networks should originate there. The other device will be a bridged AP, no routing needed.

Let’s start by checking the config of the main router. Same files as last time, please.

drklrathi · December 29, 2024, 7:34am

logread | grep network
Sat Dec 28 09:26:11 2024 user.notice ucitrack: Setting up /etc/config/dhcp reload dependency on /etc/config/network
Sat Dec 28 09:26:11 2024 user.notice ucitrack: Setting up /etc/config/network reload dependency on /etc/config/wireless

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0+1'
        option band '5g'
        option country 'US'
        option htmode 'VHT80'
        option channel '48'
        option cell_density '0'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID'
        option encryption 'psk2'
        option key '--------'
        option dtim_period '3'

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda4:b6e4:3b2c::/41'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option stp '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username '-----------'
        option password '------------'
        option ipv6 'auto'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

 grep firewall
Sat Dec 28 09:26:12 2024 user.notice ucitrack: Setting up /etc/config/luci-splash reload dependency on /etc/config/firewall
Sat Dec 28 09:26:12 2024 user.notice ucitrack: Setting up /etc/config/qos reload dependency on /etc/config/firewall
Sat Dec 28 09:26:12 2024 user.notice ucitrack: Setting up /etc/config/miniupnpd reload dependency on /etc/config/firewall
Sat Dec 28 09:26:13 2024 user.notice firewall: Reloading firewall due to ifup of lan (br-lan)
Sat Dec 28 09:26:18 2024 user.notice firewall: Reloading firewall due to ifup of wan (pppoe-wan)
Sat Dec 28 09:26:24 2024 user.notice firewall: Reloading firewall due to ifup of wan_6 (pppoe-wan)

 iw dev
phy#1
        Interface wlan1
                ifindex 9
                wdev 0x100000001
                addr 
                type managed
                txpower 3.00 dBm
                multicast TXQ:
                        qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes        tx-packets
                        0       0       0       0       0       0       0       0               0
phy#0
        Interface wlan0
                ifindex 8
                wdev 0x1
                addr 
                type managed
                txpower 3.00 dBm
                multicast TXQ:
                        qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes        tx-packets
                        0       0       0       0       0       0       0       0               0

 ifconfig
br-lan    Link encap:Ethernet  HWaddr 0C:0E:76:F9------
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fda4:b6e4:3b2c::1/60 Scope:Global
          inet6 addr: 2001:8f8:1------------------ Scope:Global
          inet6 addr: fe80::e0e:76ff:--------------- Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:227902 errors:0 dropped:364 overruns:0 frame:0
          TX packets:640328 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:25055033 (23.8 MiB)  TX bytes:888424414 (847.2 MiB)

eth0      Link encap:Ethernet  HWaddr 0C:0E:----------
          inet6 addr: fe80::e0e:------------------------------Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:230557 errors:0 dropped:0 overruns:0 frame:0
          TX packets:646030 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29360708 (28.0 MiB)  TX bytes:893982333 (852.5 MiB)
          Interrupt:21

lan1      Link encap:Ethernet  HWaddr 0C:0E:----------------------
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9169 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10526 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2941469 (2.8 MiB)  TX bytes:6690642 (6.3 MiB)

lan2      Link encap:Ethernet  HWaddr 0C:0E:-----------------
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9534 errors:0 dropped:5 overruns:0 frame:0
          TX packets:10897 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2690386 (2.5 MiB)  TX bytes:3747733 (3.5 MiB)

lan3      Link encap:Ethernet  HWaddr 0C:0E:--------------------
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:211854 errors:0 dropped:0 overruns:0 frame:0
          TX packets:624442 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:19578827 (18.6 MiB)  TX bytes:878299569 (837.6 MiB)

lan4      Link encap:Ethernet  HWaddr 0C:0E:--------------------
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:870 errors:0 dropped:0 overruns:0 frame:0
          TX packets:870 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:123705 (120.8 KiB)  TX bytes:123705 (120.8 KiB)

pppoe-wan Link encap:Point-to-Point Protocol
          inet addr:94.59.120.147  P-t-P:94.59.120.1  Mask:255.255.255.255
          inet6 addr: 2001:8f8:1668:2288:7d9b:--------------------- Scope:Global
          inet6 addr: fe80::7d9b:2a82----------------------- Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:640929 errors:0 dropped:0 overruns:0 frame:0
          TX packets:224980 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:883326343 (842.4 MiB)  TX bytes:23760915 (22.6 MiB)

wan       Link encap:Ethernet  HWaddr 0C:0E:76----------
          inet6 addr: fe80::----------------------------------- Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:641091 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:897447121 (855.8 MiB)  TX bytes:29622166 (28.2 MiB)
          Interrupt:21

drklrathi · December 29, 2024, 7:35am

Hope it is safe to paste everything here.
I am using TP-link powerline adopter as extender, which cloned SSID form upstream router, so it might show in log as disabled.

drklrathi · December 30, 2024, 5:58am

any update?

psherman · December 30, 2024, 6:43am

Sorry for the delay.

What physical port connects from the main router over to the AP? This is the one that will need to be configured as a trunk to carry all the VLANs.

Do you want the other ports to be your normal lan, or would you like to have those ports setup for use with the other networks, too? (for example, you could do 1 trunk port, and then setup 1 port per network for the other 3 ports).

Meanwhile, you can start with the process of adding the new networks... Follow the guest wifi recipe, but skip over the part that makes the wifi SSIDs -- we don't need that yet. The process will have you setup a guest network that is isolated from the main network by means of the firewall. If you want to limit access to the router and to the other networks, follow that section. If not, just add the new networks to the lan firewall zone.

Once you're done with that, post your updated network config file and I'll show you how to make the modifications to make it into VLANs.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

drklrathi · December 30, 2024, 6:58am

This is how my setup is.
Gateway>>Dlink router/AP (Don't want to keep 3rd device, if possible)
LAN ports are for TV, desktop and powerline adopter, if those can be kept, will be better. (But I love to learn, how to assign ports to another network)

psherman · December 30, 2024, 7:00am

It does occur to me that we may have issues with the power line adapter.... not all of these devices will support VLANs. But we'll give it a shot and see what happens.

drklrathi · December 30, 2024, 7:54am


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdec:ee5c:2e9b::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username '--------'
	option password '---------'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

theMan · January 2, 2025, 7:50am

This router is DSA based and I fail to see the need to run vlans here. You just need to create separate interfaces (networks) and attach the respective lan[1-4] ports and ssids to the right interfaces.

drklrathi · January 2, 2025, 8:07am

I was managed to do that without VLAN but facing difficulty to bind Ad Guard with one SSID, ban-IP with second SSID and keeping 3rd one free to fly.

mater1984 · January 3, 2025, 8:42am

I had a few months ago nearly the same opinion with 3 seperate networks (SSID)s one for my Smarthome, one for my work/parents network and one for the childs.
I used the following config and it is working well with VLANs

root@WR1300v3:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd9f:f265:6dcf::/48'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        list dns '192.168.2.1'
        list dns '8.8.8.8'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'phy1-ap0'

config interface 'Management'
        option proto 'static'
        option device 'lan1'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'test'
        option bridge_empty '1'
        option ipv6 '0'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'test'
        option vlan '128'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'

config interface 'kinder'
        option proto 'static'
        option device 'test.140'
        option ipaddr '192.168.140.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'test'
        option vlan '140'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'

config device
        option name 'lan1'

config bridge-vlan
        option device 'test'
        option vlan '150'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'

config interface 'Smarthome'
        option proto 'static'
        option device 'test.150'
        option ipaddr '192.168.150.1'
        option netmask '255.255.255.0'
        list dns '192.168.2.1'

config bridge-vlan
        option device 'test'
        option vlan '130'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:t'

config bridge-vlan
        option device 'test'
        option vlan '10'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config interface 'Eltern'
        option proto 'static'
        option device 'test.128'
        option ipaddr '192.168.128.1'
        option netmask '255.255.255.0'

config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option gateway '192.168.2.1'

config interface 'Mgmt'
        option proto 'static'
        option device 'test.130'
        option ipaddr '192.168.130.1'
        option netmask '255.255.255.0'

My wireless config is

root@WR1300v3:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel 'auto'
        option band '2g'
        option htmode 'HT20'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Froschi'
        option encryption 'psk2+ccmp'
        option key
        option dtim_period '1'
        option ieee80211k '1'
        option disassoc_low_ack '0'
        option ieee80211r '1'
        option ft_over_ds '0'
        option reassociation_deadline '20000'
        option bss_transition '1'
        option mobility_domain 'b2d7'
        option wnm_sleep_mode '1'
        option ft_psk_generate_local '1'
        option network 'Eltern'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '5g'
        option htmode 'VHT80'
        option country 'DE'
        option cell_density '0'
        option channel '36'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Froschi'
        option encryption 'psk2+ccmp'
        option key 
        option dtim_period '3'
        option ieee80211k '1'
        option disassoc_low_ack '0'
        option ieee80211r '1'
        option ft_over_ds '0'
        option reassociation_deadline '20000'
        option bss_transition '1'
        option mobility_domain 'b2d7'
        option wnm_sleep_mode '1'
        option ft_psk_generate_local '1'
        option network 'Eltern'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'ALBsmart'
        option encryption 'psk-mixed'
        option key 
        option network 'Smarthome'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'ALBkinder'
        option encryption 'psk2'
        option key 
        option network 'test kinder'

For better view in LUCI it looks like this

I configured my FRitz!Box only for PPPOE Connection.
Defined 3 VLANs and added them to OpenWRT Router.
If you can not use VLANs with your PowerLine Adapter I think you can buy new one with VLAN or you must use static routes. (I think VLAN is more secure and you have seperate networks per SSID. Also you can add every port to a seperate VLAN. I.e. in my opinion I added my Playstation via a Switch only to Smarthome network. So it is totally isolated from parents network.

drklrathi · January 3, 2025, 8:55am

Thanks for adding help, definitely I will try this.
But still the half problem will be solved.
No rescue for binding Ad Guard with one SSID, ban-IP with second SSID and keeping unbound 3rd one.

psherman · January 4, 2025, 6:58am

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!