Connecting pfSense VLANs with OpenWrt

I'm struggling with a similar use case:

fiber internet <-> pfsense <-> EdgeRouterX <-> OpenWRT

(EdgeRouterX configured as a managed switch)

I've been able to define VLANs on pfsense, and I'd like to have VLANx <-> SSIDx so that I can segment my network and provide appropriate levels of service to my "customers" (wife, kids, work laptop, home lab etc.)

Matt

Have you used the ER-X (managed switch) to confirm that the VLANs are working properly from pfSense?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you @psherman for the help here's what I get:

ubus call system board:

{
        "kernel": "5.10.161",
        "hostname": "MR8300-AP",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys MR8300 (Dallas)",
        "board_name": "linksys,mr8300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}

cat /etc/config/network:

# /etc/config/network as posted BEFORE the factory reset (from the device's
# earlier life as router/firewall). The AP's own address lives on br-lan;
# pfSense (192.168.1.1) is the gateway and DNS server.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd52:b7e9:b464::/48'
        option packet_steering '1'

# br-lan bridges the CPU port eth0 with bridge VLAN filtering switched on.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option vlan_filtering '1'

# Management address of this device on the LAN.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

# swconfig-style switch definition with VLAN tagging enabled on switch0.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (vid 1), untagged on ports 0-4. Port 0 is listed twice here, which
# looks like a leftover edit — TODO confirm the intended port layout.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 0 1 2 3 4'
        option vid '1'

# VLANs 20 and 10 are tagged ('t') on CPU port 0 and switch port 4 only.
# NOTE(review): port 0 is again duplicated in both port lists.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 0t 4t'
        option vid '20'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 0t 4t'
        option vid '10'

# 'static' interface on eth1 with no ipaddr/netmask — presumably an unfinished
# IoT interface; unlikely to be usable as written. TODO confirm.
config interface 'IOT'
        option proto 'static'
        option device 'eth1'

cat /etc/config/wireless:

# /etc/config/wireless as posted BEFORE the reset: three radios, all serving
# the same 'markham' SSID on network 'lan' with WPA2/WPA3 mixed (sae-mixed)
# and 802.11r fast transition (shared mobility_domain). Keys are redacted.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option country 'US'
        option htmode 'VHT20'
        option cell_density '1'
        option txpower '20'
        option channel '124'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'markham'
        option key '*****'
        option dtim_period '3'
        option encryption 'sae-mixed'
        option ieee80211r '1'
        option mobility_domain '123f'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option band '2g'
        option channel '3'
        option country 'US'
        option txpower '28'
        option htmode 'HT20'
        option cell_density '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'markham'
        option key '*****'
        option dtim_period '3'
        option encryption 'sae-mixed'
        option ieee80211r '1'
        option mobility_domain '123f'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option txpower '20'
        option country 'US'
        option htmode 'VHT40'
        option cell_density '1'
        option channel 'auto'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'markham'
        option key '*****'
        option encryption 'sae-mixed'
        option ieee80211r '1'
        option mobility_domain '123f'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option dtim_period '3'

# NOTE(review): 'wifinet3' is an OPEN SSID (encryption 'none') and carries no
# 'option network', so it is not bound to any interface in this file. An open
# SSID has no place on a segmented network: bind it to a dedicated network and
# give it WPA2/WPA3 before reusing it. TODO confirm this section is still wanted.
config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Markham-IOT'
        option encryption 'none'

cat /etc/config/dhcp:

# /etc/config/dhcp as posted BEFORE the reset. dnsmasq serves local DNS with
# rebind protection on and forwards upstream to 1.1.1.1. DHCPv4 on 'lan' is
# disabled (ignore '1'); dhcp_option 6 would hand out 192.168.1.1 as DNS if
# the server were active. The 'config host' entries below are static leases
# and DUID mappings left over from the router role (MACs redacted).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '1.1.1.1'

# DHCP pool definition for 'lan'; 'ignore 1' turns the server off for it.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.1.1'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static lease / host entries. None of these are served while the 'lan'
# DHCP pool is ignored; pfSense is expected to hand out addresses instead.
config host
        option name 'DESKTOP-963NVP0'
        option duid '0001000128D1CB5F2CF05D411A6C'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'Thermostat'
        option ip '192.168.1.203'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'FamilyRmAppleTV'
        option ip '192.168.1.186'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'AuxPC_1'
        option ip '192.168.1.247'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'XBOXONE'
        option ip '192.168.1.170'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'homeassistant'
        option ip '192.168.1.208'
        option mac 'XX:XX:XX:XX:XX:XX'
        option duid '000487d21e2d9f1b54c779c067aed4dd58ec'

config host
        option name 'WhitePC'
        option ip '192.168.1.179'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option duid '00010001208C1183086698E1D11A'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option ip '192.168.1.112'
        option mac 'XX:XX:XX:XX:XX:XX'
        option dns '1'
        option name 'GELaptopDock'

config host
        option name 'LGwebOSTV'
        option ip '192.168.1.248'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option ip '192.168.1.154'
        option mac 'XX:XX:XX:XX:XX:XX'
        option name 'BrotherPrinter'
        option dns '1'

config host
        option ip '192.168.1.108'
        option mac 'XX:XX:XX:XX:XX:XX'
        option dns '1'
        option duid '00041e9b078dbe0465f085e0b61c8a89fef6'
        option name 'KevsRPI-LAN'

config host
        option ip '192.168.1.134'
        option mac 'XX:XX:XX:XX:XX:XX'
        option name 'GELaptopLAN'
        option dns '1'

config host
        option name 'G5QWJ4M3E'
        option ip '192.168.1.195'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'dellserver'
        option ip '192.168.1.184'
        option mac 'XX:XX:XX:XX:XX:XX'

# Local DNS record for dellserver, duplicating the host entry above.
config domain
        option name 'dellserver'
        option ip '192.168.1.184'

config host
        option name 'Playbar'
        option dns '1'
        option ip '192.168.1.197'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'Play5'
        option dns '1'
        option ip '192.168.1.217'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'Play1LS'
        option dns '1'
        option ip '192.168.1.176'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'Play1RS'
        option dns '1'
        option ip '192.168.1.207'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'markhamAP1'
        option ip '192.168.1.219'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'KevsRPI-WiFi'
        option dns '1'
        option mac 'XX:XX:XX:XX:XX:XX'
        option ip '192.168.1.109'

config host
        option name 'mmarks-iPad'
        option ip '192.168.1.105'
        option mac 'XX:XX:XX:XX:XX:XX'

config host
        option name 'kevin-desktop'
        option ip '192.168.1.125'
        option mac 'XX:XX:XX:XX:XX:XX'

cat /etc/config/firewall

# /etc/config/firewall as posted BEFORE the reset. Defaults are INPUT/OUTPUT
# ACCEPT and FORWARD REJECT, with SYN-flood protection and (hardware) flow
# offloading enabled.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# The 'wan' zone has no 'list network' attached in this dump, so the
# wan-sourced rules and the redirect further down have no interface to match
# on this device — they are leftovers from when this box was the edge router.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt wan-side allow rules (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6, IPsec) follow; they only take effect once a wan network exists.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Custom include still referenced; its contents are not shown in this dump,
# so review /etc/firewall.user separately before trusting this ruleset.
config include
        option path '/etc/firewall.user'

# MAC-based rules (src_mac redacted). NOTE(review): MAC matching is not a
# security boundary — the address is client-controlled and many clients
# randomise it — so VLAN segmentation is the sturdier control. Several of
# these rules are disabled (enabled '0').
config rule
        list src_mac 'XX:XX:XX:XX:XX:XX'
        list src_mac 'XX:XX:XX:XX:XX:XX'
        option src '*'
        option dest '*'
        option target 'REJECT'
        option name 'BlockTV'
        list proto 'all'
        option enabled '1'

config rule
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option name 'Aux_PC to Network Only'
        list src_mac 'XX:XX:XX:XX:XX:XX'
        option enabled '0'

config rule
        option name 'KevsRPI to Network Only'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list proto 'all'
        list src_mac 'XX:XX:XX:XX:XX:XX'
        list src_mac 'XX:XX:XX:XX:XX:XX'
        list src_mac 'XX:XX:XX:XX:XX:XX'

# Disabled. The dest_ip values are public resolvers while dest is 'lan', so
# the rule is unlikely to match as written — TODO confirm the intent.
config rule
        option src 'wan'
        list src_mac 'XX:XX:XX:XX:XX:XX'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '208.67.222.222'
        list dest_ip '208.67.220.220'
        list dest_ip '2620:119:53::53'
        list dest_ip '2620:119:35::35'
        option src_port '53-443'
        option name 'SchoolLaptop'
        option enabled '0'

# NOTE(review): leftover port forward of port 443 (no proto given) from 'wan'
# to 192.168.1.208 (the 'homeassistant' host in the dhcp file). Harmless only
# while this device has no wan network; it would expose Home Assistant directly
# if one were ever attached. Remove it now that pfSense is the edge.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HomeAssistant'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.208'
        option dest_port '443'

config rule
        option name 'BlackFireTablet'
        list src_mac 'XX:XX:XX:XX:XX:XX'
        option target 'DROP'
        option src 'lan'
        option dest 'wan'
        option enabled '0'

This is the device that I was using as my home router / firewall / access point before installing pfsense... so there is a lot of leftover stuff in these files that shouldn't be used in this config.

I'd recommend resetting to defaults to clear that out. Then we can add VLANs.


Thanks - is there a quick and easy way to do that from the command line?

firstboot -y && reboot

Disconnect this from your network first, since it will come up with default settings that could conflict with your existing network config. Connect by ethernet and make the initial changes to the config.


Done. I followed the Wireless Access Point / Dumb Access Point instructions and it's up on my LAN as 192.168.1.5

great... now, what is your goal for the rest of the VLANs?

  • what is the uplink port?
  • What do the other ports need to do?
  • are you connecting these VLANs with wifi?
  • Uplink can be any port on the device
  • Other ports aren't needed right now
  • Intend to tie SSIDx to VLANx for 3 or 4 VLANs

Ok... simple enough.

What are the VLAN IDs (from pfSense)?
Please post your config files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless

VLAN IDs:

  • VLAN10 IOT
  • VLAN20 Guest
  • VLAN30 Media

Network Config

root@MR8300_AP:~# cat /etc/config/network

# /etc/config/network AFTER 'firstboot -y', with only the dumb-AP changes
# applied: static 192.168.1.5 on br-lan, gateway and DNS at pfSense
# (192.168.1.1).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2a:a909:b4e6::/48'

# br-lan now bridges eth0 without bridge VLAN filtering.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# Management address of the AP on the LAN.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.5'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Default switch layout from the reset: VLAN 1 on ports 1-4 plus CPU port 0,
# VLAN 2 on port 5 plus CPU port 0, all untagged. No explicit 'vid' is set,
# so the vlan number presumably doubles as the 802.1Q VID — TODO confirm.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0'

Wireless Config

root@MR8300_AP:~# cat /etc/config/wireless

# /etc/config/wireless AFTER the reset: all three radios are 'disabled', each
# carrying the stock open (encryption 'none') 'OpenWrt' SSID bound to 'lan'.
# Keep the radios disabled until every SSID has encryption set and is bound
# to the intended network — enabling them as-is would broadcast an open SSID
# straight onto the LAN that holds the AP's management address.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '100'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

In the network file, add this.

# Suggested additions to /etc/config/network for VLAN 10 (IOT).
# VLAN 10 is tagged ('t') on switch port 1 and CPU port 0 only; port 1 is
# presumably the uplink that carries the trunk from the ER-X/pfSense — TODO
# confirm which physical port is cabled. No 'vid' option is given, so the
# vlan number is presumably used as the 802.1Q VID (10); verify with
# 'swconfig dev switch0 show' after applying.
config switch_vlan
        option device 'switch0'
        option vlan '10'
        option ports '1t 0t'

# Bridge for the IoT SSID, built on the tagged sub-interface eth0.10.
config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth0.10'

# proto 'none': the AP takes no IP address on the IoT VLAN, so IoT clients
# are bridged at layer 2 to pfSense and the AP's management address stays on
# 'lan' only. Whether IoT clients may reach 192.168.1.5 at all is then decided
# by pfSense's inter-VLAN rules. The wifi-iface bound to 'iot' still needs
# 'option encryption' set — the earlier 'Markham-IOT' SSID in this thread
# was open (encryption 'none').
config interface 'iot'
        option device 'br-iot'
        option proto 'none'

Then in wireless, add an SSID and connect it with network 'iot'.