Create separate VLAN for surveillance cameras

I'm trying to configure my router to separate my surveillance cameras from the rest of the network.

I would like cameras to be able to access internet, but not any devices on the local network, except for NVR which has a static address 192.168.1.32.

Cameras currently have static ip address in a range 192.168.1.41-49.

I'm struggling to make it work and hope to get some pointers in the right direction.

Below is my configuration:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxx:xxx:xxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'

config interface 'wan_eth'
	option proto 'dhcp'
	option device 'lan1'
	option metric '10'

config interface 'wan_lte'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option auth 'none'
	option pdptype 'ipv4'
	option metric '20'

config interface 'lan'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config device
	option name 'wwan0'

You need to create a separate network, have a look at the guest wifi tutorial. Then add access to the NVR, or put it in the same network as the cameras.

How can I configure a separate network to exclusively serve my cameras?
My router is connected to a switch, which assigns a VLAN tag with an ID of 40 to the ports connected to the cameras. So I need to configure OpenWRT to separate camera-VLAN packets from all other packets.

We should start with what target you have and your entire configuration.

Are you more comfortable using uci, editing the configuration files or using luci?

The short of it I see is as follows:

  • you want to use vlans on your wired network
  • you want both networks to route to the internet but not to each other (You need to know how to set up the firewall configuration for the new 'network' you create)
  • you need a specific IP range for your security cameras

Is there a switch I'm not seeing? Or are all devices plugged into your current router? Or does the NVR also act as a switch?

Please give a block diagram of your network.
Also please call at least ubus call system board and uci show (redacting PII) so we can figure out what we're working with here.

Thanks for your reply.

I usually use Luci, but have no problems editing configuration files, if that is required.

Yes, your points are correct. And there is a switch connected to my router. My router has only one LAN port, so I connected it to a switch and assigned VLAN tags to some of the switch ports.

Here I tried to draw my network diagram.

And here are the outputs from the terminal:

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.58",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Zyxel LTE5398-M904",
	"board_name": "zyxel,lte5398-m904",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"description": "OpenWrt SNAPSHOT",
		"revision": "r27935-bcd95cb9c4",
		"target": "ramips/mt7621",
		"builddate": "1730120512"
	}
}
root@OpenWrt:~# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].interface='lan'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.ra='server'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.lan.dns_service='0'
dhcp.lan.force='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@host[0]=host
dhcp.@host[0].name='nginx'
dhcp.@host[0].Mac='XXXXXX'
dhcp.@host[0].ip='XXXXXX'
dhcp.@host[1]=host
dhcp.@host[1].name='hassio'
dhcp.@host[1].Mac='XXXXXX'
dhcp.@host[1].ip='XXXXXX'
dhcp.@host[2]=host
dhcp.@host[2].name='Proxmox'
dhcp.@host[2].Mac='XXXXXX'
dhcp.@host[2].ip='XXXXXX'
dhcp.@host[3]=host
dhcp.@host[3].name='pfSense'
dhcp.@host[3].Mac='XXXXXX'
dhcp.@host[3].ip='XXXXXX'
dhcp.@host[4]=host
dhcp.@host[4].name='garden.cam'
dhcp.@host[4].ip='XXXXXX'
dhcp.@host[4].Mac='XXXXXX'
dhcp.@host[5]=host
dhcp.@host[5].name='front.cam'
dhcp.@host[5].Mac='XXXXXX'
dhcp.@host[5].ip='XXXXXX'
dhcp.Arlo=dnsmasq
dhcp.Arlo.rebind_protection='0'
dhcp.Arlo.localservice='0'
dhcp.Arlo.interface='arlo'
dhcp.arlo=dhcp
dhcp.arlo.interface='arlo'
dhcp.arlo.start='100'
dhcp.arlo.limit='150'
dhcp.arlo.leasetime='12h'
dhcp.@host[6]=host
dhcp.@host[6].name='entrance.cam'
dhcp.@host[6].Mac='XXXXXX'
dhcp.@host[6].ip='XXXXXX'
dhcp.@host[7]=host
dhcp.@host[7].name='openvpn'
dhcp.@host[7].ip='XXXXX'
dhcp.@host[7].Mac='XXXXXXXX'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].Port='22'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wan_eth' 'wan_lte'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='HTTPS to Nginx'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='443'
firewall.@redirect[0].dest_ip='XXXXXX'
firewall.@redirect[0].dest_port='443'
firewall.@zone[2]=zone
firewall.@zone[2].name='arlo'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].network='arlo'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='arlo'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='arlo'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='arlo'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='HTTP to Nginx'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest_ip='XXXXX'
firewall.@redirect[1].dest_port='80'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='OVPN to ProxMox'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='1194'
firewall.@redirect[2].dest_ip='XXXXXX'
firewall.@redirect[2].dest_port='1194'
firewall.@redirect[2].proto='tcp' 'udp'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].name='Arlo Server'
firewall.@redirect[3].family='ipv4'
firewall.@redirect[3].src='arlo'
firewall.@redirect[3].src_dport='4000'
firewall.@redirect[3].dest_ip='XXXXXX'
firewall.@redirect[3].dest_port='4000'
firewall.@rule[9]=rule
firewall.@rule[9].name='Profiles'
firewall.@rule[9].src='lan'
firewall.@rule[9].dest='wan'
firewall.@rule[9].dest_ip='XXXXXXXXX'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@rule[10]=rule
firewall.@rule[10].name='block mbp'
firewall.@rule[10].src='lan'
firewall.@rule[10].src_mac='XXX:XX:XXX:XXX'
firewall.@rule[10].dest='wan'
firewall.@rule[10].target='REJECT'
firewall.@rule[10].enabled='0'
luci.main=core
luci.main.lang='auto'
luci.main.mediaurlbase='/luci-static/bootstrap'
luci.main.resourcebase='/luci-static/resources'
luci.main.ubuspath='/ubus/'
luci.flash_keep=extern
luci.flash_keep.uci='/etc/config/'
luci.flash_keep.dropbear='/etc/dropbear/'
luci.flash_keep.openvpn='/etc/openvpn/'
luci.flash_keep.passwd='/etc/passwd'
luci.flash_keep.opkg='/etc/opkg.conf'
luci.flash_keep.firewall='/etc/firewall.user'
luci.flash_keep.uploads='/lib/uci/upload/'
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath='/tmp/luci-sessions'
luci.sauth.sessiontime='3600'
luci.ccache=internal
luci.ccache.enable='1'
luci.themes=internal
luci.themes.Bootstrap='/luci-static/bootstrap'
luci.themes.BootstrapDark='/luci-static/bootstrap-dark'
luci.themes.BootstrapLight='/luci-static/bootstrap-light'
luci.apply=internal
luci.apply.rollback='90'
luci.apply.holdoff='4'
luci.apply.timeout='5'
luci.apply.display='1.5'
luci.diag=internal
luci.diag.dns='openwrt.org'
luci.diag.ping='openwrt.org'
luci.diag.route='openwrt.org'
luci-opkg.main=core
luci-opkg.main.lang='auto'
luci-opkg.main.mediaurlbase='/luci-static/bootstrap'
luci-opkg.main.resourcebase='/luci-static/resources'
luci-opkg.main.ubuspath='/ubus/'
luci-opkg.flash_keep=extern
luci-opkg.flash_keep.uci='/etc/config/'
luci-opkg.flash_keep.dropbear='/etc/dropbear/'
luci-opkg.flash_keep.openvpn='/etc/openvpn/'
luci-opkg.flash_keep.passwd='/etc/passwd'
luci-opkg.flash_keep.opkg='/etc/opkg.conf'
luci-opkg.flash_keep.firewall='/etc/firewall.user'
luci-opkg.flash_keep.uploads='/lib/uci/upload/'
luci-opkg.languages=internal
luci-opkg.sauth=internal
luci-opkg.sauth.sessionpath='/tmp/luci-sessions'
luci-opkg.sauth.sessiontime='3600'
luci-opkg.ccache=internal
luci-opkg.ccache.enable='1'
luci-opkg.themes=internal
luci-opkg.apply=internal
luci-opkg.apply.rollback='90'
luci-opkg.apply.holdoff='4'
luci-opkg.apply.timeout='5'
luci-opkg.apply.display='1.5'
mwan3.globals=globals
mwan3.globals.mmx_mask='0x3F00'
mwan3.m_wan_eth=member
mwan3.m_wan_eth.interface='wan_eth'
mwan3.m_wan_eth.metric='10'
mwan3.m_wan_eth.weight='1'
mwan3.m_wan_lte=member
mwan3.m_wan_lte.interface='wan_lte'
mwan3.m_wan_lte.metric='20'
mwan3.m_wan_lte.weight='1'
mwan3.wan_eth=interface
mwan3.wan_eth.enabled='1'
mwan3.wan_eth.initial_state='online'
mwan3.wan_eth.family='ipv4'
mwan3.wan_eth.track_ip='1.1.1.1' '8.8.8.8'
mwan3.wan_eth.track_method='ping'
mwan3.wan_eth.reliability='1'
mwan3.wan_eth.count='1'
mwan3.wan_eth.size='56'
mwan3.wan_eth.max_ttl='60'
mwan3.wan_eth.timeout='4'
mwan3.wan_eth.interval='10'
mwan3.wan_eth.failure_interval='5'
mwan3.wan_eth.recovery_interval='5'
mwan3.wan_eth.down='2'
mwan3.wan_eth.up='2'
mwan3.wan_lte=interface
mwan3.wan_lte.enabled='1'
mwan3.wan_lte.initial_state='online'
mwan3.wan_lte.family='ipv4'
mwan3.wan_lte.track_ip='1.1.1.1' '8.8.8.8'
mwan3.wan_lte.track_method='ping'
mwan3.wan_lte.reliability='1'
mwan3.wan_lte.count='1'
mwan3.wan_lte.size='56'
mwan3.wan_lte.max_ttl='60'
mwan3.wan_lte.timeout='4'
mwan3.wan_lte.interval='10'
mwan3.wan_lte.failure_interval='5'
mwan3.wan_lte.recovery_interval='5'
mwan3.wan_lte.down='2'
mwan3.wan_lte.up='2'
mwan3.eth_only=policy
mwan3.eth_only.last_resort='unreachable'
mwan3.eth_only.use_member='m_wan_eth'
mwan3.lte_only=policy
mwan3.lte_only.last_resort='unreachable'
mwan3.lte_only.use_member='m_wan_lte'
mwan3.balanced=policy
mwan3.balanced.last_resort='unreachable'
mwan3.balanced.use_member='m_wan_eth' 'm_wan_lte'
mwan3.https=rule
mwan3.https.proto='tcp'
mwan3.https.dest_port='443'
mwan3.https.sticky='1'
mwan3.https.timeout='600'
mwan3.https.logging='1'
mwan3.https.use_policy='balanced'
mwan3.default_rule_v4=rule
mwan3.default_rule_v4.family='ipv4'
mwan3.default_rule_v4.proto='all'
mwan3.default_rule_v4.dest_ip='0.0.0.0/0'
mwan3.default_rule_v4.sticky='0'
mwan3.default_rule_v4.use_policy='balanced'
mwan3-opkg.globals=globals
mwan3-opkg.globals.mmx_mask='0x3F00'
mwan3-opkg.wan=interface
mwan3-opkg.wan.enabled='1'
mwan3-opkg.wan.track_ip='1.0.0.1' '1.1.1.1' '208.67.222.222' '208.67.220.220'
mwan3-opkg.wan.family='ipv4'
mwan3-opkg.wan.reliability='2'
mwan3-opkg.wan6=interface
mwan3-opkg.wan6.enabled='0'
mwan3-opkg.wan6.track_ip='2606:4700:4700::1001' '2606:4700:4700::1111' '2620:0:ccd::2' '2620:0:ccc::2'
mwan3-opkg.wan6.family='ipv6'
mwan3-opkg.wan6.reliability='2'
mwan3-opkg.wanb=interface
mwan3-opkg.wanb.enabled='0'
mwan3-opkg.wanb.track_ip='1.0.0.1' '1.1.1.1' '208.67.222.222' '208.67.220.220'
mwan3-opkg.wanb.family='ipv4'
mwan3-opkg.wanb.reliability='1'
mwan3-opkg.wanb6=interface
mwan3-opkg.wanb6.enabled='0'
mwan3-opkg.wanb6.track_ip='2606:4700:4700::1001' '2606:4700:4700::1111' '2620:0:ccd::2' '2620:0:ccc::2'
mwan3-opkg.wanb6.family='ipv6'
mwan3-opkg.wanb6.reliability='1'
mwan3-opkg.wan_m1_w3=member
mwan3-opkg.wan_m1_w3.interface='wan'
mwan3-opkg.wan_m1_w3.metric='1'
mwan3-opkg.wan_m1_w3.weight='3'
mwan3-opkg.wan_m2_w3=member
mwan3-opkg.wan_m2_w3.interface='wan'
mwan3-opkg.wan_m2_w3.metric='2'
mwan3-opkg.wan_m2_w3.weight='3'
mwan3-opkg.wanb_m1_w2=member
mwan3-opkg.wanb_m1_w2.interface='wanb'
mwan3-opkg.wanb_m1_w2.metric='1'
mwan3-opkg.wanb_m1_w2.weight='2'
mwan3-opkg.wanb_m1_w3=member
mwan3-opkg.wanb_m1_w3.interface='wanb'
mwan3-opkg.wanb_m1_w3.metric='1'
mwan3-opkg.wanb_m1_w3.weight='3'
mwan3-opkg.wanb_m2_w2=member
mwan3-opkg.wanb_m2_w2.interface='wanb'
mwan3-opkg.wanb_m2_w2.metric='2'
mwan3-opkg.wanb_m2_w2.weight='2'
mwan3-opkg.wan6_m1_w3=member
mwan3-opkg.wan6_m1_w3.interface='wan6'
mwan3-opkg.wan6_m1_w3.metric='1'
mwan3-opkg.wan6_m1_w3.weight='3'
mwan3-opkg.wan6_m2_w3=member
mwan3-opkg.wan6_m2_w3.interface='wan6'
mwan3-opkg.wan6_m2_w3.metric='2'
mwan3-opkg.wan6_m2_w3.weight='3'
mwan3-opkg.wanb6_m1_w2=member
mwan3-opkg.wanb6_m1_w2.interface='wanb6'
mwan3-opkg.wanb6_m1_w2.metric='1'
mwan3-opkg.wanb6_m1_w2.weight='2'
mwan3-opkg.wanb6_m1_w3=member
mwan3-opkg.wanb6_m1_w3.interface='wanb6'
mwan3-opkg.wanb6_m1_w3.metric='1'
mwan3-opkg.wanb6_m1_w3.weight='3'
mwan3-opkg.wanb6_m2_w2=member
mwan3-opkg.wanb6_m2_w2.interface='wanb6'
mwan3-opkg.wanb6_m2_w2.metric='2'
mwan3-opkg.wanb6_m2_w2.weight='2'
mwan3-opkg.wan_only=policy
mwan3-opkg.wan_only.use_member='wan_m1_w3' 'wan6_m1_w3'
mwan3-opkg.wanb_only=policy
mwan3-opkg.wanb_only.use_member='wanb_m1_w2' 'wanb6_m1_w2'
mwan3-opkg.balanced=policy
mwan3-opkg.balanced.use_member='wan_m1_w3' 'wanb_m1_w3' 'wan6_m1_w3' 'wanb6_m1_w3'
mwan3-opkg.wan_wanb=policy
mwan3-opkg.wan_wanb.use_member='wan_m1_w3' 'wanb_m2_w2' 'wan6_m1_w3' 'wanb6_m2_w2'
mwan3-opkg.wanb_wan=policy
mwan3-opkg.wanb_wan.use_member='wan_m2_w3' 'wanb_m1_w2' 'wan6_m2_w3' 'wanb6_m1_w2'
mwan3-opkg.https=rule
mwan3-opkg.https.sticky='1'
mwan3-opkg.https.dest_port='443'
mwan3-opkg.https.proto='tcp'
mwan3-opkg.https.use_policy='balanced'
mwan3-opkg.default_rule_v4=rule
mwan3-opkg.default_rule_v4.dest_ip='0.0.0.0/0'
mwan3-opkg.default_rule_v4.use_policy='balanced'
mwan3-opkg.default_rule_v4.family='ipv4'
mwan3-opkg.default_rule_v6=rule
mwan3-opkg.default_rule_v6.dest_ip='::/0'
mwan3-opkg.default_rule_v6.use_policy='balanced'
mwan3-opkg.default_rule_v6.family='ipv6'
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='XXX:XX:XXX::/48'
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan2'
network.wan_eth=interface
network.wan_eth.proto='dhcp'
network.wan_eth.device='lan1'
network.wan_eth.metric='10'
network.wan_lte=interface
network.wan_lte.proto='qmi'
network.wan_lte.device='/dev/cdc-wdm0'
network.wan_lte.apn='XXXX'
network.wan_lte.pincode='XXXX'
network.wan_lte.auth='none'
network.wan_lte.pdptype='ipv4'
network.wan_lte.metric='20'
network.lan=interface
network.lan.proto='static'
network.lan.device='br-lan'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.arlo=interface
network.arlo.proto='static'
network.arlo.ipaddr='172.14.1.1'
network.arlo.netmask='255.255.255.0'
network.arlo.device='br-arlo'
network.@device[1]=device
network.@device[1].type='bridge'
network.@device[1].name='br-arlo'
network.@device[2]=device
network.@device[2].name='wwan0'
rpcd.@rpcd[0]=rpcd
rpcd.@rpcd[0].socket='/var/run/ubus/ubus.sock'
rpcd.@rpcd[0].timeout='30'
rpcd.@login[0]=login
rpcd.@login[0].username='root'
rpcd.@login[0].password='$p$root'
rpcd.@login[0].read='*'
rpcd.@login[0].write='*'
system.@system[0]=system
system.@system[0].hostname='OpenWrt'
system.@system[0].timezone='CET-1CEST,M3.5.0,M10.5.0/3'
system.@system[0].ttylogin='0'
system.@system[0].log_size='64'
system.@system[0].urandom_seed='0'
system.@system[0].compat_version='1.1'
system.@system[0].zonename='Europe/Oslo'
system.@system[0].log_proto='udp'
system.@system[0].conloglevel='8'
system.@system[0].cronloglevel='5'
system.ntp=timeserver
system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org'
system.usb_power=gpio_switch
system.usb_power.name='Power USB Port'
system.usb_power.gpio_pin='usb_power'
system.usb_power.value='1'
system.lte_power=gpio_switch
system.lte_power.name='Power LTE modem'
system.lte_power.gpio_pin='lte_power'
system.lte_power.value='1'
system.led_internet=led
system.led_internet.name='LTE/3G Internet Activity'
system.led_internet.sysfs='green:internet'
system.led_internet.trigger='netdev'
system.led_internet.mode='rx tx'
system.led_internet.dev='wwan0'
ubootenv.@ubootenv[0]=ubootenv
ubootenv.@ubootenv[0].dev='/dev/mtd1'
ubootenv.@ubootenv[0].offset='0x0'
ubootenv.@ubootenv[0].envsize='0x1000'
ubootenv.@ubootenv[0].secsize='0x80000'
ucitrack.@network[0]=network
ucitrack.@network[0].init='network'
ucitrack.@network[0].affects='dhcp'
ucitrack.@wireless[0]=wireless
ucitrack.@wireless[0].affects='network'
ucitrack.@firewall[0]=firewall
ucitrack.@firewall[0].init='firewall'
ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd'
ucitrack.@olsr[0]=olsr
ucitrack.@olsr[0].init='olsrd'
ucitrack.@dhcp[0]=dhcp
ucitrack.@dhcp[0].init='dnsmasq'
ucitrack.@dhcp[0].affects='odhcpd'
ucitrack.@odhcpd[0]=odhcpd
ucitrack.@odhcpd[0].init='odhcpd'
ucitrack.@dropbear[0]=dropbear
ucitrack.@dropbear[0].init='dropbear'
ucitrack.@httpd[0]=httpd
ucitrack.@httpd[0].init='httpd'
ucitrack.@fstab[0]=fstab
ucitrack.@fstab[0].exec='/sbin/block mount'
ucitrack.@qos[0]=qos
ucitrack.@qos[0].init='qos'
ucitrack.@system[0]=system
ucitrack.@system[0].init='led'
ucitrack.@system[0].exec='/etc/init.d/log reload'
ucitrack.@system[0].affects='luci_statistics' 'dhcp'
ucitrack.@luci_splash[0]=luci_splash
ucitrack.@luci_splash[0].init='luci_splash'
ucitrack.@upnpd[0]=upnpd
ucitrack.@upnpd[0].init='miniupnpd'
ucitrack.@ntpclient[0]=ntpclient
ucitrack.@ntpclient[0].init='ntpclient'
ucitrack.@samba[0]=samba
ucitrack.@samba[0].init='samba'
ucitrack.@tinyproxy[0]=tinyproxy
ucitrack.@tinyproxy[0].init='tinyproxy'
uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd.main.redirect_https='0'
uhttpd.main.home='/www'
uhttpd.main.rfc1918_filter='1'
uhttpd.main.max_requests='3'
uhttpd.main.max_connections='100'
uhttpd.main.cert='/etc/uhttpd.crt'
uhttpd.main.key='/etc/uhttpd.key'
uhttpd.main.cgi_prefix='/cgi-bin'
uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
uhttpd.main.script_timeout='60'
uhttpd.main.network_timeout='30'
uhttpd.main.http_keepalive='20'
uhttpd.main.tcp_keepalive='1'
uhttpd.main.ucode_prefix='/cgi-bin/luci=/usr/share/ucode/luci/uhttpd.uc'
uhttpd.main.ubus_prefix='/ubus'
uhttpd.defaults=cert
uhttpd.defaults.days='730'
uhttpd.defaults.key_type='ec'
uhttpd.defaults.bits='2048'
uhttpd.defaults.ec_curve='P-256'
uhttpd.defaults.country='ZZ'
uhttpd.defaults.state='Somewhere'
uhttpd.defaults.location='Unknown'
uhttpd.defaults.commonname='OpenWrt'
uhttpd-opkg.main=uhttpd
uhttpd-opkg.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd-opkg.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd-opkg.main.redirect_https='0'
uhttpd-opkg.main.home='/www'
uhttpd-opkg.main.rfc1918_filter='1'
uhttpd-opkg.main.max_requests='3'
uhttpd-opkg.main.max_connections='100'
uhttpd-opkg.main.cert='/etc/uhttpd.crt'
uhttpd-opkg.main.key='/etc/uhttpd.key'
uhttpd-opkg.main.cgi_prefix='/cgi-bin'
uhttpd-opkg.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
uhttpd-opkg.main.script_timeout='60'
uhttpd-opkg.main.network_timeout='30'
uhttpd-opkg.main.http_keepalive='20'
uhttpd-opkg.main.tcp_keepalive='1'
uhttpd-opkg.defaults=cert
uhttpd-opkg.defaults.days='397'
uhttpd-opkg.defaults.key_type='ec'
uhttpd-opkg.defaults.bits='2048'
uhttpd-opkg.defaults.ec_curve='P-256'
uhttpd-opkg.defaults.country='ZZ'
uhttpd-opkg.defaults.state='Somewhere'
uhttpd-opkg.defaults.location='Unknown'
uhttpd-opkg.defaults.commonname='OpenWrt'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
wireless.radio0.channel='auto'
wireless.radio0.band='2g'
wireless.radio0.htmode='HT20'
wireless.radio0.cell_density='0'
wireless.radio0.disabled='1'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
wireless.radio1.channel='36'
wireless.radio1.band='5g'
wireless.radio1.htmode='VHT80'
wireless.radio1.disabled='1'
wireless.wifinet2=wifi-iface
wireless.wifinet2.device='radio0'
wireless.wifinet2.mode='ap'
wireless.wifinet2.ssid='ARLO_VMB_1691162793'
wireless.wifinet2.encryption='psk-mixed'
wireless.wifinet2.key='XXXXXX'
wireless.wifinet2.network='arlo'
wireless.wifinet2.disabled='1'
Is your PoE switch managed or unmanaged? What model is it?

It is a "smart" switch, TP-Link TL-SG108PE. Among a few things, it allows me to set or remove tags on its ports.

Cool.

As an FYI from a security standpoint the management interface accepts inputs from all vlans.

Plus be careful with sending it BPDUs (i.e. spanning tree on). I've had them completely lock up.

But other than that I can't foresee any issues with using that switch for what you want?

I'm hoping psherman or someone else can take over else I'll check in tomorrow =)

To start I suggest:

  • add a wifi network (given you don't have a management port or serial port?) separate from your br-lan purely for management so you don't get locked out when trying to do this change?
  • Do a full config backup from luci backup/restore in case you need to factory reset to get back
Ok. So you need to tag the camera network on the router port that connects to the switch. Likewise, you need to set the switch to accept that same vlan tagged on the corresponding port. Then, on the ports that connect to the cameras and nvr, you will set that vlan as untagged + pvid.

What port on the router connects to the switch?

Can I trouble you to post your config as it appears in the text files (I find this easier to read than uci format):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
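
The tagging procedure described in the post above, as an added example that is not part of this thread: a POSIX shell script of `uci` commands for OpenWrt's DSA/fw4 configuration that trunks VLAN 40 on lan2, keeps the untagged LAN on VLAN 1, and gives the cameras a default-deny zone that may reach only the internet and the NVR at 192.168.1.32. The camera subnet 192.168.40.0/24 and the interface/zone name "cameras" are assumptions; `--dry-run` prints the commands instead of running `uci`.

```shell
#!/bin/sh
# Added example (not from the thread): create a "cameras" VLAN 40 on an
# OpenWrt (DSA, fw4) router whose port lan2 is trunked to the smart switch.
# Assumptions not found in the thread: subnet 192.168.40.0/24 and the name
# "cameras". VLAN 40, port lan2 and the NVR at 192.168.1.32 come from the thread.
#
# Usage:  sh cam_vlan.sh --dry-run   # print the uci commands only
#         sh cam_vlan.sh --apply     # write and commit the configuration
# then:   service network restart && service firewall restart

UCI_CMD="${UCI_CMD:-uci}"   # set UCI_CMD=echo for a dry run
u() { "$UCI_CMD" "$@"; }

configure_camera_vlan() {
    # 1. Make br-lan a VLAN-filtering bridge. Once any bridge-vlan exists the
    #    untagged LAN must be declared too (VLAN 1, untagged + PVID on lan2)
    #    and the lan interface moved to br-lan.1, otherwise the LAN goes dark.
    u add network bridge-vlan
    u set 'network.@bridge-vlan[-1].device=br-lan'
    u set 'network.@bridge-vlan[-1].vlan=1'
    u add_list 'network.@bridge-vlan[-1].ports=lan2:u*'
    u set 'network.lan.device=br-lan.1'

    # 2. VLAN 40 leaves lan2 tagged. The switch must accept tag 40 on its
    #    uplink port and present it untagged + PVID on the camera and NVR ports.
    u add network bridge-vlan
    u set 'network.@bridge-vlan[-1].device=br-lan'
    u set 'network.@bridge-vlan[-1].vlan=40'
    u add_list 'network.@bridge-vlan[-1].ports=lan2:t'

    # 3. Layer-3 interface for the cameras (assumed subnet).
    u set 'network.cameras=interface'
    u set 'network.cameras.proto=static'
    u set 'network.cameras.device=br-lan.40'
    u set 'network.cameras.ipaddr=192.168.40.1'
    u set 'network.cameras.netmask=255.255.255.0'

    # 4. Firewall zone: deny traffic to the router and to other zones by default.
    u add firewall zone
    u set 'firewall.@zone[-1].name=cameras'
    u set 'firewall.@zone[-1].input=REJECT'
    u set 'firewall.@zone[-1].output=ACCEPT'
    u set 'firewall.@zone[-1].forward=REJECT'
    u add_list 'firewall.@zone[-1].network=cameras'

    # Cameras may reach the internet ...
    u add firewall forwarding
    u set 'firewall.@forwarding[-1].src=cameras'
    u set 'firewall.@forwarding[-1].dest=wan'

    # ... and exactly one LAN host, the NVR (forward is REJECT, so this rule
    # is the only path from the camera VLAN into the LAN).
    u add firewall rule
    u set 'firewall.@rule[-1].name=Cameras-to-NVR'
    u set 'firewall.@rule[-1].src=cameras'
    u set 'firewall.@rule[-1].dest=lan'
    u set 'firewall.@rule[-1].dest_ip=192.168.1.32'
    u set 'firewall.@rule[-1].target=ACCEPT'

    # The trusted LAN (NVR pulling streams, admin opening camera web UIs) may
    # initiate connections into the camera VLAN; replies are handled statefully.
    u add firewall forwarding
    u set 'firewall.@forwarding[-1].src=lan'
    u set 'firewall.@forwarding[-1].dest=cameras'

    # Cameras may use the router for DHCP and DNS only; nothing else inbound.
    u add firewall rule
    u set 'firewall.@rule[-1].name=Cameras-DHCP-DNS'
    u set 'firewall.@rule[-1].src=cameras'
    u add_list 'firewall.@rule[-1].proto=udp'
    u add_list 'firewall.@rule[-1].proto=tcp'
    u add_list 'firewall.@rule[-1].dest_port=53'
    u add_list 'firewall.@rule[-1].dest_port=67'
    u set 'firewall.@rule[-1].target=ACCEPT'

    u commit network
    u commit firewall
}

case "${1:-}" in
    --dry-run) UCI_CMD=echo; configure_camera_vlan ;;
    --apply)   configure_camera_vlan ;;
esac
```

Run it from the separate management Wi-Fi suggested earlier in the thread, since moving lan to br-lan.1 briefly interrupts the wired LAN.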
Switch is connected to lan2 on my router. lan1 is used for WAN interface.

Here is my config:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXXX::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'

config interface 'wan_eth'
	option proto 'dhcp'
	option device 'lan1'
	option metric '10'

config interface 'wan_lte'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option apn 'XXXX'
	option pincode 'XXX'
	option auth 'none'
	option pdptype 'ipv4'
	option metric '20'

config interface 'lan'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'arlo'
	option proto 'static'
	option ipaddr '172.14.1.1'
	option netmask '255.255.255.0'
	option device 'br-arlo'

config device
	option type 'bridge'
	option name 'br-arlo'

config device
	option name 'wwan0'

config interface 'lan_setup'
	option proto 'static'
	option device 'radio0.network2'
	list ipaddr '192.168.2.1'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel 'auto'
	option band '2g'
	option htmode 'HT40'
	option cell_density '0'
	option country 'NO'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'ARLO_VMB_1691162793'
	option encryption 'psk-mixed'
	option key 'XXXX'
	option network 'arlo'
	option disabled '1'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option ssid 'a-Setup'
	option encryption 'psk2'
	option key 'XXXX'
	option network 'lan_setup'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list interface 'lan'
	list notinterface 'lan_setup'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dns_service '0'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'arlo'
	option interface 'arlo'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan_setup'
	option interface 'lan_setup'
	option start '90'
	option limit '9'
	option leasetime '6h'
	option ignore '1'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wan_eth'
	list network 'wan_lte'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS to Nginx'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.12'
	option dest_port '443'

config zone
	option name 'arlo'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'arlo'

config forwarding
	option src 'arlo'
	option dest 'lan'

config forwarding
	option src 'arlo'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'arlo'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP to Nginx'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.12'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'OVPN to ProxMox'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '192.168.1.31'
	option dest_port '1194'
	list proto 'tcp'
	list proto 'udp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Arlo Server'
	option family 'ipv4'
	option src 'arlo'
	option src_dport '4000'
	option dest_ip '192.168.1.32'
	option dest_port '4000'

config rule
	option name 'Profiles'
	option src 'lan'
	option dest 'wan'
	list dest_ip 'XXXXX'
	option target 'REJECT'
	option enabled '0'

config rule
	option name 'block mbp'
	option src 'lan'
	list src_mac 'XXXXX'
	option dest 'wan'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'setup'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan_setup'

config forwarding
	option src 'setup'
	option dest 'lan'

config forwarding
	option src 'setup'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'setup'

config forwarding
	option src 'wan'
	option dest 'setup'
1 Like
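The posted firewall file defines the 'arlo' zone with input and forward set to ACCEPT plus a forwarding entry into 'lan', which is the opposite of the isolation the question asks for. As an added example (not code from this thread or from OpenWrt), the script below parses UCI firewall text and lists, for every zone other than the trusted LAN and the WAN, the settings that let its devices reach the router or another zone wholesale. SAMPLE_FIREWALL is a constructed excerpt in the same shape as the posted file; the 'cameras' zone in it shows the isolated form, with one dest_ip exception for the NVR at 192.168.1.32.

```python
"""Audit an OpenWrt /etc/config/firewall for zones that defeat VLAN isolation.

Added example, not code from the thread or from OpenWrt. SAMPLE_FIREWALL is
constructed: the 'arlo' zone copies the shape of the posted one, 'cameras' is
the isolated form with a single host exception for an NVR at 192.168.1.32.
"""
import shlex
from typing import Any, Dict, List, Tuple

SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'arlo'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'arlo'

config forwarding
    option src 'arlo'
    option dest 'lan'

config forwarding
    option src 'arlo'
    option dest 'wan'

config zone
    option name 'cameras'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'cameras'

config forwarding
    option src 'cameras'
    option dest 'wan'

config rule
    option name 'cameras-to-nvr'
    option src 'cameras'
    option dest 'lan'
    option dest_ip '192.168.1.32'
    option target 'ACCEPT'
"""

Section = Dict[str, Any]


def parse_uci(text: str) -> List[Tuple[str, Section]]:
    """Turn 'config <type>' blocks with 'option'/'list' lines into (type, dict) pairs."""
    sections: List[Tuple[str, Section]] = []
    current: Section = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # shlex handles the quoted values
        if not parts:
            continue
        if parts[0] == "config" and len(parts) >= 2:
            current = {}
            sections.append((parts[1], current))
        elif parts[0] == "option" and len(parts) >= 3:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and len(parts) >= 3:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def audit_zone_isolation(text: str, trusted: str = "lan", uplink: str = "wan") -> Dict[str, List[str]]:
    """Return {zone: [findings]} for every zone except the trusted LAN and the uplink.

    An untrusted zone should keep input and forward at REJECT, forward only to
    the uplink, and reach trusted hosts only through rules scoped by dest_ip.
    """
    sections = parse_uci(text)
    zones = {s["name"]: s for kind, s in sections if kind == "zone" and "name" in s}
    forwardings = [s for kind, s in sections if kind == "forwarding"]
    rules = [s for kind, s in sections if kind == "rule"]
    report: Dict[str, List[str]] = {}
    for name, zone in zones.items():
        if name in (trusted, uplink):
            continue
        findings: List[str] = []
        if str(zone.get("input", "")).upper() == "ACCEPT":
            findings.append("input ACCEPT: every service on the router is reachable from this zone")
        if str(zone.get("forward", "")).upper() == "ACCEPT":
            findings.append("forward ACCEPT: networks inside the zone may route to each other")
        for fwd in forwardings:
            if fwd.get("src") == name and fwd.get("dest") not in (uplink, None):
                findings.append(f"forwarding to '{fwd['dest']}': the whole zone is reachable; "
                                "use per-host ACCEPT rules instead")
        for rule in rules:
            if (rule.get("src") == name and rule.get("dest") == trusted
                    and str(rule.get("target", "")).upper() == "ACCEPT" and "dest_ip" not in rule):
                findings.append(f"rule '{rule.get('name', '?')}' accepts into {trusted} without dest_ip")
        report[str(name)] = findings
    return report


if __name__ == "__main__":
    for zone_name, items in audit_zone_isolation(SAMPLE_FIREWALL).items():
        print(zone_name, "OK" if not items else "")
        for item in items:
            print("  -", item)
```

On a router, feed it the real file with `audit_zone_isolation(open('/etc/config/firewall').read())`; against the posted configuration the 'arlo' zone produces three findings and a zone shaped like 'cameras' produces none. A forwarding from 'lan' into the camera zone is deliberately not flagged: the trusted side reaching the cameras is the usual management direction.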

Cool. So again I would recommend doing the change in two steps. One can then delete the management interface if required afterwards.

I forgot to add that for me, when I used TL-SG108PE, I didn't have success with DHCP & VLANs at the same time (as in for the switch's management address).

I would recommend setting the switch as a static IP regardless when switching it to vlans. This also helps as it means you can set a switch port as an untagged port to always be able to talk to the switch.

As an aside, I'm stuck too with vlan1 at home, but in reality it's probably best not to use vlan1 or any default vlan for any network; still, we'll continue with the design for vlan1 and vlan40. If you see my setup, I'm vlan1 and vlan10.

To start I recommend creating a management interface.
Then we'll change br-lan to vlans.

Given you mentioned you preferred LuCI rather than UCI or editing configuration files I'll give some screenshots, plus the output for the changes LuCI is going to do anyway. (i.e. when you click unsaved changes it gives you the uci commands)

  • Please create a backup of your existing configuration using the luci backup interface.

I will start with creating a wireless network on a different bridge so you can connect to that, and then we can do the actual changes we are after. (When you switch to vlans you need to change both your wireless and wired config in one go so there's a risk for either not being able to connect again, or you will have luci revert your config after ~90 seconds)

Also of note is I didn't say hit save and apply, but you should do that after every major part (empty bridge, add network, add wireless).

  • Adding an empty bridge that we bring up
    • we go to the network/interfaces tab, then go to add a device configuration.
    • then create a bridge with a valid UCI identifier
    • then as we are creating an empty bridge we want it to be brought up always
    • then save and apply
uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-local'
uci set network.@device[-1].bridge_empty='1'

Photos:

  • Adding an interface with static IP on the bridge, new firewall group, dhcp server
    • go to interfaces tab and click add interface
    • use an arbitrary uci compatible name.
    • pick static IP address
    • pick the bridge you created before under device
    • pick an arbitrary RFC1918 IP address. (I find 172.16.0.0/12 is less used so I suggest pick something there.)
    • pick your subnet mask. 255.255.255.0 or /24 is the smallest network available in the dropdown.
    • create a firewall zone for management (or add it to lan if you don't care about isolating this network from the rest of your network)
    • click setup dhcp server and leave as defaults so you have DHCP available.
    • save and apply
    • you will need to go to firewall settings and change the local network input to ACCEPT.
# /etc/config/dhcp
uci set dhcp.local=dhcp
uci set dhcp.local.interface='local'
uci set dhcp.local.start='100'
uci set dhcp.local.limit='150'
uci set dhcp.local.leasetime='12h'
# /etc/config/firewall
uci add firewall zone 
uci set firewall.@zone[-1].name='local'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='local'
# /etc/config/network
uci set network.local=interface
uci set network.local.proto='static'
uci set network.local.device='br-local'
uci set network.local.ipaddr='172.31.254.1'
uci set network.local.netmask='255.255.255.0'

  • adding wireless to the bridge
  • you can also repeat for 5ghz but 2.4 should be sufficient
  • go to network/wireless and click add on the radio in question.
  • pick an arbitrary ESSID and under the network drop down select the 'local' network
  • select wireless security and a password
  • of note is the rest of the parameters should already be set and be the same as what you already have set up with your other wifi network.
# /etc/config/wireless
uci set wireless.wifinet2=wifi-iface
uci set wireless.wifinet2.device='radio0'
uci set wireless.wifinet2.mode='ap'
uci set wireless.wifinet2.ssid='arbitrarySSID'
uci set wireless.wifinet2.encryption='sae'
uci set wireless.wifinet2.key='arbitrarypassword'
uci set wireless.wifinet2.network='local'



You should now be able to connect to your wireless network.
Once confirmed I also suggest backing up this config so you can revert to this state if it all goes wrong with the next part.

I will write the next reply on the assumption that you have the above completed.

Okay so firstly apologies I had to do an edit as I missed that the default on my example was input reject now for a new firewall group. It's always good to test your own instructions hahahaha.

Anyway. With the following instructions I've switched devices to something that's the closest I have to your target, which is an aerohive ap330 (i.e. two network devices).

in this example it's eth0 for wan and eth1 for lan. But it shouldn't matter for the "switch to vlans" example.

Basically in UCI it'd be the following: (i.e. this is what I copied out of luci unsaved changes)

# /etc/config/network
uci add network bridge-vlan # =cfg09a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='1'
uci add_list network.@bridge-vlan[-1].ports='eth1:u*'
uci add network bridge-vlan # =cfg0aa1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='40'
uci add_list network.@bridge-vlan[-1].ports='eth1:t'
uci set network.lan.device='br-lan.1'

Your steps are to go to your bridge device, hit configure, turn on bridge vlan filtering.
The easiest will be then add vlan1, make it untagged and primary VID.
Then add vlan 40 as tagged.

Then before saving you need to also go to the network section and change your "lan" network from br-lan to br-lan.1.

Pictures:

An important item to note is you will need to restart your wireless or brute force all of networking after you save your changes, as you need your wireless to reconnect to the bridge (i.e. otherwise devices may not connect to your AP correctly). After restarting wireless you should then check that your existing wifi and wired clients work correctly.

Now that we're at this stage, we should make another effort to back up the configuration. (i.e. before we change IP address ranges, then configure vlan40, do switch config. Also backing up your switch config is probably a good idea at this time).

When we get to this point, we are now at the stage for configuring VLAN40 and the network that will be for your CCTV. However, up to here we shouldn't have actually impacted the wired network / cctv yet, as we set PVID1 / untagged vlan 1 on the same IP address.

Once we get to here it's more complicated =(

I believe to start, your IP range for br-lan will conflict with your CCTV desired static IPs? So one would need to switch your br-lan IP range....

Then we have switch configuration.... I don't have your switch on hand. I think tp-link has emulators for some stuff but It will be challenging and switch dependent....

I think the next steps would be configure your switch for vlans and a static IP address. With all ports untagged PVID vlan 1.
We then need to configure the switch to accept tagged vlan40 on the port connected to your router.
Then configure vlan 40 to untagged vlan 40 and PVID 40 without vlan1 on the CCTV connected ports.
It's then a case of add a network of the appropriate IP range for your router on br-lan.40.

1 Like
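To tie the last steps together (the br-lan range conflicting with the cameras' static addresses, then the network on br-lan.40 and its firewall zone), here is an added example that is not code from this thread or from OpenWrt. It reuses the thread's values (VLAN 40, NVR 192.168.1.32, cameras 192.168.1.41-49, LAN 192.168.1.0/24); the new camera subnet 192.168.40.0/24, the interface and zone name 'cameras', the bridge port 'lan2' and the DNS allow rule are my assumptions. It prints the uci commands rather than running them, so the plan can be reviewed before `uci commit`.

```python
"""Plan the camera VLAN: addressing conflict check plus the UCI commands for br-lan.40.

Added example, not code from the thread or from OpenWrt. Assumed values: the
camera subnet 192.168.40.0/24, interface/zone name 'cameras', bridge port 'lan2'.
"""
import ipaddress
from typing import List

# From the thread: cameras still carry LAN addresses and would clash after the move
CAMERA_IPS = [f"192.168.1.{n}" for n in range(41, 50)]
NVR_IP = "192.168.1.32"


def conflicting_hosts(lan_subnet: str, hosts: List[str]) -> List[str]:
    """Hosts that sit inside the existing LAN subnet and must be renumbered
    before they are moved to the camera VLAN (the conflict the reply warns about)."""
    net = ipaddress.ip_network(lan_subnet, strict=False)
    return [h for h in hosts if ipaddress.ip_address(h) in net]


def camera_vlan_plan(vlan: int, port: str, cam_subnet: str, nvr_ip: str,
                     iface: str = "cameras", lan_zone: str = "lan", wan_zone: str = "wan") -> List[str]:
    """UCI commands: tagged VLAN on br-lan, a static interface on br-lan.<vlan>, an
    isolated zone that forwards only to the WAN, DNS from the router, and a single
    host exception for the NVR on the trusted LAN."""
    net = ipaddress.ip_network(cam_subnet, strict=False)
    router_ip = str(next(net.hosts()))  # first usable address goes to the router
    return [
        # bridge VLAN: the cameras arrive tagged from the switch on this port
        "uci add network bridge-vlan",
        "uci set network.@bridge-vlan[-1].device='br-lan'",
        f"uci set network.@bridge-vlan[-1].vlan='{vlan}'",
        f"uci add_list network.@bridge-vlan[-1].ports='{port}:t'",
        # layer-3 interface on the VLAN sub-device
        f"uci set network.{iface}=interface",
        f"uci set network.{iface}.proto='static'",
        f"uci set network.{iface}.device='br-lan.{vlan}'",
        f"uci set network.{iface}.ipaddr='{router_ip}'",
        f"uci set network.{iface}.netmask='{net.netmask}'",
        # zone: cameras reach neither the router nor other zones by default
        "uci add firewall zone",
        f"uci set firewall.@zone[-1].name='{iface}'",
        "uci set firewall.@zone[-1].input='REJECT'",
        "uci set firewall.@zone[-1].output='ACCEPT'",
        "uci set firewall.@zone[-1].forward='REJECT'",
        f"uci add_list firewall.@zone[-1].network='{iface}'",
        # outbound internet only
        "uci add firewall forwarding",
        f"uci set firewall.@forwarding[-1].src='{iface}'",
        f"uci set firewall.@forwarding[-1].dest='{wan_zone}'",
        # input is REJECT, so name resolution via the router needs an explicit rule
        "uci add firewall rule",
        f"uci set firewall.@rule[-1].name='{iface}-dns'",
        f"uci set firewall.@rule[-1].src='{iface}'",
        "uci add_list firewall.@rule[-1].proto='tcp'",
        "uci add_list firewall.@rule[-1].proto='udp'",
        "uci set firewall.@rule[-1].dest_port='53'",
        "uci set firewall.@rule[-1].target='ACCEPT'",
        # the one LAN host the cameras may talk to: the NVR
        "uci add firewall rule",
        f"uci set firewall.@rule[-1].name='{iface}-to-nvr'",
        f"uci set firewall.@rule[-1].src='{iface}'",
        f"uci set firewall.@rule[-1].dest='{lan_zone}'",
        f"uci set firewall.@rule[-1].dest_ip='{nvr_ip}'",
        "uci set firewall.@rule[-1].target='ACCEPT'",
        # trusted LAN (including the NVR) may still reach the cameras
        "uci add firewall forwarding",
        f"uci set firewall.@forwarding[-1].src='{lan_zone}'",
        f"uci set firewall.@forwarding[-1].dest='{iface}'",
    ]


if __name__ == "__main__":
    clash = conflicting_hosts("192.168.1.0/24", CAMERA_IPS)
    if clash:
        print("# renumber into the camera subnet first:", ", ".join(clash))
    print("\n".join(camera_vlan_plan(40, "lan2", "192.168.40.0/24", NVR_IP)))
```

The NVR rule is scoped by dest_ip, so everything else on 192.168.1.0/24 stays unreachable from the cameras; the lan-to-cameras forwarding mirrors the posted lan-to-arlo entry and is what lets the NVR pull streams. If the NVR ever moves onto the camera VLAN, the exception rule can be dropped entirely.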

Thank you so much for your reply, I'll try to dive into it during the weekend and will report back.

1 Like

No worries. No rush. I hope it goes OK =)

Learning on what I presume is your prod network can take a while to get a service window.

edit:
I pulled one of the TL-SG108PEs out of retirement to send some screen captures iko3's way. Turns out there's a firmware upgrade from 2023-09-07, at least for my v4.20 model, which claims to fix security and management issues. Not sure if it would fix my locking up issue on my spanning tree enabled network, but eh.
Also said it fixes a DHCP issue, which may have addressed my DHCP issue.

1 Like

Thank you again for your great help! I finally got time to update my config, and it worked perfectly. I'm now able to manage traffic on different VLAN interfaces.

1 Like
