Create separate VLAN for surveillance cameras

Cool. So again I would recommend doing the change in two steps. One can then delete the management interface if required afterwards.

I forgot to add that for me, when I used TL-SG108PE, I didn't have success with DHCP & VLANs at the same time. (as in for the switch's management address)

I would recommend setting the switch as a static IP regardless when switching it to vlans. This also helps as it means you can set a switch port as an untagged port to always be able to talk to the switch.

As an aside, I'm stuck too with vlan1 at home, but in reality it's best to probably not use vlan1 or any default vlan for any network but we'll continue with the design for vlan1 and vlan40. If you see my setup I'm vlan1 and vlan10.

To start I recommend creating a management interface.
Then we'll change br-lan to vlans.

Given you mentioned you preferred LuCI rather than UCI or editing configuration files I'll give some screenshots, plus the output for the changes LuCI is going to do anyway. (i.e. when you click unsaved changes it gives you the uci commands)

  • Please create a backup of your existing configuration using the luci backup interface.

I will start with creating a wireless network on a different bridge so you can connect to that, and then we can do the actual changes we are after. (When you switch to vlans you need to change both your wireless and wired config in one go so there's a risk for either not being able to connect again, or you will have luci revert your config after ~90 seconds)

Also of note is I didn't say hit save and apply but you should do that after every major part. (empty bridge, add network, add wireless)

  • Adding an empty bridge that we bring up
    • we go to the network/interfaces tab, then go to add a device configuration.
    • then create a bridge with a valid UCI identifier
    • then as we are creating an empty bridge we want it to be brought up always
    • then save and apply
uci add network device
uci set network.@device[-1].type='bridge'
uci set network.@device[-1].name='br-local'
uci set network.@device[-1].bridge_empty='1'


  • Adding an interface with static IP on the bridge, new firewall group, dhcp server
    • go to interfaces tab and click add interface
    • use an arbitrary uci compatible name.
    • pick static IP address
    • pick the bridge you created before under device
    • pick an arbitrary RFC1918 IP address. (I find 172.16.0.0/12 is less used so I suggest pick something there.)
    • pick your subnet mask. 255.255.255.0 or /24 is the smallest network available in the dropdown.
    • create a firewall zone for management (or add it to lan if you don't care about isolating this network from the rest of your network)
    • click setup dhcp server and leave as defaults so you have DHCP available.
    • save and apply
    • you will need to go to firewall settings and change the local network input to ACCEPT.
# /etc/config/dhcp
uci set dhcp.local=dhcp
uci set dhcp.local.interface='local'
uci set dhcp.local.start='100'
uci set dhcp.local.limit='150'
uci set dhcp.local.leasetime='12h'
# /etc/config/firewall
uci add firewall zone 
uci set firewall.@zone[-1].name='local'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='local'
# /etc/config/network
uci set network.local=interface
uci set network.local.proto='static'
uci set network.local.device='br-local'
uci set network.local.ipaddr='172.31.254.1'
uci set network.local.netmask='255.255.255.0'







  • adding wireless to the bridge
    • you can also repeat for 5ghz but 2.4 should be sufficient
    • go to network/wireless and click add on the radio in question.
    • pick an arbitrary ESSID and under the network drop down select the 'local' network
    • select wireless security and a password
    • of note is the rest of the parameters should already be set and be the same as what you already have set up with your other wifi network.
# /etc/config/wireless
uci set wireless.wifinet2=wifi-iface
uci set wireless.wifinet2.device='radio0'
uci set wireless.wifinet2.mode='ap'
uci set wireless.wifinet2.ssid='arbitrarySSID'
uci set wireless.wifinet2.encryption='sae'
uci set wireless.wifinet2.key='arbitrarypassword'
uci set wireless.wifinet2.network='local'



You should now be able to connect to your wireless network.
Once confirmed I also suggest backing up this config so you can revert to this state if it all goes wrong with the next part.

I will write the next reply on the assumption that you have the above completed.
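
A pre-flight check for the fallback network built in the steps above, as an added example that is not part of the original post: it reads `uci show` style text and fails if the bridge, static interface, firewall zone, DHCP pool or encrypted access point is missing. The function names, the sample text and the section indexes in it are constructed, and the sample assumes `uci show` prints anonymous sections as `@device[N]` / `@zone[N]`.

```shell
# Added example (not from the original post): verify the fallback management network before br-lan is changed.
# Constructed sample: what `uci show` is assumed to print once the steps above are applied.
sample_config() {
cat <<'EOF'
network.@device[1].type='bridge'
network.@device[1].name='br-local'
network.@device[1].bridge_empty='1'
network.local.proto='static'
network.local.device='br-local'
network.local.ipaddr='172.31.254.1'
firewall.@zone[2].name='local'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='local'
dhcp.local.interface='local'
wireless.wifinet2.mode='ap'
wireless.wifinet2.encryption='sae'
wireless.wifinet2.key='arbitrarypassword'
wireless.wifinet2.network='local'
EOF
}
# check_fallback IFACE BRIDGE: reads config text on stdin, returns 0 only if every check passes.
check_fallback() {
    awk -v ifc="$1" -v br="$2" -v q="'" '
    function need(key, want, msg) { if (cfg[key] != want) { print "FAIL: " msg; bad = 1 } }
    {
        p = index($0, "="); if (!p) next
        k = substr($0, 1, p - 1); v = substr($0, p + 1); gsub(q, "", v); cfg[k] = v
        # anonymous sections are located by value, since their index differs per router
        if (k ~ /^network\.@device\[[0-9]+\]\.name$/ && v == br)  dev  = substr(k, 1, length(k) - 5)
        if (k ~ /^firewall\.@zone\[[0-9]+\]\.name$/  && v == ifc) zone = substr(k, 1, length(k) - 5)
        if (k ~ /^wireless\.[^.]+\.network$/         && v == ifc) wifi = substr(k, 1, length(k) - 8)
    }
    END {
        need(dev ".type", "bridge", br " is not defined as a bridge")
        need(dev ".bridge_empty", "1", "bridge_empty is not set on " br)
        need("network." ifc ".proto", "static", ifc " is not a static interface")
        need("network." ifc ".device", br, ifc " is not attached to " br)
        need(zone ".input", "ACCEPT", "zone " ifc " does not accept input, LuCI/SSH unreachable")
        need(zone ".forward", "REJECT", "zone " ifc " forwards traffic, management not isolated")
        need("dhcp." ifc ".interface", ifc, "no DHCP pool on " ifc)
        need(wifi ".mode", "ap", "no access point bound to " ifc)
        enc = cfg[wifi ".encryption"]
        if (enc == "" || enc == "none" || cfg[wifi ".key"] == "") { print "FAIL: fallback SSID is open or has no key"; bad = 1 }
        exit bad
    }'
}
sample_config | check_fallback local br-local && echo "fallback network OK"
```

On the router the same function can be fed live configuration with `{ uci show network; uci show firewall; uci show dhcp; uci show wireless; } | check_fallback local br-local`.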