Creating VLANs on OpenWrt Router 23.05.04

Hello,

I was hoping someone would be able to walk me through how to set up a VLAN configuration for my home network within the LuCi interface (version 23.05.04). I would like to create three SSIDs (IoT, Main, and Guest) and 2 separate PC (connected via ethernet only) VLANs. I would like all 5 of these VLANs completely isolated from each other. Please see the diagram below.

Thank you for any assistance!

You can create new networks for the guest and iot networks quite easily using the guest wifi wiki tutorial.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

With that, you can also create the separated ethernet network -- it'll just need a few minor tweaks. The details of those tweaks depend on your device.

All that said, try the guest wifi link above and see if that gets you going. If you run into issues or have questions, or if you get through it and just need guidance to get the ethernet network to function as desired, we'll need to see the config to assist at that point.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you for the fast reply! I will take a look at that link.

That documentation in your link is great, even for new kids on the O-Wrt block:-}
I was searching for such functionality for Smart home devices and some streaming devices.
Now I do have some further questions:
Do I need to set up a separate DHCP server for each VLAN? Will that stress my router much, or is that no problem at all?
For the streaming devices I need to set that VLAN to be only allowed (outgoing) via Wireguard VPN. Is that a big story?
I assume I first set up that VLAN as described in the documentation, and in a second step I can add the VPN functionality, correct?

Thanks

Typically, yes. It's not required if you configure each of the client devices manually, but that is an uncommon and often inconvenient method. So, yes, normally a DHCP server is enabled per-VLAN.

No stress... it's quite simple.

If you want to have different networks egress via different interfaces (i.e. normal wan vs VPN), it's not complicated, but you need to use Policy Based Routing.

Not exactly sure what you mean here, but typically it's best practice to set up your networks, prove they are working in general, then add the VPN (and PBR) to steer them to the desired outbound interface. This is just so that you have confidence that things are working at each step, and it makes troubleshooting easier.

Thanks a lot
To the last point: yes, exactly what I meant. I first set up the two or even three VLANs, and later I will add VPN and PBR functionality to one of the VLANs for some streaming devices/IPs exclusively.
You added a link for the PBR function; is there also such a document available on how to add a Wireguard VPN (I am using Cyberghost) to a VLAN?

Obviously, you'll use the addresses and public key from the VPN service provider, and you'll need the private/public key pair for your side. Depending on how the service works, you'll either generate your own pair and then exchange the public key, or it's possible that they generate the key pairs for you and you download the private key.

I need to come back to the VLAN and DHCP server.
I'm planning to set up my new infrastructure using a separate DSL modem and 3 Cudy WR3000s, and flashing my existing TPLink EAP 225 v3 outdoor also to Open-WRT, whereby the first is the main router and the others are linked via ethernet backhaul. So I would like to structure my home network a bit and get rid of the all-in-one devices only offering simple settings.
Questions:

  1. Is there also a guide how to setup the ethernet backhaul, or is it enough to just set the second row routers as access points and change the WLAN channels trying not to overlap (a bit tricky with 4 Routers)?
  2. When setting up different VLANs and DHCP servers, is this all happening on the main router, or does it maybe make sense to use the second row routers for such as well?
  3. Is it even possible to use a second row router/AP as a VPN client?

No, but I just finished helping someone do the same thing. Your devices may be a bit different, but start by reading this thread and then ask questions as they come up.

All on the main router. The rest will be transparent bridges.

Yes, but it is more complicated and may not work the way you want.

Maybe you can advise me a bit on the generic settings for my devices? I do have a modem in bridge mode.
Next will be the open-wrt router serving DHCP, 2.4 and 5 GHz Wlan and Ethernet. So I assume I won't have trouble with double NAT.
I will connect 3 further Open-WRT devices via Lan.
Now some questions:
Is this backhaul, or am I missing something?
Should I define the other devices as AP without DHCP?
What about the SSID for all devices: all the same, all the same per frequency, all different per device? What is your recommendation, taking into consideration that I will later set up some VLANs and was assuming these VLANs will be available on each of these devices?

If the modem is set to bridge mode, your OpenWrt router will get the ISP issued IP address on its wan. Therefore, no double NAT (unless the ISP issued address is not actually a public IP). But double NAT isn't really a big problem for most users anyway.

If you're connecting via ethernet, we call that wired/ethernet backhaul.

Yes. Follow the bridged AP tutorial.

  • Same SSID
  • Same encryption type
  • Same passphrase
  • Different, non-overlapping channels on neighboring APs
  • (Often) reduced power levels on each of the APs to provide sufficient coverage for each area but minimizing the overlap region.
  • Here is a great video that explains how to tune your APs (it references Unifi, but the same concepts apply)

This doesn't affect the radio configuration. And nothing discussed thus far would hinder the deployment of VLANs.
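As an added example (not from this thread or from the OpenWrt project), the following shows how the bridged-AP setup recommended above can also carry a separate IoT VLAN over the wired backhaul, so the same IoT SSID can be broadcast from both the main router and the AP while the main router stays the only place with DHCP and firewall rules. It assumes DSA-style port names (lan1 is the backhaul/trunk port on both devices, lan2 is a spare port), VLAN ID 10 for IoT, a 192.168.1.0/24 management LAN and a 192.168.10.0/24 IoT subnet; all of these are assumptions, and devices that still use swconfig need the older `config switch_vlan` syntax instead.

```uci
# ---- main router: /etc/config/network (additions) ----
# Adding bridge-vlan sections turns br-lan into a VLAN-filtering bridge.
# VLAN 1 stays untagged on every port (u* = untagged + PVID).
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

# VLAN 10 leaves the router tagged, and only on the backhaul port.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'

# The lan interface now attaches to the VLAN sub-device, not to br-lan itself.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# The IoT interface gets its own VLAN sub-device; its DHCP pool and
# firewall zone are configured exactly like a guest network.
config interface 'iot'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# ---- AP: /etc/config/network ----
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'

# Management address so the AP stays reachable; gateway and DNS are the main router.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# The AP has no address on the IoT network; it only bridges wifi clients onto VLAN 10.
config interface 'iot'
	option device 'br-lan.10'
	option proto 'none'

# ---- AP: /etc/config/dhcp ----
# The AP must never hand out leases; the main router is the only DHCP server.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

# ---- AP: /etc/config/wireless (repeat with 'radio1' for the other band) ----
config wifi-iface 'iot_2g'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'CHANGE-ME-iot-passphrase'
	option isolate '1'
```

On the AP, the bridged AP tutorial additionally stops the dnsmasq, odhcpd and firewall services, which this fragment does not replace. A quick check after a network restart on both devices: a phone joined to the AP's IoT SSID should receive a 192.168.10.x lease from the main router. If it gets a 192.168.1.x address instead, the wifi-iface is attached to the wrong network; if it gets nothing, the tagging of VLAN 10 on lan1 does not match on both ends of the backhaul.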

OK, but how to handle e.g. a separate VLAN for some WLAN Smart home devices?
I would like to have them in a separate VLAN or WLAN, don't understand fully the logic of VLANs yet. Is it not necessary to use separate SSID for that?
So far I am separating these devices by assigning fixed IPs in the device, e.g. tasmota flashed devices, but stupid Tuya devices land somewhere and don't even share their names....

In OpenWrt the term "VLAN" specifically refers to tagged packets on an Ethernet cable and/or inside an Ethernet switch. In other networking OS it is often applied to the general concept of separate networks even if they are not distributed by tagging and sharing an Ethernet cable.

If your IoT network is wifi only (no Ethernet) you would create a new Bridge for it (optional, but needed if you want IoT on both bands of a dual band router) and an Interface for it. This is a separate network and separate SSIDs would be used.
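As an added example (not from this thread or from the OpenWrt project) of the "new Bridge plus Interface" layout just described, and of the earlier answer that each network normally gets its own DHCP pool and stays isolated by the firewall, here is a wifi-only IoT network on the main router that appears on both bands. It assumes radios named radio0 and radio1, the 192.168.20.0/24 subnet, the SSID "IoT" and a placeholder passphrase; adjust all of these to your own setup.

```uci
# /etc/config/network (added sections)
# A bridge with no Ethernet ports: only the two wifi-ifaces below join it,
# which is what places the IoT SSID of both bands into one network.
config device
	option name 'br-iot'
	option type 'bridge'

config interface 'iot'
	option device 'br-iot'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp (added section)
# One pool per network; the existing dnsmasq serves all of them, so no
# extra daemon or noticeable load is involved.
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall (added sections)
# A zone of its own. forward REJECT means nothing reaches any other zone
# (lan, guest, the PC VLANs) unless a 'forwarding' section allows it,
# and the only one here is iot -> wan.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

# input REJECT would also block DHCP and DNS to the router itself,
# so exactly those two services are opened; LuCI and ssh stay closed.
config rule
	option name 'Allow-DHCP-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# /etc/config/wireless (added sections, one per radio)
# isolate=1 additionally keeps IoT clients on the same SSID from seeing each other.
config wifi-iface 'iot_2g'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'CHANGE-ME-iot-passphrase'
	option isolate '1'

config wifi-iface 'iot_5g'
	option device 'radio1'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'CHANGE-ME-iot-passphrase'
	option isolate '1'
```

Repeating the same four pieces (bridge, interface, DHCP pool, zone with a single forwarding to wan) for Guest and for each of the two wired PC networks gives five zones that can each reach the internet and nothing else, which is the "completely isolated" layout asked for at the top of the thread. The point to watch is the zone: putting several networks into one zone with forward ACCEPT, or adding a forwarding section between two client zones, silently undoes the isolation. After a network and firewall restart, a device on the IoT SSID should get a 192.168.20.x lease, resolve names, reach the internet, and get a connection refused when it tries 192.168.1.1 on port 80 or 22.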