Dedicated Router + DumbAPs: add VLANs

Hello guys,

I currently have one single LAN network. In this network is an OpenWrt x86 router without WiFi doing firewall, VPN, DHCP and so on. For WiFi I am using some Archer C7 v2's configured as dumb APs.

Since I am about to add some IOT devices to my network, I would like to get things separated by adding an IOT-VLAN on my main x86 router and a 2nd "VLAN-IOT" WiFi SSID on the 2.4 GHz band on my APs.

I already read the wiki but didn't understand how to do it properly.

Below are the relevant configs of my x86 router and my APs.

router_network
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
    option ifname 'eth2'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option ifname 'eth0.7'
    option proto 'pppoe'
    option username '----'
    option password '----'
    option peerdns '0'
    option dns '185.121.177.177 169.239.202.202'
    option ipv6 '0'

config interface 'modem'
    option ifname 'eth1'
    option proto 'static'
    option ipaddr '192.168.1.2'
    option netmask '255.255.255.0'

ap_network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

ap_wireless

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option htmode 'HT20'
	option country 'DE'
	option path 'platform/ahb/18100000.wmac'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ft_over_ds '1'
	option ssid 'WLAN-TRUSTEDLAN'
	option encryption 'psk2+ccmp'
	option ft_psk_generate_local '1'
	option key '----'
	option ieee80211r '1'

Generally you would need to "enable" the VLAN on the ports to which your APs are connected by marking the ports as "tagged" on your newly created IOT-VLAN (Network -> Switch).

On your APs you do the same: create the IOT-VLAN and mark it as "tagged" on the port that connects to the router.
Then you bridge the wifi VLAN-IOT ssid to the IOT-VLAN.


What you need is called "trunking", and I am sure that there are several posts about similar setups in the forum.

Ok so I just changed the network config on my main router.

config interface 'lan'
    option ifname 'eth2'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'

config interface 'iot'
    option ifname 'eth2.25'
    option proto 'static'
    option ipaddr '192.168.25.1'
    option netmask '255.255.255.0'

After that I configured one wired client to use vlan 25, but I was unable to get an ip address.
For testing I added the iot interface to my lan firewall zone and added another dhcp config for the iot interface.
But the vlan 25 client didn't receive any IP.

The AP's switch needs to be configured to pass each VLAN through from the CPU eth port to the trunk cable.

Don't try to mix tagged and untagged on the cable. Establish a VLAN for your "trusted" LAN network and tag it as well. The process of setting this up has a high risk of losing contact with the AP's OpenWrt due to having something misconfigured and not being able to log in over the Ethernet. To prevent that, temporarily set up a completely separate "management" network that only has a wifi AP and log in by wifi. Then you can do whatever configuration with the Ethernet and you still have access.

So I am not able to run let's say eth2 and eth2.25 over a single wire?
I would need to change eth2 to eth2.1?

All my APs are connected in series from the basement to the top floor. So they basically share one wire coming from the main Router (basement).
I know this is not ideal, but I don't need high bandwidth on my Wi-Fi.

If you use eth2.1 for your LAN, then all devices must be configured to use VLANs, too.

To avoid mixing tagged and untagged, you could try to separate the ports on the router's switch, and dedicate some to LAN devices and some to the APs.

Also my Wi-Fi devices?
Shouldn't my OpenWrt APs be able to "decipher" the VLANs for both my wired and wireless clients?
The Archer C7 has 4 LAN Ports and only one/two will be used to run my lan cable between the routers. These ports will run in tagged mode to support my new VLAN1 (LAN) and VLAN25 (IOT).

I only have 4 LAN Ports on my x86 router: 1x WAN, 2x LAN and 1x Modem-Access.
1 LAN port is connected to the APs in my upper floors and the other LAN port is connected to the AP in the basement. So I don't have any port left that I could dedicate to just a VLAN.

Why not? That is clearly within any definition and works very well on OpenWrt.


Could you tell me how to do this then?

I already gave you the concept above.

If that is not enough info, here is the config I use for adding VLAN101 (port 4 is my trunk where the AP is connected):

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4t'
	option vid '101'

And on the AP the trunk port is 1:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 6t 2 3 4 5 1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '101'
	option ports '6t 2t 1t'

To be honest it is quite easy to configure that in LuCI.

Last step on the AP is to bridge the WLAN to the VLAN.

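The two switch configs above (router trunk on port 4, AP trunk on port 1) and the earlier advice not to mix tagged and untagged traffic on the trunk cable are easy to get wrong, and a wrong `ports` list is exactly what locks you out of the AP. The following checker is an added example, not code from this thread or from OpenWrt: it parses `config switch_vlan` stanzas from a `/etc/config/network` file and reports a VLAN that is not tagged on the trunk, a CPU port that is not tagged, a port untagged in two VLANs, or a port that carries both untagged and tagged VLANs on one cable. The two sample configs are constructed (the "mixed" one is modelled on the VLAN 1 / VID 101 layout posted above), the CPU and trunk port numbers are assumptions, and the strict "everything tagged on the trunk" rule it applies is the conservative one from the thread; a mixed trunk can work, as the config above shows, but the checker flags it.

```python
"""Consistency check for OpenWrt swconfig 'switch_vlan' stanzas on a trunk.

Added example, not code from the thread or from OpenWrt. It parses the
'config switch_vlan' sections of a /etc/config/network file and checks the
points raised in the thread: every VLAN that should reach the AP is tagged
on the trunk port, the CPU port is tagged, no port is untagged in two VLANs,
and no port carries both untagged and tagged VLANs on the same cable.
Both sample configs below are constructed for this example.
"""
import re

# Constructed: VLAN 1 (LAN) untagged on the trunk, VID 101 (IoT) tagged on it.
SAMPLE_MIXED = """
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '0t 2 3 4'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '101'
    option ports '0t 4t'
"""

# Constructed: both VLANs tagged on trunk port 4; ports 2 and 3 stay untagged LAN.
SAMPLE_ALL_TAGGED = SAMPLE_MIXED.replace("'0t 2 3 4'", "'0t 2 3 4t'")

CPU_PORT, TRUNK_PORT = 0, 4   # assumed layout: port 0 = CPU, port 4 = cable to the AP


def parse_switch_vlans(text):
    """Return [{'vid': int, 'tagged': set, 'untagged': set}, ...] from UCI text."""
    sections, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\S+)", line)
        if m:
            current = {} if m.group(1) == "switch_vlan" else None
            if current is not None:
                sections.append(current)
            continue
        m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    vlans = []
    for s in sections:
        tagged, untagged = set(), set()
        for p in s.get("ports", "").split():
            (tagged if p.endswith("t") else untagged).add(int(p.rstrip("t")))
        # 'vid' is the 802.1Q tag on the wire; it defaults to the 'vlan' index.
        vid = int(s.get("vid") or s["vlan"])
        vlans.append({"vid": vid, "tagged": tagged, "untagged": untagged})
    return vlans


def check_trunk(vlans, cpu_port=CPU_PORT, trunk_port=TRUNK_PORT):
    """Return a list of problem strings; an empty list means the trunk is consistent."""
    problems = []
    untagged_owner = {}      # port -> the single VID it is untagged (PVID) in
    for v in vlans:
        vid = v["vid"]
        if trunk_port not in v["tagged"]:
            problems.append(f"VID {vid}: trunk port {trunk_port} is not tagged ('{trunk_port}t')")
        if cpu_port in v["untagged"]:
            problems.append(f"VID {vid}: CPU port {cpu_port} must be tagged ('{cpu_port}t')")
        elif cpu_port not in v["tagged"]:
            problems.append(f"VID {vid}: CPU port {cpu_port} is not a member")
        for p in v["untagged"]:
            if p in untagged_owner:
                problems.append(f"port {p}: untagged in both VID {untagged_owner[p]} and VID {vid}")
            untagged_owner[p] = vid
    tagged_anywhere = set().union(*(v["tagged"] for v in vlans)) if vlans else set()
    for p in sorted(tagged_anywhere & set(untagged_owner)):
        if p != cpu_port:
            problems.append(f"port {p}: mixes untagged VID {untagged_owner[p]} with tagged VLANs")
    return problems


if __name__ == "__main__":
    for name, cfg in (("mixed", SAMPLE_MIXED), ("all tagged", SAMPLE_ALL_TAGGED)):
        print(name, check_trunk(parse_switch_vlans(cfg)) or "OK")
```

Run it against the router's and the AP's switch sections separately (with that device's own CPU and trunk port numbers), ideally before committing the change from the wireless-only management path described earlier in the thread, so a mistake in the `ports` line shows up as a message instead of a lost connection.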

WiFi devices do not use VLANs, but you can bridge a SSID to a VLAN.

I have now successfully configured the VLAN 107 (IOT) on my X86 router and my 3 Archer APs.
As @faser pointed out, there was no need to change anything about my main LAN network; it is still just eth2 for lan and now the extra eth2.107 for my iot-vlan.

My problem now is that I would like to have access to my VLAN107 from my LAN.
VLAN107 shall not be able to access anything in my main network. Right now, the only thing I can access from VLAN107 is WAN and the web interface of my x86 router, but only using its LAN IP address.

relevant firewall config
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config forwarding
    option src 'lan'
    option dest 'wan'

config zone
    option name 'iot'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'iot'

config forwarding
    option src 'iot'
    option dest 'wan'

#config forwarding --> not working
#    option src 'lan'
#    option dest 'iot'

So I played around for a few hours now.

config forwarding
    option src 'lan'
    option dest 'iot'

This is what I want but it is not working. Clients in my LAN network cannot access anything in the IOT vlan. All network requests time out or the target is unreachable.

config forwarding
    option src 'iot'
    option dest 'lan'

This is working perfectly fine but it is not what I want. Clients in my IOT vlan can access everything in my main LAN network. But I only want my LAN clients to be able to connect to my IOT vlan.

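The asymmetry asked for here (LAN may open connections to IoT, IoT may not open connections to LAN) is exactly what a single `forwarding` from `lan` to `iot` gives on OpenWrt, because the firewall is stateful: replies belonging to a connection that LAN opened are accepted by the established/related rule before any zone policy is consulted, so no reverse forwarding is needed. The model below is an added example, not code from this thread or from OpenWrt's firewall. It parses the zone and forwarding stanzas of a constructed `/etc/config/firewall` (modelled on the zones posted in this thread, with `wg_server` in the `lan` zone) and replays the thread's cases through a tiny connection-tracking table; the `flow` argument stands in for the real 5-tuple. The `iot` zone's `forward` option is set to `REJECT` in the sample because that option only governs traffic between networks inside the same zone, which a single-network zone never has.

```python
"""Stateful model of OpenWrt zone forwarding.

Added example, not code from the thread or from OpenWrt's firewall. It parses
zone and forwarding sections of /etc/config/firewall and simulates the
decision the router makes for a forwarded packet: a new connection needs a
matching 'forwarding' (or the zone's own 'forward' policy when both networks
sit in the same zone), while replies to an established connection are always
allowed, which is why a single lan -> iot forwarding lets LAN clients reach
IoT devices without letting IoT devices open connections into the LAN.
The sample config is constructed, modelled on the thread's zones.
"""
import re

SAMPLE_FIREWALL = """
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option network 'wan'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan wg_server'

config zone
    option name 'iot'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'iot'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'iot'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'iot'
"""


def parse_uci_sections(text):
    """Split UCI text into a list of dicts: {'_type': section type, option: value, ...}."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\w+)", line)
        if m:
            sections.append({"_type": m.group(1)})
        elif sections:
            m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
            if m:
                sections[-1][m.group(1)] = m.group(2)
    return sections


class ZoneFirewall:
    """Simplified fw3/fw4 semantics: zones, forwardings and a connection-tracking table."""

    def __init__(self, text):
        self.zone_of = {}         # network name -> zone name
        self.intra_policy = {}    # zone name -> 'forward' option (between its own networks)
        self.forwardings = set()  # (src zone, dest zone) pairs allowed to open connections
        for s in parse_uci_sections(text):
            if s["_type"] == "zone":
                self.intra_policy[s["name"]] = s.get("forward", "REJECT")
                for net in s.get("network", "").split():
                    self.zone_of[net] = s["name"]
            elif s["_type"] == "forwarding":
                self.forwardings.add((s["src"], s["dest"]))
        self.conntrack = set()    # established flows as (src network, dst network, flow id)

    def new_connection_allowed(self, src_net, dst_net):
        """Policy decision for the first packet of a flow between two networks."""
        src, dst = self.zone_of[src_net], self.zone_of[dst_net]
        if src == dst:
            return self.intra_policy[src] == "ACCEPT"
        return (src, dst) in self.forwardings

    def forward(self, src_net, dst_net, flow):
        """Return True if the packet is forwarded. 'flow' stands in for the 5-tuple."""
        if (src_net, dst_net, flow) in self.conntrack or (dst_net, src_net, flow) in self.conntrack:
            return True   # ESTABLISHED/RELATED: accepted before any zone policy is consulted
        if self.new_connection_allowed(src_net, dst_net):
            self.conntrack.add((src_net, dst_net, flow))
            return True
        return False


def demo():
    """Walk through the thread's cases; returns a dict of decisions."""
    fw = ZoneFirewall(SAMPLE_FIREWALL)
    return {
        "lan opens tcp/8123 to iot": fw.forward("lan", "iot", "tcp/8123"),
        "iot replies on that flow": fw.forward("iot", "lan", "tcp/8123"),
        "iot opens tcp/22 to lan": fw.forward("iot", "lan", "tcp/22"),
        "wg client opens tcp/8123 to iot": fw.forward("wg_server", "iot", "tcp/8123"),
        "wg client opens tcp/445 to lan": fw.forward("wg_server", "lan", "tcp/445"),
        "iot opens udp/123 to wan": fw.forward("iot", "wan", "udp/123"),
        "wan opens tcp/80 to iot": fw.forward("wan", "iot", "tcp/80"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT':7} {case}")
```

The `wg_server` cases show the side effect of putting the WireGuard interface into the `lan` zone: tunnel clients inherit every `lan` forwarding, including the one into `iot`, so once the firewall allows LAN to IoT, nothing on the router side blocks VPN clients either.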

Ok I made some progress.

The rule below is now working! I don't really know what has been the issue.

config forwarding
    option src 'lan'
    option dest 'iot'

However...
I am still unable to access the IOT-VLAN remotely using WireGuard.

relevant firewall config
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan wg_server'

config forwarding
    option src 'lan'
    option dest 'wan'


config rule
    option name 'Allow-Wireguard-Server'
    option src 'wan'
    option dest_port '50001'
    option proto 'udp'
    option target 'ACCEPT'

relevant network config
config interface 'lan'
    option ifname 'eth2'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'

config interface 'iot'
    option ifname 'eth2.25'
    option proto 'static'
    option ipaddr '192.168.25.1'
    option netmask '255.255.255.0'

config interface 'wg_server'
    option proto 'wireguard'
    option private_key '----'
    list addresses '192.168.56.1/24'
    option listen_port '50001'

EDIT:
I just sorted it out. I had to add the IOT-VLAN subnet in my WireGuard configs to the "AllowedIPs" option.
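That fix is worth spelling out, because the symptom looks like a firewall problem while the cause sits entirely on the client: with wg-quick, a peer's `AllowedIPs` is both the list of prefixes routed into the tunnel and the filter for which destinations may be sent to that peer, so a subnet that is missing from it never leaves the client, no matter what the router's firewall forwards. The script below is an added example, not code from this thread or from WireGuard. It parses a constructed client-side config modelled on the addressing used here (tunnel 192.168.56.0/24, LAN 192.168.0.0/24, IoT VLAN 192.168.25.0/24), with placeholder keys and a placeholder endpoint, and reports which router-side subnets the client would not send into the tunnel before and after the IoT subnet is added.

```python
"""Check which router-side subnets a WireGuard client config routes into the tunnel.

Added example, not from the thread or from WireGuard. On the client side the
peer's AllowedIPs is both the crypto-key routing filter and (with wg-quick)
the list of prefixes routed into the tunnel, so a subnet missing from it is
unreachable even when the router's firewall would forward it.
The client configs are constructed; keys and the endpoint are placeholders.
"""
import ipaddress
import re

CLIENT_CONF_BEFORE = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 192.168.56.10/24

[Peer]
PublicKey = <router-public-key-placeholder>
Endpoint = router.example.invalid:50001
AllowedIPs = 192.168.56.0/24, 192.168.0.0/24
PersistentKeepalive = 25
"""

# Same config with the IoT VLAN subnet added, the fix described in the thread.
CLIENT_CONF_AFTER = CLIENT_CONF_BEFORE.replace(
    "AllowedIPs = 192.168.56.0/24, 192.168.0.0/24",
    "AllowedIPs = 192.168.56.0/24, 192.168.0.0/24, 192.168.25.0/24",
)

# Subnets that live behind the router (tunnel, LAN, IoT VLAN), modelled on the thread.
ROUTER_SIDE_SUBNETS = ["192.168.56.0/24", "192.168.0.0/24", "192.168.25.0/24"]


def allowed_ips(conf):
    """Collect every AllowedIPs prefix from all [Peer] sections of a wg config."""
    nets = []
    for m in re.finditer(r"^\s*AllowedIPs\s*=\s*(.+)$", conf, re.MULTILINE):
        for item in m.group(1).split(","):
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def routed_via_tunnel(conf, destination):
    """True if 'destination' (a host or a subnet) falls inside some AllowedIPs prefix."""
    dst = ipaddress.ip_network(destination, strict=False)
    return any(dst.version == net.version and dst.subnet_of(net) for net in allowed_ips(conf))


def missing_subnets(conf, required=ROUTER_SIDE_SUBNETS):
    """Return the required subnets that the client would NOT send into the tunnel."""
    return [s for s in required if not routed_via_tunnel(conf, s)]


if __name__ == "__main__":
    print("before:", missing_subnets(CLIENT_CONF_BEFORE) or "nothing missing")
    print("after: ", missing_subnets(CLIENT_CONF_AFTER) or "nothing missing")
    print("192.168.25.50 via tunnel after fix:", routed_via_tunnel(CLIENT_CONF_AFTER, "192.168.25.50"))
```

The same check applies when a client uses `AllowedIPs = 0.0.0.0/0` (everything is covered, so the IoT subnet is reachable without listing it), and it is a quick thing to run on a client's config before suspecting the router's zones and forwardings.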
