I currently have one single LAN network. In this network is an OpenWrt x86 router without WiFi doing firewall, vpn, dhcp,... and so on. For WiFi I am using some Archer C7 v2's configured as dumb APs.
Since I am about to add some IOT devices to my network I would like to get things separated by adding an IOT-VLAN on my main x86 router and a 2nd "VLAN-IOT" wifi ssid on the 2.4 GHz band on my APs.
I already read the wiki but didn't understand how to do it properly.
Below are the relevant configs of my x86 router and my APs.
Generally you would need to "enable" the VLAN on the ports to which your APs are connected by marking the ports as "tagged" on your newly created IOT-VLAN (Network -> Switch).
On your APs you do the same, create the IOT-VLAN and mark it as "tagged" on the port that connects to the router.
Then you bridge the wifi VLAN-IOT ssid to the IOT-VLAN.
After that I configured one wired client to use vlan 25, but I was unable to get an ip address.
For testing I added the iot interface to my lan firewall zone and added another dhcp config for the iot interface.
But the vlan 25 client didn't receive any IP.
The AP's switch needs to be configured to pass each VLAN through from the CPU eth port to the trunk cable.
Don't try to mix tagged and untagged on the cable. Establish a VLAN for your "trusted" LAN network and tag it as well. The process of setting this up has a high risk of losing contact with the AP's OpenWrt due to having something misconfigured and not being able to log in over the Ethernet. To prevent that, temporarily set up a completely separate "management" network that only has a wifi AP and log in by wifi. Then you can do whatever configuration with the Ethernet and you still have access.
So I am not able to run let's say eth2 and eth2.25 over a single wire?
I would need to change eth2 to eth2.1?
All my APs are connected in series from the basement to the top floor. So they basically share one wire coming from the main Router (basement).
I know this is not ideal, but I don't need high bandwidth on my Wi-Fi.
Also my Wi-Fi devices?
Shouldn't my OpenWrt APs be able to "decipher" the VLANs for both my wired and wireless clients?
The Archer C7 has 4 LAN Ports and only one/two will be used to run my lan cable between the routers. These ports will run in tagged mode to support my new VLAN1 (LAN) and VLAN25 (IOT).
I only have 4 LAN Ports on my x86 router: 1x WAN, 2x LAN and 1x Modem-Access.
1 LAN port is connected to the APs in my upper floors and the other LAN port is connected to the AP in the basement. So I don't have any port left that I could dedicate to just a VLAN.
I have now successfully configured the VLAN 107 (IOT) on my X86 router and my 3 Archer APs.
As @faser pointed out there was no need to change anything about my main lan network, it is still just eth2 for lan and now the extra eth2.107 for my iot-vlan.
My problem now is that I would like to have access to my VLAN107 from my LAN.
VLAN107 shall not be able to access anything in my main network. Right now, the only thing I can access from VLAN107 is WAN and the webinterface of my x86 router but only using its LAN ip address.
Relevant firewall config:

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

#config forwarding --> not working
#	option src 'lan'
#	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'iot'
This is what I want but it is not working. Clients in my LAN network cannot access anything in the IOT vlan. All network requests time out or the target is unreachable.
config forwarding
	option src 'iot'
	option dest 'lan'

This is working perfectly fine but it is not what I want. Clients in my IOT vlan can access everything in my main LAN network. But I only want my LAN Clients to be able to connect to my IOT vlan.
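As an added example (not the thread's own configuration), here is an /etc/config/firewall fragment for the layout described above that expresses the stated goal: LAN may open connections into the IoT VLAN, the IoT VLAN gets internet but cannot initiate anything toward LAN or the router, apart from the DHCP and DNS it needs. It assumes the 'lan' and 'iot' networks (eth2 and eth2.107) already exist in /etc/config/network and that the 'wan' zone is unchanged.

```uci
# Added example, not the thread's own config. Assumes interfaces 'lan'
# (eth2) and 'iot' (eth2.107) are defined in /etc/config/network.

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'iot'
	# IoT devices may not talk to the router itself; DHCP and DNS are
	# re-enabled by the explicit rules below.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'iot'

# LAN clients may open connections into the IoT VLAN. The stateful
# firewall lets the replies back without allowing new iot -> lan sessions.
config forwarding
	option src 'lan'
	option dest 'iot'

# IoT devices may still reach the internet.
config forwarding
	option src 'iot'
	option dest 'wan'

# Router services the IoT VLAN does need: DHCP (udp 67-68) and DNS (53).
config rule
	option name 'Allow-DHCP-IoT'
	option src 'iot'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-IoT'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

With input set to REJECT on the iot zone, the router's web interface is no longer reachable from VLAN107 at all, even via the LAN address. Apply with /etc/init.d/firewall restart and check the live ruleset from a LAN client before relying on it.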