Different VLANs on WiFi possible?

Ok, I’m an OpenWRT noob and wonder if the following scenario is possible, maybe the hardware doesn’t even allow it.

I have an Archer C7, currently running Gargoyle. I would like to separate my WiFi IoT devices and guests (also isolated from each other) from my other WiFi device. In Gargoyle the ‚normal‘ WiFi and Guest WiFi don’t have any VLAN tagging options. Does OpenWRT allow this or is it even possible?

I want to avoid using a second AP just for that.

The OpenWRT would then be plugged into an OPNSense box where IoT devices will then be allowed to talk to e.g. the MQTT broker on LAN.

VLANs (802.1q) are really a standard/description of what happens over traditional ethernet, and not wifi (which doesn't include a standard for tagging frames over wireless). However, this may be more pedantic than the actual intent of your question... if I understand the premise properly, you're really just looking for the ability to create 2 or more isolated networks.

Yes, OpenWrt can handle this... it can be done in a few ways, depending on your network topology and goals. Typically, I recommend that the main router handle all the routing/firewall functions, so that would presumably be your OPNSense device... you'd create the networks there and the firewall on that device would be responsible for allowing and/or blocking the inter-network routing (keeping your networks isolated and/or allowing them to communicate with whatever granularity you need to meet your goals). If the OpenWrt device is acting as a dumb AP, it will be connected to the OPNSense box via a trunk (i.e. a cable carrying multiple networks using VLANs), and then you'll create wifi SSIDs and assign each to the appropriate network. OpenWrt will not change the level of isolation between the multiple networks since it will be controlled by the main router.

If you want specific help, a diagram of your network topology would be helpful. But in general, yes -- go ahead and install OpenWrt -- it will do what you want.

So do I understand you correctly, I just create my ‚normal‘ WLAN and a Guest WLAN with client isolation and do the rest in OPNSense?

(I assume I could just keep using Gargoyle in that case?)

But how does OPNSense know which WLAN device came from which WLAN network? The SSIDs are not in the packets, are they?

The network topology is pretty simple.
WAN Router > OPNSense ETH0
GS716T Switch > ETH1
Archer C7 > OPNSense ETH2

On the OpenWrt device, you set up your VLAN tagged bridges (all but the management interface as proto=none) and connect your wireless AP interfaces to them, the rest is done by the router (and transported further by the switches upstream of it). The central router makes all the decisions (and does the inter-VLAN routing).


So there’s e.g. a VLAN 5 tagged bridge for the main WiFi and a VLAN 6 tagged bridge for the guest WiFi network? Do these bridges require a physical LAN port each or can I go with one trunk into the OPNSense box?

You can use a single trunk. VLANs 5 and 6 would both be tagged on the trunk from your upstream device (likely the switch)... you'd configure your OpenWrt device to have those same two VLANs tagged on the physical port used for the trunk. Each of those VLANs will then be assigned to a bridge, and then the bridge to a network. One of the networks is likely the one you'd be using for management of the OpenWrt device itself... for that, you'd set up a network protocol of static or dhcp. For the other, you'd set up a protocol of 'none' (unmanaged). Then you'd associate each network with an SSID and you're done.

I don't know the capabilities of Gargoyle. If it has the same functionality as we're describing for OpenWrt, you could use it if you want (but in that case, you'll need to use the Gargoyle forums for help).
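The layout described in the replies above (one tagged bridge per VLAN, every network except management set to proto 'none', each SSID attached to one network) can be checked mechanically. The following is an added example, not part of the original thread or of OpenWrt: a Python check over constructed UCI config text, where the interface names, SSIDs and the eth0.5/eth0.6 trunk sub-interfaces are assumptions.

```python
import shlex
# Constructed dumb-AP config (names, SSIDs and eth0.N trunk ports are assumptions).
NETWORK = """
config device
    option name 'br-main'
    option type 'bridge'
    list ports 'eth0.5'
config device
    option name 'br-guest'
    option type 'bridge'
    list ports 'eth0.6'
config interface 'lan'
    option device 'br-main'
    option proto 'dhcp'
config interface 'guest'
    option device 'br-guest'
    option proto 'none'
"""
WIRELESS = """
config wifi-iface 'main_ap'
    option ssid 'Home'
    option network 'lan'
config wifi-iface 'guest_ap'
    option ssid 'Guest'
    option network 'guest'
"""

def parse_uci(text):
    """Parse UCI text into [type, name, options] sections ('list' values become lists)."""
    out = []
    for tok in (shlex.split(line, comments=True) for line in text.splitlines()):
        if tok and tok[0] == "config":
            out.append([tok[1], tok[2] if len(tok) > 2 else "", {}])
        elif tok and tok[0] in ("option", "list"):
            sec = out[-1][2]
            sec[tok[1]] = tok[2] if tok[0] == "option" else sec.get(tok[1], []) + [tok[2]]
    return out

def audit(network, wireless, mgmt="lan"):
    """Return findings where the AP config departs from the layout in the thread."""
    net = parse_uci(network)
    ports = {o.get("name"): o.get("ports", []) for t, _, o in net if t == "device"}
    ifaces = {n: o for t, n, o in net if t == "interface"}
    # Only the management network may give the AP an address; the rest stay unmanaged.
    bad = [f"{n}: proto is not none" for n, o in ifaces.items() if n != mgmt and o.get("proto") != "none"]
    for t, _, o in parse_uci(wireless):
        dev = ifaces.get(o.get("network"), {}).get("device")
        if t == "wifi-iface" and not any(p.rpartition(".")[2].isdigit() for p in ports.get(dev, [])):
            bad.append(f"{o.get('ssid')}: not on a tagged trunk port")
    return bad
```

An empty result from `audit(NETWORK, WIRELESS)` means every SSID leaves the AP tagged and only the management network has an address on the AP, so the upstream firewall sees each SSID as its own VLAN.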

Hmm ok I’ll think about it and have a look. I’ll probably revisit this thread in a few weeks because I’m waiting for the new OPNSense box that replaces my pfSense and once that is up and running I’ll upgrade my Archer C7 and try this new Wifi setup.

Thanks for the helpful info so far, I might have to pick your brains again soon.

Cheers

See these excellent videos for VLANs to accomplish what you want: https://openwrt.org/docs/guide-user/network/wifi/dumbap#external_videos_for_reference
