DSA and VLANs help

I apologize up front because I know this is a very rudimentary question but I have never done VLANs before and I have read everything I can on VLANs, DSA, Tagging, untagged, PVID, etc. and I’m just having a hard time getting the details right.

I have a router (no WiFi) running 25.12 and an access point (not OpenWrt) that supposedly can handle VLANs. My end goal is to have an isolated guest WiFi on the AP that can’t reach any LAN devices. The setup is as follows:

  • OpenWRT 25.12 router (plain OpenWRT other than added miniUPnP & attended sysupgrade)
  • ISP to WAN port (running IPv4 & IPv6)
  • AP connected to LAN4 (regular WiFi and Guest WiFi)
    • Settings require a VLAN ID of 10 or higher to use VLANs? Not sure why
  • Unmanaged switch on LAN1
    • All devices connected to switch are end user devices (untagged traffic)

I have read the mini DSA guide and from what I can figure out I need to send untagged traffic to LAN1 and some tagged traffic to LAN4 but that is about all I am sure about. When I try to implement settings, I lose connectivity and have to reset the router. This is what I’ve tried so far:

  1. Go to Network/interfaces/Devices/Bridge VLAN Filtering
  2. Check “enable VLAN filtering”
  3. Click “add” VLAN button
  4. Set top row to VLAN ID 10, LAN1 set to untagged, LAN4 set to tagged
  5. Save and apply.

At this point I can no longer communicate with the router so clearly something is not right. Can anyone get me pointed in the right direction?

Thank you.

4. Set top row to VLAN ID 10, LAN1 set to untagged, LAN4 set to tagged
5. **Save**
6. Move LAN from br-lan -> br-lan.10
7. **Apply**

Device reverts after 90 seconds, so you don't have to reset. Use any vlan10 device to reach LuCI to prevent the revert.


Will that change of moving LAN to br-lan.10 put all LAN traffic on VLAN10?

Thank you.

EDIT: Do I need to have (2) VLANs? One for guest and one for all normal LAN devices? I thought I could just put guest wifi traffic on VLAN 10 and all other traffic not on that VLAN should work like a normal, basic setup but maybe that isn’t possible.

All, no. Reread the mini DSA guide.

Yes. You must define a main network vlan. Vlan10 = main, vlan20 = guest, vlan30 = iot, etc. For you that means two vlans.

YouTube videos explaining VLANs and guest VLAN setup (ignore the part about the old swconfig VLAN way):
(https://www.youtube.com/watch?v=qeuZqRqH-ug)
(https://www.youtube.com/watch?v=4t_S2oWsBpE&t)


OK, so VLAN 10 for normal LAN and VLAN 20 for guest. How does the tagged/untagged work?

VLAN 10 - LAN1 (untagged) LAN4 (tagged) Lan Port 4 will have both VLAN 10 and 20 traffic. Do I need to use “Is my primary VLAN” at all?

VLAN 20 - LAN1 (not a member) LAN4 (tagged)

Put LAN in br-lan.10. Do I need to create or move anything for br-lan.20?

Thank you!

U* = any non-VLAN-aware device, i.e. computer, printer, etc.
T = any VLAN-aware device: managed switch, VLAN-aware AP, etc.

LAN4 would have T for vlan10 and vlan20. For now, just use primary * for untagged.

Just br-lan.10 for lan. Any guest wifi will be put into vlan20. Watch those YouTube videos as they explain exactly how to set up what you want to achieve.

Do not attempt vlans across/through your unmanaged switch. Everything U* = everything connected is vlan10. Start saving up for a managed switch.

Thank you. This got me really close. I am able to get VLAN 10 working mostly properly. Devices connected to VLAN 10 can access the router and internet properly but they cannot access my access point. So when it is up and running, I cannot get to my AP and do things like update settings or update firmware. Any guesses?

My guest wifi VLAN 20 doesn’t get any internet traffic through to devices. I created a “guest” firewall zone and assigned device br-lan.20 to it with accept, accept, accept to WAN but still couldn’t get internet. Not sure what I am missing with VLAN 20.

Thank you so much for the help. Nice to finally get some progress that doesn’t break anything.

Let’s take a look at the complete config so we can spot where the trouble might be.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
 "kernel": "6.12.71",
        "hostname": "hEX",
        "system": "MediaTek MT7621 ver:1 eco:4",
        "model": "MikroTik RouterBOARD 750Gr3",
        "board_name": "mikrotik,routerboard-750gr3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32713-f919e7899d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 25.12.0 r32713-f919e7899d",
                "builddate": "1772496855"

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8b:c166:572c::/48'
        option packet_steering '2'
        option dhcp_default_duid '0004af4770d08c264ad59671fd44c0e946c2'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.88.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multipath 'off'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.3'
        list dns '1.0.0.3'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option peerdns '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan2:u*'
        list ports 'lan4:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:t'


cat: can't open '/etc/config/wireless': No such file or directory


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option rebind_localhost '1'
        list rebind_domain 'xxx'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option force '1'
        option ra_preference 'medium'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

config host
        option name 'AP3000WiFi'
        option ip '192.168.88.2'
        list mac 'xx'

config host
        option name 'AP3000Lan'
        list mac 'xx'
        option ip '192.168.88.3'



config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'br-lan.10'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'



You do not actually have a network interface declared for your guest network (VLAN 20 is unused). That is a primary issue that needs to be resolved. Obviously you also do not have a DHCP server and firewall configuration for said network, either.

Ports lan3 and lan5 are also unused/undeclared, so these will be expected to be 'dead' ports.

Does your device have a lan1 port? If so, why is it missing from br-lan? Since that port (if it exists) is missing, it would also be non-functional.

You can follow the guest wifi guide, but instead of setting up wifi on this device, you'll use device br-lan.20 for the guest network.

Beyond the stuff above, the only specific error I see is here:

delete the device line -- it doesn't belong here in this firewall zone.

I will make these changes shortly. I will just answer your questions, first.

I know this isn’t a question, but yes. That is correct. lan3 and lan5 are not used.

lan1 is the WAN port.

OK, got those updates made. I now have full internet to VLAN 10 (both wired and wifi) and VLAN 20 (guest wifi). Only 2 issues left:

  1. My AP cannot access the internet itself and I cannot reach its static IPs. So I can’t configure it.

  2. Devices on VLAN 20 (guest WiFi) can access the router.

Do you want me to post all my configuration outputs again?

Yes, please post your configs.

Your AP is not running OpenWrt, so it'll be harder to figure out what is wrong there. But, it should have an address on the same subnet as your main network (192.168.188.0/24). Make sure that all of the necessary information is entered into the config (or use DHCP) -- specifically you need the subnet mask/size, dns, and gateway address.

The AP actually does run OpenWrt, but it's a Cudy AP so it is their spin on OpenWrt.

I was able to restore access to the AP by setting VLAN 10 port lan4 to untagged instead of tagged. I guess the AP only puts VLAN tags on wifi data. Then I started having issues where wifi would disconnect after about 1-2 minutes and I would have to enter wifi password again to reconnect. I’m out of time this evening so reverted back to my old settings and will try again when I have the house to myself again.

Thank you both for all the help!

If your specific device is supported, you may want to consider installing official OpenWrt.

This suggests that the AP was indeed expecting an untagged network.

I don't think that is the way this would work...

Nominally, an AP has just one network with an address. This is the one that is used to manage the device, but it can also be broadcast as a wifi network (for example, if you use your main trusted lan to manage your network devices). The tagged or untagged status of this VLAN simply needs to match that of the upstream (router or managed switch), although there is an opinion that trunk ports should carry only tagged networks. The key is that the two sides match.

Flash vanilla openwrt on AP; pray it is also DSA.

DumbAP guide:
(https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap#method_2configuration_via_luci)

AP
Do the same br-lan.10 filtering on lan and follow the dumb AP guide with br-lan.10; tagged trunk to tagged trunk on the gateway will now work.
Vlan20 unmanaged
Attach vlan20 to whatever guest wifi networks you create.
Attach vlan10 to whatever main wifi networks you create.

Gateway
vlan20 static e.g. 192.168.20.1/24 with dhcp turned on
do firewall zone edits as shown in youtube video for guest

Watch those YouTube videos because all of this is explained in detail in step-by-step instructions.


I think you are right but it is odd that VLAN 10 Wifi data and VLAN 20 wifi data was working properly but I could not get data to the AP itself.

I wanted to try and get this project done without putting OpenWrt on the AP. I felt this would make it easier for me to understand how to implement this for other people/family. I have put mostly everyone (that I help with their network) on an OpenWrt router, but I have a few people with just retail APs that can’t run OpenWrt. But alas, it seems it will just be much easier to put OpenWrt on the AP and move on.

Does your AP have an address on at least one of these VLANs? Either via DHCP or static assignment? Sorry if I missed that part.

I’m not exactly sure but I had configured the OpenWRT router to set the AP LAN mac to have a static IP on the VLAN 10 network (192.168.88.x). I had this setup done before I ever started trying to deal with VLANs. With VLANs enabled, the AP indicated it had no internet access even though VLAN 10 & 20 Wifi both had internet access.

Can you connect to the WiFi with your device and do an arp-scan -l? See if the AP responds with an address, and verify if the device can only see other devices in the same VLAN. You can also install arp-scan on your OpenWRT router and do a scan from there if you prefer. Something like arp-scan -I br-lan.10 -l from the router to scan the tagged VLAN 10 subnet.

Can you confirm if the firewall settings on your router are correct? The guest subnet should be its own zone, and Input should be set to reject or drop if you're using the web interface. Posting configs would be helpful.

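For reference, here is what a complete guest-network definition for br-lan.20 looks like across the three UCI files, covering the missing interface/DHCP/firewall pieces pointed out above and the later question about guest devices reaching the router. This is an added example, not config from the thread participants; it assumes the 192.168.20.1/24 address suggested earlier and the zone name 'guest' the poster already used.

```uci
# /etc/config/network -- the interface that VLAN 20 was missing
config interface 'guest'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp -- a DHCP pool for that interface
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

# /etc/config/firewall -- guest zone: no router access, no LAN access, WAN only
config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# The only forwarding from guest goes to wan; with no guest->lan forwarding
# and forward=REJECT, guest clients cannot reach 192.168.88.0/24.
config forwarding
        option src 'guest'
        option dest 'wan'

# input=REJECT would also block DHCP and DNS on the router itself,
# so allow exactly those two services and nothing else (no LuCI, no SSH).
config rule
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
```

The lan zone keeps only `list network 'lan'`; the stray `list device 'br-lan.10'` line in the posted config should be removed as suggested above, since the zone is already bound through the interface.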