Hello, I'm new to OpenWrt and need some help with the configuration.
I have a main router which serves the following networks on all (lan) ports:
10.0.10.0/24 -> management network, no vlan -> all network devices (switches, APs...) are accessible here
10.0.20.0/24 -> main network, vlan 20 -> laptops, tablets... (wired + wireless)
10.0.30.0/24 -> guest network, vlan 30 -> wireless clients only
10.0.40.0/24 -> iot network, vlan 40 -> isolated iot clients (wired + wireless)
The image is just a simplified view of my network:
Yes, it's still running as seen in the image (without the TL-WR710N)
Unifi UDM Pro SE with firmware 2.x
Doesn't matter for the question, because it's not involved. But all my switches are Unifi US-8-60/-150
Doesn't matter for the question, because they're not involved. But all access points are different Unifi APs
I already wrote this: Latest OpenWrt 22.03.0 (it's a 710, not 701)
I don't need multiple SSIDs, the TL-WR710N shall only add access to my iot network. Nothing more.
Before the question comes up, why I just don't add another Unifi AP: I have a small corner in my house where I don't need wifi except for some IoT devices. This is the cheapest solution for me, because I already had this small router.
Got it. Sorry for asking a few extra questions (especially for the Unifi parts that are tangential). I was trying to understand the whole topology and I wanted to make sure that the VLANs originated on the main router.
Assuming you've already set up a trunk port on your UDM-SE to which the TL-WR710N is connected, it should be pretty straightforward. You stated that the WR710N already has an address in your management network, so all you need to do is set up a bridge for the VLAN on the 710 from ethernet to wifi. The 710 does not need an address on VLAN40, so it will have protocol 'none' (or unmanaged).
If you post the following two config files, I can provide specific details on the changes you need to make (should be simple).
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I'm not sure if the macaddr option is valid or even useful here.
Many/most IoT devices are not going to be able to use WPA3 at all, and there are many devices in general that do not like WPA2/WPA3 mixed mode operation. You may need to use WPA2 (PSK) if you run into connectivity issues with some of your devices.
You have specified the wifi isolation on this SSID. Be aware that it will work to isolate all devices directly connected to this AP, but it will not isolate your IoT devices from those connected to other APs (your Unifi APs) nor will it isolate from any wired IoT devices.
The firewall on your UDM-SE is responsible for isolating the IoT network from the other nets (management/main LAN, guest, etc.).
EDIT: I had made an error with the network setup (now corrected). The network needs to be connected to a bridge device, and eth1.40 will be a member of the bridge. This enables the wifi radio to also connect to the bridge.
I made these changes to my configs, but I'm missing the connection of eth0, which is the LAN port and should also be handled like the wlan0.
Now I tried to connect a device via wifi and this seems to work correctly. -> Thx, first step done
your notes:
I manually set the macaddr option, because OpenWrt automatically gave the same MAC address to eth1 and wlan0, but another one to eth0? Is this the expected behavior?
WPA2/3 mixed mode is currently for testing purposes. You are right that most IoT devices have problems with this configuration
I have firewall rules in the UDM to isolate devices and networks, I thought this option gives an additional layer of security to this AP
To understand your changes:
we created a bridge device which tags the WAN/LAN port eth1 (connected to the main router) with vlan tag 40
then the 'iot' interface connects the 'br-iot' bridge device (tagged eth1 port) and the 'radio0' device
EDIT:
Okay, I just added
config device
	option name 'eth0'
and list ports 'eth0' under config device br-iot
Now I'm also getting a valid 10.0.40.x IP address via eth0
config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth1.40'
	list ports 'eth0'
Yes, probably the expected behavior based on the previous config. It may behave differently now. The actual MAC address assignments should not be an issue even if it does use the same address for both of those interfaces. But if you want them to be different, and assuming the MAC address option you have used is valid, that is fine. (I've never needed to do this, so I can't comment on the validity of the specific line in the config and if it should be located in the network and/or wireless files).
Yes, this is the correct way to implement this. The firewall is obviously required to control inter-VLAN routing. But in the case here, the AP does not have an address on the IoT network, so it cannot be reached from the IoT devices unless it can be routed (via the UDM-SE's firewall/routing engine)... so as long as you've blocked that, you're good.
Correct, that is using the dotted notation eth1.x where x is the VLAN ID. That goes in a bridge which is basically a software switch. This enables switching between the ports and interfaces associated with the bridge.
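The complete set of stanzas the thread arrives at (bridge on the tagged uplink plus the wired port, an unmanaged 'iot' interface, and the WPA2-PSK wifi-iface bound to it), written out as an added example rather than copied from the poster's files. It assumes eth1 is the uplink to the UDM-SE trunk and eth0 the spare LAN port as described above; the 'mgmt' stanza, the SSID and the key value are assumptions and the macaddr option is left out because its validity was not settled in the thread.

```uci
# /etc/config/network (relevant stanzas only)

# Untagged management address on the trunk port (10.0.10.0/24 in the thread).
# Assumed stanza: the poster's own management interface is not shown above.
config interface 'mgmt'
	option device 'eth1'
	option proto 'dhcp'

# Software switch joining the VLAN-40 tagged uplink and the wired LAN port.
# eth1.40 is the dotted notation for VLAN ID 40 on eth1.
config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth1.40'
	list ports 'eth0'

# The AP itself gets no address on the IoT VLAN: proto 'none' only carries
# the bridge, so IoT clients cannot reach the AP unless the UDM-SE routes it.
config interface 'iot'
	option device 'br-iot'
	option proto 'none'

# /etc/config/wireless (wifi-iface only; assumes an existing 'radio0' stanza)

config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	# SSID is an assumed value
	option ssid 'iot'
	# WPA2-PSK rather than sae-mixed: most IoT clients cannot do WPA3/mixed mode
	option encryption 'psk2'
	option key 'CHANGE-ME-PLACEHOLDER'
	# Only separates wireless clients of this AP; isolation from wired IoT
	# devices and from clients on other APs stays with the UDM-SE firewall
	option isolate '1'
```

After editing both files, `/etc/init.d/network restart` and `wifi reload` apply the change; a wired client on eth0 and a wireless client on the SSID should then both receive 10.0.40.x leases from the UDM-SE while the AP keeps only its 10.0.10.x management address.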