Dumb AP with VLAN and DHCP relay

Hello, I'm new to OpenWrt and need some help with the configuration.

I have a main router which serves the following networks on all (lan) ports:

  • management network, no VLAN -> all network devices (switches, APs...) are accessible here
  • main network, VLAN 20 -> laptops, tablets... (wired + wireless)
  • guest network, VLAN 30 -> wireless clients only
  • IoT network, VLAN 40 -> isolated IoT clients (wired + wireless)

Now I want to add my TL-WR710N with openwrt_22.03.0 as a dumb access point, only for IoT devices. The following is configured:

  • Port "eth1 (WAN/LAN)" is configured as DHCP client and gets a 10.0.10.* address from the management network

I need some help with the following configuration:

  • Ports "eth0 (LAN)" and wifi (radio0.*) shall be bridged, and every connected device shall be on the IoT network with VLAN 40.
  • All connected IoT devices shall get their IP via DHCP from the main router via the VLAN 40 network.

The last point is the tricky one; I don't really know how to configure it.

This should be possible by running your APs as dumb APs with VLANs and multiple SSIDs. But there are some questions, first:

  1. Does the main router already have these VLANs setup?
  2. What is the hardware (brand + model) of the main router and what firmware is running on it?
  3. Is switch 1 a managed or unmanaged switch?
  4. What is the hardware (brand + model) of APs 1 and 2, and what firmware is running on them?
  5. What firmware is running on the TL-WR701N?

Hi psherman,

The image is just a simplified view of my network:

  1. Yes, it's still running as seen in the image (without the TL-WR710N)
  2. Unifi UDM Pro SE with firmware 2.x
  3. Doesn't matter for the question, because it's not involved. But all my switches are Unifi US-8-60/-150
  4. Doesn't matter for the question, because they're not involved. But all access points are different Unifi APs
  5. I already wrote this: Latest OpenWrt 22.03.0 (it's a 710, not 701)

I don't need multiple SSIDs; the TL-WR710N shall only add access to my IoT network. Nothing more.
Before the question comes up, why I don't just add another Unifi AP: I have a small corner in my house where I don't need wifi except for some IoT devices. This is the cheapest solution for me, because I already had this small router.

Got it. Sorry for asking a few extra questions (especially for the Unifi parts that are tangential). I was trying to understand the whole topology and I wanted to make sure that the VLANs originated on the main router.

Assuming you've already set up a trunk port on your UDM-SE to which the TL-WR710N is connected, it should be pretty straightforward. You stated that the WR710N already has an address in your management network, so all you need to do is set up a bridge for the VLAN on the 710 from ethernet to wifi. The 710 does not need an address on VLAN40, so it will have protocol 'none' (or unmanaged).

If you post the following two config files, I can provide specific details on the changes you need to make (should be simple).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT20'
	option country 'DE'
	option cell_density '0'
	option channel 'auto'
	option txpower '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IOT'
	option isolate '1'
	option encryption 'sae-mixed'
	option key 'SECRET'
	option macaddr 'MAC1'


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'HIDDEN'

config interface 'lan_mgnt'
	option proto 'dhcp'
	option device 'eth1'
	option delegate '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'wlan0'
	option macaddr 'MAC1'

Note: I decreased txpower just for testing purposes.
eth0 and wlan0 shall be bridged as iot and get their IP addresses via the eth1 port.

Add the following to /etc/config/network

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth1.40'

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

Remove this from your network file:

Then make your wireless file wifi-iface definition look like this:

config wifi-iface 'default_radio0'
	option network 'iot'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IOT'
	option isolate '1'
	option encryption 'sae-mixed'
	option key 'SECRET'
	option macaddr 'MAC1'

^^^ a few notes about the above:

  • I'm not sure if the macaddr option is valid or even useful here.
  • many/most IoT devices are not going to be able to use WPA3 at all, and there are many devices in general that do not like WPA2/WPA3 mixed mode operation. You may need to use WPA2 (PSK) if you run into connectivity issues with some of your devices.
  • You have specified the wifi isolation on this SSID. Be aware that it will work to isolate all devices directly connected to this AP, but it will not isolate your IoT devices from those connected to other APs (your Unifi APs) nor will it isolate from any wired IoT devices.
  • The firewall on your UDM-SE is responsible for isolating the IoT network from the other nets (management/main LAN, guest, etc.).

EDIT: I had made an error with the network setup (now corrected). The network needs to be connected to a bridge device, and eth1.40 will be a member of the bridge. This enables the wifi radio to also connect to the bridge.


I made these changes to my configs, but I'm missing the connection of eth0, which is the LAN port and should also be handled like wlan0.

Now I tried to connect a device via wifi and this seems to work correctly. -> Thx, first step done :+1:

Your notes:

  • I manually set the macaddr option, because OpenWrt automatically gave the same MAC address to eth1 and wlan0, but another one to eth0. Is this the expected behavior?
  • WPA2/3 mixed mode is currently for testing purposes. You are right that most IoT devices have problems with this configuration.
  • I have firewall rules in the UDM to isolate devices and networks; I thought this option gives an additional layer of security to this AP.

To understand your changes:

  • We created a bridge device which tags the WAN/LAN port eth1 (connected to the main router) with VLAN tag 40.
  • Then the 'iot' interface connects the 'br-iot' bridge device (tagged eth1 port) and the 'radio0' device.

Okay, I just added

config device
	option name 'eth0'

and list ports 'eth0' under config device br-iot.

Now I'm also getting a valid 10.0.40.x IP address via eth0 :slightly_smiling_face:

Ah... sorry.
Add eth0 to the bridge as follows:

config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth1.40'
	list ports 'eth0'

Yes, probably the expected behavior based on the previous config. It may behave differently now. The actual MAC address assignments should not be an issue even if it does use the same address for both of those interfaces. But if you want them to be different, and assuming the MAC address option you have used is valid, that is fine. (I've never needed to do this, so I can't comment on the validity of the specific line in the config and if it should be located in the network and/or wireless files).

Yes, this is the correct way to implement this. The firewall is obviously required to control inter-VLAN routing. But in the case here, the AP does not have an address on the IoT network, so it cannot be reached from the IoT devices unless it can be routed (via the UDM-SE's firewall/routing engine)... so as long as you've blocked that, you're good.

Correct, that is using the dotted notation eth1.x where x is the VLAN ID. That goes in a bridge, which is basically a software switch. This enables switching between the ports and interfaces associated with the bridge.
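As an added check (not code from the thread or from OpenWrt), the following script parses UCI-style config text and verifies the design worked out above: the tagged uplink eth1.40 and eth0 as members of one bridge, the 'iot' interface attached to that bridge with proto 'none' so the AP holds no address on VLAN 40, and the SSID attached to the 'iot' network. The minimal parser and the sample configs are constructed for this example.

```python
import re

def parse_uci(text):
    # Minimal UCI parser (added helper): sections of {type, name, opt, list}.
    sections, cur = [], None
    for line in text.splitlines():
        toks = [q or b for q, b in re.findall(r"'([^']*)'|(\S+)", line.strip())]
        if not toks:
            continue
        if toks[0] == "config":
            cur = {"type": toks[1], "name": toks[2] if len(toks) > 2 else "", "opt": {}, "list": {}}
            sections.append(cur)
        elif toks[0] == "option" and cur is not None:
            cur["opt"][toks[1]] = toks[2] if len(toks) > 2 else ""
        elif toks[0] == "list" and cur is not None:
            cur["list"].setdefault(toks[1], []).append(toks[2] if len(toks) > 2 else "")
    return sections

# Constructed sample: the thread's final bridge/iot sections and the SSID (key omitted).
NETWORK = """config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth1.40'
	list ports 'eth0'
config interface 'iot'
	option proto 'none'
	option device 'br-iot'"""
WIRELESS = """config wifi-iface 'default_radio0'
	option network 'iot'
	option ssid 'IOT'"""

def check_dumb_ap(network_text, wireless_text, trunk="eth1", vid=40, lan="eth0"):
    # Returns a list of problems; an empty list means the AP matches the thread's design.
    net, wl, tagged, out = parse_uci(network_text), parse_uci(wireless_text), f"{trunk}.{vid}", []
    br = next((s for s in net if s["type"] == "device" and tagged in s["list"].get("ports", [])), None)
    if br is None:
        return [f"no bridge device carries tagged port {tagged}"]
    ports, brname = br["list"]["ports"], br["opt"].get("name", "")
    if lan not in ports:
        out.append(f"LAN port {lan} is not a member of {brname}")
    if trunk in ports:  # an untagged uplink would merge the management LAN into the IoT bridge
        out.append(f"untagged {trunk} must not be a member of {brname}")
    iface = next((s for s in net if s["type"] == "interface" and s["opt"].get("device") == brname), None)
    if iface is None:
        out.append(f"no interface attaches to {brname}")
    elif iface["opt"].get("proto") != "none":
        out.append(f"interface {iface['name']} should use proto 'none': the AP needs no address on VLAN {vid}")
    for ap in (s for s in wl if s["type"] == "wifi-iface"):
        if iface is None or ap["opt"].get("network") != iface["name"]:
            out.append(f"SSID {ap['opt'].get('ssid')} is not attached to the IoT interface")
    return out
```

Run it against the real /etc/config/network and /etc/config/wireless contents (read from the files) to confirm the AP is configured as discussed before trusting the UDM-SE firewall to do the rest.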

Thanks for your detailed explanations. Now it doesn't look as complicated as I thought before :sweat_smile:
