DumbAP using vlan_filtering

I would like to set up my device as a DumbAP, with multiple VLANs (for example trusted + guest network) exposed over different SSIDs.

The usual approach is to create multiple bridge interfaces, each including an 802.1q tagged interface and an appropriate WLAN interface. This results in a quite complex setup (additional bridge + 802.1q interface for each VLAN) and raises some security concerns, especially with the firewall disabled (as suggested here), as the AP itself becomes a device on the network it carries (for example guest).

Instead, I would like to create just 1 bridge consisting of (at least) the uplink port (carrying multiple tagged VLANs) and all configured WLAN interfaces, and utilize the vlan_filtering functionality to divide them into different VLANs as needed. This not only results in a simpler config (1 bridge) but also makes it more secure - there is no AP interface to configure for each VLAN (even if only with proto 'none') and the AP is fully isolated from the guest traffic.
The AP management can be realized using a separate VLAN.

My config looks like:

$ cat /etc/config/network
# single bridge over all wired ports; WLAN interfaces join it via the
# 'network' option of each wifi-iface
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan'

# management address of the AP, carried on VLAN 300 only
config interface 'mgmt'
        option proto 'static'
        option ipaddr '192.168.1.91'
        option netmask '255.255.255.0'
        option ip6assign '0'
        option device 'br-lan.300'

# VLAN 200: untagged on lan2, tagged on the uplink (wan);
# local '0' keeps the AP itself out of this VLAN
config bridge-vlan
        option device 'br-lan'
        option vlan '200'
        option local '0'
        list ports 'lan2:u*'
        list ports 'wan:t'

# VLAN 100: untagged on lan1, tagged on the uplink (wan); AP not a member
config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        option local '0'
        list ports 'lan1:u*'
        list ports 'wan:t'

# VLAN 300: management, tagged on the uplink only; local '1' so the bridge
# itself (and thus the mgmt interface) has a port on it
config bridge-vlan
        option device 'br-lan'
        option vlan '300'
        option local '1'
        list ports 'wan:t'

As for the wireless config, I would like to add 2 SSIDs and assign 1 of them to VLAN 100 and the other to VLAN 200. Unfortunately it seems that the network option is required under each wifi-iface, while the only network I have configured is mgmt, used for AP management.
So far I tested it by adding both wifi-iface sections to the incorrect mgmt network and later re-assigning them to the correct VLAN using a hotplug script.

My question now - is there an option to configure wireless interfaces without adding them to a "network" but only to the appropriate VLAN using UCI?
Has anyone else tried a similar approach and can share their experiences?

Unfortunately not. You do need to declare dummy config interface sections with proto none and referencing br-lan.VID as device, then target those dummy interfaces with wireless option network. There is no way around that.

Thanks for your reply.

I just tested it and the VID used in the dummy config interface doesn't need to be set to local 1 under bridge-vlan.

So that:

# VLAN 100 without the bridge itself as a member (local '0')
config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        option local '0'
        list ports 'wan:t'

# dummy interface with no protocol, only so wifi-iface can reference it
config interface 'guest'
        option proto 'none'
        option device 'br-lan.100'

results in a valid config, but the br-lan.100 interface is essentially disconnected from the rest of the bridge. I'm able to then use the option network 'guest' stanza in the wifi-iface config.

Thanks!
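The thread's conclusion (a wifi-iface must reference a dummy proto 'none' interface on br-lan.VID, and a client VLAN should stay local '0' so the AP is not a member of it) can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: a small parser for the UCI file format and an audit that walks each wifi-iface through its network, its br-lan.VID device and the matching bridge-vlan section, flagging a dummy interface whose VLAN still includes the bridge itself, and a real (non-'none') interface whose VLAN has local '0' and would therefore be disconnected. The sample configs are constructed here and deliberately leave local unset on VLAN 200; the assumption that local defaults to '1' when omitted is marked in the code.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample modelled on the thread's config (not the poster's files).
NETWORK_CONF = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan'

config interface 'mgmt'
        option proto 'static'
        option ipaddr '192.168.1.91'
        option netmask '255.255.255.0'
        option device 'br-lan.300'

config interface 'trusted'
        option proto 'none'
        option device 'br-lan.100'

config interface 'guest'
        option proto 'none'
        option device 'br-lan.200'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        option local '0'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '200'
        # constructed mistake: 'local' omitted, so the AP keeps a port on the guest VLAN
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '300'
        option local '1'
        list ports 'wan:t'
"""

WIRELESS_CONF = """
config wifi-iface 'trusted_ap'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Trusted'
        option network 'trusted'
        option encryption 'sae'

config wifi-iface 'guest_ap'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option network 'guest'
        option encryption 'sae'
"""


def parse_uci(text):
    """Parse UCI 'config / option / list' lines into a list of section dicts.

    Each section is {"type", "name", "options": {k: v}, "lists": {k: [v, ...]}}.
    Blank lines and '#' comments are ignored; quoting follows shell rules.
    """
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw = parts[0]
        if kw == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": defaultdict(list)}
            sections.append(cur)
        elif kw == "option" and cur is not None:
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif kw == "list" and cur is not None:
            cur["lists"][parts[1]].append(parts[2] if len(parts) > 2 else "")
    return sections


def audit(network_text, wireless_text):
    """Return a list of human-readable findings, one per misconfigured wifi-iface."""
    net, wl = parse_uci(network_text), parse_uci(wireless_text)
    vlans = {(s["options"].get("device"), s["options"].get("vlan")): s
             for s in net if s["type"] == "bridge-vlan"}
    ifaces = {s["name"]: s for s in net if s["type"] == "interface"}
    findings = []
    for w in (s for s in wl if s["type"] == "wifi-iface"):
        ssid = w["options"].get("ssid", "?")
        netname = w["options"].get("network")
        if netname is None:
            findings.append(f"{ssid}: wifi-iface has no 'network' option")
            continue
        iface = ifaces.get(netname)
        if iface is None:
            findings.append(f"{ssid}: network '{netname}' is not a config interface")
            continue
        dev = iface["options"].get("device", "")
        m = re.fullmatch(r"(br-\w+)\.(\d+)", dev)
        if not m:
            findings.append(f"{ssid}: interface '{netname}' device '{dev}' is not a bridge VLAN")
            continue
        bridge, vid = m.groups()
        bv = vlans.get((bridge, vid))
        if bv is None:
            findings.append(f"{ssid}: VLAN {vid} has no bridge-vlan section on {bridge}")
            continue
        # Assumption: when 'local' is omitted the bridge itself joins the VLAN ('1').
        local = bv["options"].get("local", "1")
        proto = iface["options"].get("proto")
        if proto == "none" and local != "0":
            findings.append(f"{ssid}: dummy interface '{netname}' on VLAN {vid} has local=1, "
                            f"so the AP itself is a member of that VLAN; set local '0'")
        elif proto != "none" and local == "0":
            findings.append(f"{ssid}: interface '{netname}' (proto {proto}) sits on VLAN {vid} "
                            f"with local=0, so {dev} is disconnected from the bridge")
    return findings


if __name__ == "__main__":
    for f in audit(NETWORK_CONF, WIRELESS_CONF):
        print(f)
```

Run on the sample it reports only the Guest SSID, because VLAN 200 lacks local '0' while VLAN 100 has it; point it at the real /etc/config/network and /etc/config/wireless to get the same check on a live AP.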
