ESSID dedicated to a VLAN using OpenWrt on the dumb AP

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi all,

First of all, please excuse my ignorance on the matter. I know what I would like to achieve but I do lack the expertise to set it up the way I would like things to work. I did read several similar instructions to what I would like to achieve and I may have missed the perfect one. If you can point me to it, that will be very much appreciated. Here is what I would like to achieve:

I would like to have a separate ESSID for the IoT devices that operates under VLAN 80 to isolate them from the rest of my LAN.

Here is what I was able to achieve so far:

  • I have a UniFi Edge Router as the firewall, router and VLAN assigner. VLANs 60 and 70 are already assigned to workstations and media PCs, and are working as intended. All of the above have wired connections to the switch below.
  • A Cisco switch directly attached to the router on its port 1, which is marked as trunk, untagged for VLAN 1 and tagged for VLANs 60, 70 and 80. Port 3 is assigned to a workstation, and is marked untagged for VLAN 60, whereas ports 5 and 6 are assigned to media PCs and are marked untagged for VLAN 70. Port 4 is what connects this switch to the Belkin RT3200, which runs the most recent stable version of OpenWRT (22.03) and is set up as a dumb AP without DHCP, firewall and dnsmasq as recommended in the relevant documentation/guide in the wiki.
  • On Open WRT I have the following interfaces, which came by default:
    • LAN (br-lan), WAN (br-wan), WAN6 (wan) with device names in parenthesis
  • I created a new bridge device (br4IoT) that includes lan1-4 as bridge ports just like the br-lan. On the Bridge VLAN Filtering tab, I added VLANs 1 and 80 both marked as local and VLAN1 marked as untagged and as Primary VLAN on lan1, which is where the cable from switch port 4 is attached. VLAN80 is marked as tagged on lan1. Enable VLAN filtering check box is checked.
  • I also created a new interface called LANIoT that uses static address (192.168.80.2/24) and br4IoT device.
  • On Wireless page, I have 2 ESSIDs added per radio: LAN (LAN-N and LAN-AX) and IoT (IoT-N and IoT-AX).
    • LAN is all with default settings and works flawlessly.
    • IoT uses LANIoT as network as opposed to LAN
  • I can see all four ESSIDs listed as wireless networks on my laptop, cell phone, etc. I can connect to LAN-N and LAN-AX as expected and without any problems. I can connect to IoT-N and IoT-AX as well, but I cannot get an IP via DHCP, although the DHCP server is set on the UniFi router and is enabled/available. I can get a static IP (e.g. 192.168.80.5) for my laptop if I choose to do so while connecting to the IoT-N/AX wireless network but with limited connectivity and cannot ping anything locally or on internet. On the other hand, while connected to LAN wireless network, I can ping 192.168.80.1 successfully so there is no firewall that blocks communication at least from LAN to VLAN 80.

I feel that I am very close but cannot achieve success. Any pointers will be very much appreciated!

Edit: I realized I can put my config files which may help. Here is /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd11:1667:c459::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.1'
        list dns '192.168.1.135'
        list dns '192.168.1.133'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option type 'bridge'
        option auto '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config device
        option type 'bridge'
        option name 'br4IoT'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'LANIoT'

        option device 'br4IoT'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.80.2'
        option gateway '192.168.80.1'

config bridge-vlan
        option device 'br4IoT'
        option vlan '80'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br4IoT'
        option vlan '1'
        list ports 'lan1:u*'

Here is /etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option key '--redacted--'
        option network 'lan'
        option ssid 'LAN-N'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option key '--redacted--'
        option network 'lan'
        option ssid 'LAN-AX'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option key '--redacted--'
        option ssid 'IoT-N'
        option network 'LANIoT'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option key '--redacted--'
        option ssid 'IoT-AX'
        option network 'LANIoT'
2

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial

  1. One physical port cannot be a member of multiple bridges, so delete the br4IoT bridge device.
  2. Read the guide above to better understand how bridge vlan filtering works.
  3. If you need IP addresses (with a default gateway) on both interfaces, set a metric for 'br4IoT'.
  4. The type bridge option in the wan interface section is unnecessary, it is also part of the old syntax and should be removed. If you need more wired ports, you could add the wan port to the default br-lan bridge.

In general, the network configuration file should look like this:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd11:1667:c459::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.3'
        option gateway '192.168.1.1'
        list dns '192.168.1.135'
        list dns '192.168.1.133'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'LANIoT'
        option device 'br-lan.80'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.80.2'
        option gateway '192.168.80.1'
	    option metric '10'

config bridge-vlan
        option device 'br-lan'
        option vlan '80'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
	    list ports 'lan2:u*'
	    list ports 'lan3:u*'
	    list ports 'lan4:u*'
1 Like
3

Thank you for your reply. I should have probably worked on the config file itself. Instead, I tried to get your recommended settings via LuCi and lost connection with the device. I must have done something wrong during the process. I somehow cannot connect to it with a direct cable connection either using any of the LAN or WAN slots and I am effectively locked out. I do have a working backup config but I am not sure how to restore it without being able to connect to the device. Is there a way to reset it and start from scratch? I am sorry for the trouble.

Edit: I was able connect via VLAN80, ssh'ed into the device and edited the file manually this time and it is working. Thank you very much! It is now time to do more reading about how to set up firewall rules.

Many thanks!

4

I am not familiar with your device. Try entering failsafe mode or use the reset button.

1 Like
5

Thank you, and I am sorry for the trouble. I was able to fix it and I am very thankful for your help!

1 Like
6

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.