Extend 2nd LAN to AP on 21.02.0

I have an x86/64-based router and a Ubiquiti Unifi 6 LR AP. The router has two LAN interfaces configured, lan1: 192.168.1.0/24 for our work/school computers and lan2: 192.168.10.0/24 for smart TVs, Xbox, other IoT devices and hopefully guest connections. eth1, 2, 3 are on lan1 and eth4, 5 are on lan2.

The AP has a static IP of 192.168.1.5 and serves wifi to our phones and tablets on 192.168.1.0/24. Is it possible to set up guest wifi on the AP using 192.168.10.0/24? I'm just confusing myself with the doc.

It is possible; however, you probably want to separate the guest traffic from the LAN. You can either create an additional VLAN on the router and the AP, so that the guest interface (and DHCP, firewall) will be on the router only, or you could create the guest interface on the AP only, according to this guide.

I could create a 3rd lan on 192.168.20.0/24 on the router to separate the guest network from the other two. I have dnsmasq, odhcpd and firewall disabled on the AP. I like the idea of managing all that on the router only.

So if I create 192.168.20.0/24 on the router, with appropriate firewall rules for dns and dhcp, can I "bridge" this to the AP so that it serves both 192.168.1.x and 192.168.20.x and keeps both networks separate?

Yes, you'll need to create an additional VLAN for the guest interface, since you have only one link from the router to the dumbAP.

Okay, we're exposing my ignorance here. My router is a Protectli vault, a mini PC. As I understand it, it is just a PC with 6 separate ethernet ports, no switch.

On the router, lan and lan2 are working just fine. I set up a third LAN called guest under br-lan3 with a new subnet in preparation for the guest wireless network.

I appreciate you linking the doc. I think it's based on <=ver19, and between that and the fact I have no switch in the router, I'm very confused about what to do VLAN-wise.

Relevant portions of /etc/config/network on router shown below.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option peerdns '0'
        list dns '9.9.9.9'
        list dns '149.112.112.112'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2620:fe::fe'
        list dns '2620:fe::9'

config device
        option name 'br-lan2'
        option type 'bridge'
        list ports 'eth4'
        list ports 'eth5'

config interface 'lan2'
        option device 'br-lan2'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option type 'bridge'
        option name 'br-lan3'

config interface 'guest'
        option proto 'static'
        option device 'br-lan3'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

Here's network on the AP. I set up br-lan3 and the guest interface on the same single port as br-lan in preparation, but I obviously don't know what I'm doing.

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.5'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config device
        option type 'bridge'
        option name 'br-lan3'
        list ports 'eth0'

config interface 'guest'
        option proto 'dhcp'
        option device 'br-lan3'

Here's wireless from the AP.

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/18000000.wmac'
        option legacy_rates '1'
        option cell_density '0'
        option htmode 'HT40'
        option channel '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'xxxx'
        option ssid 'Ubiq2'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option cell_density '0'
        option channel '40'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'xxxx'
        option ssid 'Ubiq5'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'UbiqG'
        option encryption 'psk2'
        option key 'xxxx'
        option network 'guest'

What am I missing with the VLAN config on each device?

You don't need to allocate a whole port on the guest VLAN. Moreover, all guests will connect over wifi, so it is not needed.
What you need is to enable the guest VLAN as tagged on the port which connects the router with the dumbAP (on both devices). Then you can create the guest SSID on the dumbAP and link it to the guest interface, which uses the unmanaged protocol and is connected to the tagged port.

Is there a 21.02-specific document that discusses tagging? Because I'm just lost.

You haven't set up VLANs at all - which isn't necessarily a bad thing.

Not sure why EVERY response is talking about VLANs when clearly you are not using VLANs - I think that has added more confusion than clarity to your question.

I have nothing against VLANs. On my Netgear R8000 I set up two additional VLANs for IoT and Guest networks. I got the tagging on versions 17, 18, 19. I just don't get it on version 21 with no switch in the router. I also don't understand what to do on the AP, since a separate AP is new to me. The doc is just confusing, since half of it is for <=19 and half for 21.

You'll find VLANs in the interfaces->devices tab; configure, say, the br-lan, then you'll see the bridge vlan filtering tab.

You can also create vlan "devices" directly in the devices tab, but that has limitations - i.e. you can set a PVID for instance - as far as I am aware anyway