Extending IOT VLAN to dumb APs

your config includes:

for guest_turris:

for lan:

too late now for any meaningful and potentially harmful work on my router :wink:
But I will try to follow up with the steps above for setting up VLANs.

Just to make sure I understand in general: I need to

  • set up VLANs as described above and then
  • tag the traffic on Lan Port 4
  • somehow make my switch aware of the VLANs
  • replicate iot/guest wifi and VLANs on my dumb APs to send tagged traffic towards my main router?

take all the time you need (do things slowly) ...

If I were you I would start with the VLAN definitions on the Netgear GS308e switch. Unfortunately I can't help you much here (unless you have also added OpenWrt to the switch): I don't have any switches at hand (I use the switches integrated into the routers; I have 3 FritzBox 4040 with OpenWrt loaded, serving various functions), but I know that the user @psherman is very experienced in this and will be able to help you.

original firmware vlan creation:

Yes, I can help with the process of getting the VLANs over ethernet...

For this, let's see the latest complete network config file (just in case there are any differences relative to earlier).

And we need to know what each port on the router will be used for.


Here is the config:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd93:6410:07a0::/48'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip6ifaceid 'eui64'
	option ip6addr 'fe80::1'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'
	option hostname 'turris'
	option ipv6 '1'

config interface 'guest_turris'
	option enabled '1'
	option proto 'static'
	option device 'br-guest-turris'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config device 'br_guest_turris'
	option name 'br-guest-turris'
	option type 'bridge'
	option bridge_empty '1'

config device 'br_lan'
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config device 'dev_wan'
	option name 'eth2'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '10.10.10.1/24'
	option private_key 'redacted'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config wireguard_wg0
	option description 'phone'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.10.10.2/32'
	option public_key 'redacted'
	option private_key 'redacted'

config device
	option bridge_empty '1'
	option type 'bridge'
	option name 'br-iot'

config interface 'iot'
	option device 'br-iot'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'

Ports: only two are used currently:

  • WAN Port for WAN
  • Lan4 for routing traffic to switch and then to dumb APs
  • Lan 1-3 currently not in use. If they were, it would be for 'normal' use, i.e. access to LAN

Ok... so we'll start by creating bridge-VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan4:t'

Next, edit the lan to use device br-lan.1:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip6ifaceid 'eui64'
	option ip6addr 'fe80::1'

Next, delete the other bridges:

Now, edit the guest network to use br-lan.2:

config interface 'guest_turris'
	option enabled '1'
	option proto 'static'
	option device 'br-lan.2'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

And your iot network to use br-lan.3:

config interface 'iot'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'

Once you reboot, you will have:

  • VLAN 1 (lan) untagged on all ports
  • VLANs 2, 3 tagged on port lan4

Next, configure your managed switch to have the following configuration on the port that uplinks to the router:

  • VLAN 1 untagged + PVID
  • VLAN 2 tagged
  • VLAN 3 tagged

I would recommend (temporarily) dedicating 3 ports to test the trunk and switch configuration. You'll set one each to VLAN 1, 2, and 3; on each of these ports you'll set the respective VLAN to be untagged + PVID. Then, plug a computer into each port in turn and make sure it gets the expected connectivity.

Finally, create another trunk port (just like the uplink port) on the switch for each of the APs, and you'll configure the APs accordingly. If you need help with the APs, first test that the switch is working properly, then post the config from the APs.

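To make the bridge-vlan semantics in the post above concrete, here is an added example (not code from the thread, from @psherman, or from OpenWrt) that parses `config bridge-vlan` sections written in the UCI style shown above and works out, for each port of `br-lan`, which VLAN is untagged + PVID and which are tagged. That per-port view is exactly what the switch's uplink port has to mirror (VLAN 1 untagged + PVID, VLANs 2 and 3 tagged), and the two checks catch the usual mistakes: a port given the PVID in two VLANs, and a port that is untagged somewhere but has no PVID at all. The sample UCI text is constructed from the sections in the post; the treatment of a bare port name (no `:flags`) as untagged + PVID is an assumption about netifd's default, not something the thread states.

```python
"""Derive per-port VLAN membership from OpenWrt 'config bridge-vlan' sections.

Added example for this thread (not the poster's code, not OpenWrt's): it parses
the UCI text shown above and reports, per bridge port, the PVID/untagged VLAN
and the tagged VLANs, which is what the switch's uplink port has to mirror.
"""
import re

# Constructed sample: the three bridge-vlan sections from the thread.
SAMPLE_UCI = """\
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0:u*'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan4:t'
"""

# Constructed broken variant: lan2 also gets 'u*' in VLAN 3, i.e. a second PVID.
BROKEN_UCI = SAMPLE_UCI + "\tlist ports 'lan2:u*'\n"

_SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$")
_ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options', 'lists'}."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = {'type': m.group(1), 'name': m.group(2) or '',
                       'options': {}, 'lists': {}}
            sections.append(current)
            continue
        m = _ENTRY_RE.match(line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == 'option':
                current['options'][key] = value
            else:
                current['lists'].setdefault(key, []).append(value)
    return sections


def port_membership(text, device='br-lan'):
    """Map each port of `device` to its PVID, untagged VLANs, tagged VLANs, problems.

    Flags as in the thread: 'u' untagged, 't' tagged, '*' PVID ('u*' = untagged
    + PVID). A bare port name is treated as 'u*' (assumed netifd default).
    """
    ports = {}
    for sec in parse_uci(text):
        if sec['type'] != 'bridge-vlan' or sec['options'].get('device') != device:
            continue
        vid = int(sec['options']['vlan'])
        for entry in sec['lists'].get('ports', []):
            name, sep, flags = entry.partition(':')
            flags = flags if sep else 'u*'
            p = ports.setdefault(name, {'pvid': None, 'untagged': set(),
                                        'tagged': set(), 'problems': []})
            (p['tagged'] if 't' in flags else p['untagged']).add(vid)
            if '*' in flags:
                if p['pvid'] not in (None, vid):
                    p['problems'].append(
                        f"PVID set twice (VLAN {p['pvid']} and VLAN {vid})")
                p['pvid'] = vid
    # With VLAN filtering on, untagged frames arriving on a port without a PVID
    # are dropped, so untagged membership with no PVID is almost always a mistake.
    for p in ports.values():
        if p['untagged'] and p['pvid'] is None:
            p['problems'].append('untagged VLANs but no PVID')
    return ports


def switch_uplink_spec(text, uplink_port):
    """What the switch port cabled to `uplink_port` must carry to match the router."""
    p = port_membership(text)[uplink_port]
    return {'untagged_pvid': p['pvid'], 'tagged': sorted(p['tagged'])}


if __name__ == '__main__':
    for name, p in sorted(port_membership(SAMPLE_UCI).items()):
        print(f"{name}: pvid={p['pvid']} untagged={sorted(p['untagged'])} "
              f"tagged={sorted(p['tagged'])} problems={p['problems']}")
    print('switch uplink port must carry:', switch_uplink_spec(SAMPLE_UCI, 'lan4'))
```

Run against the thread's sections, `switch_uplink_spec(SAMPLE_UCI, 'lan4')` gives PVID 1 with VLANs 2 and 3 tagged, which is the uplink-port configuration the post asks for on the switch; the same function applied to the AP-facing ports is a quick way to confirm they were set up "just like the uplink port" before any AP is reconfigured.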

Okay, I think I understand more or less what is happening now; at least at the OpenWRT part. I still have to dive into the docs for the switch and how to implement VLANs.

However, considering that this will probably f*** massively with my network, I will look for a timeslot when I have AAAAAAMPLE of time to implement this and troubleshoot :slight_smile:
Will let you know when I take the next steps.

But just to be sure: if I correctly implement all steps before messing with the switch, there should be no actual changes to the behaviour of my network, as LAN still uses a completely untagged VLAN?

Correct. Although you'll have momentary interruptions such as when you restart the router so that those changes are properly loaded.

Just a quick question: do I need to delete this line too?

config device 'br_lan'
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

Or will this just be 'unused', because it is not referenced anymore?

No, leave it there. It is referenced by all the bridge-vlans.

Let me take a moment to appreciate you walking me through this, @psherman. Thank you, I am learning a lot here.

I have tried the config suggested yesterday and it works well while connected via wifi. However, I lose access to all other devices connected to the switch. Which - I guess - is to be expected because I have not told the switch to replicate the VLANs.

So this is my next task. Here is what the current setup looks like:

Port 3 is the trunk coming from the router, which is currently untagged.

And here PVID settings:

The dumb AP ports are 2 and 4; they should replicate the regular LAN, guest and IoT networks.

Just for argument's sake, let's say I want to keep my Home Assistant server (port 5) in the IoT VLAN: how would I need to configure port 5?

I guess tagged and with PVID 3?

On your switch, add VLANs 2 and 3. Then assign them both as tagged to the port that connects to the router.

Next, I'd recommend using 3 ports -- 1 for each VLAN to be untagged + PVID so you can test that the trunk is working properly by simply plugging a computer into each port in turn.

Once that's done, you can configure ports 2 and 4 the same way as the port that connects to the router, and the other ports can be configured as desired.
