Hi everyone,
I’d highly appreciate your support with enabling Wi-Fi SSIDs for various VLANs, plus some other small related questions.
I’m running the following setup: modem > Opnsense (wan, lan) > MT6000 router with Openwrt 23.05.5 on it
Opnsense is taking care of firewall, routing etc. OpenWRT is acting as the switch including Wi-Fi. No „dumb“ AP so far. MT6000 (OpenWRT) is the only Wi-Fi source for now.
I received amazing support in my previous thread (thanks a lot psherman!!). Compared to the suggested setup I added a mgmt vlan 99.
Ethernet port | vlan:
1 | mgmt 99
2 | dmz 10
3 | user 20
4 | iot 30
5 | ipcam 50
6 | uplink 1
I’m not an expert (yet) as you might guess. Thanks in advance for your patience.
I have four questions:
- mgmt VLAN 99: I’m not sure if this is ideal or how you would set it up. As far as I know it should be configured so that I can reach all other VLANs via the mgmt VLAN. Is there a more elegant solution? I guess it’s most secure not to make it available via Wi-Fi. Otherwise please let me know.
- I cannot reach OpenWRT (192.168.1.2) via the mgmt VLAN. I have to connect directly to its uplink. I assign an IP manually because Opnsense is doing the DHCP.
Anything wrong with the OpenWRT config? I’m thinking of something like „client can only connect via uplink“. It could also be a wrong config somewhere else though.
- My main question, as mentioned above: I’d like to add Wi-Fi SSIDs. E.g. the „user“ VLAN 20 (port 3) should be accessible via an SSID „user“ and be in the same VLAN 20. Similarly for iot, guest and ipcam. I’m not sure how many Wi-Fi networks may be created. It would be great to have:
- SSID „user“: vlan 20
- SSID „iot“: vlan30
- SSID „guest“: vlan40 (Wi-Fi only, no physical port)
- SSID „ipcam“: vlan50
- Once 1+2+3 are done: anything else to fix and/or optimize?
Thank you very much! Your support is highly appreciated.
This is my current config:
ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "mediatek/filogic",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
/etc/config/network
# VLAN 99 (management): untagged/PVID on eth1 (the port listed as "1 | mgmt 99"
# in the table above) and tagged on lan5, the uplink to OPNsense.
config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'eth1:u*'
list ports 'lan5:t'
# NOTE(review): proto 'none' makes 'mgmt' a layer-2-only attachment; the router
# has no address on VLAN 99. Its only address, 192.168.1.2, is on br-lan.1
# (interface 'lan' below), which is exactly why it answers on the uplink VLAN
# but not from the mgmt VLAN. To manage it from VLAN 99: give this interface
# proto 'static' with an ipaddr/netmask (and gateway) from the mgmt subnet that
# OPNsense routes, add 'mgmt' to a firewall zone with input ACCEPT (zone 'lan'
# in /etc/config/firewall currently lists only 'lan'), and make sure OPNsense
# has a VLAN 99 sub-interface on the link to lan5. Once that works, the address
# on VLAN 1 can be dropped so management is reachable only from VLAN 99.
config interface 'mgmt'
option device 'br-lan.99'
option proto 'none'
# VLAN 1: untagged/PVID on lan5 only. This is the uplink's native VLAN and the
# only VLAN on which this box has an address (interface 'lan', 192.168.1.2).
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan5:u*'
# Access VLANs. Each is untagged/PVID on one switch port and tagged on the
# uplink lan5, so OPNsense sees them all as 802.1Q sub-interfaces on one link.
# The interface names are offset from the "Ethernet port" column in the table
# above (port 2 -> lan1, port 3 -> lan2, ...); presumably that is the
# label-vs-interface numbering of the device - worth confirming once.
# VLAN 10 (dmz) on lan1.
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:u*'
list ports 'lan5:t'
# VLAN 20 (user) on lan2.
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan2:u*'
list ports 'lan5:t'
# VLAN 30 (iot) on lan3.
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'lan3:u*'
list ports 'lan5:t'
# VLAN 40 (guest): tagged on the uplink only, no access port - this is the
# Wi-Fi-only VLAN; an SSID joins it through 'option network guest' on a
# wifi-iface in /etc/config/wireless.
config bridge-vlan
option device 'br-lan'
option vlan '40'
list ports 'lan5:t'
# VLAN 50 (ipcam) on lan4.
config bridge-vlan
option device 'br-lan'
option vlan '50'
list ports 'lan4:u*'
list ports 'lan5:t'
# Loopback, unchanged from the stock config.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# ula_prefix is the router's IPv6 ULA prefix; the value is redacted in the post.
config globals 'globals'
option ula_prefix '123'
# The single bridge all VLANs live on; the bridge-vlan sections above make it
# VLAN-aware, so each port only passes the VLANs it is listed for.
# NOTE(review): eth0 is a member here but appears in no bridge-vlan section, so
# what it does with traffic is not decided by this config. Give it an explicit
# VLAN entry or remove it from the bridge, so an unused port cannot become an
# unintended path into one of the VLANs.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'eth1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
# The following device sections only pin a MAC address per port (values are
# redacted in the post); they have no effect on VLAN membership.
config device
option name 'lan1'
option macaddr '123'
config device
option name 'lan2'
option macaddr '123'
config device
option name 'lan3'
option macaddr '123'
config device
option name 'lan4'
option macaddr '123'
config device
option name 'lan5'
option macaddr '123'
# The router's only IPv4 address, on VLAN 1 (the uplink's native VLAN). LuCI and
# SSH are reached here, which is why management currently works only via the
# uplink. No gateway or DNS is set, so the box itself cannot reach anything
# outside this subnet (e.g. for package updates) unless that is added.
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
# Stock default, carried over from the original config.
option ip6assign '60'
# Layer-2-only attachments for the remaining VLANs: this box has no address on
# any of them, so OPNsense alone does addressing and inter-VLAN policy. They
# exist so a wifi-iface can bind to them with 'option network <name>', which
# places that SSID's clients into the matching bridge VLAN.
config interface 'dmz'
option device 'br-lan.10'
option proto 'none'
config interface 'user'
option device 'br-lan.20'
option proto 'none'
config interface 'iot'
option device 'br-lan.30'
option proto 'none'
# Wi-Fi-only VLAN (no access port, see bridge-vlan 40).
config interface 'guest'
option device 'br-lan.40'
option proto 'none'
config interface 'ipcam'
option device 'br-lan.50'
option proto 'none'
# MAC pinning for eth1, the untagged mgmt port (VLAN 99); value redacted.
config device
option name 'eth1'
option macaddr '123'
/etc/config/wireless
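# Wi-Fi: one SSID per VLAN. Each wifi-iface attaches to the matching interface
# from /etc/config/network via 'option network', so its clients land in that
# bridge VLAN (user -> br-lan.20, iot -> br-lan.30, guest -> br-lan.40,
# ipcam -> br-lan.50) and OPNsense addresses and routes them exactly like the
# wired ports. The stock open 'OpenWrt' SSIDs (encryption 'none', bound to
# 'lan') are removed: an open SSID on the VLAN that carries 192.168.1.2 would
# expose the router's management services to anyone in radio range the moment
# a radio is enabled.
# Both radios stay disabled until every <...> placeholder below has been
# replaced by a real passphrase (8-63 characters); then set disabled '0'.
# How many wifi-iface sections one radio can carry is hardware-dependent;
# 'iw list' shows the supported interface combinations.
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option channel '1'
option band '2g'
option htmode 'HE20'
option disabled '1'

config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option channel '36'
option band '5g'
option htmode 'HE80'
option disabled '1'

# 'user' (VLAN 20) on both bands. sae-mixed = WPA3-SAE with WPA2-PSK fallback
# for older clients; 'key' is the passphrase.
config wifi-iface 'user_2g'
option device 'radio0'
option mode 'ap'
option network 'user'
option ssid 'user'
option encryption 'sae-mixed'
option key '<USER_PASSPHRASE_PLACEHOLDER>'

config wifi-iface 'user_5g'
option device 'radio1'
option mode 'ap'
option network 'user'
option ssid 'user'
option encryption 'sae-mixed'
option key '<USER_PASSPHRASE_PLACEHOLDER>'

# 'iot' (VLAN 30) on 2.4 GHz. psk2 = WPA2-PSK, since many IoT devices do not
# support WPA3. isolate '1' stops Wi-Fi clients on this SSID from reaching each
# other through the AP; their traffic to other VLANs is policed by OPNsense.
config wifi-iface 'iot_2g'
option device 'radio0'
option mode 'ap'
option network 'iot'
option ssid 'iot'
option encryption 'psk2'
option key '<IOT_PASSPHRASE_PLACEHOLDER>'
option isolate '1'

# 'guest' (VLAN 40) on both bands - the Wi-Fi-only VLAN with no physical port.
# Client isolation is on so guests cannot see each other.
config wifi-iface 'guest_2g'
option device 'radio0'
option mode 'ap'
option network 'guest'
option ssid 'guest'
option encryption 'sae-mixed'
option key '<GUEST_PASSPHRASE_PLACEHOLDER>'
option isolate '1'

config wifi-iface 'guest_5g'
option device 'radio1'
option mode 'ap'
option network 'guest'
option ssid 'guest'
option encryption 'sae-mixed'
option key '<GUEST_PASSPHRASE_PLACEHOLDER>'
option isolate '1'

# 'ipcam' (VLAN 50) on 2.4 GHz. Cameras normally only need to reach their
# recorder, not each other; drop isolate if they do.
config wifi-iface 'ipcam_2g'
option device 'radio0'
option mode 'ap'
option network 'ipcam'
option ssid 'ipcam'
option encryption 'psk2'
option key '<IPCAM_PASSPHRASE_PLACEHOLDER>'
option isolate '1'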
/etc/config/dhcp
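# DHCP on 'lan' is switched off because OPNsense serves DHCP for every VLAN;
# start/limit/leasetime are inert while 'ignore' is set. Note the proto 'none'
# VLAN interfaces have no dhcp section at all, which is correct for this setup.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
# In the post this line read `option ignore ‚1'`: the opening character is
# U+201A (single low-9 quotation mark), which the UCI parser does not treat as
# a quote. Corrected to a plain ASCII apostrophe. If the real file contains the
# U+201A character, dnsmasq is not actually told to ignore this interface.
option ignore '1'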
/etc/config/firewall
# Global defaults: unsolicited input and forwarding are rejected unless a zone
# says otherwise.
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# Zone 'lan' covers only the 'lan' interface (br-lan.1, 192.168.1.2). Input
# ACCEPT means the router's own services (LuCI, SSH) answer on VLAN 1. The
# VLAN interfaces (mgmt, dmz, user, iot, guest, ipcam) are proto 'none' and in
# no zone: this box has no address on them, so inter-VLAN policy lives on
# OPNsense. Any interface that later gets a management address (e.g. 'mgmt')
# must be added here or to a zone of its own, otherwise input is REJECTed.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# NOTE(review): in the posted config zone 'wan' has no 'list network' entry, so
# nothing is attached to it (the WAN is on OPNsense). The zone, the forwarding
# below and every 'src wan' rule further down are therefore inert on this
# device; harmless, but removing them makes the intent obvious.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# lan -> wan forwarding; inert while no interface is in 'wan'.
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt rules for traffic arriving from the 'wan' zone. With no
# interface in that zone (see zone 'wan' above) none of them match anything on
# this box. The posted listing may be cut off after Allow-ISAKMP; the stock
# file continues with more rules of the same kind.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# src_ip is shown as '123::/10' in the post, presumably a redaction of the
# stock IPv6 link-local range.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip '123::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two IPsec rules below would let ESP and IKE (UDP 500) from 'wan' into
# 'lan'; only relevant if this box ever terminates a VPN, which OPNsense does
# in this setup.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'