Guest network on dumb AP with VLANs

I would like to create a guest network (possibly others) with a VLAN, and a guest WiFi using this guest network. I have a NanoPi R2S as my primary router. The Archer C7 and AP AC Pro are set up as dumb APs (see below). I am using OpenWrt 21.02 on all of them. Can someone help me configure VLANs on the R2S and Archer C7 (with the new DSA switch)? I would like to extend the VLANs to the AP AC Pro, but if that does not happen then I am OK with that.

In its simplest form your setup is a regular "VLAN guest network with dumb APs" setup between the R2S and the C7. On the C7 you then need to include not only LAN1 in the tagged VLAN setup, but also LAN2, so the guest network can be passed on. Then you do the same "dumb AP" setup on the Ubiquiti. However, that leg of the setup hinges on whether the switch between the Archer and the Ubiquiti can handle VLANs and leaves them untouched, which especially cheaper unmanaged switches sometimes do not.

"Simplest form" because with multiple access points there's obviously room for improvements (and thus complications) like fast transition and seamless roaming, but that's a bridge you can burn when you get there.

Edit: The "other devices" are not super well defined; obviously they cannot split off a single connection like that. If they need to have full LAN access coming from the standalone switch in between, it can become a bit of an issue. It is possible to mix tagged and untagged traffic, but it is frowned upon for good reasons and can fail in practice. The best case is if your switch is actually a managed switch and can handle multiple VLANs on different ports.

Hi, thanks for the reply. Would you be able to point me in the direction of some documents or provide instructions on which configurations need to be updated? I tried a bunch of instructions based on some videos and other questions here but wasn't successful in getting it working. The switch is a non-managed switch (it's a Netgear 8 port) and I think it will let the tags pass, but again I will worry about that after I get it working on the R2S and C7.
I do want to work on fast transition and seamless roaming but, as you put it, this would be phase 2. "Other devices" are connected to individual ports on the switch; I just got lazy in drawing that. Right now everything is unmanaged on that switch unless the AP AC Pro and C7 somehow default to a VLAN.

Is that an unmanaged switch you're using? If so, a managed one can simplify things:

[ R2S ]-eth1 -- WAN
[ R2S ]-eth0 ---------[ Managed switch ]---[All other PCs]
                           |     |
                           |     |
[Dumb AP#1]----------------|     |
[Dumb AP#2]----------------------|

Wiki dumb access point article.

In addition to the wiki I linked, there are several good videos describing VLAN setup. First, one based on the current OpenWrt image:

Two part older ones for additional details and concepts but know that some of the options are moved to different places in the current image:

Thank you for these videos, I will check them out. I appreciate your suggestion but I do not have a managed switch. Do you think it's possible to do this without the managed switch?

Yes, totally possible. You have to daisy chain the devices as you have. The managed switch simplifies the network architecture. If that doesn't matter to you, no problem. Just another option to consider.

In addition to @darksky's answer: If you need the switch in between, for example to span a distance, and are asking if you can also do it with an unmanaged switch, the answer is: Maybe. Not all unmanaged switches are truly dumb, and often they mangle, remove or otherwise break VLAN tagged traffic. You can of course try and observe its behaviour, and it might just work out, just keep in mind the distinct possibility that the switch will introduce disturbances in the force.

@darksky Thanks for the videos, they were very helpful. It seems like I am still missing something. I was able to ping 8.8.8.8 when I was connected to my main wifi and through wired on Archer C7 on my LAN (non guest) network but I could not get to the DNS. But when I connected to my guest network I was not able to ping either.

@takimata I was able to look into whether the switch can handle VLAN tags and it seems it can. Nonetheless this would be the next step after I get the Archer C7 working.

Note: In the diagram above LAN1 is port 2 on the switch/config, LAN2 is port 3 and so on.

Here are my network configs. Please feel free to ask for any other as I only added the ones I thought were relevant.

/etc/config/network file on main router (R2S)
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd12:3456:789a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr '94:e5:db:72:09:e4'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '127.0.0.1#5453'

config device
	option name 'eth0'
	option macaddr '94:e5:db:72:09:e3'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	option ports 'eth1:t*'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	option ports 'eth1:t'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.6'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'

/etc/config/network file on dumb AP (Archer C7)
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd12:3456:789b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2t 3 4 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

config switch_vlan 'switch_vlan_guest'
	option device 'switch0'
	option vlan '6'
	option ports '0t 2t'
	option vid '6'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth1.6'

config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.200.2'
	option netmask '255.255.255.0'

/etc/config/wireless file on dumb AP (Archer C7)
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel 'auto'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option key 'SecretKey123'
	option encryption 'psk2+ccmp'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel 'auto'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option key 'SecretKey123'
	option encryption 'psk2+ccmp'

config wifi-iface 'guest'
	option device 'radio1'
	option network 'guest'
	option mode 'ap'
	option ssid 'Guest'
	option key 'SecretKey456'
	option encryption 'psk2+ccmp'
	option isolate '1'

P.S. Sorry for repost. I was asked to edit my previous post and I could not so I deleted that one.
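
Added example (not part of any post in this thread): a small Python check that reads the two VLAN syntaxes seen above, DSA `bridge-vlan` on the R2S and swconfig `switch_vlan` on the C7, and reports any VLAN whose tagged/untagged state differs between the two ends of a link. It assumes the R2S `eth1` is cabled to the C7's LAN1 (switch port 2, per the note in the post); the function names and the untagged variant are constructed for illustration.

```python
import re

def parse_uci(text):
    # Parse UCI text into a list of (section_type, options) pairs.
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            # 'list' entries accumulate into one space-separated string
            opts[key] = f"{opts[key]} {val}" if kind == "list" and key in opts else val
    return sections

def vlan_membership(text):
    # Map VLAN ID -> {port: 'tagged' | 'untagged'}.
    table = {}
    for stype, o in parse_uci(text):
        if stype not in ("bridge-vlan", "switch_vlan"):
            continue
        vid = int(o.get("vid", o["vlan"]))
        for spec in o.get("ports", "").split():
            if stype == "bridge-vlan":      # DSA: 'eth1:t*' (t = tagged, * = PVID)
                port, _, flags = spec.partition(":")
            else:                           # swconfig: '0t' tagged, '3' untagged
                port, flags = spec.rstrip("t"), spec[-1:]
            table.setdefault(vid, {})[port] = "tagged" if "t" in flags else "untagged"
    return table

def trunk_mismatches(cfg_a, port_a, cfg_b, port_b):
    # Return (vid, state_on_a, state_on_b) for each VLAN whose link ends disagree.
    a, b = vlan_membership(cfg_a), vlan_membership(cfg_b)
    out = []
    for vid in sorted(set(a) | set(b)):
        sa = a.get(vid, {}).get(port_a, "absent")
        sb = b.get(vid, {}).get(port_b, "absent")
        if sa != sb:
            out.append((vid, sa, sb))
    return out

# VLAN stanzas trimmed from the configs posted above (VLAN id and ports only).
R2S = ("config bridge-vlan\n\toption vlan '1'\n\toption ports 'eth1:t*'\n"
       "config bridge-vlan\n\toption vlan '6'\n\toption ports 'eth1:t'\n")
C7 = ("config switch_vlan\n\toption vlan '1'\n\toption ports '0t 2t 3 4 5'\n"
      "config switch_vlan\n\toption vlan '6'\n\toption ports '0t 2t'\n")
# Constructed variant: LAN1 (port 2) left untagged in VLAN 1 on the AP.
C7_UNTAGGED = C7.replace("0t 2t 3", "0t 2 3")

if __name__ == "__main__":
    print(trunk_mismatches(R2S, "eth1", C7, "2"), trunk_mismatches(R2S, "eth1", C7_UNTAGGED, "2"))
```

The check covers tagging consistency on that one link only; it says nothing about the unmanaged switch further down, DHCP, or firewall zones for the guest interface.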