Guest network on one ethernet port using vlan

Thanks @eduparez

The config worked. But it stopped my wifi. Although that is the end goal, I wanted to keep both running at the same time for testing. BTW, after I reverted to the original configuration, the wifi radio on the tp-link router started working again. Anyway, now I know how to do it if and when it fails.

There is no reason why you cannot have wifi running; in fact, you just need to add back the option type 'bridge' line to the config interface 'guest' section, but I cannot be sure unless you show us your wireless config file.

I am so close to having this work on an Archer C7 v2 (running LEDE) though my setup is a little different.

I want to use Apple Airports as the APs. They will work for the main wifi network and the guest network. The Airports tag all of the guest network traffic with VLAN 1003. So I need one port on the router that will accept traffic from both networks and the guest traffic needs to be firewalled from the rest of the LAN. I have this working on a smart switch where the ports that the wireless traffic passes through are untagged for VLAN 1 and tagged for VLAN 1003.

Article here: https://www.thegeekpub.com/5191/use-airport-extreme-guest-network-bridge-mode/

I believe I have the LAN1 port out of the network. Not sure that I have the interface set up correctly or the VLANs set up properly. I made an attempt to create a new interface called GuestAP but I couldn't get that working.

Network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfc:e39f:a38c::/48'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option mtu '1500'
        option dns '208.67.222.222 208.67.220.220'
        option ipaddr '10.0.1.1'

config interface 'wan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '1003'
        option ports '2t 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6'

config interface 'guest'
        option _orig_ifname 'wlan1-1'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config interface 'modem'
        option proto 'static'
        option ifname 'eth0'
        option ipaddr '192.168.100.2'
        option gateway '192.168.100.1'
        option netmask '255.255.255.0'

config interface 'guestAP'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option dns '208.67.222.222'
        option _orig_ifname 'eth0.1003'
        option _orig_bridge 'true'
        option ifname 'eth0.1003'

DHCP

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option cachesize '500'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
        option interface 'guest'
        option start '20'
        option limit '230'
        option leasetime '2h'

config dhcp 'guestAP'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'guestAP'

Firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        option mtu_fix '1'
        option network 'guest LAN1 guestAP'

config forwarding
        option dest 'wan'
        option src 'guest'

config rule
        option target 'ACCEPT'
        option src 'guest'
        option name 'GuestDNS'
        option proto 'all'
        option dest_port '53'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option src 'guest'
        option name 'GuestDHCP'
        option proto 'udp'
        option dest_port '67-68'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

In general, mixing tagged and untagged on the same interface does not work. Perhaps it works for your device, but I would try to change the setup around that limitation, and see if that works.

Aha. So if all traffic runs through the switch, I should have two lines between the switch and the router:

  1. general traffic (untagged)
  2. VLAN 1003 (tagged)

At that point I would plug in the VLAN 1003 line to LAN1 on the router and the general traffic line can go into any of the other three LAN ports on the router.

This thread may also be helpful: Separate subnet on physical port #4

@roryking - what was working and what was having issues?

I disagree with @eduperez WRT the mixing of tagged and untagged networks on the same interface -- also known as creating a trunk. I have successfully done this with LEDE and other routers/OSes. It should work properly and reliably provided that the switch is VLAN aware (on the C7, the switch is indeed VLAN capable). Sometimes there can be issues that have more to do with the interface to the CPU than the assignment to the ports. The CPU interface must be tagged in most cases so that it can keep track of the associated VLANs.

What is working: LAN 2, 3, and 4 are working as expected for untagged traffic. The router hands out IP addresses correctly and clients can see each other on the network. LAN 1 is separate from them from what I can tell.

What is not working: the C7 is not passing through any of the VLAN 1003 traffic on either LAN 1 or LAN 4. It is also not handing out IP addresses on LAN 1.

The current router is an Apple Airport Extreme that handles mixed tagged and untagged over the same interface. It does occur to me that maybe I'm overthinking this: if I can mix tagged and untagged on the same interface then I can simplify things. I don't plan to rate limit the guest network so maybe I don't need a dedicated router port for it.

Obviously there are problems with the DHCP and firewall rules. Maybe I need to tag the CPU as well? I think that would be port 0?

@roryking -

Let's back up a few steps and determine what it is that you want to achieve. At the high level, describe your ideal network config. For example, a trusted LAN + guest network (guest has internet access, but no LAN access).

How are things connected (physical connections). For example Modem > LEDE C7 > Airport.

Do you need both wired and wireless access for guests, or only wireless?

Are there any special requirements for your network beyond the segregation of LAN and guest clients?

FWIW, the Airport products are reasonable routers if you don't have any advanced requirements (they handle normal routing, port forwarding, wired/wireless LAN, and guest wireless quite well). LEDE obviously offers a lot more in terms of custom config options and hardware selections, but keep in mind that you might be making more complexity by adding the LEDE router in the first place.

My hope is that the LEDE router will be faster and more capable of handling things like buffer bloat and IPv6 than the Airport can. I know it adds some complexity but it definitely feels snappier when the C7 is inline. Also: I think that the Airports may be EOL for Apple soon so I want to plan ahead.

Network plan:
Modem > LEDE C7 > L2 Switch > Airports (2 total)

I need the LEDE router to handle the VLAN 1003 traffic that it will receive over the LAN. The VLAN 1003 traffic will be from the guest wifi network and needs to be kept separate from the main network traffic for security. The Airports automatically add the 1003 tag to the guest wifi traffic.

Guests only need wireless access. Wireless will be provided by the Airports with ethernet backhaul to the switch.

No other special segregation.

The L2 Switch is currently sending the VLAN 1003 traffic to the router so I've gotten that far. (Current working router is an Airport; switch is a Dell 5424.)

This is pretty straightforward on the LEDE side. I used a Linksys E3000 to mock this up, so the config files presented here may not be drop-in ready, but should give you the templates for what you need to do. Ask questions if anything is unclear.

I'd recommend that you directly connect one of your Airport devices to the trunk port on the LEDE router so that you can verify proper functionality of the VLANs without having to troubleshoot potential issues involving the switch. Once that is confirmed working, connect the trunk to the switch and the airport(s) to the switch as well.

I've also uploaded a screenshot of the LuCI switch page so you can see how the VLANs on the switch ports map out (at least for the E3000).

What you'll see below is a configuration with the following characteristics:

  1. main LAN on 192.168.1.0/24 with normal access to the router
  2. guest LAN on VLAN1003 at 192.168.2.0/24
  3. Guest LAN has firewall rules allowing DHCP and DNS requests to the router but forbidding any other access to the router or the main LAN.
  4. Both LANs can access the internet normally.
  5. main LAN on ports 1, 2, 4 (all untagged).
  6. Guest LAN on ports 3 (untagged) and 4 (tagged)

I did not explicitly test to see if the main LAN has access to the guest LAN, but the guest network should be unable to access the main LAN.

Network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd93:c9ee:e277::/48'

config interface 'wan'
	option ifname 'eth0.1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.1'
	option proto 'dhcpv6'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 3 4 8t'

config switch_vlan
	option device 'switch0'
	option ports '1t 2 8t'
	option vlan '1003'

config interface 'Guest'
	option proto 'static'
	option ifname 'eth0.1003'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'

DHCP

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'Guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Guest'

Firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Allow-GuestDHCP'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Allow-GuestDNS'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'guest'

A few followup thoughts:

  • Remember that what I have done is a template for the conceptual frameworks you'll be implementing. I think that the firewall and DHCP files should be okay to drop in, but the specific details for the network config are not the same between the E3000 and the C7. This means that things like the CPU port and the numbering of the physical ports vs logical assignments will not be the same. Use my file as guidance, but not verbatim (it could mess up your config causing major headaches).

  • I am assuming that your Airport devices will serve both the main LAN and the Guest wifi networks. Make sure your Airports are configured as bridge devices (i.e. DHCP server and NAT turned off -- it is one of the preset configs you can select). IIRC, your LEDE trunk port (i.e. the one carrying both the LAN (untagged) and Guest (tagged) networks on a single port) will connect to the physical port usually used for the WAN on the Airport.
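The two posts above boil down to a handful of mechanical checks: a VLAN that an interface uses as ethX.<vid> must be delivered tagged to the CPU port, a switch port should be untagged (native) in only one VLAN, every network a firewall zone lists must exist as a `config interface`, and the guest zone should accept nothing towards the router beyond DHCP and DNS. The following is an added example, written for this page and not code from the thread, LEDE or OpenWrt: a small Python linter for UCI `network` and `firewall` fragments that encodes those checks. It assumes you know which switch port numbers are CPU ports on your board (that is board specific and is passed in as `cpu_ports`, not detected), it does not check which ethX carries the switch, and the sample configs embedded in it are constructed, modelled loosely on the first config posted in this thread.

```python
"""Lint LEDE/OpenWrt UCI fragments for the guest-VLAN mistakes discussed above.
Hypothetical helper, not part of this thread or of OpenWrt. Checks: a VLAN used
as ethX.<vid> reaches a CPU port tagged; no port is untagged in two VLANs; every
network a zone names exists; the guest zone only ACCEPTs DHCP/DNS to the router."""
import re

CONFIG_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?$")
VALUE_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'$")
GUEST_OK_PORTS = {'53', '67', '68', '67-68'}   # DNS and DHCP towards the router


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options': {key: [values]}}]."""
    sections = []
    for raw in text.splitlines():
        m = CONFIG_RE.match(raw.strip())
        if m:
            sections.append({'type': m.group(1), 'name': m.group(2), 'options': {}})
            continue
        m = VALUE_RE.match(raw.strip())
        if m and sections:
            sections[-1]['options'].setdefault(m.group(2), []).append(m.group(3))
    return sections


def opt(section, key, default=''):
    vals = section['options'].get(key)
    return vals[0] if vals else default


def lint_network(sections, cpu_ports):
    """cpu_ports: switch port numbers wired to the SoC. That is board specific
    (read it off the device's wiki page), so it is an input here, not detected."""
    findings, vlans, native = [], {}, {}         # native: port -> its one untagged vlan
    for s in (s for s in sections if s['type'] == 'switch_vlan'):
        vid = opt(s, 'vlan')
        vlans[vid] = {p.rstrip('t'): p.endswith('t') for p in opt(s, 'ports').split()}
        for port, tagged in vlans[vid].items():
            if not tagged and port in native:
                findings.append(f"port {port}: untagged in vlan {native[port]} and vlan {vid}")
            if not tagged:
                native.setdefault(port, vid)
    for s in (s for s in sections if s['type'] == 'interface'):
        for m in filter(None, (re.match(r"^eth\d+\.(\d+)$", i) for i in opt(s, 'ifname').split())):
            vid, ports = m.group(1), vlans.get(m.group(1))
            if ports is None:
                findings.append(f"{s['name']}: {m.group(0)} needs a switch_vlan for vlan {vid}")
            elif not any(ports.get(c) for c in cpu_ports):   # ethX.<vid> needs <vid> tagged to the CPU
                findings.append(f"vlan {vid}: no CPU port is tagged, so {m.group(0)} never sees it")
    return findings


def lint_guest_zone(net_sections, fw_sections, zone):
    """Unknown networks, open input, and forwardings/rules that reach beyond DHCP+DNS."""
    findings = []
    ifaces = {s['name'] for s in net_sections if s['type'] == 'interface'}
    for s in fw_sections:
        if s['type'] == 'zone' and opt(s, 'name') == zone:
            findings += [f"zone {zone}: network '{n}' has no interface section"
                         for n in opt(s, 'network').split() if n not in ifaces]
            if opt(s, 'input') not in ('REJECT', 'DROP'):
                findings.append(f"zone {zone}: input is not REJECT/DROP")
        elif s['type'] == 'forwarding' and opt(s, 'src') == zone and opt(s, 'dest') != 'wan':
            findings.append(f"forwarding {zone} -> {opt(s, 'dest')}: guests reach that zone")
        elif s['type'] == 'rule' and opt(s, 'src') == zone and opt(s, 'target') == 'ACCEPT':
            if opt(s, 'dest') or opt(s, 'dest_port') not in GUEST_OK_PORTS:
                findings.append(f"rule {opt(s, 'name') or '?'}: accepts more than DHCP/DNS")
    return findings


# Constructed sample modelled on the first config in this thread (not verbatim):
# VLAN 1003 hits CPU port 0 untagged, and the zone names a network that does not exist.
SAMPLE_NETWORK = """
config interface 'lan'
        option ifname 'eth1'
config switch_vlan
        option vlan '1'
        option ports '0 3 4 5'
config switch_vlan
        option vlan '1003'
        option ports '2t 0'
config interface 'guest'
        option type 'bridge'
config interface 'guestAP'
        option ifname 'eth0.1003'
"""
SAMPLE_FIREWALL = """
config zone
        option name 'guest'
        option input 'REJECT'
        option network 'guest LAN1 guestAP'
config rule
        option name 'GuestDNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
"""


def demo(network=SAMPLE_NETWORK, firewall=SAMPLE_FIREWALL, cpu_ports=frozenset({'0'})):
    net = parse_uci(network)
    return lint_network(net, cpu_ports), lint_guest_zone(net, parse_uci(firewall), 'guest')
```

Run `demo()` against the sample and it reports port 0 as untagged in both VLAN 1 and VLAN 1003, VLAN 1003 as never reaching the CPU tagged, and `LAN1` as a zone member with no interface; changing `'2t 0'` to `'2t 0t'` and dropping `LAN1` clears all three. The linter deliberately does not complain about a port that is untagged in one VLAN and tagged in another (a trunk), since that is exactly the layout being built here. Feed it `cat /etc/config/network` and `cat /etc/config/firewall` from the router, with the CPU port numbers from your board's wiki page.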

Thanks for that. It will take me some time to test out; I'll let you know when I make some progress (or get completely stuck).

I can't seem to get the router to hand out IP addresses on the VLAN 1003 interfaces. I'm trying to preserve the original 'guest' interface and add a new 'guest1003' interface (the 'guest' interface works correctly for the wireless guest network). Maybe that's wrong.

Network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfc:e39f:a38c::/48'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option mtu '1500'
        option ipaddr '10.0.1.1'
        option dns '208.67.222.222 209.244.0.4'

config interface 'wan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option ports '2 3t 6t'
        option vlan '1003'

config interface 'guest1003'
        option proto 'static'
        option ifname 'eth0.1003'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option gateway '192.168.4.1'

config interface 'guest'
        option _orig_ifname 'wlan1-1'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option gateway '192.168.3.1'

config interface 'modem'
        option proto 'static'
        option ifname 'eth0'
        option ipaddr '192.168.100.2'
        option gateway '192.168.100.1'
        option netmask '255.255.255.0'

DHCP
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option cachesize '500'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
option interface 'guest'
option start '20'
option limit '230'
option leasetime '2h'

config dhcp 'guest1003'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'guest1003'

Firewall
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option name 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
option mtu_fix '1'
option network 'guest'

config forwarding
option dest 'wan'
option src 'guest'

config rule
option target 'ACCEPT'
option src 'guest'
option name 'GuestDNS'
option proto 'all'
option dest_port '53'

config rule
option enabled '1'
option target 'ACCEPT'
option src 'guest'
option name 'GuestDHCP'
option proto 'udp'
option dest_port '67-68'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

Here's a diagram of the port layout:

A few questions:

  1. Do you need two independent guest networks (guest and guest1003)? There is no reason why you can't do this, if desired, but it adds complications and is probably not necessary.
  2. What are your physical connections to other devices and where do you want your guest network(s) to appear? (I assume WAN is uplink to another router or the ISP/modem, what is each LAN port supposed to be doing)?
  3. I assume that your guest1003 network is intended to interface with an Apple wifi product... it sounds like you'd also like wired access to either this or the other guest network -- which physical port(s) do you want to be associated with this VLAN? And should it be the 'default' VLAN for that port (i.e. untagged) or will there be VLAN aware devices downstream?

From what I can tell, your guest networks may not be assigned to the correct ethernet interface. WAN is at eth0 and LAN is on eth1. So I think all your guest networks should be assigned to VLANs that are eth1.xxxx. So you could set:
LAN = eth1
Guest1003 = eth1.1003
[Guest=eth1.10 (this is arbitrary, but I'm avoiding VLAN1, VLAN2 as they may be your LAN/WAN).] - is this needed?

Then configure your switch so that VLAN1003 is tagged on the port connected to the apple wifi, and presumably untagged on the wired guest port.

I think that you might want it configured as follows:

config switch_vlan
  option device 'switch0'
  option vlan '1'
  option ports '0t 2 3 4'

config switch_vlan
  option device 'switch0'
  option vlan '1003'
  option ports '0t 3t 5'

config switch_vlan
  option device 'switch0'
  option vlan '2'
  option ports '1 6t'
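A quick check worth running before committing either layout, added here and not code from the thread: it reads switch_vlan 'ports' strings plus the ethX.Y ifnames that depend on them and reports the two mistakes that bite most often, a physical port left untagged in more than one VLAN (as port 2 is in the posted config) and an ethX.Y interface whose VLAN is not tagged on the CPU port behind ethX. The CPU mapping (port 0 feeds eth1, port 6 feeds eth0) is an assumption for the Archer C7 style layout; adjust the BEGIN block for another board.

```shell
#!/bin/sh
# Sanity-check OpenWrt/LEDE switch_vlan 'ports' strings and the ethX.Y ifnames
# that ride on them before committing (added example, not code from the thread).
# Assumed Archer C7 style layout: CPU port 0 feeds eth1 (LAN), CPU port 6 feeds
# eth0 (WAN); adjust the BEGIN block for another board.
#
# $1: one "vlan port port..." record per line, e.g. "1003 0t 3t 5"
# $2: space-separated ifnames that use the switch, e.g. "eth1.1003"
# Prints one line per problem found and returns 1 if there were any.
check_switch_vlans() {
  out=$(printf '%s\n' "$1" | awk -v ifaces="$2" '
    BEGIN { cpu["eth1"] = 0; cpu["eth0"] = 6 }            # assumed CPU port mapping
    NF {
      vlan = $1; seen[vlan] = 1
      for (i = 2; i <= NF; i++) {
        p = $i; tagged = sub(/t$/, "", p)                  # strip a trailing "t"
        # a physical port may be untagged (native) in only one VLAN
        if (!tagged && (p in untagged))
          print "port " p " untagged in VLAN " untagged[p] " and VLAN " vlan
        if (!tagged) untagged[p] = vlan
        member[vlan, p] = tagged ? "t" : "u"
      }
    }
    END {
      # a VLAN that touches no CPU port never reaches the router itself
      for (v in seen)
        if (!((v, 0) in member) && !((v, 6) in member))
          print "VLAN " v " is not on any CPU port, so no interface can use it"
      # ethX.Y needs VLAN Y tagged on the CPU port behind ethX
      n = split(ifaces, list)
      for (i = 1; i <= n; i++) {
        if (split(list[i], part, "[.]") != 2) continue     # plain ethX: skip
        dev = part[1]; v = part[2]; c = cpu[dev]
        if (!(v in seen)) print list[i] ": VLAN " v " is not defined"
        else if (member[v, c] != "t")
          print list[i] ": VLAN " v " is not tagged on CPU port " c " of " dev
      }
    }')
  if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
  return 0
}

# Constructed input taken from the switch_vlan sections posted above: port 2 is
# untagged in both VLAN 1 and VLAN 1003, and eth1.1003 would need 0t in VLAN 1003.
POSTED="1 0 2 3 4 5
2 1 6t
1003 2 3t 6t"
check_switch_vlans "$POSTED" "eth1.1003" || echo "fix the switch_vlan sections first"
```

Run it with the suggested layout ("1 0t 2 3 4", "1003 0t 3t 5", "2 1 6t") and "eth1.1003" and it prints nothing, which is the state to aim for before looking at DHCP or the firewall.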

  1. I don't need two independent guest networks but since guest works properly with wifi I'd like to keep it just in case.
  2. WAN is the uplink to the modem. I need one ethernet connection to the switch. All local traffic including the Airport APs will run through the switch. The switch is configured correctly to pass the VLAN1003 traffic to the current router (which is an Airport AC).
  3. In an ideal world I'd like to use any of the LAN ports, which is how the current Airport AC is working in router mode. May not be possible though, but that's kinda odd to consider. How is the Airport doing it?
    So far the only traffic that is being tagged is wireless guest network traffic. All other traffic is untagged.

Note: the Lede router will have the wifi turned off. Only the Airports will provide wifi.

That last configuration suggested crashes the router and requires a reset.

Next I'm going to try tagging VLAN1003 on all the same ports as VLAN1 and see how that goes (and untagging the ports for VLAN1 and VLAN2).

I wonder if I've got the interface wrong. Not sure if it needs to bridge with the LAN and VLAN1 or should it be static? I feel like I have a better grasp of tagging/untagging the ports than how the interface should be setup.

And I'm back.

Still not having any luck even if I try to separate one LAN port instead of trying to make a trunk work. There seems to be an issue with handing out DHCP addresses but I can't figure it out. When testing the separate LAN port with a direct connection to the computer, no DHCP address is handed out (no WAN connection yet because I want to make sure it's working before I drop the router into the network; could that be a problem?).

I am trying to get this working on an IQRouter version of LEDE. Dunno how that would be different but I do notice I don't have a Switch tab in the GUI. I tried to update the LuCi package once but still didn't get the Switch tab. Reverted back to the IQRouter build.

Any suggestions would be greatly appreciated.

Try performing a reset to defaults (aka firstboot). Then you should at least get working DHCP and a known good starting point. At that point, you can add your VLAN, new network range with DHCP server, and critically don't forget to create a firewall zone for the guest network. That firewall rule must specifically allow DNS (UDP/TCP 53) and DHCP (UDP 67-68) from the guest network to the router (otherwise you won't get basic functionality), and should allow forwarding from guest > WAN.

Some interesting notes:

Reset everything back to default.

Spun off one of the LAN ports into its own VLAN 1003 interface (eth1.1003). Set up the firewall rules and the DHCP server as well. With that interface enabled I lose access to the internet from VLAN 1. If I stop that interface from running then internet access returns. Still cannot get DHCP addresses handed out to VLAN 1003 clients.

I feel like the fact that there is no switch tab in LuCi might be a clue why this isn't working. But the default setup does have VLAN 1 and 2 setup so maybe I'm wrong about that.

What is the difference between having the guest VLAN share a tagged port between vlan 1 and vlan 3 (guest) like it is done in the "Multiple network devices" of https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

I.e., what's the difference between
option ports '2t 3 4 5 0t' in vlan 1
option ports '2t 0t' in vlan 3
(guest-wlan openwrt user guide setup)

and

option ports '3 4 5 0t' in vlan 1
option ports '2 0t' in vlan 3
(this posted setup)