Guest network on one ethernet port using vlan

I can't seem to get the router to hand out IP addresses on the VLAN 1003 interfaces. I'm trying to preserve the original 'guest' interface and add a new 'guest1003' interface (the 'guest' interface works correctly for the wireless guest network). Maybe that's wrong.

Network
config interface 'loopback'                                                                                                    
        option ifname 'lo'                                                                                                     
        option proto 'static'                                                                                                  
        option ipaddr '127.0.0.1'                                                                                              
        option netmask '255.0.0.0'                                                                                             

config globals 'globals'
option ula_prefix 'fdfc:e39f:a38c::/48'

config interface 'lan'
option ifname 'eth1'
option force_link '1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option mtu '1500'
option ipaddr '10.0.1.1'
option dns '208.67.222.222 209.244.0.4'

config interface 'wan'
option ifname 'eth0'
option _orig_ifname 'eth0'
option _orig_bridge 'false'
option proto 'dhcp'

config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'

# Hardware switch with VLAN filtering turned on; 'reset 1' puts the switch
# back to a known state before the VLAN table below is applied.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

# VLAN 1 (LAN side): untagged on port 0 and on ports 2-5. Port 0 appears to
# be the CPU-facing port that 'lan' (ifname 'eth1', untagged) hangs off.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 2 3 4 5'

# VLAN 2 (WAN side): untagged on port 1, tagged toward port 6.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'

# VLAN 1003 (wired guest): untagged on port 2, tagged on ports 3 and 6.
# It is tagged toward the same port 6 as VLAN 2, not toward port 0 -- which
# matches 'guest1003' being defined on eth0.1003 rather than eth1.1003, the
# point the reply below questions.
config switch_vlan
option device 'switch0'
option ports '2 3t 6t'
option vlan '1003'

# Wired guest VLAN 1003. 'eth0.1003' is a tagged sub-interface of eth0 -- the
# same device that 'wan' (dhcp) and 'modem' (static) use in this file.
# NOTE(review): no zone in the Firewall section lists 'guest1003' under
# 'network' (the zones cover 'lan', 'wan wan6' and 'guest'), so traffic from
# this interface is governed by the firewall defaults (input 'ACCEPT') rather
# than by the guest zone's REJECT policy.
# 'gateway' is the interface's own address; presumably a no-op -- confirm.
config interface 'guest1003'
option proto 'static'
option ifname 'eth0.1003'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option gateway '192.168.4.1'

# Wireless guest network (the one the poster says works). No 'ifname' is set
# here; the '_orig_*' options are LuCI bookkeeping recording that 'wlan1-1'
# was the attached device (the wireless config itself is not shown). This is
# the only member of the 'guest' firewall zone below.
# 'gateway' is again the interface's own address.
config interface 'guest'
option _orig_ifname 'wlan1-1'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option type 'bridge'
option gateway '192.168.3.1'

# Management address for the modem, on raw eth0 alongside 'wan'.
# NOTE(review): 'modem' is not a member of any firewall zone in the Firewall
# section, so the defaults (input 'ACCEPT') decide what the router accepts
# on this address.
config interface 'modem'
option proto 'static'
option ifname 'eth0'
option ipaddr '192.168.100.2'
option gateway '192.168.100.1'
option netmask '255.255.255.0'

DHCP
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option cachesize '500'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'

# Pool for the wireless guest network: 192.168.3.20-249, 2h leases.
config dhcp 'guest'
option interface 'guest'
option start '20'
option limit '230'
option leasetime '2h'

# Pool for the wired guest VLAN: 192.168.4.100-249, 12h leases. It only
# matters once the 'guest1003' interface actually comes up with its address.
config dhcp 'guest1003'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'guest1003'

Firewall
config defaults                                                                                                                
        option syn_flood '1'                                                                                                   
        option input 'ACCEPT'                                                                                                  
        option output 'ACCEPT'                                                                                                 
        option forward 'REJECT'                                                                                                

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

# IPsec passthrough into the trusted LAN: ESP, plus IKE on UDP/500, from WAN.
# Both rules are unnamed, so they show up without a label in LuCI; the stock
# rule set names the same pair 'Allow-IPSec-ESP' and 'Allow-ISAKMP'.
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# Guest zone: clients cannot talk to the router (input REJECT) or be
# forwarded anywhere (forward REJECT) except through the explicit openings
# below. Only the 'guest' network is a member; the wired 'guest1003' network
# from the Network section is not, and no other zone lists it either.
config zone
option name 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
option mtu_fix '1'
option network 'guest'

# Internet only: guest -> wan. No guest -> lan forwarding is defined.
config forwarding
option dest 'wan'
option src 'guest'

# Let guest clients query the router's DNS on port 53.
# NOTE(review): 'proto all' is combined with 'dest_port' -- port matches only
# apply to TCP/UDP, so check what fw3 actually installs for this rule
# (e.g. `fw3 print`) rather than assuming both protocols are covered.
config rule
option target 'ACCEPT'
option src 'guest'
option name 'GuestDNS'
option proto 'all'
option dest_port '53'

# Let guest clients reach the router's DHCP server (UDP 67-68).
config rule
option enabled '1'
option target 'ACCEPT'
option src 'guest'
option name 'GuestDHCP'
option proto 'udp'
option dest_port '67-68'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

Here's a diagram of the port layout:


A few questions:

  1. Do you need two independent guest networks (guest and guest1003)? There is no reason why you can't do this, if desired, but it adds complications and is probably not necessary.
  2. What are your physical connections to other devices and where do you want your guest network(s) to appear? (I assume WAN is uplink to another router or the ISP/modem, what is each LAN port supposed to be doing)?
  3. I assume that your guest1003 network is intended to interface with an Apple wifi product... it sounds like you'd also like wired access to either this or the other guest network -- which physical port(s) do you want to be associated with this VLAN? And should it be the 'default' VLAN for that port (i.e. untagged) or will there be VLAN aware devices downstream?

From what I can tell, your guest networks may not be assigned to the correct ethernet interface. WAN is on eth0 and LAN is on eth1. So I think all your guest networks should be assigned to VLANs on eth1 (eth1.xxxx). So you could set:
LAN = eth1
Guest1003 = eth1.1003
[Guest=eth1.10 (this is arbitrary, but I'm avoiding VLAN1, VLAN2 as they may be your LAN/WAN).] - is this needed?

Then configure your switch so that VLAN1003 is tagged on the port connected to the apple wifi, and presumably untagged on the wired guest port.

I think that you might want it configured as follows:

config switch_vlan
  option device 'switch0'
  option vlan '1'
  option ports '0t 2 3 4'

config switch_vlan
  option device 'switch0'
  option vlan '1003'
  option ports '0t 3t 5'

config switch_vlan
  option device 'switch0'
  option vlan '2'
  option ports '1 6t'
  1. I don't need two independent guest networks but since guest works properly with wifi I'd like to keep it just in case.
  2. WAN is the uplink to the modem. I need one ethernet connection to the switch. All local traffic including the Airport APs will run through the switch. The switch is configured correctly to pass the VLAN1003 traffic to the current router (which is an Airport AC).
  3. In an ideal world I'd like to use any of the LAN ports which is how the current Airport AC is working in router mode. May not be possible though, but that's kinda odd to consider. How is the Airport doing it?
    So far the only traffic that is being tagged is wireless guest network traffic. All other traffic is untagged.

Note: the Lede router will have the wifi turned off. Only the Airports will provide wifi.

That last configuration suggested crashes the router and requires a reset.

Next I'm going to try tagging VLAN1003 on all the same ports as VLAN1 and see how that goes (and untagging the ports for VLAN1 and VLAN2).

I wonder if I've got the interface wrong. Not sure if it needs to bridge with the LAN and VLAN1 or should it be static? I feel like I have a better grasp of tagging/untagging the ports than how the interface should be setup.

And I'm back.

Still not having any luck even if I try to separate one LAN port instead of trying to make a trunk work. There seems to be an issue with handing out DHCP addresses but I can't figure it out. Testing out the separate LAN port with a direct connection to the computer and no DHCP address will be handed out (no WAN connection yet because I want to make sure it's working before I drop the router into the network; could that be a problem?).

I am trying to get this working on an IQRouter version of LEDE. Dunno how that would be different but I do notice I don't have a Switch tab in the GUI. I tried to update the LuCi package once but still didn't get the Switch tab. Reverted back to the IQRouter build.

Any suggestions would be greatly appreciated.

Try performing a reset to defaults (aka firstboot). Then you should at least get working DHCP and a known good starting point. At that point, you can add your VLAN, new network range with DHCP server, and critically don't forget to create a firewall zone for the guest network. That zone's rules must specifically allow DNS (UDP/TCP 53) and DHCP (UDP 67-68) from the guest network to the router (otherwise you won't get basic functionality), and should allow forwarding from guest > WAN.

Some interesting notes:

Reset everything back to default.

Spun off one of the LAN ports into its own VLAN 1003 interface (eth1.1003). Setup the firewall rules and the DHCP server as well. With that interface enabled I lose access to the internet from VLAN 1. If I stop that interface from running then internet access returns. Still cannot get DHCP addresses handed out to VLAN 1003 clients.

I feel like the fact that there is no switch tab in LuCi might be a clue why this isn't working. But the default setup does have VLAN 1 and 2 setup so maybe I'm wrong about that.

What is the difference between having the guest VLAN share a tagged port between vlan 1 and vlan 3 (guest), like it is done in the "Multiple network devices" section of https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan, and the setup posted here?

I.e., what's the difference between
option ports '2t 3 4 5 0t' in vlan 1
option ports '2t 0t' in vlan 3
(guest-wlan openwrt user guide setup)

and

option ports '3 4 5 0t' in vlan 1
option ports '2 0t' in vlan 3
(this posted setup)

The difference is:

Here port 2 carries two networks (VLAN 1 and VLAN 3), both of them tagged. This is a trunk configuration, where a single port/cable links to another device that is expecting these two tagged VLANs. If someone were to plug in a standard computer in its default configuration (which is almost always not VLAN aware), the port would appear to be non-functional.

In this case, port 2 carries only a single network, VLAN 3. It is untagged. This makes port 2 an 'access port' which is the typical configuration for most network equipment... plug & play.

In general, any given port on a VLAN aware device may have zero or one untagged network, and zero, one, or many tagged network(s).

A trunk is a port that carries two or more networks, and it may be a combination of untagged and tagged (many people advise against untagged + tagged), or simply multiple tagged networks.

An access port is one that has a single, untagged network.

Tagging is what identifies what traffic belongs to each network on a trunk port, and the tags are embedded within the ethernet frame data that goes over the wire. An untagged network, if present, is associated with a VLAN by the assignment in the switch, but the ethernet frame data does not carry the identifier with it (i.e. that is why it is called untagged).


So if I'm using an unmanaged switch for my VLAN 3 (guest), I would need to make the "guest" port carry only a single network (the 'access port' in your description). So I'm doing that, but for some reason my internet speed drops from 150Mbps (speed if directly connected to "port 2") to 15Mbps when going through the unmanaged switch (granted it's a 100Mbps switch, but I would at least expect 90Mbps). Any ideas on what it could be? Or it's just time to trash the unmanaged switch for a new one?

edit: to be clear,
PC -> Port 2 -> Internet is 150Mbps
PC -> Unmanaged Switch -> Port 2 -> Internet is 15Mbps
(Port two being in the "option ports '2 0t' " configuration)

Maybe there is an issue with your switch or cables.

It's not the switch or cables, I tried it on the non-guest side (PC -> Unmanaged Switch -> Port 3 -> Internet is 80Mbps). I'm breaking my head trying to understand what's wrong. I think I'll make a post by itself since this might be a tangent from the original post.

Edit: I used the same cables and switch for both tests, and did the tests multiple times

It doesn’t make sense that you would get normal speed without the switch, but once you connect the switch there is a problem, only on one network.

Maybe that router port is not auto negotiating with the switch properly, either due to misconfiguration or some physical issue. If you change your vlan configuration to another port, does the problem follow the port or the vlan ?

Do you have any bandwidth shapers running?

Post your /etc/config/network file.

Yeah, I can't make sense of it. But I'm also not an experienced user... however I've tried following all the available information to a T. Here's the network file, thanks for taking a look at it.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd24:63e6:f374::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'

# Upstream link on VLAN 2 (eth0.2). 'peerdns 0' ignores the resolvers the ISP
# hands out and uses the explicit 'list dns' entries instead.
# NOTE(review): three different MAC overrides target eth0.2 in this file --
# here, on device 'wan_eth0_2_dev', and on 'wan6'. Only one can take effect;
# confirm which is intended and drop the others.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option macaddr '1C:39:47:29:9F:1C'
	option peerdns '0'
	list dns '24.139.179.67'
	list dns '24.139.179.66'
	list dns '24.138.252.19'
	list dns '24.139.179.68'
	list dns '24.55.102.2'
	list dns '156.154.71.1'

# Device-level MAC override for eth0.2 (second of the three noted above).
config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'b0:be:76:09:5e:23'

# IPv6 on the same upstream: DHCPv6, requesting a delegated prefix
# ('reqprefix auto') and attempting an address ('reqaddress try').
# Third MAC override for eth0.2.
config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option macaddr 'C0:05:C2:9E:58:9D'
	option reqaddress 'try'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

# Guest network (192.168.101.0/24) on the VLAN 3 sub-interface eth0.3, built
# as a bridge so that a guest wifi interface can be attached to it as well
# (the poster follows the guest-wlan guide).
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'eth0.3'
	option type 'bridge'
	option ipaddr '192.168.101.1'

# VLAN 3: tagged toward port 0 (the CPU-facing port, tagged in every VLAN
# here) and untagged on port 5 -- an access port, so a plain non-VLAN-aware
# device on port 5 lands in the guest network.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5'
	option vid '3'

edit: On my previous posts I was talking with the port numbers that the previous poster used, I'm aware that my "guest" is port 5 in my case.

Config looks fine.

Try changing the vlan to another port - maybe port 4?

Changed the guest vlan to another port, still the same problem. Then changed the vid to another number, still the same problem. Maybe it's firewall issue? just in case, I've included all current copies of network, DHCP, firewall

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd24:63e6:f374::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option macaddr '1C:39:47:29:9F:1C'
	option peerdns '0'
	list dns '24.139.179.67'
	list dns '24.139.179.66'
	list dns '24.138.252.19'
	list dns '24.139.179.68'
	list dns '24.55.102.2'
	list dns '156.154.71.1'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'b0:be:76:09:5e:23'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option macaddr 'C0:05:C2:9E:58:9D'
	option reqaddress 'try'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ipaddr '192.168.101.1'
	option ifname 'eth0.4'

# Guest VLAN after the poster's test: table entry 3 now carries 802.1Q tag 4
# ('vlan' is the switch table index, 'vid' the tag on the wire), tagged toward
# CPU port 0 and untagged on port 4, matching the 'eth0.4' ifname on 'guest'.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4'
	option vid '4'

/etc/config/dhcp

# DNS/DHCP daemon settings. The security-relevant ones: 'rebind_protection'
# rejects upstream answers that resolve to private address ranges (DNS
# rebinding), 'rebind_localhost' exempts 127.0.0.0/8 from that filter,
# 'boguspriv' stops reverse lookups for private ranges being forwarded
# upstream, and 'localservice' answers queries only from directly attached
# subnets. 'local'/'domain' keep '.lan' names from being forwarded upstream.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# Guest zone: input and forward are both REJECT, so guest clients reach the
# router and other zones only through the explicit openings below.
config zone
	option network 'guest'
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'

# Internet only: guest -> wan. No guest -> lan forwarding is defined.
config forwarding
	option dest 'wan'
	option src 'guest'

# Router DNS for guests. No 'proto' is given; a port rule without a protocol
# is presumably treated as TCP+UDP by fw3 -- verify with `fw3 print`.
config rule
	option dest_port '53'
	option src 'guest'
	option name 'Guest DNS'
	option target 'ACCEPT'

# Router DHCP for guests (UDP 67-68).
config rule
	option dest_port '67-68'
	option src 'guest'
	option name 'Guest DHCP'
	option target 'ACCEPT'
	list proto 'udp'

I’m not seeing any issues. Do you have another switch you can try?

I did actually, same problem :confused:. They are both old switches however (10/100 speeds, at least I know one of them, a Linksys SE1500, is IEEE 802.3u if that says anything). But they both work fine (80Mbps speeds) in the 'lan' network, but once connected to the 'guest' network it goes down to 10-15Mbps.

I have difficulty believing it is anything in the configuration that you have shown me, and I don't understand why the switch changes the bandwidth on the port (relative to the direct connection) only for the guest network.

I'm assuming you haven't installed any bandwidth shapers or anything else, but even still, I don't know why the external switch would influence it except if auto negotiation was failing (which is still plausible, but seems less likely if you are able to prove the cables and the switch are fine on the LAN network).

My last idea is to just reset everything to defaults and recreate your settings. You can take a backup first, but I'd recommend configuring fresh and not restoring the backup as there may be some setting somewhere that is impacting this.

While you're at it, make sure you're running the latest and greatest version of OpenWrt that your device supports.

Yes, I don't have any bandwidth shapers. My network is Modem (acting as bridge) -> Router (Archer C7 v5 / OpenWrt 19.07.2) -> Unmanaged Gigabit Switch -> Dumb AP (WNDR3700v1 / OpenWrt 19.07.02). From the Router I created a guest WLAN following the user guide, on the Dumb AP I created the guest WLAN following the user guide, and on both (Router & Dumb AP) I added a port for the guest WLAN following this thread (bridging them in the interfaces section). The guest "lan port" is where I'm having this trouble. I just tested the switch on the Dumb AP's "guest lan port" and have the same problem there (no problem when hooking it up to the normal "lan" ports). I noticed that the switch I have for the Dumb AP (not the two I tested) is actually having the same problem (but 50Mbps instead of 15Mbps, which is why I didn't notice).

edit: Since I'm having problems with two 10/100 switches (or three if I count the one with 50Mbps instead of 80-100Mbps on the dumb ap) on both the router and "dumb ap", I think this is a little bit over my head on diagnosing the problem. I should do this test with a gigabit switch, see if that fixes the problems on the 'guest lan ports', but unfortunately I don't have any handy with me.

Are you connecting both the guest network and the trusted LAN through the same unmanaged switch?

EDIT: I mean are you doing it at the same time?