Guest VLAN for wifi (using Unifi Access Points)

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello,

I'm running OpenWrt 22.03 as my router and have a few Unifi Wifi Access Points that are not running OpenWrt but rather are just running Unifi's firmware.

My current network configuration is pretty straightforward. My OpenWrt router has a br-lan set up that bridges 3 ethernet ports and one of those ports is connected to a managed switch that is basically set with defaults so there is no VLAN configuration done on the switch.

The Unifi access points are connected to that switch. They are currently configured to use the "default" network, which is untagged or could be considered VLAN 1.

I'd like to add a VLAN 100 which is a guest wifi VLAN. I don't need any ethernet ports to use this VLAN, it will just be for wifi.

I already configured the Unifi access points to create a new SSID and assign this VLAN 100 to it. The other SSIDs I just left at the default untagged VLAN.

So now I'm trying to configure OpenWrt to create a new VLAN 100 which serves a DHCP address and allows accessing the WAN but not the rest of the LAN. I created a new 802.1q VLAN device br-lan.100 and also a GUEST interface in OpenWrt with a DHCP server.

I tried setting this up but it is not working -- wifi devices connecting to this SSID never receive a DHCP address.

I'm wondering if someone could help me figure out what I'm doing wrong. I'll copy my config files below. Thanks.

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        option vlan_filtering '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.20.0.1'
        option ipv6 '0'
        option delegate '0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.3'
        list dns '1.0.0.3'
        option ipv6 '0'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '1.1.1.3'
        list dns '1.0.0.3'
        option auto '0'

config route
        option interface 'wan'
        option target '192.168.100.0/24'
        option netmask '255.255.255.0'
        option metric '1'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '100'
        option name 'br-lan.100'

config interface 'guest'
        option device 'br-lan.100'
        option proto 'static'
        option ipaddr '10.20.100.1'
        option netmask '255.255.255.0'


/etc/config/dhcp:

.......

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
2

I've been advised by many to avoid pass untagged traffic with tags.

so for example you will have to create 2 vlans:

no. 10 LAN connection
no. 100 guest link

so I suggest you too configure your br-lan with tag.

before making this change, if you have a usb - ethernet adapter and your router has a usb port, I advise you to configure a new interface connected to the ethernet adapter in order to avoid losing access to your system.

I await your info on the availability of for example:

obviously if you follow my advice you will need to create 2 vlans on the switch as well.

in your next reply please specify which router you have and which switch you have (brand/model)

1 Like
3

There are two ways to setup a guest network...

  1. use the unifi guest network function. It actually can create an isolated guest network that is managed by the AP itself. This is a feature you'll find in the Unifi Network App.

  2. Create an additonal network/VLAN on your OpenWrt router and then connect that with an SSID on the AP (using UNA to configure appropriately).

This is not actually necessary, and it won't solve the issue here because you need to use DSA syntax for creating a bridge VLAN.

Are the APs connected to this switch? If so, you must configure the switch accordingly. And if so, we need to know the port number from the OpenWrt router that is connected to the switch -- this matters for the DSA configuration.

Actually, by definition you do need ethernet since that is how the Unifi APs are connected to the router. So you'll be using VLANs on the router (and presumably on the switch).

Can you provide a basic drawing of your network topology -- please include port numbers so that it is clear where things are connected.

2 Likes
4

Ah, I knew Unifi had the guest network option but didn't realize it would work without using their gateway. I'm just going to go with this for the time being as it does what I'm looking for, which is isolating guest wifi on my home network. At some point I'd like to get VLANs working but I think for today the isolated wifi is sufficient. Thanks for the help!

5

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.