Guest VLAN on Flint 2

Greetings folks. New to OpenWRT and struggling to accomplish my goal of adding a single Guest SSID on VLAN 3 via a trunk port on lan2 on my Flint 2 router with a backend OPNSense router (OPNSense is set up with VLAN 3 and DHCP). My Flint 2 is linked to OPNSense via a TL-SG108E and I've read that this switch isn't the best. I did configure the ports for VLAN 3, so it should allow traffic? I've used YouTube videos and guides, but those instructions usually result in one of the following:
-Enabling VLAN filtering on br-lan and adding a vlan results in lockout.
-When I select save after configuring a new SSID on Luci, the save button does nothing.
-When I add an SSID by configuring /etc/config/wireless, it broadcasts but I'm unable to connect to it.

root@OpenWrt-Pri:~# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "OpenWrt-Pri",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
root@OpenWrt-Pri:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd94:d51c:93c7::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option vlan_filtering '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.153.211.200'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.153.211.1'
        list dns '10.153.211.1'

root@OpenWrt-Pri:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '6'
        option htmode 'HE40'
        option txpower '20'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0_lan'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'MAINSSID'
        option encryption 'psk2'
        option key 'PASSWORD'

config wifi-iface 'guest_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2'
        option key 'PASSWORD'
        option isolate '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'MAINSSID5G'
        option encryption 'sae-mixed'
        option key 'PASSWORD'
        option ocv '0'

Check out some of the posts in this thread where I extended the Guest Network via VLAN to a NetGear GS108T managed switch so that I could put various wired switchports on the Guest network. I’m not running the OpenWRT firmware. I’m running the native GL.iNet firmware and there’s a glitch with the Bridge VLAN Filtering checkbox on their firmware.

Here’s what happens with the Bridge VLAN filtering checkbox on their GL.iNet firmware which I believe is just backwards of what it should do.

Thanks for your reply. Glad to see Navy here. I'm in the Navy and in Supply, so this VLAN thing is a bit out of my league.
I'm using vanilla openwrt, so it appears the bug extends beyond the gli version. I tried following OneMarcFifty's VLAN video, but it's a hard video for a newbie to follow since he jumps back and forth between version 19 and 21, and isn't saving and applying the changes to show the changes he works with.
Hoping to get your input on this. What I got out of the video is to:

  1. Create a bridge with desired lan port (lan2 in my case)
  2. Enable vlan filtering on the created bridge from step 1. Add and tag vlan (vlan 3 in my case)
  3. Create static interface and use software br-lan as the device
  4. Create SSID. Here I ran into the issue again where the save button will not save. I went back and changed the bridge device from software to the one I created in step 1. This is not what he does in the video, but figured I'd give it a try. This time the SSID saves and broadcasts, but I cannot connect to it.

I reviewed the video to make sure I followed the steps correctly, and I think I did, but it's hard to tell because it's a bit hard to follow.

Pretty much at a road block.

Greetings folks, I figured out how to create a guest interface and a guest SSID and am posting my steps hoping others who have the same issue can follow this. I will try and explain what I did and the steps I took so that any brand new person to OpenWRT can understand. This is a bit lengthy, so please bear with me.

Before I explain the steps to get this to work on OpenWRT, my network setup is as follows:
-OPNSense router with two networks: 1-my native lan, 2-guest network. My native lan is not associated to a vlan, and therefore defaults to vlan 1. Guest network is configured to vlan 3.
-TP-link TL-SG108E. Ports linked to OPNSense and OpenWRT are untagged for vlan 1, and tagged for vlan 3. PVID set to 1.
-I am using a trunk port (meaning one physical link carrying multiple vlans) from my OpenWRT to my network switch and ultimately to my OPNSense firewall.
-Flint2 router on vanilla OpenWRT.

Steps on OpenWRT to create your guest network. Do not skip steps or you will probably lock yourself out:

  1. Create a new bridge device. This is important to create the devices for vlans 1 and 3 on a new bridge:

Go to: Network > Interfaces > Devices > Add device configuration

Device type: Bridge device
Device name: br-lan1 (you can call this whatever you like)
Bridge port: the physical switch port through which your OpenWRT connects to the network (in my case Switch port: "lan2")

Click save. Do NOT click Save & Apply, or you will lock yourself out. Your lan interface is not yet configured to route through vlan 1.

  2. Enable vlan filtering on the newly created bridge device from step one (in my case br-lan1).

Select configure next to your new bridge device from step 1. Configure the following:
Select the Bridge VLAN Filtering tab
Ensure Enable VLAN filtering is checked
Select Add
Add in your vlans (in my case 1 and 3). Select U for vlan 1, and select T for your other vlan (this would be vlan 3 for me)

This will create two new devices called br-lan1.1 (vlan 1) and br-lan1.3 (vlan 3)
Click save. Do NOT click Save and Apply, or you will lock yourself out. Your lan interface is not yet configured to route through vlan 1.

  3. Link your lan interface to the newly created vlan 1 device.

Go to: Network > Interfaces

Edit your lan interface. Set the following:
Device: Software VLAN: "br-lan1.1" - this is vlan 1 created from step 2.

Click save. Now you can click Save & Apply, because your lan should now be routing through vlan 1.

  4. Create a guest network.

Go to: Network > Interfaces

Select Add new interface. Configure the following:
Name: guest
Protocol: Static Address
Device: Software VLAN: "br-lan1.3" - this is vlan 3 created from step 2.

Select Create Interface. Configure the following:

IPv4: Enter an IP for your guest network. In my case 192.168.3.2
IPv4 netmask: Enter your netmask. Most likely 255.255.255.0
IPv4 gateway: The IP of your guest network on OPNSense. In my case 192.168.3.1

Pause here: I am not entirely sure if the following steps are required, but I went ahead and did them. Nothing really lost by doing them, and I don't want to remove them considering the guest network is up.

Under Advanced Settings:
Use custom DNS servers: 1.1.1.1
Firewall Settings: Create/Assign firewall-zone: guest

Click Save. Save & Apply.

  5. Configure guest firewall.

Go to:
Network > Firewall

Select edit next to your guest firewall zone and configure the following, everything else leave as default:
Name: guest
Input: accept
Output: accept
Intra zone forward: reject
Covered networks: guest

Click save. Save & Apply.

  6. Create guest wireless network. I was unable to create a guest SSID on the LuCI web UI; it would not save. I conclude there is a bug in the LuCI web UI, but I was able to create my guest network by configuring /etc/config/wireless. Below is the entry I added to /etc/config/wireless. Obviously change the ssid, password, and encryption to your desire:

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2'
        option key '12345'
        option isolate '1'
        option network 'guest'

The above steps should get everything going. If you understand all the above, you should now be able to create additional networks such as for IoT and others. The key points to follow so as NOT to lock yourself out are to create the bridge device (step 1), create the vlans (step 2), and associate the required vlan with the lan interface (step 3).
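As an added example (not from any poster in this thread), the /etc/config/network equivalent of steps 1 to 4 above, written as the UCI stanzas that the LuCI bridge/VLAN screens produce, together with a small shell check for the lockout condition described in the first post (the lan interface still bound directly to a bridge that has VLAN filtering enabled). The br-lan1/lan2 names and the addresses are taken from the posts; the `broken_cfg` stanza is a constructed reduction of the original br-lan config.

```shell
# Constructed example (not the poster's dump): the /etc/config/network that steps 1-4 of
# the thread produce. Names (br-lan1, lan2), VLAN ids and addresses follow the posts.
network_cfg() {
cat <<'EOF'
config device
        option name 'br-lan1'
        option type 'bridge'
        list ports 'lan2'
        option vlan_filtering '1'
config bridge-vlan
        option device 'br-lan1'
        option vlan '1'
        list ports 'lan2:u*'
config bridge-vlan
        option device 'br-lan1'
        option vlan '3'
        list ports 'lan2:t'
config interface 'lan'
        option device 'br-lan1.1'
        option proto 'static'
        option ipaddr '10.153.211.200'
        option netmask '255.255.255.0'
        option gateway '10.153.211.1'
config interface 'guest'
        option device 'br-lan1.3'
        option proto 'static'
        option ipaddr '192.168.3.2'
        option netmask '255.255.255.0'
        option gateway '192.168.3.1'
EOF
}
# The lockout pattern from the first post (constructed, reduced): lan bound to a bridge
# that has vlan_filtering on, so untagged frames no longer reach the lan address.
broken_cfg() {
cat <<'EOF'
config device
        option name 'br-lan'
        option vlan_filtering '1'
config interface 'lan'
        option device 'br-lan'
EOF
}
# lockout_check CFG: prints OK when lan sits on a VLAN subdevice (or a plain bridge),
# FAIL when lan sits directly on a bridge whose vlan_filtering is '1' (or has no device).
lockout_check() {
  printf '%s\n' "$1" | awk -v q="'" '
    /^config /    { sect = $2; name = $3; gsub(q, "", name) }
    /option name/ { gsub(q, "", $3); if (sect == "device") dev = $3 }
    /option vlan_filtering .1./ { vf[dev] = 1 }
    sect == "interface" && name == "lan" && /option device/ { gsub(q, "", $3); landev = $3 }
    END { r = (landev == "" || vf[landev]) ? "FAIL" : "OK"; print r }'
}
```

Run `lockout_check "$(cat /etc/config/network)"` on the router before clicking Save & Apply; a FAIL means step 3 has not been done yet.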