Help setting up VLANs + Guest Wifi

Goal: Set up VLANs so that both my home and guest network use my router as their DHCP server and use my APs as dumb APs.


Router: NanoPi R4S running OpenWrt 23.05.4 r24012-d8dd03c46f

2x APs: ZyXEL NWA50AX Pro running OpenWrt 23.05.5 r24106-10cc5fcd00

Switch: HPE 1920-24G running OpenWrt 24.10.0 r28427-6df0e3d02a


Network Topology:

The only change has been swapping out the unmanaged JGS516 for the JG924A


My current situation is still the same as it was in the thread Managed switch required for guest wifi? - #5 by Magenta7602

Now that I have a managed switch I am trying to switch things over to what I stated as my goal, but I pretty much get stuck at the beginning, which is getting the NanoPi set up to receive the tagged VLAN traffic. I am also a bit confused about how the zone forwarding should work and whether clamping or masquerading will be needed.

@psherman

Since the R4S is a 2 port device, I'm assuming that one is the WAN and the other will be used as a trunk with your local networks.

With that in mind, if you're just creating a single guest network, follow this guide to get started. You can ignore the part about making the SSIDs on this device, though, if you're only using Ethernet from the R4S. We'll make some adjustments from there to attach it to Ethernet.

If you run into any issues along the way, feel free to ask and we'll try to get you unstuck.

When you're done, let's see the config (we'll make those modifications once the basics are complete):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I set up the device and interface per the guide. Basically the same as the Dumb AP setup. Obviously did not do the wifi part and skipped the firewall section for now as well (although I can add that in if you think it makes sense right now).


root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "rockchip/armv8",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6e:64de:12d7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr 'fc:0f:e7:16:19:58'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'switch'
        option ip '192.168.1.252'
        option leasetime 'infinite'

config host
        option name 'kitchen'
        option ip '192.168.1.2'
        option leasetime 'infinite'

config host
        option name 'basement'
        option ip '192.168.1.3'
        option leasetime 'infinite'

config host
        option name 'pihole'
        option ip '192.168.1.254'
        option leasetime 'infinite'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

Looks good so far.

Replace the device above with eth1.10.

Then implement the firewall rules as presented in the guide. Post the network config and the firewall files again when that is done - I’ll double check them.

That should be all that is necessary on the router. Then we will move to the switch and the APs.

Added the VLAN device eth1.10 and replaced device br-guest with it, then added the firewall rules.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6e:64de:12d7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'


config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'


config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'eth1.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '10'
        option name 'eth1.10'

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

Looks good. Two minor things:

The following can now be deleted:

And this 802.1q stanza is not actually necessary -- it can also be deleted (although it shouldn't cause any issues if it is kept in place):

Now, let's look at your switch config -- we need to see the /etc/config/network config file from that device and additionally we need to know the following about the ports:

  • Which port connects to the router (R4S)?
  • Which ports are used to connect to the APs?
  • Is there a spare port we can use for verifying that the guest network is working properly? If so, what port number?

Which port connects to the router (R4S)? Port 1
Which ports are used to connect to the APs? Ports 2 & 3
Is there a spare port we can use for verifying that the guest network is working properly? If so, what port number? Ports 7-24 are all basically available. Let's go with port 16 as it's simple to reach for me.

root@switch:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd05:5588:b0a3::/48'
        option packet_steering '1'

config device 'switch'
        option name 'switch'
        option type 'bridge'

config bridge-vlan 'lan_vlan'
        option device 'switch'
        option vlan '1'
        option ports 'lan1 lan2 lan3 lan4 lan5 lan6 lan7 lan8 lan9 lan10 lan11 lan12 lan13 lan14 lan15 lan16 lan17 lan18 lan19 lan20 lan21 lan22 lan23 lan24 lan25 lan26 lan27 lan28'

config device
        option name 'switch.1'

config interface 'lan'
        option device 'switch.1'
        option proto 'static'
        option ipaddr '192.168.1.252'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'

great.

So, let's make some bridge-vlans. The first is already there, but I recommend editing it -- sorry, this will be a bit tedious:

Make it look like this:

config bridge-vlan 'lan_vlan'
        option device 'switch'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
...
        list ports 'lan28:u*'

(where the ... is the rest of the ports).
Omit just one port from the above, though -- lan16, since we're going to use that for the guest verification.

Next, we'll create the bridge-VLAN for the guest network:

config bridge-vlan
        option device 'switch'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan16:u*'

And now we'll create an unmanaged interface for the guest network:

config interface 'guest'
        option device 'switch.10'
        option proto 'none'

Restart your switch after these changes are complete.

If all goes well, you'll have the lan on all ports except for port 16 which will have the guest network. If this is true, we can start working on the APs (post the /etc/config/network config from those devices next).
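To see how the port flags in the bridge-vlan stanzas above combine per port, here is an added example (not code from this thread or from OpenWrt) that parses the UCI text of /etc/config/network, reads every `config bridge-vlan` section and reports, for each switch port, its PVID (the VLAN marked with `*`, into which untagged frames arriving on that port go), its untagged egress VLANs and its tagged VLANs. It also flags the two mistakes that most often break a layout like this one: a port given the PVID in two VLANs, and an untagged member with no PVID at all. `SAMPLE_CONFIG` is a constructed, shortened version of the switch config being built here (lan4 to lan28 other than lan16 and lan17 are left out); the function names are this example's own. It also accepts the older `option ports 'lan1 lan2 ...'` form from the switch's original config.

```python
"""Per-port VLAN membership check for OpenWrt bridge-vlan stanzas.

Added example, not code from the forum thread or from OpenWrt.  It parses
UCI text, reads every 'config bridge-vlan' section and works out, for each
switch port, its PVID ('*'), its untagged egress VLANs and its tagged VLANs.
SAMPLE_CONFIG is a constructed, shortened version of the switch config
discussed in the thread (lan4..lan28 other than lan16/lan17 omitted)."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """
config device 'switch'
        option name 'switch'
        option type 'bridge'

config bridge-vlan 'lan_vlan'
        option device 'switch'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan17:u*'

config bridge-vlan 'guest_vlan'
        option device 'switch'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan16:u*'
"""

TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text):
    """Return [(section_type, section_name, {key: [values]})] in file order.

    Both 'option ports' with a space-separated value and repeated
    'list ports' lines are normalised to one value per port."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = [p.strip('\'"') for p in TOKEN_RE.findall(line)]
        if parts[0] == 'config' and len(parts) >= 2:
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, defaultdict(list)))
        elif parts[0] in ('option', 'list') and len(parts) == 3 and sections:
            key, value = parts[1], parts[2]
            sections[-1][2][key].extend(value.split() if key == 'ports' else [value])
    return sections


def port_membership(text):
    """Return ({port: {'pvid', 'untagged', 'tagged'}}, [problem strings])."""
    ports = defaultdict(lambda: {'pvid': None, 'untagged': set(), 'tagged': set()})
    problems = []
    for stype, _name, opts in parse_uci(text):
        if stype != 'bridge-vlan' or not opts.get('vlan'):
            continue
        vlan = int(opts['vlan'][0])
        for spec in opts.get('ports', []):
            port, sep, flags = spec.partition(':')
            if not sep:              # a bare port name behaves like ':u*' (netifd default)
                flags = 'u*'
            entry = ports[port]
            if 't' in flags:
                entry['tagged'].add(vlan)
            else:                    # 'u': untagged egress in this VLAN
                entry['untagged'].add(vlan)
            if '*' in flags:         # '*': this VLAN is the port's PVID
                if entry['pvid'] is not None and entry['pvid'] != vlan:
                    problems.append(f"{port}: PVID (*) set in VLAN {entry['pvid']} and VLAN {vlan}")
                entry['pvid'] = vlan
    for port, entry in sorted(ports.items()):
        if entry['untagged'] and entry['pvid'] is None:
            problems.append(f"{port}: untagged in {sorted(entry['untagged'])} but no PVID (*)")
    return dict(ports), problems


def access_map(text):
    """{port: pvid}: the VLAN an untagged client on that port lands in (None = tagged-only trunk)."""
    membership, _ = port_membership(text)
    return {port: entry['pvid'] for port, entry in membership.items()}


if __name__ == '__main__':
    membership, problems = port_membership(SAMPLE_CONFIG)
    for port, entry in sorted(membership.items()):
        print(f"{port:6} pvid={entry['pvid']} untagged={sorted(entry['untagged'])} "
              f"tagged={sorted(entry['tagged'])}")
    print('problems:', problems or 'none')
```

Run against the full switch config, the expected picture is exactly the one described above: every port reports PVID 1 except lan16 (PVID 10), and lan1 to lan3 additionally carry VLAN 10 tagged towards the router and the two APs.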

Sorry, but I'm a bit confused on how to do this. I typically use the LuCI interface. Would I basically just create a bridge device for each port, enable VLAN tagging, and mark it as untagged, then remove it from the original switch bridged device until I'm through all 24 ports, minus 16 and 25-28 (not supported)?

I just directly edit the config files (text).

Ahh, I see. Alright, this might take me a moment, pretty new to this.

I think I have the first part of your request done.


root@switch:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd05:5588:b0a3::/48'
	option packet_steering '1'

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr '2c:23:3a:25:78:da'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21'
	list ports 'lan22'
	list ports 'lan23'
	list ports 'lan24'
	list ports 'lan25'
	list ports 'lan26'
	list ports 'lan27'
	list ports 'lan28'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'
	list ports 'lan6:u*'
	list ports 'lan7:u*'
	list ports 'lan8:u*'
	list ports 'lan9:u*'
	list ports 'lan10:u*'
	list ports 'lan11:u*'
	list ports 'lan12:u*'
	list ports 'lan13:u*'
	list ports 'lan14:u*'
	list ports 'lan15:u*'
	list ports 'lan17:u*'
	list ports 'lan18:u*'
	list ports 'lan19:u*'
	list ports 'lan20:u*'
	list ports 'lan21:u*'
	list ports 'lan22:u*'
	list ports 'lan23:u*'
	list ports 'lan24:u*'
	list ports 'lan25:u*'
	list ports 'lan26:u*'
	list ports 'lan27:u*'
	list ports 'lan28:u*'

config device
	option name 'switch.1'

config interface 'lan'
	option device 'switch.1'
	option proto 'static'
	option ipaddr '192.168.1.252'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'


ok. I think this is done.

from switch:

root@switch:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd05:5588:b0a3::/48'
        option packet_steering '1'

config device 'switch'
        option name 'switch'
        option type 'bridge'
        option macaddr '2c:23:3a:25:78:da'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'
        list ports 'lan9'
        list ports 'lan10'
        list ports 'lan11'
        list ports 'lan12'
        list ports 'lan13'
        list ports 'lan14'
        list ports 'lan15'
        list ports 'lan16'
        list ports 'lan17'
        list ports 'lan18'
        list ports 'lan19'
        list ports 'lan20'
        list ports 'lan21'
        list ports 'lan22'
        list ports 'lan23'
        list ports 'lan24'
        list ports 'lan25'
        list ports 'lan26'
        list ports 'lan27'
        list ports 'lan28'

config bridge-vlan 'lan_vlan'
        option device 'switch'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'lan5:u*'
        list ports 'lan6:u*'
        list ports 'lan7:u*'
        list ports 'lan8:u*'
        list ports 'lan9:u*'
        list ports 'lan10:u*'
        list ports 'lan11:u*'
        list ports 'lan12:u*'
        list ports 'lan13:u*'
        list ports 'lan14:u*'
        list ports 'lan15:u*'
        list ports 'lan17:u*'
        list ports 'lan18:u*'
        list ports 'lan19:u*'
        list ports 'lan20:u*'
        list ports 'lan21:u*'
        list ports 'lan22:u*'
        list ports 'lan23:u*'
        list ports 'lan24:u*'
        list ports 'lan25:u*'
        list ports 'lan26:u*'
        list ports 'lan27:u*'
        list ports 'lan28:u*'

config device
        option name 'switch.1'
        option macaddr '2c:23:3a:25:78:da'

config interface 'lan'
        option device 'switch.1'
        option proto 'static'
        option ipaddr '192.168.1.252'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'

config bridge-vlan 'guest_vlan'
        option device 'switch'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan16:u*'

config interface 'guest'
        option device 'switch.10'
        option proto 'none'

kitchen (192.168.1.2)

root@kitchen:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd87:b812:65d6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '9.9.9.9'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'

basement (192.168.1.3)


root@basement:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf9:21e8:a918::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.3'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.3'
        option netmask '255.255.255.0'

the 192.168.2.0/24 network is the makeshift guest network I have going on currently, that we discussed in my prior thread. My hope is for that to be fully replaced.

Switch looks good.

The following changes will be made on both APs (exactly the same for each):

Let's do the guest bridge next. Edit it to look like this:

config device
    option type 'bridge'
    option name 'br-guest'
    list ports 'eth0.10'

And make the guest network unmanaged like this:

config interface 'guest'
    option proto 'none'
    option device 'br-guest'

I'm assuming you've already created the guest SSID and connected it with the guest network. If that hasn't been done, now is the time to do it.

Restart and test... if everything is configured properly, the guest network should now be functional.

It works. I will shift over everything tomorrow when the band-aid guest network isn't in use.

A few questions....

Can you clarify what you meant? I am assuming I'm not supposed to get rid of the device.


Was there some sort of verification I was supposed to do?

EDIT: never mind I get it. It worked, port 16 plugs into the guest network.


One other question. Is there a firewall rule I would need to add to allow the guest network to use my pihole (192.168.1.254) as its DNS?


I really appreciate all the help!

You have an explicit 802.1q stanza which creates a VLAN "device." But this is not necessary because the use of the bridge VLANs and/or dotted notation (depending on which device we're talking about) will automatically create the same device. Therefore, the 802.1q stanza can be deleted.

Great!

Yes. Two things you'll want to do:

  1. Change the current firewall rule that allows guest DNS such that it has a destination zone of lan and a destination address of 192.168.1.254:

config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
        option dest 'lan'
        list dest_ip '192.168.1.254'

  2. Add DHCP option 6 (DNS advertisements) 192.168.1.254 to the guest DHCP server. That looks like this:

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.254'
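Why the destination zone and address matter, as an added example (not code from this thread or from OpenWrt's fw4): a small Python model of the order in which fw4 decides the fate of a forwarded packet, applied to the guest rules exactly as first posted and to the revised rule above. A `config rule` with no `dest` is an input rule, so the original Allow-DNS-Guest only admitted DNS to the router itself; with `dest 'lan'` and `dest_ip` it becomes a forward rule that lets guests reach the Pi-hole on port 53 and nothing else on the lan. The names `Rule`, `Packet`, `matches` and `verdict` are this example's own; `dest_ip` is compared as an exact address rather than a CIDR, and address families, NAT and the input/output chains are left out. The default of `tcp udp` for a rule without `proto` is fw4's documented default.

```python
"""Simplified model of how OpenWrt's fw4 decides a forwarded packet's fate.

Added example, not code from the thread or from OpenWrt.  Decision order
modelled: 'config rule' sections in file order, then 'config forwarding',
then the zone's own forward policy (same zone) or the global default
(different zones).  Only the fields used in the thread are handled (src,
dest, proto, dest_port, dest_ip); dest_ip is an exact address, not a CIDR."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Rule:
    name: str
    src: str
    dest: Optional[str] = None     # None = input rule (traffic to the router), never a forward
    proto: Set[str] = field(default_factory=lambda: {'tcp', 'udp'})  # fw4 default when omitted
    dest_port: Optional[int] = None
    dest_ip: Set[str] = field(default_factory=set)
    target: str = 'ACCEPT'


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dest_zone: str
    proto: str
    dest_port: int
    dest_ip: str


# Zone policies and forwardings as posted in the router's /etc/config/firewall above.
DEFAULT_FORWARD = 'REJECT'
ZONE_FORWARD = {'lan': 'ACCEPT', 'wan': 'REJECT', 'guest': 'REJECT'}
FORWARDINGS = {('lan', 'wan'), ('guest', 'wan')}
PIHOLE = '192.168.1.254'

# Guest rules as first posted: no 'dest', so Allow-DNS-Guest only reaches the router itself.
RULES_BEFORE: List[Rule] = [
    Rule('Allow-DNS-Guest', src='guest', dest_port=53),
    Rule('Allow-DHCP-Guest', src='guest', proto={'udp'}, dest_port=67),
]
# Revised as suggested above: forward DNS from guest into lan, but only to the Pi-hole.
RULES_AFTER: List[Rule] = [
    Rule('Allow-DNS-Guest', src='guest', dest='lan', dest_port=53, dest_ip={PIHOLE}),
    Rule('Allow-DHCP-Guest', src='guest', proto={'udp'}, dest_port=67),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if a forward rule applies to pkt; input-only rules never match forwards."""
    if rule.dest is None or rule.src != pkt.src_zone:
        return False
    if rule.dest not in ('*', pkt.dest_zone):
        return False
    if pkt.proto not in rule.proto:
        return False
    if rule.dest_port is not None and rule.dest_port != pkt.dest_port:
        return False
    if rule.dest_ip and pkt.dest_ip not in rule.dest_ip:
        return False
    return True


def verdict(pkt: Packet, rules: List[Rule]) -> str:
    """First matching rule wins; otherwise forwarding sections, then policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    if pkt.src_zone == pkt.dest_zone:           # intra-zone: the zone's own forward option
        return ZONE_FORWARD[pkt.src_zone]
    if (pkt.src_zone, pkt.dest_zone) in FORWARDINGS:
        return 'ACCEPT'
    return DEFAULT_FORWARD                       # inter-zone with no forwarding: global default


if __name__ == '__main__':
    probes = [
        ('guest -> pihole dns', Packet('guest', 'lan', 'udp', 53, PIHOLE)),
        ('guest -> pihole http', Packet('guest', 'lan', 'tcp', 80, PIHOLE)),
        ('guest -> other lan dns', Packet('guest', 'lan', 'udp', 53, '192.168.1.2')),
        ('guest -> internet', Packet('guest', 'wan', 'tcp', 443, '9.9.9.9')),
    ]
    for label, pkt in probes:
        print(f'{label:24} before={verdict(pkt, RULES_BEFORE):6} after={verdict(pkt, RULES_AFTER)}')
```

The second step above (DHCP option 6) is what makes guests actually ask the Pi-hole; without it they would be handed the router's own address as resolver, which the revised rule no longer admits from the guest zone.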