Help with Archer C7 2.0 and Ubiquiti UAP-AC-Lite Guest Network

I've been tearing my hair out trying to transition from a TP-Link Archer C7 2.0 to a split setup with an Edgerouter X and one Ubiquiti UAP-AC-Lite. For some reason every time I use my hardwired Roku 3 it crashes all connectivity with the Edgerouter X, so I'm rolling back to the Archer C7 for routing until I can get some help with the ER-X from Ubiquiti.

With the ER-X I was setting up a VLAN and subnet for the guest Wifi using instructions from here:

https://www.wemustbegeeks.com/how-to-configure-guest-wifi-with-ubiquiti-edgerouter-and-unifi-access-points/

I can't get my head around how to replicate this on LEDE. For now I'm using the simple Guest Wifi setup from the UAP-AC-Lite which uses client isolation on the same subnet as my main WiFi, but ideally I want to try and have a separate VLAN and subnet as I was able to do with the ER-X.

Can anyone shed any light on this?

This can all be done with LuCI or by editing the config files. There is no "turn-key" UI for it.

  • Configure the VLAN you want to use on the SoC's interface used for your "inside" nets
  • Configure the VLAN you want to use on the switch
    • Assign one of the physical ports on the OpenWRT switch to carry that VLAN to the external AP
    • As well as the SoC's interface for that VLAN
  • Assign the wireless interface to be bridged to that VLAN when it comes up
  • Confirm that the firewall rules allow forwarding of connections between the guest VLAN and outside world with NAT
  • Add firewall rules to prevent forwarding of packets between the guest VLAN and your other internal VLANs

Thanks for your response. I'm very much a VLAN newb so I can't follow that very well.

Also, do I need to assign the wireless interface to be bridged even though I'm not using the C7's radios (because I have the UAP-AC-Lite)?

No, if you're not using the C7's radios, then you don't need to deal with the wireless configuration.

I did miss that you'll likely need to set up DHCP on the guest VLAN if you don't have DHCP already running on that VLAN.

Before going further, a diagram of what you want would be helpful. If your AP isn't capable of running multiple SSIDs and bridging them over VLANs to the router, things could get rather complicated.

[Image: Archer C7 V2 LEDE and UAP-AC-Lite VLAN diagram]

This is a quick network diagram I knocked up with draw.io, I think that makes sense. It's where I can get to using the Ubiquiti instructions from my first post.

What I want to achieve is a separate DHCP server on the C7 in the 192.168.2.x subnet that takes the VLAN tagged traffic from the AP. I also want it to run on OpenDNS DNS servers. Basically, all the steps in the first link for the Edgerouter X up to the Unifi controller are what I want to transfer to the C7. I'm still running the Unifi Controller so the rest is the same.

The way I'd set it up would be with a separate management VLAN, assuming that the UAP-AC-Lite supports it. That way only the device(s) you have configured with an IP address in the proper range with the right VLAN tag can reach the AP. Not really a strong security mechanism, but easy enough to do and get the benefits of not being "obvious" to someone on your networks.

I show VLAN tags that make sense to me. Pick ones that make sense to you!

The switch driver in the Archer C7 only supports 128 distinct VLANs, as I recall. I explicitly supply a vid and pvid to get the proper tag, no matter the "VLAN-table number" in use.

  • VLAN 1 -- "standard, internal-only, OpenWRT" usage to tie the WAN port to the SoC
    • eth0 -- untagged (or eth0.1 -- tagged)
      • DHCP client of modem
    • WAN port -- untagged
  • VLAN 100 -- management
    • eth1.100 -- tagged
      • static IP 192.168.100.1/24
      • no services supplied except perhaps NTP
    • LAN 4 -- tagged
    • LAN 1-3 -- tagged (called out separately as for your "desktop" device(s) to manage the AP)
  • VLAN 150 -- private LAN
    • eth1.150 -- tagged
      • static IP 192.168.150.1/24
      • Supplies DHCP, DNS, NTP
    • LAN 1-3 -- untagged
    • LAN 4 -- tagged
  • VLAN 200 -- guest LAN
    • eth1.200 -- tagged
      • static IP 192.168.200.1/24
      • Supplies DHCP, DNS, NTP
    • LAN 4 -- tagged

You can restrict ssh and uhttpd to only listen on 192.168.100.1 so that only hosts on that subnet with VLAN tag 100 can have access to them.

On the AP:

  • The management interface adjusted to operate on 192.168.100.2/24 over VLAN 100
  • Two virtual APs (2.4 and 5) are bridged to VLAN 150 for "private" wireless
  • Two virtual APs (2.4 and 5) are bridged to VLAN 200 for guest wireless
  • No DHCP, DNS supplied by the AP

I'd suggest the same SSID and keying (wpa2+ccmp) for the two bands to allow clients to "pick the best band", unless you want to explicitly segregate the bands. Disabling legacy rates may be necessary to enable 802.11ac rates; check the AP manual for details.
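The layout above, together with the step list from the first reply (switch VLANs, SoC sub-interfaces, guest DHCP, firewall forwarding to WAN only), written out as UCI commands. This is an added example, not code from the thread or from the OpenWrt project: the switch port numbering (port 0 = CPU port behind eth1, ports 2-5 = LAN 1-4), the table indices 3/4/5, the interface and zone names `mgmt`/`guest`, the reuse of the stock `lan` interface for VLAN 150 and the `DRY_RUN` switch are all assumptions of the example; check the port map in LuCI or with `swconfig dev switch0 show` before applying it on a real Archer C7.

```shell
#!/bin/sh
# Added example, not code from the thread: UCI commands implementing jeff's layout
# (VLAN 100 mgmt / 150 private / 200 guest, LAN 4 as the tagged trunk to the
# UAP-AC-Lite) on an Archer C7 v2 running OpenWrt/LEDE with the swconfig driver.
# Assumptions, to be checked in LuCI > Network > Switch or `swconfig dev switch0 show`:
#   - switch0 port 0 is the CPU port behind eth1 (LAN side) and ports 2-5 are LAN 1-4;
#   - the image's first switch_vlan section is the stock all-ports LAN entry and the
#     stock WAN entry (eth0) is left as shipped;
#   - the stock 'lan' interface, firewall zone and DHCP pool are reused for VLAN 150.
# Usage: DRY_RUN=1 sh guest_vlan.sh apply   (print only)   |   sh guest_vlan.sh apply

CPU_PORT=0            # assumption: CPU port for eth1
LAN_PORTS="2 3 4"     # assumption: LAN 1-3, untagged private + tagged management
AP_PORT=5             # assumption: LAN 4, trunk to the AP
MGMT_VID=100; PRIV_VID=150; GUEST_VID=200
OPENDNS="208.67.222.222,208.67.220.220"   # OpenDNS resolvers the OP wants handed out

on_router() { [ -z "$DRY_RUN" ] && command -v uci >/dev/null 2>&1; }
run_uci() {   # real uci on the router, otherwise print the command (dry run)
    if on_router; then uci "$@"; else printf 'uci %s\n' "$*"; fi
}

switch_vlan() {  # $1 table index, $2 vid, $3 ports ('t' = tagged)
    # Explicit vid: the tag on the wire does not depend on the table index used.
    run_uci set "network.vlan$1=switch_vlan"; run_uci set "network.vlan$1.device=switch0"
    run_uci set "network.vlan$1.vlan=$1";     run_uci set "network.vlan$1.vid=$2"
    run_uci set "network.vlan$1.ports=$3"
}
port_pvid() {    # $1 port, $2 pvid: VLAN given to untagged frames entering that port
    run_uci set "network.port$1=switch_port"; run_uci set "network.port$1.device=switch0"
    run_uci set "network.port$1.port=$1";     run_uci set "network.port$1.pvid=$2"
}
iface() {        # $1 name, $2 vid, $3 address: one /24 per VLAN on the eth1 side
    run_uci set "network.$1=interface"; run_uci set "network.$1.proto=static"
    run_uci set "network.$1.ifname=eth1.$2"   # swconfig-era key; DSA images use 'device'
    run_uci set "network.$1.ipaddr=$3";  run_uci set "network.$1.netmask=255.255.255.0"
}
zone() {         # $1 name (= network name), $2 input policy, $3 forward policy
    run_uci set "firewall.$1=zone";       run_uci set "firewall.$1.name=$1"
    run_uci set "firewall.$1.network=$1"; run_uci set "firewall.$1.input=$2"
    run_uci set "firewall.$1.output=ACCEPT"; run_uci set "firewall.$1.forward=$3"
}
rule() {         # $1 name, $2 src zone, $3 proto, $4 dest_port, $5 target
    run_uci set "firewall.$1=rule";   run_uci set "firewall.$1.name=$1"
    run_uci set "firewall.$1.src=$2"; run_uci set "firewall.$1.proto=$3"
    run_uci set "firewall.$1.dest_port=$4"; run_uci set "firewall.$1.target=$5"
}

apply_layout() {
    tagged=""; for p in $LAN_PORTS; do tagged="$tagged ${p}t"; done
    run_uci delete 'network.@switch_vlan[0]'   # drop the stock all-ports LAN entry
    switch_vlan 3 "$MGMT_VID"  "${CPU_PORT}t${tagged} ${AP_PORT}t"
    switch_vlan 4 "$PRIV_VID"  "${CPU_PORT}t $LAN_PORTS ${AP_PORT}t"
    switch_vlan 5 "$GUEST_VID" "${CPU_PORT}t ${AP_PORT}t"
    for p in $LAN_PORTS; do port_pvid "$p" "$PRIV_VID"; done

    run_uci set "network.lan.ifname=eth1.$PRIV_VID"    # stock lan becomes VLAN 150
    run_uci set "network.lan.ipaddr=192.168.$PRIV_VID.1"
    iface mgmt  "$MGMT_VID"  "192.168.$MGMT_VID.1"
    iface guest "$GUEST_VID" "192.168.$GUEST_VID.1"

    # Management: no DHCP; ssh and LuCI bind only to the management address.
    run_uci set "dhcp.mgmt=dhcp"; run_uci set "dhcp.mgmt.interface=mgmt"; run_uci set "dhcp.mgmt.ignore=1"
    run_uci set "dropbear.@dropbear[0].Interface=mgmt"
    run_uci delete "uhttpd.main.listen_http"; run_uci delete "uhttpd.main.listen_https"
    run_uci add_list "uhttpd.main.listen_http=192.168.$MGMT_VID.1:80"
    run_uci add_list "uhttpd.main.listen_https=192.168.$MGMT_VID.1:443"
    zone mgmt ACCEPT REJECT

    # Guest: own DHCP pool, clients get OpenDNS directly via DHCP option 6.
    run_uci set "dhcp.guest=dhcp"; run_uci set "dhcp.guest.interface=guest"
    run_uci set "dhcp.guest.start=100"; run_uci set "dhcp.guest.limit=150"; run_uci set "dhcp.guest.leasetime=12h"
    run_uci add_list "dhcp.guest.dhcp_option=6,$OPENDNS"
    # Zone policies REJECT input and forward; the only forwarding added is guest -> wan,
    # so guest -> lan/mgmt is refused without a separate rule. Router DHCP/DNS stay open.
    zone guest REJECT REJECT
    run_uci set "firewall.guest_wan=forwarding"
    run_uci set "firewall.guest_wan.src=guest"; run_uci set "firewall.guest_wan.dest=wan"
    rule guest_dhcp guest udp 67 ACCEPT
    rule guest_dns  guest "tcp udp" 53 ACCEPT
    run_uci commit

    if on_router; then
        for s in network firewall dnsmasq uhttpd dropbear; do /etc/init.d/$s restart; done
    fi
}

if [ "$1" = "apply" ]; then apply_layout; fi
```

Two design points worth noting. Guest isolation comes from the zone's default `forward=REJECT` plus the absence of any forwarding section other than guest to wan, which is the OpenWrt way of expressing "no forwarding between the guest VLAN and the other internal VLANs"; adding a separate reject rule is not needed unless a later forwarding entry opens guest to lan. Binding ssh and uhttpd to 192.168.100.1 hides them from the guest VLAN, but the stock `lan` zone keeps `input=ACCEPT`, so a private-LAN host can still reach the management address through the router's own routing; if management should be reachable only from a VLAN-100-tagged host, add an input rule from `lan` with `dest_ip=192.168.100.1` and `target=REJECT`.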

Thanks @jeff, this is extremely comprehensive.

I think I've managed to figure out the problem with my ER-X so I've redeployed that, but this VLAN project on the Archer C7 will be resurrected on a rainy day in my homelab...
