Help with OpenWrt router + 3 dumb access points vlan setup

Hi all,

My current hardware consists of one OpenWRT Belkin RT3200 having 4 LAN ports, and 3 dumb Ubiquiti AC APs (each with 2 Ethernet ports). Now I want to set up 4 VLANs (Home, Guest, IOT 1 and IOT 2) but I am quite confused how to proceed.

I am trying to follow this tutorial: https://youtu.be/4t_S2oWsBpE?t=461 but it only teaches how to set up one single dumb AP with the router. And in the video, the guy occupies 4 LAN ports just for one AP with 3 VLANs (one tagged + 3 untagged). In my case I need to install 3 APs and 4 VLANs; does that mean I need 5x3=15 LAN ports in total on my router? How does it work?

Thanks in advance for any pointer.

I haven't checked the video, but the whole point of VLANs is you can share a single physical cable between multiple networks. So no, you do not need a cable per VLAN you'd be implementing. Much to the contrary. You'd carry all those VLANs over one single cable. And yes, that takes some network design and tinkering :slightly_smiling_face:.

1 Like

OpenWrt for your RT3200 uses DSA for the switch. OpenWrt for your ath79 target dumb AP's uses swconfig. They will set up a little differently, and most tutorials you find will be for swconfig. Don't worry - they work together fine.

First, I'd suggest going for some basic background information here: DSA Tutorial Information. Followed by this simple example (not what you want, but the example will perhaps help you understand setting up your network): Example single untagged VLAN SHO setup.

What you want to do is set up all the VLAN interfaces on your RT3200 and give them all a DHCP server on your RT3200 as well. For extra credit, make your RT3200 the time keeper for your network (ntpclient so it gets time, and ntp server to your AP's) and tell your AP's (ntp clients only) to get their time from the RT3200 (ntp server). Same with the DNS server - tell your AP's that your RT3200 is the DNS server for the network. You don't want four different devices all trying to do the same thing on your network. You will find it much easier to have your RT3200 manage your various network needs all in one place. Then send all those VLAN's tagged out of the three ports your dumb AP's are plugged into and down the Ethernet cables to the dumb AP's. You have multiple VLAN's going down the same wires, so all but one of them needs to be tagged to keep them all separate - no way to tell them apart otherwise.

On your dumb AP's, you'll set up a DHCP client interface (no DHCP server on your AP's - that's on your RT3200 already!) for each VLAN and connect that interface to a bridge for your wireless. Then set up wireless interfaces with unique SSID's for each VLAN and attach each to its corresponding network interface.

Finally, you'll need to set up firewall zones for each VLAN on all your devices so that each VLAN can get to the DHCP and DNS server on your RT3200. Otherwise, all those VLAN's can't get to the internet and nobody's happy.

Done. Clear as mud, right? Since your setup is so close to mine (DSA main router, 4 VLAN's, and 2 swconfig AP's for me), I'll pull my configuration files out and post them for you in a separate post.

5 Likes

Thanks for the info. I will go through it in the upcoming days. Could you share your config file? Your setup sounds very similar to mine indeed.

@Grub sorry for the delay - life took up more time than I thought it would...

This post is just your RT3200, which is DSA. Next post will cover your AP's.

Your /etc/config/network file on the RT3200 should be something like this, with static IP addresses and interface names to suit your taste of course. On my ER-X, the WAN port is labeled eth0, and the lan ports are eth1-4. Your device may or may not be different - adjust accordingly. Notice VLAN 1 (that's the ".1" on the end of "br-lan.1") is the default lan and goes untagged to ports 1-4 (let's call this your "home" network). VLAN's 10, 20 and 30 we will call your IOT 1, IOT 2 and Guest VLANs. Notice I've defined IPv4 and IPv6 DNS servers and disabled using any advertised by your ISP (friends don't let friends use their ISP DNS server :wink:)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd93:b7a6:8354::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '10.10.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '9.9.9.9'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2606:4700:4700::1112'
	list dns '2620:fe::fe'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth1:t'
	list ports 'eth2:t'
	list ports 'eth3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth1:t'
	list ports 'eth2:t'
	list ports 'eth3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'eth1:t'
	list ports 'eth2:t'
	list ports 'eth3:t'

config interface 'IO1'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '10.10.11.1'
	option netmask '255.255.255.0'

config interface 'IO2'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '10.10.12.1'
	option netmask '255.255.255.0'

config interface 'GST'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '10.10.13.1'
	option netmask '255.255.255.0'

Now you need a DHCP server for the IOT1, IOT2 and GST VLANs you added (by default, your lan interface should already be set up), so just add this to /etc/config/dhcp:


config dhcp 'IO1'
	option interface 'IO1'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list ra_flags 'none'

config dhcp 'IO2'
	option interface 'IO2'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list ra_flags 'none'

config dhcp 'GST'
	option interface 'GST'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list ra_flags 'none'

Finally, let's create some firewall zones for those new VLANs and give them access to the internet (DHCP and DNS) with some firewall rules. Add these to /etc/config/firewall:

config forwarding
	option src 'io1'
	option dest 'wan'

config forwarding
	option src 'io2'
	option dest 'wan'

config forwarding
	option src 'gst'
	option dest 'wan'

config zone
	option name 'io1'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IO1'
	option input 'REJECT'

config zone
	option name 'io2'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IO2'
	option input 'REJECT'

config zone
	option name 'gst'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GST'
	option input 'REJECT'

config rule
	option name 'Allow-io1-DNS'
	option src 'io1'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-io1-DHCP'
	option src 'io1'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Allow-io2-DNS'
	option src 'io2'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-io2-DHCP'
	option src 'io2'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Allow-gst-DNS'
	option src 'gst'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-gst-DHCP'
	option src 'gst'
	option dest_port '67-68'
	option target 'ACCEPT'
	list proto 'udp'

3 Likes

Your AP's are on swconfig, so /etc/config/network should look something like below. Of course, this is your 1st AP assigned to static IP 10.10.10.2 (your RT3200 is 10.10.10.1 in prior example). Your second AP needs to be 10.10.10.3, etc.

On my AP, port 6 is the CPU for the lan port(s) and port 0 is the CPU for the wan port; hence you'll see these ports tagged with every lan or wan port, respectively. You'll need to evaluate your device's setup and adjust accordingly if different.

Notice I've disabled startup of the wan interfaces (option auto '0') - this is a dumb AP, so we don't want those running. The wan is on VLAN 2. The lan, importantly, is on VLAN 1, same as on your RT3200 in the previous post. And the same VLAN id's need to be used for IOT1, IOT2 and GST (10, 20, 30) too.

Notice all the VLANs are coming in tagged to port 1 (except your lan, which comes down the wire untagged as I've set things up). This is the AP lan port the Ethernet cable from your RT3200 is assumed to be plugged into. I've assumed port 2 is assigned to the wan on your AP. Now that I think about it, it's probably the reverse, but I don't have your device, so adjust accordingly.

Notice I'm assigning the vlan id's manually with:
option vid '10'
etc., instead of relying on it defaulting to a sequential number (which in this case does not match the vid on your RT3200 and would be a problem - the vid's must match up across your network!) as used in
option vlan '3'
Probably your AP's are new enough that this isn't a necessary habit, but older fast Ethernet chips will only accept values up to 16 or 128 for option vlan 'n'. Certainly your RT3200 is new enough, so I didn't bother with this for the RT3200 and just used, for example, option vlan '30' for vid '30', without specifying the vid explicitly. You can probably do the same on your AP's.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda6:1d4a:a73c::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config device
	option name 'eth1.1'
	option macaddr 'c0:56:27:xx:xx:xx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.10.10.2'
	option gateway '10.10.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'c0:56:27:xx:xx:xx'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option auto '0'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2 0t'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '1t 6t'
	option vid '10'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '1t 6t'
	option vid '20'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '1t 6t'
	option vid '30'

config interface 'IO1'
	option proto 'dhcp'
	option device 'br-IO1'

config interface 'IO2'
	option proto 'dhcp'
	option device 'br-IO2'

config interface 'GST'
	option proto 'dhcp'
	option device 'br-GST'

config device
	option name 'br-IO1'
	option type 'bridge'
	list ports 'eth1.10'

config device
	option name 'br-IO2'
	option type 'bridge'
	list ports 'eth1.20'

config device
	option name 'br-GST'
	option type 'bridge'
	list ports 'eth1.30'

in /etc/config/dhcp, add
option ignore '1'
under the lan dhcp server - you don't want another dhcp server assigning ip addresses on your home network lan from every dumb AP. And of course, don't set up dhcp servers for your other vlans on your AP's. You've already got them on your RT3200.

Finally, set up your wireless. This should be easy enough to do in LuCI. Set up an interface for each SSID (home, IOT1, IOT2 - whatever you want to call them) and select the network that wifi interface should be attached to (lan, IO1, IO2, GST should be available as drop-downs).

I include the same firewall setup on my AP's as on my main router for consistency (there is no difference between swconfig and DSA here), and I leave the firewall running (I do not disable the firewall on my AP's). It shouldn't be necessary, and it's wasted resources - a dumb AP shouldn't need a firewall running on it. But it's there as a template if I ever use them for something other than a dumb AP.

Good luck!

3 Likes
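The two posts above hinge on one rule: the 802.1Q id the RT3200 puts on the wire (DSA "option vlan") must equal the id each swconfig AP expects ("option vid", or "option vlan" when no vid is given). The following checker is an added example, not code from the thread or from OpenWrt; it parses trimmed, constructed UCI fragments shaped like the posted configs and reports ids that exist on only one side, which is exactly the "forgot the vid" mistake the AP post warns about.

```python
import shlex

# Constructed UCI fragments in the shape of the thread's configs (trimmed, not the posted files).
ROUTER_NETWORK = """
config bridge-vlan
	option vlan '1'
	list ports 'eth1'
config bridge-vlan
	option vlan '10'
	list ports 'eth1:t'
config bridge-vlan
	option vlan '30'
	list ports 'eth1:t'
"""
# The third switch_vlan below is missing 'option vid', so its id on the wire is 5, not 30.
AP_NETWORK = """
config switch_vlan
	option vlan '1'
	option vid '1'
config switch_vlan
	option vlan '3'
	option vid '10'
config switch_vlan
	option vlan '5'
"""

def parse_uci(text):
    """Parse UCI lines into (section_type, {key: value or [values]}) tuples."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # handles the single-quoted values
        if not tok:
            continue
        if tok[0] == "config":
            sections.append((tok[1], {}))
        elif tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
        elif tok[0] == "list" and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def dsa_vids(text):
    """On DSA, bridge-vlan 'option vlan' is the 802.1Q id on the wire."""
    return {int(o["vlan"]) for t, o in parse_uci(text) if t == "bridge-vlan"}

def swconfig_vids(text):
    """On swconfig, 'option vid' wins; without it 'option vlan' silently becomes the id."""
    return {int(o.get("vid", o["vlan"])) for t, o in parse_uci(text) if t == "switch_vlan"}

def vlan_mismatches(router_text, ap_text):
    """Return (router-only ids, AP-only ids); anything non-empty will not pass traffic end to end."""
    r, a = dsa_vids(router_text), swconfig_vids(ap_text)
    return sorted(r - a), sorted(a - r)
```

Run it against the real /etc/config/network files (read each into a string) before plugging the APs in; the expected result for a correct pair is two empty lists.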

Thanks a lot @eginnc for all your help. I finally managed to get it all working. The only thing left now is to check if fast roaming on these multiple APs works correctly; but it's only a minor step remaining.

I am a newbie to all this so I used your config files as the basis and played around with the GUI of OpenWRT until it worked.

2 Likes
