Help with VLAN settings on RT3200

So I have tried and tried to get my RT3200 working as a dumb AP with VLANs attached to my pfsense box, but for the life of me cannot wrap my head around how to get this to work. It has to be something dead simple configuration-wise, but I am failing to get it working properly.

I have already created the necessary VLANs/interfaces/firewall rules, etc inside of pfsense.

VLAN10 (Misc) -
VLAN20 (Work) -
VLAN30 (IoT) -

Here is where I am failing: I fire up the RT3200, go to Network > Interfaces and change the LAN to be, save & apply. Open a new tab and log into, go back to Network > Interfaces and change the LAN gateway to be, turn off DHCP on LAN, save & apply. Once again Interfaces > Devices and click Configure beside br-lan. Once on this page I click the tab for Bridge VLAN filtering. Here I put a check mark in Enable VLAN filtering, click add, then add my 3 VLAN IDs (10, 20, 30). I make sure to change Lan2 (Port 2 on the router) to Egress tagged for each VLAN ID and leave the others blank. Click Save. Click Save again. Go back to Interfaces tab and Add new interface. Name them (VLAN10, 20, 30) and then here is where I am not sure. Some things I've read/watched show to leave them as DHCP client while others show to set a static IP. I've tried both and neither work for me. Either way let's say this time I'll choose DHCP Client and then choose Software VLAN: "br-lan.10", 20, 30 for each interface respectively. Save and apply. Then I will go create my Wi-Fi SSIDs with names such as VLAN10, VLAN20, VLAN30 and choose the correct network to assign to each respectively. After I save and apply I connect the LAN cable from my pfsense box to Port 2 on the RT3200 (where I set the VLAN tagging) and then I try to connect to each SSID and it either never connects or if it does connect there is no Internet.

Can someone explain this to me like I'm 5 years old so I can figure this out? I know the VLAN settings are set up correctly on the pfsense box because if I connect an older Unifi AP-AC lite to the pfsense box the VLAN settings that are set up inside the Unifi controller work without any issues. I would just use the Unifi stuff, but I would much prefer to use the pfsense + RT3200 if I can just get this sorted. Or if it's even easier then just use the RT3200 as the router/AP with VLANs, but I'm not sure which setup is better. Any help is greatly appreciated.

In this use case, the guest, IoT, etc. connections in the RT3200 are only layer 2 bridges from wired to wireless; in other words, it is a dumb AP on those networks. They should not hold a local IP address at all; this will deter any IP-based hacking. When an IoT or guest connects, their DHCP request is handled by the main router, which assigns them an address based on its configuration. Then all subsequent IP traffic is controlled and routed strictly by the main router.

First, designate one of the Ethernet LAN ports as the trunk port and add some VLANs inside br-lan for trunking. It is a good practice to tag all VLANs on the trunk cable; don't try to mix tagged and untagged.

Now you can set up some interfaces of proto Unmanaged to have a place to attach wifi. The physical device of these interfaces is br-lan.X with X being the VLAN number.

Finally configure wifi APs with their networks being the network names created in the previous step.

I have not been successful doing this purely through LuCI. I got it working by directly adding the following sections in /etc/config/network through ssh.

config device
        option name 'br-lan10'
        option type 'bridge'
        list ports 'lan1.10'
        list ports 'lan2.10'
        list ports 'lan3.10'
        list ports 'lan4.10'

config device
        option name 'br-lan20'
        option type 'bridge'
        list ports 'lan1.20'
        list ports 'lan2.20'
        list ports 'lan3.20'
        list ports 'lan4.20'

config device
        option name 'br-lan30'
        option type 'bridge'
        list ports 'lan1.30'
        list ports 'lan2.30'
        list ports 'lan3.30'
        list ports 'lan4.30'

config interface 'lan10'
        option device 'br-lan10'
        option proto 'none'

config interface 'lan20'
        option device 'br-lan20'
        option proto 'none'

config interface 'lan30'
        option device 'br-lan30'
        option proto 'none'

I then did a reload_config and went back into LuCI where I added the VLAN interfaces to the 'lan' firewall zone.

I then configured the new SSIDs and added each of them to the appropriate network (lan10, lan20 and so on.)

Hope this helps.
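
The point made in the replies, that the VLAN networks on a dumb AP should be unmanaged and hold no local IP address, can be checked against /etc/config/network. The following is an added example, not code from any poster in this thread: a POSIX shell function that lists interfaces attached to a VLAN device (br-lan.N or br-lanN) whose proto is anything other than 'none'. The function names, the default management interface name 'lan' and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenWrt network config.

# audit_vlan_ifaces FILE [MGMT_IFACE]
# Prints "name device proto" for each interface on a VLAN device
# (br-lan.N or br-lanN) whose proto is not 'none'. MGMT_IFACE (default
# 'lan', an assumption) is exempt. Returns 1 if anything was flagged.
audit_vlan_ifaces() {
    awk -v mgmt="${2:-lan}" '
    function unq(s) { gsub("[\047\"]", "", s); return s }   # strip UCI quotes
    function check() {
        if (name != "" && name != mgmt && dev ~ /^br-lan\.?[0-9]+$/ && proto != "none") {
            print name, dev, (proto == "" ? "unset" : proto)
            bad = 1
        }
        name = ""; dev = ""; proto = ""
    }
    $1 == "config" { check(); if ($2 == "interface") name = unq($3) }
    $1 == "option" && $2 == "device" { dev = unq($3) }
    $1 == "option" && $2 == "proto"  { proto = unq($3) }
    END { check(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: VLAN10 as a DHCP client (as tried in the question),
# VLAN20 static, lan30 unmanaged (as in the replies).
write_sample() {
    cat > "$1" <<'EOF'
config interface 'lan'
        option device 'br-lan'
        option proto 'static'

config interface 'VLAN10'
        option device 'br-lan.10'
        option proto 'dhcp'

config interface 'VLAN20'
        option device 'br-lan.20'
        option proto 'static'

config interface 'lan30'
        option device 'br-lan30'
        option proto 'none'
EOF
}

sample=$(mktemp); write_sample "$sample"
if audit_vlan_ifaces "$sample"; then echo "all VLAN interfaces unmanaged"; fi
rm -f "$sample"
```

On the router itself, run `audit_vlan_ifaces /etc/config/network`; if the management interface sits on its own VLAN device, pass its name as the second argument so it is not flagged.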