Help with VLAN tagged wifi - I'm confused

Looking for some pointers on how to set up my OpenWrt router to work with my Wifi that has VLAN tagging. I’m a bit confused/lost about the terminology and where I should be managing the settings. Or what I should be searching for a guide on how to set up.

I’m looking to create a couple of networks, 1. Trusted, 2. IoT, 3. Guests. And then I can use firewalls to control what clients can do and who they can talk to on the network.

I’ve got a couple of Unifi APs that are able to run multiple Wifi SSIDs and add VLAN tags to each.

I have a BT HH5a running LuCI openwrt-21.02 branch (git-21.295.67054-13df80d) / OpenWrt 21.02.1 r16325-88151b8303

The router acts as the main gateway / firewall / DHCP for my network.

The router has an ADSL2+ modem which provides the WAN connection. I’ve connected one of the Unifi APs to a switch port via cable. The other AP is on the other side of the property and communicates via Wifi/Mesh.

I prefer to use LuCI over SSH, but happy with both. Here's a copy of my network config.

#cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd86:ec5f:9f6f::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option tone 'a'
        option xfer_mode 'ptm'
        option line_mode 'vdsl'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config device
        option name 'eth0.1'
        option macaddr '00:XX:XX:XX:XX:XX'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config device
        option name 'eth0.2'
        option macaddr '00:XX:XX:XX:XX:XX'

config interface 'wan'
        option proto 'dhcp'
        option mtu '1500'
        option ipv6 '0'
        option device 'dsl0.101'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

It is VLAN configuration.

I wasn’t aware that I’d done this.

So if I have a Wi-Fi AP that is tagged with VLAN 20, how should I set up the config so that it assigns those devices within the 192.168.20.0/24 range?

Hi

/etc/config/network

config device
        option type 'bridge'
        option name 'br-vlan20'
        list ports 'eth0.20'

config interface 'vlan20'
        option proto 'none'
        option device 'br-vlan20'

/etc/config/wireless

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option network 'vlan20' 

The only question is, on which port do you want to connect the tagged vlan20?
On port 1? 2? Maybe on WAN?


On the back of my router, the Unifi AP is plugged into switch port 3.

There are 4x LAN switch ports on the BTHH5a, 1xWAN port and 1x Phone Cable / ADSL connector (this is where the internet WAN is coming in).

The BTHH5a router / gateway / firewall provides no Wifi SSIDs, so is /etc/config/wireless needed in this case? All the Wifi SSIDs are provided by the UniFi AP.

No, you'd only need to configure the WiFi on the HH5a if it was involved in providing any of the wireless networks. If the WiFi is all being done by a UniFi AP then you just need to set up the network ports on the HH5a correctly.

Thanks for clarifying.

I'm still a bit confused.

So is this still correct? Considering the Wifi AP is connected to port 3 on the HH5a router? And the Guest Wifi, for example, is tagged with VLAN 20?

/etc/config/network

config device
        option type 'bridge'
        option name 'br-vlan20'
        list ports 'eth0.20'

config interface 'vlan20'
        option proto 'none'
        option device 'br-vlan20'

No, it is not complete.
It is missing the switch part of the config.

And to be honest, I don't understand what you want / what you are asking.
It is confusing.

please take a paper & pen, and start to draw your network topology
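
Added example, not part of any post in this thread: one way to complete the snippet above for the swconfig-style config shown in the question (OpenWrt 21.02, not DSA), covering the missing switch part plus addressing, DHCP and a guest firewall zone. The switch port number '2', the zone name 'guest' and the DHCP pool values are assumptions; find the real port number for physical LAN port 3 under Network > Switch in LuCI, and the rules assume the default 'wan' firewall zone exists.

```uci
# --- /etc/config/network (append; existing VLAN 1 and 2 sections stay as they are) ---
# ASSUMPTION: '2' is a placeholder for the switch port wired to the UniFi AP.
# '6t' is the tagged CPU port, as in the existing switch_vlan sections.
# The AP port also stays untagged in VLAN 1 so the AP itself remains on the LAN.
config switch_vlan
        option device 'switch0'
        option vlan '20'
        option ports '2t 6t'

config device
        option type 'bridge'
        option name 'br-vlan20'
        list ports 'eth0.20'

config interface 'vlan20'
        option proto 'static'
        option device 'br-vlan20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# --- /etc/config/dhcp (pool values are assumptions) ---
config dhcp 'vlan20'
        option interface 'vlan20'
        option start '100'
        option limit '150'

# --- /etc/config/firewall (zone name 'guest' is an assumption) ---
# Guests may reach the internet, but not the router itself or the LAN.
config zone
        option name 'guest'
        list network 'vlan20'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest-DHCP'
        option src 'guest'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Guest-DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'
```

With no forwarding from 'guest' to 'lan', clients on the VLAN 20 SSID get 192.168.20.x addresses and internet access only; the same pattern repeats with a different VLAN ID and subnet for an IoT network.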

The OP is wanting to create some additional networks on their router (the HH5a), then create a VLAN trunk between the router and a UniFi AP so they can use the AP to allow wireless devices to connect to those networks.

@sentur Unfortunately I've moved all my HH5a devices to a more recent version of OpenWRT which uses a different method for VLAN tagging (it's called DSA) and it's been a long time since I've used the old style so I'm not 100% certain on the exact config changes you need to make.

The OP is wanting to create some additional networks on their router (the HH5a), then create a VLAN trunk between the router and a UniFi AP so they can use the AP to allow wireless devices to connect to those networks.

Even this is helpful, I'm unclear on what the terminology is e.g. bridging / trunking, etc to be able to start searching.

I'm not fixed on running v21. Is the process of upgrading the HH5a from 21 -> 22.03.05 (the latest recommended firmware on the router page), straightforward?

You should decide what to use. The issue is that in the 22.X version there is a significant change in network configuration: DSA (https://openwrt.org/docs/guide-user/network/dsa/start).

Because of the change to DSA you can't keep configuration when upgrading, so will have to set up from scratch. But unless you've made extensive changes it shouldn't be too bad.