Help with VLANS with AP on LAN1

Hi, this is my current configuration below. How can I add a router on LAN 1 as an AP?

My devices are TP-Link Archer AX23 - OpenWrt v23.05.5.
I will be using 2 of these, one as main and one as AP.

Thank you!

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf8:f373:857e::/48'
        option packet_steering '1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-vlan10'
        list ports 'lan1'
        list ports 'lan2'

config interface 'personal'
        option proto 'static'
        option device 'br-vlan10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-vlan20'
        list ports 'lan3'
        list ports 'lan4'

config interface 'iot'
        option proto 'static'
        option device 'br-vlan20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-vlan30'

config interface 'guest'
        option proto 'static'
        option device 'br-vlan30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

You need to use DSA bridge-vlan syntax.

Your current config is invalid. It may be faster to reset and then use the tutorial to build out the additional VLANs.

If you have questions along the way, feel free to ask.

Sorry, I'm very new to this.
Should I just follow all of the steps?

Kind of. I mean, yes, but you need to apply some adaptation for your specific goals. It is best to look at that article as a tutorial/learning exercise and then adapt for your environment.

I took the configuration you originally posted and tried to clean it up based on what I assume you were trying to accomplish. I can't guarantee that this will work as is:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf8:f373:857e::/48'
        option packet_steering '1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan2'

config interface 'personal'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan3'

config interface 'iot'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan4'

config interface 'guest'
        option device 'br-lan.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

I did take the 'lan4' port off of the iot bridge-vlan and set it on the guest bridge-vlan so that each would have a port, so that was a little different than what you were doing.

Hopefully that will either get you fixed up or give you some guidance to help you get it fixed up.

Please don't forget, while your network configuration could be "perfect", things like your firewall and DHCP configuration could still impact/prevent your network from working the way you're wanting.

Good luck!

I tried your config but I immediately got locked out with no internet.
Should a firewall be configured immediately when applying this kind of config?

The weird part is that whenever I update the config here, it locks me out.
What could be wrong?

Figured it out. So by this, can you confirm that I can now connect an AP to lan2?

Thank you

In order to confirm, I would need to see the full configuration.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Wrong VLAN tag... Every LAN should have only 1 tagged VLAN port, e.g. VLAN 10 on LAN 2, and don't tag VLAN 20 and 30 on LAN 2; VLAN 20 must be tagged on LAN 3 and VLAN 30 on LAN 4, otherwise disable the use of the default LAN. Configure the VLAN interface from LuCI and the firewall for the VLAN, and see to it that your AP supports VLANs, then configure the AP WAN port for VLAN 10.

On the surface, there is nothing wrong with the port-vlan membership based on the screenshot. I can't verify that the full config is correct yet - I need to see the text config. That said, your post is a bit confusing. Maybe you can clarify.


Hi, here are the details below.

Thank you

ubus call system board

{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link Archer AX23 v1",
        "board_name": "tplink,archer-ax23-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0a:2b13:930::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'PERSONAL'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'lan2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:t'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan2:t'

config interface 'IOT'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'GUEST'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'personal PERSONAL'
        option mode 'ap'
        option ssid 'Private'
        option encryption 'sae-mixed'
        option key 'test'
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'personal PERSONAL'
        option mode 'ap'
        option ssid 'Private'
        option encryption 'sae-mixed'
        option key 'test'
        option ocv '0'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'wifi_dev1'
        option encryption 'none'
        option key 'test'
        option network 'IOT'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'wifi_dev'
        option encryption 'sae-mixed'
        option network 'iot IOT'
        option key 'test'
        option disabled '1'
        option ocv '0'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Test Wifi1'
        option encryption 'none'
        option key 'test'
        option isolate '1'
        option network 'GUEST'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Test Wifi'
        option encryption 'sae-mixed'
        option network 'guest GUEST'
        option key 'test'
        option isolate '1'
        option disabled '1'
        option ocv '0'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'GUEST'
        option interface 'GUEST'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'PERSONAL'
        option interface 'PERSONAL'
        option start '100'
        option limit '150'
        option leasetime '12h'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'Personal'
        list network 'PERSONAL'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'Personal'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'Personal'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'Personal'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GUEST'

config forwarding
        option src 'Guest'
        option dest 'wan'

config zone
        option name 'IoT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'IoT'
        option dest 'wan'

config forwarding
        option src 'Personal'
        option dest 'IoT'

config forwarding
        option src 'Guest'
        option dest 'IoT'

config rule
        option name 'Allow Personal to IoT'
        list proto 'all'
        option src 'Personal'
        option dest 'IoT'
        option target 'ACCEPT'

config rule
        option name 'Block Guest to Personal'
        list proto 'all'
        option src 'Guest'
        option dest 'Personal'
        option target 'DROP'

config rule
        option name 'Block Guest to Guest'
        list proto 'all'
        option src 'Guest'
        option dest 'Guest'
        option target 'DROP'

config rule
        option name 'Block IoT to Router'
        list proto 'tcp'
        option src 'IoT'
        option dest_port '80 443 22'
        option target 'DROP'

config rule
        option name 'Block Guest to Router'
        list proto 'tcp'
        option src 'Guest'
        option dest_port '80 443 22'
        option target 'DROP'

I tried this setup before and it's working, but now I'm using VLANs on a Keenetic router.

I see a few small issues. I can detail them in a little bit.

But some quick questions

  • This is the main router, correct?
  • You want to connect another AP on port lan2?
  • What is your AP? And what firmware does it run?
  • Will the AP be directly connected, or will there be a switch in between?

Hi, here's my response.

Also, @psherman, is the firewall correct? Somehow the PC connected to lan1 (VLAN 10) cannot ping the laptop connected to the VLAN 10 wifi, but it can ping the iPhone and Android device that are connected to the VLAN 10 wifi.

What could be the reason for this?

The general structure looks okay, but some things that should be fixed:

Make VLAN20's status on ports lan3-lan4 explicit by making them untagged+PVID (:u*) like this:

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:t'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

In the wifi, set the encryption to WPA2 (psk2) or WPA3 (sae), and make sure that there is only one network listed (currently there are 2; it should be only PERSONAL):

Same with this one:

And with this one:

And this one:

Now, in the firewall, the preferred method is to set an untrusted zone's input rule to REJECT and then add rules to allow DHCP and DNS. So for example, the guest zone should look like this:

config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GUEST'

config rule
        option name 'Allow Guest DHCP'
        list proto 'udp'
        option src 'Guest'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow Guest DNS'
        option src 'Guest'
        option dest_port '53'
        option target 'ACCEPT'

Do the same with the IoT zone.

This isn't necessary and should be deleted (you already have a corresponding forward rule):

This isn't necessary, so delete it:

This doesn't do anything, delete it:

We fixed these by setting the input to REJECT so delete these:

And I'm guessing that you don't actually want this (I'd recommend deleting):

Reboot and test again.
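As an added example (not from this thread or from OpenWrt), a small Python checker that reads a UCI-style config and flags the two problems called out above: bridge-vlan ports listed without an explicit :u* / :t flag, and untrusted zones (Guest, IoT) whose input policy is not REJECT backed by DHCP (67) and DNS (53) allow rules. The checker, its function names and the embedded sample config are all constructed for illustration.

```python
"""Lint an OpenWrt UCI config for the two issues raised in this thread:
bridge-vlan ports with no explicit :u* / :t flag, and untrusted firewall
zones with input ACCEPT instead of REJECT plus DHCP (67) and DNS (53) rules.
Hypothetical checker, not an OpenWrt tool; SAMPLE is constructed."""
import re

SAMPLE = """\
config bridge-vlan
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'lan2:t'

config bridge-vlan
        option vlan '20'
        list ports 'lan2:t'
        list ports 'lan3'
        list ports 'lan4'

config zone
        option name 'Guest'
        option input 'ACCEPT'
"""

def parse_uci(text):
    """Return [(type, name, {key: value | [values]})] for a UCI file."""
    sections = []
    for line in text.splitlines():
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", line)]
        if not parts:  # blank line
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == "option":
            sections[-1][2][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def check_bridge_vlans(sections):
    """Every bridge-vlan port entry must carry an explicit :u* / :u / :t flag."""
    findings = []
    for typ, _, o in sections:
        if typ != "bridge-vlan":
            continue
        for entry in o.get("ports", []):
            port, _, flags = entry.partition(":")
            if not flags:
                findings.append(f"vlan {o.get('vlan')}: {port} has no flag; use {port}:u* or {port}:t")
    return findings

def check_zones(sections, untrusted=("Guest", "IoT")):
    """Untrusted zones: input REJECT, plus ACCEPT input rules for ports 67 and 53."""
    findings = []
    rules = [o for t, _, o in sections if t == "rule" and o.get("target") == "ACCEPT" and "dest" not in o]
    for typ, _, z in sections:
        if typ != "zone" or z.get("name") not in untrusted:
            continue
        if z.get("input") != "REJECT":
            findings.append(f"zone {z['name']}: input {z.get('input')} exposes every router service; use REJECT")
        for port in ("67", "53"):
            if not any(r.get("src") == z["name"] and port in r.get("dest_port", "").split() for r in rules):
                findings.append(f"zone {z['name']}: no ACCEPT rule from {z['name']} to port {port}")
    return findings
```

Run it against a pasted `/etc/config/network` plus `/etc/config/firewall` (concatenated) and the findings list will be empty once the bridge-vlan flags and zone rules match the advice above.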

Thanks for this. I will update this tomorrow, as it is already late at night in my location, and will let you know.

Somehow the PC connected to lan1 (VLAN 10) cannot ping the laptop connected to the VLAN 10 wifi, but it can ping the iPhone and Android device that are connected to the VLAN 10 wifi.
Any idea what could be the reason for this?

Also, what is the reason we should do this?
"Make VLAN20's status on ports lan3-lan4 explicit by making them untagged+PVID"

Probably the local firewall on the wifi connected laptop.

For the port config, I personally recommend explicitly defining the fact that the port is untagged (both ingress and egress).

Thanks for the information.

Do you also have a reference on how to set up the AP router for the lan2 port?