Help with VLANS with AP on LAN1

For the AP, you'll want the following:

  • All VLANs tagged on the uplink port (to match the configuration of the port on the router)
  • The network used for managing the device (probably PERSONAL) will have an address on the same subnet either by DHCP or static IP.
    • If static, make sure it is outside the DHCP pool and that it doesn't conflict with any other devices on your network.
  • The other networks will be unmanaged.

If you need specific help, post the /etc/config/network file from the AP.

Using this guide: https://saudiqbal.github.io/Linux/openwrt-vlan-setup-guide-using-luci-for-iot-and-wireless-with-dsa.html

First you need to create a VLAN port (don't edit the existing VLAN), and then follow the guide.

Suffice to say that the guide you followed is not from the official OpenWrt project.

The device you're using appears to be swconfig based, not DSA. Thus the method of configuring VLANs is different and does not apply to the OP's situation.

Further, I'm not entirely certain that you're using official OpenWrt on your device. But that's less relevant here.

We have guides here on OpenWrt. These are preferred over those that are hosted on other sites because the OpenWrt community has vetted them for accuracy.

Moreover, the guide you've just linked doesn't really address VLANs properly. It only shows how to remove a port from br-lan and use that elsewhere. As such, it's not a true VLAN example.

This is my understanding (I'm not a super hacker):

Wireless can only work if the network (interface) you assign it to is assigned directly to a bridge. (as far as I know)

From what I can see, you aren't doing any tagging on any port, so there's zero reason to use vlans.

  • You can just make a bridge with lan1 and lan2 in it (basically just remove lan3 and lan4 from br-lan)
  • Make another bridge with lan3 and lan4 in it (eg br-iot)
  • Assign the 'personal' interface to br-lan, and the 'iot' interface to br-iot
  • Assign your wireless to whichever one

If you want to stick with using VLANs, basically, you can put a bridge on top of a bridge. E.g.:

  • Make a bridge, e.g. call it switch0, and assign all ports to it
  • Configure the filtering as you like (e.g. lan1 and lan2 are VLAN 20, lan3 and lan4 are VLAN 30, etc.) for switch0
  • Remove all the ports from br-lan, add port switch0.20
  • Make bridge called br-iot, add switch0.30 as the port
  • Assign the 'personal' interface to br-lan, and the 'iot' interface to br-iot
  • Assign wireless as you choose

I'm not sure if you should actually use the name switch0 but the idea is there.

The second way is to use a single bridge for everything; I kinda go over it here: VLANs issues on OpenWRT v24.x.x - #10 by ssosipov. Essentially, you make an unmanaged interface and set it to use the bridge with everything in it, including the wireless device of the network (which you add in manually). What I don't say in my post there is that you can actually do this pretty easily, because it lets you name the wireless device for each network, so it's really easy to then add them in manually as ports of the bridge and untag them onto whatever network you like in the filtering. Then you set the wireless to use that, but you set up the interfaces as you'd expect with the bridge.id.

Multiple bridges may not work with DSA. It might work for the simple case of untagged external ports. It will not work to have the same physical port (tagged with different VLANs) in multiple bridges. The switch hardware won't be set up properly. At least that was the case when DSA first appeared.

It is possible to place an IP address directly on an Ethernet port or a wifi AP interface without involving a bridge. This setup only allows one port. A dual band router with an AP on each band to the same network requires a bridge.

Ah yeah I know what you mean, that's where you create like lanx.x and bridge those as you like.

Hi, these are the current configs. Can you verify that this is all good for now as the main router?

Will do full testing on the main router if this is OK. Thanks for the help.

For now, this is OK. I'm currently testing something where the guest needs access to IoT devices.

config forwarding
        option src 'Guest'
        option dest 'IoT'

cat /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0a:2b13:930::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'PERSONAL'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan2:t'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'


cat /etc/config/wireless (Don't mind the encryption for now, will change it once everything is finalized together with the wifi password)


config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Private'
	option encryption 'sae-mixed'
	option key 'test'
	option ocv '0'
	option network 'PERSONAL'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Private'
	option encryption 'sae-mixed'
	option key 'test'
	option ocv '0'
	option network 'PERSONAL'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi_dev1'
	option encryption 'none'
	option key 'test'
	option network 'IOT'
	option disabled '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'wifi_dev'
	option encryption 'sae-mixed'
	option key 'test'
	option disabled '1'
	option ocv '0'
	option network 'IOT'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Test Wifi1'
	option encryption 'none'
	option key 'test'
	option isolate '1'
	option network 'GUEST'
	option disabled '1'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Test Wifi'
	option encryption 'sae-mixed'
	option key 'test'
	option isolate '1'
	option disabled '1'
	option ocv '0'
	option network 'GUEST'


cat /etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'PERSONAL'
	option interface 'PERSONAL'
	option start '100'
	option limit '150'
	option leasetime '12h'


cat /etc/config/firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'Personal'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'PERSONAL'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'Personal'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'Personal'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'Personal'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUEST'

config forwarding
	option src 'Guest'
	option dest 'wan'

config zone
	option name 'IoT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'Personal'
	option dest 'IoT'

config forwarding
	option src 'Guest'
	option dest 'IoT'

config rule
	option name 'Allow Guest DHCP'
	list proto 'udp'
	option src 'Guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow Guest DNS'
	list proto 'udp'
	option src 'Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow IoT DHCP'
	list proto 'udp'
	option src 'IoT'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow IoT DNS'
	list proto 'udp'
	option src 'IoT'
	option dest_port '53'
	option target 'ACCEPT'


Also, is this still the up-to-date document to set up the AP for OpenWrt v24?

Remove the proto line from the DNS rules (removing it will cause it to default to TCP + UDP):

Do the same for the respective rule for the IoT network.

Otherwise, everything looks good.

Thanks for the confirmation.

How about this documentation? Is this still up to date, and can I use this?

But I'm not sure how the VLANs from the main router would work, though. Any idea?

You're welcome.

Yes. I actually did a major overhaul of that article a few months ago. It should be good.

Yes, it can work with VLANs. Get it set up with the primary network (the one used to manage the device) first. Then the others will be added as unmanaged. If you've got an AP that uses DSA, the config will largely be the same except for the additional networks using proto 'none'.

Keep in mind that the wifi client isolation only works on a per-AP basis. That is to say that your guest wifi clients will not be able to see other clients that are connected to the same AP, but they would be able to see clients connected to the other AP.
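As an added example (not from the thread or the OpenWrt guide), this is what the AP advice above looks like in /etc/config/network on a DSA-based AP matching the posted router config (VLAN 10 PERSONAL, 20 IOT, 30 GUEST, all tagged on the router's lan2). Assumptions: the AP's uplink is its lan1 port, its remaining ports are lan2-lan4, and the management address 192.168.10.2 is chosen outside the router's DHCP pool; if the uplink is the AP's wan port instead, add that port to the bridge and tag it in place of lan1.

```uci
# Added example, not the thread's own config. Assumed: DSA AP with ports
# lan1-lan4, uplink on lan1 to the router's lan2, management address
# 192.168.10.2 outside the router's pool (192.168.10.100-249 as posted).

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Every VLAN is tagged on the uplink (lan1), mirroring the router's lan2.
# The other AP ports are untagged members of PERSONAL (the management VLAN).
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'

# Only the management network gets an address; gateway and DNS are the router.
config interface 'PERSONAL'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'

# The other networks are unmanaged: no address, just a VLAN for wifi-iface to attach to.
config interface 'IOT'
	option device 'br-lan.20'
	option proto 'none'

config interface 'GUEST'
	option device 'br-lan.30'
	option proto 'none'
```

As in the bridged AP guide, the AP's own dnsmasq, odhcpd and firewall stay disabled, and the wifi-iface entries keep `option network 'IOT'` / `'GUEST'`, which now attach to these proto 'none' interfaces.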

Hi,

I need your help as I'm kinda lost with the config on the AP. I followed the steps here https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap and used method 2.

I connected via the lan2 port of the main router to the WAN port on the AP router. Then I connected my PC via the lan1 port of the AP, and now it does not have an internet connection. Also, how do I set up the VLANs I previously created on the main router to be used on the AP as well?

Thank you

Let’s see the complete configs from both devices.