Help with VLANS with AP on LAN1

For the AP, you'll want the following:

  • All VLANs tagged on the uplink port (to match the configuration of the port on the router)
  • The network used for managing the device (probably PERSONAL) will have an address on the same subnet either by DHCP or static IP.
    • if static, make sure it is outside the DHCP pool and that it doesn't conflict with any other devices on your network.
  • The other networks will be unmanaged.

If you need specific help, post the /etc/config/network file from the AP.

Using this guide: https://saudiqbal.github.io/Linux/openwrt-vlan-setup-guide-using-luci-for-iot-and-wireless-with-dsa.html

First you need to create a VLAN port (don't edit the existing VLAN), and then follow the guide.

Suffice it to say that the guide you followed is not from the official OpenWrt project.

The device you're using appears to be swconfig based, not DSA. Thus the method of configuring VLANs is different and does not apply to the OP's situation.

Further, I'm not entirely certain that you're using official OpenWrt on your device. But that's less relevant here.

We have guides here on OpenWrt. These are preferred over those that are hosted on other sites because the OpenWrt community has vetted them for accuracy.

Moreover, the guide you've just linked doesn't really address VLANs properly. It only shows how to remove a port from br-lan and use that elsewhere. As such, it's not a true VLAN example.

This is my understanding (I'm not a super hacker):

Wireless can only work if the network (interface) you assign it to is assigned directly to a bridge. (as far as I know)

From what I can see, you aren't doing any tagging on any port, so there's zero reason to use vlans.

  • You can just make a bridge with lan1 and lan2 in it (basically just remove lan3 and lan4 from br-lan)
  • Make another bridge with lan3 and lan4 in it (eg br-iot)
  • Assign the 'personal' interface to br-lan, and the 'iot' interface to br-iot
  • Assign your wireless to whichever one

If you want to stick with using VLANs, basically, you can put a bridge on top of a bridge. E.g.:

  • Make a bridge eg call it switch0 assign all ports to it
  • Configure the filtering as you like (eg lan1 and lan2 are vlan20, lan3 and lan4 are vlan 30 etc) for switch0
  • Remove all the ports from br-lan, add port switch0.20
  • Make bridge called br-iot, add switch0.30 as the port
  • Assign the 'personal' interface to br-lan, and the 'iot' interface to br-iot
  • Assign wireless as you choose

I'm not sure if you should actually use the name switch0 but the idea is there.

The second way is to use all one bridge, and I kind of go over it here: VLANs issues on OpenWRT v24.x.x - #10 by ssosipov. Essentially, you make an unmanaged interface and set it to use the bridge with everything in it, including the wireless device of the network (which you add in manually). What I don't say in my post there is that you can actually do this pretty easily, because it lets you name the wireless device for each network, so it's really easy to then add them in manually as ports of the bridge and untag them onto whatever network you like in the filtering. Then you set the wireless to use that, but you set up the interfaces as you'd expect with the bridge.id.

Multiple bridges may not work with DSA. It might work for the simple case of untagged external ports. It will not work to have the same physical port (tagged with different VLANs) in multiple bridges. The switch hardware won't be set up properly. At least that was the case when DSA first appeared.

It is possible to place an IP address directly on an Ethernet port or a wifi AP interface without involving a bridge. This setup only allows one port. A dual band router with an AP on each band to the same network requires a bridge.

Ah yeah I know what you mean, that's where you create like lanx.x and bridge those as you like.

Hi, these are the current configs. Can you verify that this is all good for now as the main router?

Will do full testing on the main router if this is OK. Thanks for the help.

For now, this is OK. I'm currently testing something where the guest needs access to IoT devices.

config forwarding
        option src 'Guest'
        option dest 'IoT'

cat /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0a:2b13:930::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'PERSONAL'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan2:t'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'


cat /etc/config/wireless (Don't mind the encryption for now; I will change it once everything is finalized, together with the WiFi password)


config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Private'
	option encryption 'sae-mixed'
	option key 'test'
	option ocv '0'
	option network 'PERSONAL'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Private'
	option encryption 'sae-mixed'
	option key 'test'
	option ocv '0'
	option network 'PERSONAL'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi_dev1'
	option encryption 'none'
	option key 'test'
	option network 'IOT'
	option disabled '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'wifi_dev'
	option encryption 'sae-mixed'
	option key 'test'
	option disabled '1'
	option ocv '0'
	option network 'IOT'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Test Wifi1'
	option encryption 'none'
	option key 'test'
	option isolate '1'
	option network 'GUEST'
	option disabled '1'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Test Wifi'
	option encryption 'sae-mixed'
	option key 'test'
	option isolate '1'
	option disabled '1'
	option ocv '0'
	option network 'GUEST'


cat /etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'PERSONAL'
	option interface 'PERSONAL'
	option start '100'
	option limit '150'
	option leasetime '12h'


cat /etc/config/firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'Personal'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'PERSONAL'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'Personal'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'Personal'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'Personal'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUEST'

config forwarding
	option src 'Guest'
	option dest 'wan'

config zone
	option name 'IoT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'Personal'
	option dest 'IoT'

config forwarding
	option src 'Guest'
	option dest 'IoT'

config rule
	option name 'Allow Guest DHCP'
	list proto 'udp'
	option src 'Guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow Guest DNS'
	list proto 'udp'
	option src 'Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow IoT DHCP'
	list proto 'udp'
	option src 'IoT'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow IoT DNS'
	list proto 'udp'
	option src 'IoT'
	option dest_port '53'
	option target 'ACCEPT'


Also, is this still the up-to-date document to set up the AP for OpenWrt v24?

Remove the proto line from the DNS rules (removing it will cause it to be default TCP + UDP):

Do the same for the respective rule for the IoT network.

Otherwise, everything looks good.

Thanks for the confirmation.

How about this documentation? Is this still up to date, and can I use it?

But I'm not sure how the VLANs from the main router would work, though. Any idea?

You're welcome.

Yes. I actually did a major overhaul of that article a few months ago. It should be good.

Yes, it can work with VLANs. Get it setup with the primary network (the one used to manage the device) first. Then the others will be added as unmanaged. If you've got an AP that uses DSA, the config will largely be the same except for the additional networks using proto 'none'.

Keep in mind that the wifi client isolation only works on a per-AP basis. That is to say that your guest wifi clients will not be able to see other clients that are connected to the same AP, but they would be able to see clients connected to the other AP.
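The AP layout from the first reply (every VLAN tagged on the uplink, an address only on the management network, the other networks unmanaged), restated just above for a DSA device with proto 'none', expressed as a check rather than another config dump. This is an added example, not from this thread or from the OpenWrt project: a POSIX shell function that reads an AP's /etc/config/network as text (no uci call, so it also runs off-box) and prints each violation of those rules. It is exercised against two constructed sample files: the config those rules produce for this thread's VLANs 10/20/30 with the AP's wan port as uplink and 192.168.10.2 as the management address, and the shape of a stock router config used as an AP, with a routed wan interface and no bridge-vlans. The function name, the assumption that the uplink is the port named wan, and both sample files are mine.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): lint an OpenWrt DSA access
# point's /etc/config/network against the rules given in the thread:
#   1. every bridge-vlan carries the uplink port tagged (e.g. 'wan:t')
#   2. exactly one br-lan.<id> interface is 'static' (the management VLAN);
#      every other br-lan.<id> interface is proto 'none' (unmanaged)
#   3. no interface sits directly on the uplink port (that leaves it routed)
# Usage: check_ap_network <network config file> <uplink port name>
# Exit 0 when the file passes, 1 otherwise; each finding is printed on a line.
check_ap_network() {
    awk -v up="$2" -v q="'" '
        function flush() {
            if (sect == "bridge-vlan" && !tagged) {
                printf "vlan %s: uplink %s is not tagged on it\n", vid, up; bad++
            }
            if (sect == "interface") {
                if (dev == up) {
                    printf "interface %s: sits on uplink %s directly; make %s a br-lan port\n", name, up, up; bad++
                } else if (dev ~ /^br-lan/) {
                    if (proto == "static") nstatic++
                    else if (proto != "none") {
                        printf "interface %s: proto %s on %s, expected none\n", name, proto, dev; bad++
                    }
                }
            }
        }
        /^config /      { flush(); sect = $2; name = $3; gsub(q, "", name)
                          vid = ""; tagged = 0; proto = ""; dev = ""
                          if (sect == "bridge-vlan") nvlan++ }
        /option vlan/   { vid = $3; gsub(q, "", vid) }
        /list ports/    { p = $3; gsub(q, "", p); if (p == (up ":t")) tagged = 1 }
        /option proto/  { proto = $3; gsub(q, "", proto) }
        /option device/ { dev = $3; gsub(q, "", dev) }
        END {
            flush()
            if (nvlan == 0) { print "no bridge-vlan sections: nothing is tagged on the uplink"; bad++ }
            if (nstatic != 1) { printf "%d static br-lan interfaces, expected exactly 1 (management)\n", nstatic; bad++ }
            exit (bad > 0)
        }' "$1"
}

# Constructed sample configs (not from the thread) so the check runs offline.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
GOOD="$WORK/network.good"; BAD="$WORK/network.bad"

# AP config the thread's rules produce: uplink 'wan' tagged for VLANs 10/20/30,
# management address on VLAN 10, IoT and guest VLANs left unmanaged.
cat > "$GOOD" <<'EOF'
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'wan:t'
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'
	list ports 'wan:t'
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
config interface 'IOT'
	option device 'br-lan.20'
	option proto 'none'
config interface 'GUEST'
	option device 'br-lan.30'
	option proto 'none'
EOF

# Stock router config used as an AP: no bridge-vlans, and 'wan' is still routed.
cat > "$BAD" <<'EOF'
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
EOF

echo "== good =="; check_ap_network "$GOOD" wan && echo "passes"
echo "== bad ==";  check_ap_network "$BAD" wan  || echo "rejected (exit $?)"
```

On the AP itself, call `check_ap_network /etc/config/network wan` (substitute the port actually cabled to the router) before `/etc/init.d/network restart`: a management VLAN that is not tagged on the uplink leaves the AP unreachable from the router side, and an interface left on the uplink port keeps that port routed instead of bridged, which is why a client on the AP's LAN port gets no connectivity through it.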

Hi,

I need your help as I'm kinda lost with the config on the AP. I followed the steps here https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap and used method 2.

I connected via the lan2 port from the main router to the WAN port on the AP router. Then I connected my PC via the lan1 port of the AP, and now it does not have an internet connection. Also, how do I set up the VLANs I previously created on the main router to be used in the AP as well?

Thank you

Let’s see the complete configs from both devices.

Hi, please see the details below

---------------------------------------------------------------------------------------------------------------------------
MAIN ROUTER
---------------------------------------------------------------------------------------------------------------------------
cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0a:2b13:930::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'PERSONAL'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'lan2:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan2:t'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan2:t'

config interface 'IOT'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'GUEST'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Private'
        option encryption 'sae-mixed'
        option key 'test'
        option ocv '0'
        option network 'PERSONAL'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Private'
        option encryption 'sae-mixed'
        option key 'test'
        option ocv '0'
        option network 'PERSONAL'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'wifi_dev1'
        option encryption 'none'
        option key 'test'
        option network 'IOT'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'wifi_dev'
        option encryption 'sae-mixed'
        option key 'test'
        option disabled '1'
        option ocv '0'
        option network 'IOT'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Test Wifi1'
        option encryption 'none'
        option key 'test'
        option isolate '1'
        option network 'GUEST'
        option disabled '1'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Test Wifi'
        option encryption 'sae-mixed'
        option key 'test'
        option isolate '1'
        option disabled '1'
        option ocv '0'
        option network 'GUEST'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'GUEST'
        option interface 'GUEST'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'PERSONAL'
        option interface 'PERSONAL'
        option start '100'
        option limit '150'
        option leasetime '12h'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'Personal'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'PERSONAL'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'Personal'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'Personal'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'Personal'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GUEST'

config forwarding
        option src 'Guest'
        option dest 'wan'

config zone
        option name 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'IoT'
        option dest 'wan'

config forwarding
        option src 'Personal'
        option dest 'IoT'

config rule
        option name 'Allow Guest DHCP'
        list proto 'udp'
        option src 'Guest'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow Guest DNS'
        option src 'Guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow IoT DHCP'
        list proto 'udp'
        option src 'IoT'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow IoT DNS'
        option src 'IoT'
        option dest_port '53'
        option target 'ACCEPT'

config forwarding
        option src 'Guest'
        option dest 'IoT'

---------------------------------------------------------------------------------------------------------------------------
AP ROUTER
---------------------------------------------------------------------------------------------------------------------------
cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5e:96bf:e5a6::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.10.1'
        list dns '192.168.10.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

thank you!

Yup. This is actually expected because your ap’s wan port is currently routed. It should simply be part of the bridge.

A few things to do on the ap.

First, delete the wan and wan6 interfaces:

Add the wan port to br-lan like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

Create 3 bridge VLANs. Here, I’ll use the other Ethernet ports such that you can test with an Ethernet device to guarantee the VLANs are working. This can be modified if desired.

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'wan:t'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'wan:t'
        list ports 'lan4:u*'

Edit the lan interface to use br-lan.10:

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.10.1'
        list dns '192.168.10.1'

And now create 2 unmanaged networks like this:

config interface 'iot'
        option device 'br-lan.20'
        option proto 'none'

config interface 'guest'
        option device 'br-lan.30'
        option proto 'none'

From here, you can create ssids for your networks (they should be the same ssid + encryption type + passphrase as the main router). Reboot the AP device and test again.

1 Like

looking good so far.

thanks for the help.

Lastly, how can I block the access of the AP to 192.168.10.1 (LuCI) of the main router?

That isn’t necessary because the ap itself really isn’t a security threat. But if you want to do that, you’d add a rule.

config rule
        option name 'block-ap-to-router'
        option src 'lan'
        option proto 'all'
        option src_ip '192.168.10.2'
        option target 'REJECT'

Meanwhile:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
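The AP configuration above (every bridge VLAN carrying the uplink tagged, one static management interface, the other VLAN interfaces unmanaged) and the block rule just given are both easy to get subtly wrong when typed by hand. The following script is an added example, not code from the thread or from the OpenWrt project: it parses the UCI text directly with awk and reports deviations. It assumes the uplink port is named wan, the bridge is br-lan and the AP management address is 192.168.10.2; the two config samples inside it are constructed, modelled on the thread, and contain two deliberate mistakes (VLAN 30 lacks the tagged uplink, and guest is dhcp rather than none) so the checks have something to find.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an AP's UCI network config
# and the router's firewall config against the advice above. Assumptions: the
# uplink port is 'wan', the bridge is 'br-lan', and exactly one bridge-VLAN
# interface (the management one) is 'static' while the rest are 'none'.
UPLINK=wan
BRIDGE=br-lan
AP_IP=192.168.10.2

# Constructed sample modelled on the thread's AP config, with two deliberate
# mistakes: VLAN 30 lacks the tagged uplink and 'guest' is not unmanaged.
NETWORK_CFG=$(cat <<'EOF'
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'wan:t'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan4:u*'

config interface 'lan'
        option device 'br-lan.10'
        option proto 'static'
        option ipaddr '192.168.10.2'

config interface 'iot'
        option device 'br-lan.20'
        option proto 'none'

config interface 'guest'
        option device 'br-lan.30'
        option proto 'dhcp'
EOF
)

# Constructed sample of the main router's firewall config (unquoted values,
# as in the default file, are handled as well).
FIREWALL_CFG=$(cat <<'EOF'
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT

config rule
        option name 'block-ap-to-router'
        option src 'lan'
        option proto 'all'
        option src_ip '192.168.10.2'
        option target 'REJECT'
EOF
)

# Print the ids of bridge VLANs that do not carry the uplink port tagged.
vlans_missing_uplink() {  # $1 = network config text, $2 = uplink port
    printf '%s\n' "$1" | awk -v up="$2" -v q="'" '
    function flush() { if (sec == "bridge-vlan" && vlan != "" && !tagged) print vlan }
    $1 == "config" { flush(); sec = $2; vlan = ""; tagged = 0 }
    sec == "bridge-vlan" && $1 == "option" && $2 == "vlan"  { vlan = $3; gsub(q, "", vlan) }
    sec == "bridge-vlan" && $1 == "list"   && $2 == "ports" { p = $3; gsub(q, "", p); if (p == (up ":t")) tagged = 1 }
    END { flush() }'
}

# One line: "name:proto" for every bridge-VLAN interface that is neither the
# static management one nor proto none, then "static=N" (N should be 1).
bad_vlan_interfaces() {  # $1 = network config text, $2 = bridge name
    printf '%s\n' "$1" | awk -v br="$2" -v q="'" '
    function flush() {
        if (sec == "interface" && dev ~ ("^" br "\\.[0-9]+$")) {
            if (proto == "static") statics++
            else if (proto != "none") out = out name ":" proto " "
        }
    }
    $1 == "config" { flush(); sec = $2; name = $3; gsub(q, "", name); dev = ""; proto = "" }
    sec == "interface" && $1 == "option" && $2 == "device" { dev = $3; gsub(q, "", dev) }
    sec == "interface" && $1 == "option" && $2 == "proto"  { proto = $3; gsub(q, "", proto) }
    END { flush(); print out "static=" statics + 0 }'
}

# "yes" if some rule rejects or drops traffic from the AP address to the router
# itself: a UCI rule with src_ip and no dest applies to the router's input path.
ap_input_blocked() {  # $1 = firewall config text, $2 = AP address
    printf '%s\n' "$1" | awk -v ip="$2" -v q="'" '
    function flush() {
        if (sec == "rule" && src == ip && dest == "" && (target == "REJECT" || target == "DROP")) found = 1
    }
    $1 == "config" { flush(); sec = $2; src = ""; dest = ""; target = "" }
    sec == "rule" && $1 == "option" {
        v = $3; gsub(q, "", v)
        if ($2 == "src_ip") src = v; else if ($2 == "dest") dest = v; else if ($2 == "target") target = v
    }
    END { flush(); print (found ? "yes" : "no") }'
}

echo "VLANs missing tagged uplink $UPLINK: $(vlans_missing_uplink "$NETWORK_CFG" "$UPLINK")"
echo "Interfaces to fix: $(bad_vlan_interfaces "$NETWORK_CFG" "$BRIDGE")"
echo "AP-to-router input blocked: $(ap_input_blocked "$FIREWALL_CFG" "$AP_IP")"
```

On a real device the same functions can be fed the live files, for instance `vlans_missing_uplink "$(cat /etc/config/network)" wan` on the AP and `ap_input_blocked "$(cat /etc/config/firewall)" 192.168.10.2` on the router. The firewall check relies on the documented UCI semantics that a rule without a dest option restricts traffic addressed to the router itself rather than forwarded traffic, which is exactly what the block-ap-to-router rule above depends on.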

I am the author of that blog post because I wanted to create a separate VLAN for my NVR system and had a hard time making it work using LUCI. I might have to create a separate blog for easy to setup DSA VLAN tagging because that blog is quite popular in search results.

If by chance you can send me step by step screenshots for creating VLANs using DSA I can make a new blog post.

thanks again.

Lastly, what would you suggest if I want to send an email to myself if there is a new device connected and if the router is on heavy load?

or what would be a great way to notify myself if this happens?