Home network with multiple wireless SSIDs, wired connections and VLANs

Hi All,

I'm a newbie at this and hope someone can help me out with my home network design. I would like to create multiple network segments (Internal, IoT and Guests) spanning both wired and wireless interfaces. I created a simple network diagram which hopefully does provide sufficient information:

I am struggling with the interface and VLAN configurations. I checked several guides, but they did not help me out. I assume the main difference between my setup and the ones that I found in the guides is that my OpenWRT router will not be operating as a modem (no ISP connection). It will only act as a router, provide WiFi and separate network flows.
Any help is much appreciated!

Roy

In the last part of the OpenWrt it is quite clear. You'll have 3 interfaces for lan, iot, and guest, bridged with the wifi ssid.
But how is the uplink to the isp modem? Is there a wan interface or are you going to extend the lan?
Is there going to be any host on the managed switch too? If yes on which vlan?

Thanks for your reply Trendy! To answer your questions:

The uplink to the ISP is handled by the ISP modem, which is a separate DSL modem. The OpenWRT router will be added to my current network.

The managed switch will have some devices connected as well. One of these devices is an IoT device, all the other ones are internal devices. I have not decided on the exact VLAN configuration yet. I assume I need three: one for my internal network, one for the IoT devices and one for the Guest network?

Just to add some more detail:

  • All the network components in the picture are in house.
  • The picture depicts the network as I would like it to be.
  • The current network situation is without the Netgear R7800 router.
  • In the new situation the ISP modem will not be a DHCP server and also will not provide WiFi. This will be done by the Netgear R7800 router.

Sure all the guides are slightly different. The key to success with vlans is understanding them.

All you have to do is start small:

  • one trunked connection to the switch (all tagged)
  • a couple of ports on the switch as access (untagged, a single different VLAN each)

Once you have mastered and understand the basics... you can then extend this to other things. No guide is going to "exactly" match your situation.


Thanks Wulfy23, your feedback is much appreciated!
I will check the VLAN configurations as suggested. My concerns for now are on how to create the interfaces, how to get DHCP for the different subnets working etc. I'm not very familiar with the LuCi GUI yet.

Anyone else that can help me out? I'm stuck here and have no idea where to look further.
I've created the interfaces, wireless SSID's and VLANs. Here's what I experience:

  • connecting to the wireless SSID Home works fine, I can surf the internet.
  • connecting to the wireless SSID IoT is possible, however I can't reach the internet.
  • connecting to the wireless SSID Guest does not give me an IP address at all.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	list server '8.8.8.8'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'guests'
	option interface 'guests'
	option start '50'
	option limit '10'
	option leasetime '1h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guests'
	option start '100'
	option interface 'guests'
	option limit '10'
	option leasetime '2h'

config dhcp 'IoT'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'IoT'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'Home'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option name 'HOME'
	option output 'ACCEPT'

config zone
	option network 'Guests'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option name 'Guests'
	option output 'ACCEPT'

config zone
	option network 'IoT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option name 'IoT'
	option output 'ACCEPT'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0c:7615:2d06::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr 'x.x.1.x'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway 'isp modem'
	option ifname 'eth0.1'
	option delegate '0'
	list dns 'isp modem'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 4 3 2'

config interface 'Guests'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr 'x.x.3.x'
	option ifname 'eth1.3 wlan0 wlan1'
	option gateway 'isp modem'
	option force_link '0'

config interface 'IoT'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr 'x.x.2.x'
	option ifname 'eth1.2'
	option gateway 'isp modem'
	option force_link '0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '6t 1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '6t 5'
	option vid '3'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'
	option channel '124'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option isolate '1'
	option key '********'
	option encryption 'psk2'
	option ssid 'Guests'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'HT20'
	option country 'US'
	option channel '9'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option key '********'
	option encryption 'psk2'
	option ssid 'Guests'

config wifi-iface 'wifinet2'
	option ssid 'IoT'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option key '********'
	option network 'IoT'

config wifi-iface 'wifinet3'
	option ssid 'IoT'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option network 'IoT'
	option key '********'

config wifi-iface 'wifinet4'
	option ifname 'WLAN'
	option ssid 'Home'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option key '********'

config wifi-iface 'wifinet5'
	option ssid 'Home'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option network 'lan'
	option key '********'

There are 2 dhcp instances for guests.
In firewall there is a HOME zone which includes a home interface, but there is no home interface in networks.

Don't use such names for the wireless interfaces, they might change. Instead use option network Guests in wireless configuration.

You are also mixing upper/lower case names. Keep in mind that linux is case sensitive OS, therefore HOME and home are different names, not the same.


Hi Trendy, thanks for the feedback!
I did the following modifications:

  • removed the 2nd DHCP instance for guests
  • changed the fw zone
  • changed the wireless interface name
  • got rid of the uppercases

DHCP on the Guest WiFi network now works fine, so that's great. But I still do not have internet access on both the IoT and Guest WiFi networks. I did connect with my laptop and noticed that I can ping all the IPs on the OpenWrt but no IPs outside of the OpenWrt.
Could this be a routing issue?

Add static routes in the ISP modem for the iot and guest networks via the R7800.
Or enable masquerade on home zone (I presume this is the uplink to the ISP modem).
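
The checks Trendy lists above (the duplicate guests pool, a HOME zone pointing at an interface that does not exist, case-sensitive names, SSIDs attached by interface name rather than by option network) and the routing point in this reply (without masquerade on the uplink zone the ISP modem never learns a route back to the IoT and guest subnets) can be run mechanically over the four files. The script below is an added example written for this thread; it is not part of any post here and not OpenWrt tooling. It assumes a zone is untrusted unless it contains the lan interface (the trusted default), and its config excerpts are constructed, cut down from the ones posted above with addresses removed.

```python
"""UCI linter for the four files posted above. Added example for this thread (not
OpenWrt tooling): flags duplicate DHCP pools, names that match no interface (Linux
is case sensitive), SSIDs attached by device name instead of 'option network', and,
for "can ping the router but nothing beyond it", the absence of a masquerading zone."""
import re

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'?([^']*)'?\s*$")


def parse_uci(text):
    # -> [(section type, section name or '', {key: value or [values]})]
    sections = []
    for line in map(str.strip, text.splitlines()):
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), m.group(2) or "", {}))
        elif (m := OPTION_RE.match(line)) and sections:
            kind, key, value = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections


def lint(network, dhcp, firewall, wireless, trusted=("lan",)):
    # returns a list of findings; an empty list means nothing was flagged
    out = []
    ifaces = {n for t, n, _ in parse_uci(network) if t == "interface" and n != "loopback"}
    by_lower = {n.lower(): n for n in ifaces}

    def hint(name):  # the same name in another case is almost always what was meant
        return f" (did you mean '{by_lower[name.lower()]}'?)" if name.lower() in by_lower else ""

    # network: wlanX names are assigned at boot, so bridge SSIDs via 'option network'
    for t, n, o in parse_uci(network):
        if t == "interface" and any(d.startswith("wlan") for d in o.get("ifname", "").split()):
            out.append(f"network: interface '{n}' lists wlan devices in ifname")
    # dhcp: one pool per interface, and the interface must exist under that exact name
    pools = {}
    for t, n, o in parse_uci(dhcp):
        if t == "dhcp":
            pools.setdefault(o.get("interface", ""), []).append(n)
    for iface, names in pools.items():
        if len(names) > 1:
            out.append(f"dhcp: {len(names)} pools for interface '{iface}'")
        if iface not in ifaces:
            out.append(f"dhcp: pool '{names[0]}' targets unknown interface '{iface}'{hint(iface)}")
    # firewall: zone networks must exist, untrusted zones must not accept input to the
    # router, and the uplink zone must masquerade unless the modem has static routes back
    masq = False
    for t, _, o in parse_uci(firewall):
        if t != "zone":
            continue
        nets = o.get("network", "").split()
        for n in nets:
            if n not in ifaces:
                out.append(f"firewall: zone '{o['name']}' references missing interface '{n}'{hint(n)}")
        if o.get("input") == "ACCEPT" and nets and set(nets) <= ifaces and not set(nets) & set(trusted):
            out.append(f"firewall: zone '{o['name']}' accepts input from an untrusted segment")
        masq = masq or o.get("masq") == "1"
    if not masq:
        out.append("firewall: no zone masquerades; set masq on the uplink zone or add static routes on the modem")
    # wireless: every AP needs 'option network'; a pinned ifname is fragile
    for t, n, o in parse_uci(wireless):
        if t == "wifi-iface" and "network" not in o:
            out.append(f"wireless: '{n}' (ssid {o.get('ssid')}) has no 'option network'")
        if t == "wifi-iface" and "ifname" in o:
            out.append(f"wireless: '{n}' pins ifname '{o['ifname']}'; use 'option network' instead")
    return out


# constructed excerpts of the configs posted in this thread (addresses omitted)
NETWORK = """
config interface 'lan'
	option ifname 'eth0.1'
config interface 'Guests'
	option ifname 'eth1.3 wlan0 wlan1'
"""
DHCP = """
config dhcp 'guests'
	option interface 'guests'
config dhcp 'guests'
	option interface 'guests'
"""
FIREWALL = """
config zone
	option name 'HOME'
	option network 'Home'
	option input 'ACCEPT'
config zone
	option name 'Guests'
	option network 'Guests'
	option input 'ACCEPT'
"""
WIRELESS = """
config wifi-iface 'default_radio0'
	option ssid 'Guests'
config wifi-iface 'wifinet4'
	option ifname 'WLAN'
	option ssid 'Home'
"""
```

Calling lint(NETWORK, DHCP, FIREWALL, WIRELESS) returns one line per problem (nine for these excerpts); once the pool, zone and SSID names agree with the interface names, guest and IoT zones reject input, and masq is set on the zone that carries the uplink, it returns an empty list. The "untrusted segment" check is the security-relevant one for this design: with input ACCEPT on every zone, a guest or IoT client can reach the router's own services, which is what the paste above allows.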

I'd encourage you to put the OpenWrt device immediately after the ISP modem and do all your routing in the OpenWrt device. You can put the managed switch downstream of the OpenWrt device to get more wired ports. This is both more secure and easier to manage.

I assume you got the managed switch for WAN tagging, right? I have the same setup with the same router and here is the switch config you can use. It tags WAN with VLAN 35 and creates three VLAN's (11, 22, 33) on three LAN ports while keeping one LAN port for LAN.

The next step is to create Interfaces on eth1.11, eth1.22, and eth1.33. Then you switch your WAN interface to use eth0.35 (or some other tag you need to use).

The switch between the modem and router is not needed.

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5t 0t'
	option vid '35'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '2 6t'
	option vid '33'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 6t'
	option vid '22'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '4 6t'
	option vid '11'

Thanks a lot all, I hope I'll be able to test out stuff in the weekend.
To be continued.. :)

Thanks for the advice, I put the OpenWrt in the middle. Unfortunately it did not result in getting an internet connection on the WiFi networks.

I got the managed switch as I needed more physical ports and also wanted to be able to separate networks by means of VLANs.
The ISP modem is a simple ADSL modem, which just delivers the internet connection. It does not have many possibilities, therefore I added the OpenWrt router. This router will need to provide multiple wireless networks and separate networks. So far I managed to configure the interfaces, wireless networks, DHCP and VLANs. But somehow I only have internet access on the home (wired and wireless) connection. I do get correct IP addresses in the IoT and Guests networks, but am not able to reach the internet.

Did you configure the guest firewall zone? https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

I disabled the firewall as I do not need it (the firewall on my ISP modem is already enabled) and therefore have not configured firewall rules.
Apart from that, it's pretty straightforward.