I am trying to set up a management VLAN, guest VLAN and IoT VLAN on the access point. I am not sure how to set that up. I was able to set up a VLAN for IoT on the switch, but I am not sure how to set it up on the AP and make the SSID use that VLAN.
Port 8 is tagged for vlan 108 on the switch
Port 21 is the AP port on the switch
Vlan 108 - IOT SSID
Vlan 110 - Guest SSID
#SWITCH
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless
{
"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "RTL8382",
"model": "ZyXEL GS1900-24E",
"board_name": "zyxel,gs1900-24e",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "realtek/rtl838x",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'REDACTED:/48'
config device 'switch'
option name 'switch'
option type 'bridge'
option macaddr 'REDACTED'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'lan6'
list ports 'lan7'
list ports 'lan8'
list ports 'lan9'
list ports 'lan10'
list ports 'lan11'
list ports 'lan12'
list ports 'lan13'
list ports 'lan14'
list ports 'lan15'
list ports 'lan16'
list ports 'lan17'
list ports 'lan18'
list ports 'lan19'
list ports 'lan20'
list ports 'lan21'
list ports 'lan22'
list ports 'lan23'
list ports 'lan24'
config bridge-vlan 'lan_vlan'
option device 'switch'
option vlan '1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'lan6'
list ports 'lan7'
list ports 'lan9'
list ports 'lan11'
list ports 'lan12'
list ports 'lan13'
list ports 'lan14'
list ports 'lan15'
list ports 'lan16'
list ports 'lan17'
list ports 'lan18'
list ports 'lan19'
list ports 'lan20'
list ports 'lan21'
list ports 'lan22'
list ports 'lan23'
list ports 'lan24'
config device
option name 'switch.1'
option macaddr 'REDACTED'
config interface 'lan'
option device 'switch.1'
option proto 'static'
option ipaddr '192.168.1.5'
option netmask '255.255.255.0'
list dns '192.168.1.1'
list dns '9.9.9.9'
option delegate '0'
option gateway '192.168.1.1'
config bridge-vlan
option device 'switch'
option vlan '108'
list ports 'lan1:t'
list ports 'lan8'
config bridge-vlan
option device 'switch'
option vlan '110'
list ports 'lan1:t'
list ports 'lan10'
uci: Entry not found
root@OpenWrt:~#
I can help you with edits to the text file, but I don't (offhand) know the path to do so with the LuCI web interface. Are you comfortable editing the config file directly?
In the GUI drop down Network at the top and click Interfaces. Click the Devices tab. Find the name of the overall bridge (switch in this case) and click its Configure button. Then click the Bridge VLAN Filtering tab. This is a table with a column for each port and a row for each VLAN number. You can choose tagged, untagged, or Not Member in each cell. The "Is Primary Member" check box means that any unexpected untagged packets that arrive will go to this VLAN. Generally you don't have to check it.
On the "trunk" ports make all of the VLANs that you want to go to the AP tagged. Don't mix tagged and untagged on the same port.
Ok... so I see only a single VLAN (VLAN 1) currently on switch port 21... you'll need to add the additional VLANs to the port if you want them to go to the AP.
Let's do that on the switch -- add port 21 tagged for both VLAN 108 and 110:
config bridge-vlan
option device 'switch'
option vlan '108'
list ports 'lan1:t'
list ports 'lan8'
list ports 'lan21:t'
config bridge-vlan
option device 'switch'
option vlan '110'
list ports 'lan1:t'
list ports 'lan10'
list ports 'lan21:t'
Now, on the AP, we'll create two new bridges and then corresponding unmanaged interfaces:
config device
option name 'br-iot'
option type 'bridge'
list ports 'eth0.108'
config device
option name 'br-guest'
option type 'bridge'
list ports 'eth0.110'
config interface 'iot'
option device 'br-iot'
option proto 'none'
config interface 'guest'
option device 'br-guest'
option proto 'none'
Finally, create 2 new SSIDs for the iot and guest networks and associate them with the respective network.
Reboot both your switch and your AP and your VLANs should work (assuming the upstream router is configured properly -- that can be tested with ports 8 and 10, respectively).
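As an added example (not part of the post above, and not OpenWrt's own tooling), here is the AP side of that recipe expressed as uci commands, including the two SSIDs the post leaves as a sentence. Assumptions not in the thread: the AP's wired uplink is eth0 (so the tagged sub-interfaces are eth0.108 and eth0.110), the radio is radio0, and the SSID names and passphrases are placeholders. The switch side (lan21 tagged on VLANs 108 and 110) is as shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): the AP side of the recipe above as
# uci commands. Assumptions: uplink eth0 (tagged sub-interfaces eth0.108 and
# eth0.110), radio radio0, placeholder SSID names and passphrases.
# When uci is absent or DRY_RUN=1 is set, the commands are printed instead
# of executed, so the script can be reviewed before running it on the AP.

UPLINK="${UPLINK:-eth0}"
RADIO="${RADIO:-radio0}"

uci_cmd() {
    if [ -n "$DRY_RUN" ] || ! command -v uci >/dev/null 2>&1; then
        echo "uci $*"
    else
        uci "$@"
    fi
}

# add_vlan_net NAME VID: a bridge carrying one tagged VLAN off the uplink and
# an unmanaged interface on it (the AP needs no IP address in these VLANs).
add_vlan_net() {
    name="$1"; vid="$2"
    uci_cmd set "network.br_$name=device"
    uci_cmd set "network.br_$name.name=br-$name"
    uci_cmd set "network.br_$name.type=bridge"
    uci_cmd add_list "network.br_$name.ports=$UPLINK.$vid"
    uci_cmd set "network.$name=interface"
    uci_cmd set "network.$name.device=br-$name"
    uci_cmd set "network.$name.proto=none"
}

# add_ssid SECTION NETWORK SSID PSK ISOLATE: a WPA2-PSK AP bound to NETWORK.
# ISOLATE=1 makes hostapd drop client-to-client traffic inside that SSID.
add_ssid() {
    sect="$1"; net="$2"; ssid="$3"; psk="$4"; isolate="$5"
    uci_cmd set "wireless.$sect=wifi-iface"
    uci_cmd set "wireless.$sect.device=$RADIO"
    uci_cmd set "wireless.$sect.mode=ap"
    uci_cmd set "wireless.$sect.network=$net"
    uci_cmd set "wireless.$sect.ssid=$ssid"
    uci_cmd set "wireless.$sect.encryption=psk2"
    uci_cmd set "wireless.$sect.key=$psk"
    uci_cmd set "wireless.$sect.isolate=$isolate"
}

configure_ap() {
    add_vlan_net iot 108
    add_vlan_net guest 110
    add_ssid iot_ap   iot   "IoT"   "CHANGE-ME-iot"   0
    add_ssid guest_ap guest "Guest" "CHANGE-ME-guest" 1
    uci_cmd commit network
    uci_cmd commit wireless
}

configure_ap
# afterwards: /etc/init.d/network restart && wifi reload (or reboot, as in the post)
```

Run it once with DRY_RUN=1 to see the exact uci commands, then without. Guest gets isolate=1 because guest clients rarely need to see each other; IoT is left open here because the follow-up question in this thread is about controlling that traffic more finely. Check the result with `ubus call system board; uci export network; uci export wireless`, as the posts above do, and confirm from a client on each SSID that it gets an address from the VLAN's DHCP server on the upstream router.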
Do you happen to know how to stop clients on the same SSID from talking to each other? I tried blocking it on the firewall, but I was still able to ping other clients on the same SSID.
I then enabled isolate on the SSID, which blocks communication, but when I allow it on the firewall itself I can't ping the other client. I checked the logs and I didn't see anything being denied, so I think it's something related to the switch config.
The setup is like this:
opnsense > switch > AP
Clients on the IoT SSID, which is VLAN 108:
192.168.108.5
192.168.108.6
Switch
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless
{
"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "RTL8382",
"model": "ZyXEL GS1900-24E",
"board_name": "zyxel,gs1900-24e",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "realtek/rtl838x",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'REDACTED::/48'
config device 'switch'
option name 'switch'
option type 'bridge'
option macaddr 'REDACTED'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'lan6'
list ports 'lan7'
list ports 'lan8'
list ports 'lan9'
list ports 'lan10'
list ports 'lan11'
list ports 'lan12'
list ports 'lan13'
list ports 'lan14'
list ports 'lan15'
list ports 'lan16'
list ports 'lan17'
list ports 'lan18'
list ports 'lan19'
list ports 'lan20'
list ports 'lan21'
list ports 'lan22'
list ports 'lan23'
list ports 'lan24'
option acceptlocal '0'
config bridge-vlan 'lan_vlan'
option device 'switch'
option vlan '1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'lan6'
list ports 'lan7'
list ports 'lan9'
list ports 'lan11'
list ports 'lan12'
list ports 'lan13'
list ports 'lan14'
list ports 'lan15'
list ports 'lan16'
list ports 'lan17'
list ports 'lan18'
list ports 'lan19'
list ports 'lan20'
list ports 'lan21'
list ports 'lan22'
list ports 'lan23'
list ports 'lan24'
config device
option name 'switch.1'
option macaddr 'REDACTED'
option acceptlocal '0'
config interface 'lan'
option device 'switch.1'
option proto 'static'
option ipaddr '192.168.1.5'
option netmask '255.255.255.0'
list dns '192.168.1.1'
list dns '9.9.9.9'
option delegate '0'
option gateway '192.168.1.1'
config bridge-vlan
option device 'switch'
option vlan '108'
list ports 'lan1:t'
list ports 'lan8'
list ports 'lan21:t'
config bridge-vlan
option device 'switch'
option vlan '110'
list ports 'lan1:t'
list ports 'lan10'
list ports 'lan21:t'
uci: Entry not found
Isolation is a wifi specific thing -- it prevents wifi clients on the same SSID from communicating with each other. It does not prevent wifi clients from reaching wired devices and vice versa (and also, it should be noted that if you have multiple APs, the clients on one AP are effectively like wired clients when viewed from the other). Wifi client isolation happens at L2, whereas the normal firewall operates at L3 (in other words, only when routing between different subnets).
How would I go about achieving this then? I want clients from the same AP and SSID to hit the firewall to determine whether they can talk to another client on the same SSID and AP
Generally speaking, you cannot filter/firewall devices on the same subnet.
You can try a bridge-firewall, but this may or may not work as expected (it's a bit of an unusual configuration, and offhand I don't know if it works with firewall4). I have never used bridge firewalls, though.
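As an added example (not from the thread, and not something the poster above tested), here is what the "bridge firewall" idea looks like on the AP with firewall4. It is built on three assumptions that are not in the thread: the AP runs OpenWrt 23.05 with fw4 and the kmod-nft-bridge package installed; the IoT SSID is wifi interface phy0-ap0 (check with `iw dev`) bridged into br-iot; and isolate=1 stays set on that wifi-iface. The 192.168.108.5 and 192.168.108.6 addresses are the two clients from the question.

```shell
#!/bin/sh
# Added example (not from the thread) of the "bridge firewall" idea: let a
# firewall decide which clients on the same SSID may talk, instead of an
# all-or-nothing isolate setting. Assumptions: OpenWrt 23.05 AP with fw4 and
# kmod-nft-bridge installed; the IoT SSID is interface phy0-ap0, bridged
# into br-iot, with isolate=1 set on the wifi-iface.
#
# Why three pieces are needed:
#  1. isolate=1: mac80211 stops relaying station-to-station frames inside the
#     driver and hands them to the bridge like any other frame (without it,
#     the bridge, and so any firewall, never sees this traffic).
#  2. hairpin mode on the bridge port: a Linux bridge will not send a frame
#     back out the port it arrived on unless hairpin is enabled.
#  3. a bridge-family nftables table: an L2 forward hook on the bridge, which
#     is the only place client-to-client frames are visible to a filter.

AP_IF="${AP_IF:-phy0-ap0}"
RULES="${RULES:-/usr/share/nftables.d/ruleset-post/iot-intra.nft}"
command -v fw4 >/dev/null 2>&1 || DRY_RUN=1   # off the AP: print, don't apply

# Allow only the two addresses from the question to reach each other and drop
# every other frame reflected back onto the same SSID. ARP must be allowed or
# the permitted pair cannot resolve each other's MAC.
iot_intra_ruleset() {
    cat <<EOF
table bridge iot_intra {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$AP_IF" oifname "$AP_IF" jump same_ssid
    }
    chain same_ssid {
        ether type arp accept
        ip saddr 192.168.108.5 ip daddr 192.168.108.6 accept
        ip saddr 192.168.108.6 ip daddr 192.168.108.5 accept
        counter drop
    }
}
EOF
}

set_hairpin() {
    # per-port runtime flag; it is lost when a wifi restart re-adds the port
    if [ -n "$DRY_RUN" ]; then
        echo "echo 1 > /sys/class/net/$AP_IF/brport/hairpin_mode"
    else
        echo 1 > "/sys/class/net/$AP_IF/brport/hairpin_mode"
    fi
}

apply() {
    set_hairpin
    if [ -n "$DRY_RUN" ]; then
        echo "# would write $RULES:"
        iot_intra_ruleset
    else
        # fw4 includes ruleset-post/*.nft each time it rebuilds its ruleset
        # (which starts with "flush ruleset"), so the table survives restarts.
        iot_intra_ruleset > "$RULES"
        /etc/init.d/firewall restart
    fi
}

apply
```

Verify with `nft list table bridge iot_intra`: the `counter drop` line should tick up when a third IoT client pings .5 or .6, while .5 and .6 ping each other normally. Two caveats follow from the mechanism: if isolate is turned off again, the driver relays the frames itself and these rules never see them, which is exactly the symptom described earlier in the thread; and the hairpin flag is per-port runtime state, so it has to be re-applied (for example from a hotplug script) whenever the wifi interface is recreated.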