How to set up WIFI VLAN

I am trying to set up a management VLAN, a guest VLAN and an IoT VLAN on the access point, but I am not sure how to do that. I was able to set up a VLAN for IoT on the switch, but I am not sure how to set it up on the AP and make the SSID use that VLAN.

Port 8 is tagged for vlan 108 on the switch
Port 21 is the AP port on the switch

Vlan 108 - IOT SSID
Vlan 110 - Guest SSID


#SWITCH
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "RTL8382",
	"model": "ZyXEL GS1900-24E",
	"board_name": "zyxel,gs1900-24e",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "realtek/rtl838x",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED:/48'

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr 'REDACTED'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21'
	list ports 'lan22'
	list ports 'lan23'
	list ports 'lan24'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan9'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21'
	list ports 'lan22'
	list ports 'lan23'
	list ports 'lan24'

config device
	option name 'switch.1'
	option macaddr 'REDACTED'

config interface 'lan'
	option device 'switch.1'
	option proto 'static'
	option ipaddr '192.168.1.5'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	list dns '9.9.9.9'
	option delegate '0'
	option gateway '192.168.1.1'

config bridge-vlan
	option device 'switch'
	option vlan '108'
	list ports 'lan1:t'
	list ports 'lan8'

config bridge-vlan
	option device 'switch'
	option vlan '110'
	list ports 'lan1:t'
	list ports 'lan10'

uci: Entry not found
root@OpenWrt:~# 


#ACCESS POINT
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link EAP225 v3",
	"board_name": "tplink,eap225-v3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED:/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.10'
	option gateway '192.168.1.1'
	option delegate '0'
	list dns '192.168.1.1'
	list dns '9.9.9.9'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'psk2+ccmp'
	option key 'REDACTED'
	option ieee80211w '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option cell_density '0'
	option channel 'auto'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'REDACTED'
	option ssid 'REDACTED_24'
	option encryption 'psk2'
	option disabled '1'

root@OpenWrt:~# 

how do you do that from the GUI?

anyone else have any other ideas on how to do it?

I can help you with edits to the text file, but I don't (offhand) know the path to do so with the LuCI web interface. Are you comfortable editing the config file directly?

In the GUI, open the Network drop-down at the top and click Interfaces, then click the Devices tab. Find the name of the overall bridge ("switch" in this case) and click its Configure button, then click the Bridge VLAN Filtering tab. This is a table with a column for each port and a row for each VLAN number; in each cell you can choose Tagged, Untagged or Not Member. The "Is Primary Member" check box means that any unexpected untagged packets arriving on that port will be assigned to this VLAN. Generally you don't have to check it.

On the "trunk" ports make all of the VLANs that you want to go to the AP tagged. Don't mix tagged and untagged on the same port.

yea that's fine

Ok... so I see only a single VLAN (VLAN 1) currently on switch port 21 -- you'll need to add the additional VLANs to that port if you want them to reach the AP.

Let's do that on the switch -- add port 21 tagged for both VLAN 108 and 110:

# Switch side: the AP uplink (port 21 = lan21) joins VLAN 108 (IoT) and
# VLAN 110 (guest) as a tagged member (':t'), alongside the existing tagged
# port lan1 and the untagged access ports lan8 / lan10. lan21 keeps its
# untagged membership in VLAN 1 (the 'lan_vlan' stanza), which is what carries
# the AP's own management traffic.
config bridge-vlan
	option device 'switch'
	option vlan '108'
	list ports 'lan1:t'
	list ports 'lan8'
	list ports 'lan21:t'

config bridge-vlan
	option device 'switch'
	option vlan '110'
	list ports 'lan1:t'
	list ports 'lan10'
	list ports 'lan21:t'

Now, on the AP, we'll create two new bridges and then the corresponding unmanaged interfaces:

# AP side: one bridge per VLAN, attached to the tagged sub-interface of the
# uplink (eth0.108 for VLAN 108 / IoT, eth0.110 for VLAN 110 / guest), plus an
# interface for each so the wifi-iface 'network' option can reference it.
config device
	option name 'br-iot'
	option type 'bridge'
	list ports 'eth0.108'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.110'

# 'proto none' leaves both interfaces unmanaged: the AP takes no address on
# the IoT or guest VLAN, so it stays reachable for management only through
# 'lan' (untagged eth0 / VLAN 1).
config interface 'iot'
	option device 'br-iot'
	option proto 'none'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

Finally, create two new SSIDs for the IoT and guest networks and associate each one with its respective network ('iot' and 'guest').

Reboot both your switch and your AP and your VLANs should work (assuming the upstream router is configured properly -- that can be tested from ports 8 and 10, respectively).

so that worked for me. Thanks

Do you happen to know how to stop clients on the same SSID from talking to each other? I tried blocking it on the firewall, but I was still able to ping other clients on the same SSID.

I then enabled isolate on the SSID, which does block the communication, but when I allow it on the firewall I still can't ping the other client. I checked the logs and didn't see anything being denied, so I think it's something related to the switch config.

setup is like this
opnsense > switch > AP

clients on the IOT SSID which is vlan108:
192.168.108.5
192.168.108.6

Switch

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "RTL8382",
	"model": "ZyXEL GS1900-24E",
	"board_name": "zyxel,gs1900-24e",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "realtek/rtl838x",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED::/48'

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr 'REDACTED'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21'
	list ports 'lan22'
	list ports 'lan23'
	list ports 'lan24'
	option acceptlocal '0'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan9'
	list ports 'lan11'
	list ports 'lan12'
	list ports 'lan13'
	list ports 'lan14'
	list ports 'lan15'
	list ports 'lan16'
	list ports 'lan17'
	list ports 'lan18'
	list ports 'lan19'
	list ports 'lan20'
	list ports 'lan21'
	list ports 'lan22'
	list ports 'lan23'
	list ports 'lan24'

config device
	option name 'switch.1'
	option macaddr 'REDACTED'
	option acceptlocal '0'

config interface 'lan'
	option device 'switch.1'
	option proto 'static'
	option ipaddr '192.168.1.5'
	option netmask '255.255.255.0'
	list dns '192.168.1.1'
	list dns '9.9.9.9'
	option delegate '0'
	option gateway '192.168.1.1'

config bridge-vlan
	option device 'switch'
	option vlan '108'
	list ports 'lan1:t'
	list ports 'lan8'
	list ports 'lan21:t'

config bridge-vlan
	option device 'switch'
	option vlan '110'
	list ports 'lan1:t'
	list ports 'lan10'
	list ports 'lan21:t'

uci: Entry not found

AP

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link EAP225 v3",
	"board_name": "tplink,eap225-v3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7c:cb05:b059::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option acceptlocal '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.10'
	option gateway '192.168.1.1'
	option delegate '0'
	list dns '192.168.1.1'
	list dns '9.9.9.9'

config interface 'iot'
	option proto 'none'
	option device 'br-iot'

config interface 'guest'
	option proto 'none'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.108'

config device
	option type 'bridge'
	option name 'br-guest'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Failure'
	option encryption 'psk2+ccmp'
	option key 'REDACTED'
	option ieee80211w '1'
	option disassoc_low_ack '0'
	option multicast_to_unicast_all '1'
	option isolate '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option cell_density '0'
	option channel 'auto'
	option htmode 'HT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option key 'REDACTED'
	option ssid 'IOT'
	option encryption 'sae'
	option network 'iot'
	option disassoc_low_ack '0'
	option wpa_disable_eapol_key_retries '1'
	option multicast_to_unicast_all '1'
	option isolate '1'

Isolation is a wifi-specific feature: it prevents wifi clients on the same SSID from communicating with each other. It does not prevent wifi clients from reaching wired devices, or vice versa (and note that if you have multiple APs, the clients on one AP look like wired clients when viewed from the other). Wifi client isolation happens at L2, whereas the normal firewall operates at L3 (in other words, only when routing between different subnets).

How would I go about achieving this then? I want clients on the same AP and SSID to go through the firewall, which would decide whether they can talk to another client on the same SSID and AP.

Client isolation is all-or-nothing.

Generally speaking, you cannot filter/firewall traffic between devices on the same subnet.
You can try a bridge firewall, but this may or may not work as expected (it's a bit of an unusual configuration, and offhand I don't know whether it works with firewall4). I have never used bridge firewalls myself, though.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge

Appreciate the help, I will look into this
