Implement vLANs coming from upstream firewall

Hi forum

I am running pfSense upstream of an OpenWrt AP. pfSense creates two vLANS and is connected to a managed switch to which the AP is connected (by one cable only).

At the AP I want to broadcast two SSIDs, one for each vLAN.

I would appreciate if someone could guide me on how I would have to configure the AP, ideally through LuCI :laughing: , so that I can use both vLANS. I only want to use one port on my switch and I think I can configure the switch properly.

There isn't a guide for handling VLANs on a bridged AP, but I'd recommend that you start here:

From there, we can help you add the VLAN part of it... we need to know which port connects to the managed switch (assuming a multi-port AP), and we need to know the configuration of the switch port as well (what VLAN IDs are being used and what is the tagging configuration on them). Plus, of course, we'll need the basic configuration information:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

Pro Tip: Be sure to set up access ports (i.e. just one network, untagged + PVID) on your managed switch for each of the networks. You'll use these to verify that the router and switch are working as expected -- if there are issues, you want to troubleshoot those separately relative to the OpenWrt AP.

Thank you very much :folded_hands: for picking this up @psherman , here is the output

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.12.85",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "TP-Link TL-MR6400 v5",
	"board_name": "tplink,tl-mr6400-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.3",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32912-6639b15f62",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 25.12.3 r32912-6639b15f62",
		"builddate": "1777933845"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '00044012d2e57fe246f99e1ab355e6a92e51'
	option ula_prefix 'fddd:41ed:6b22::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '10.33.33.76/24'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '3 6t'

config interface 'wwan'
	option proto 'dhcp'

I can connect any port of the router to the switch, let's use e.g. port 1 on the router.

Can you provide this:

This will inform the suggestions that I provide -- I'll try to do it all in one shot.

Sorry, I have vLAN ID 1 untagged and vLAN ID 10 tagged

Great.

I'm not exactly sure which logical port (0-2) maps to physical port lan 1, but I'm going to take a guess (I have a 33% chance of getting this right!). I'll assume logical port 0. Also, I don't know what purpose VLAN 10 serves on your network, so I'll just label it guest (you can change this -- the name is arbitrary).

All we need to do is add a new VLAN to the switch, a new bridge, and an unmanaged network interface:

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '0t 6t'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.10'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

Now, you can create a new SSID in the wifi configuration and associate it with network guest. That should be it. Be sure to restart the router to make sure all the changes are loaded.

Thank you very much for your time @psherman , works like a charm :grinning_face:
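The check below is an added example, not part of the thread: it reads a swconfig-style /etc/config/network like the one posted above and reports VLAN sub-interfaces (such as eth0.10) whose VLAN is missing from the switch or lacks the tagged CPU port, and physical ports left untagged in more than one VLAN. The function names, the messages and the CPU port default of 6 (taken from the posted config) are assumptions, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): lint swconfig VLANs in an OpenWrt network config.
# Assumption: the CPU port is 6, as in the configuration posted above.

check_vlans() {  # usage: check_vlans FILE|- [CPU_PORT]; prints problems, returns 1 if any
    _found=$(awk -v cpu="${2:-6}" -v q="'" '
    function endsect(   i, n, p) {         # evaluate the switch_vlan section just read
        if (sect == "switch_vlan" && vid != "") {
            seen[vid] = 1
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) {
                if (p[i] == (cpu "t")) cputag[vid] = 1
                else if (p[i] !~ /t$/ && p[i] != cpu) untag[p[i]] = untag[p[i]] " " vid
            }
        }
        vid = ""; ports = ""
    }
    { gsub(q, "") }                        # strip the quotes around UCI values
    $1 == "config" { endsect(); sect = $2 }
    sect == "switch_vlan" && $2 == "vlan"  { vid = $3 }
    sect == "switch_vlan" && $2 == "ports" { for (i = 3; i <= NF; i++) ports = ports " " $i }
    # VLAN sub-interfaces used by bridges or interfaces, e.g. eth0.10
    ($2 == "ports" || $2 == "device") && $3 ~ /^eth[0-9]+\.[0-9]+$/ {
        v = $3; sub(/^.*\./, "", v); used[v] = $3
    }
    END {
        endsect()
        for (v in used) {
            if (!(v in seen)) print used[v] ": no switch_vlan for VLAN " v
            else if (!(v in cputag)) print used[v] ": CPU port " cpu " is not tagged in VLAN " v
        }
        for (port in untag) if (split(untag[port], a, " ") > 1)
            print "port " port ": untagged in several VLANs:" untag[port]
    }' "${1:--}" | sort)
    if [ -n "$_found" ]; then printf '%s\n' "$_found"; return 1; fi
}

sample_config() {  # constructed sample modelled on the thread; $1 = port list of VLAN 10
    printf "config device\n\toption name 'br-guest'\n\tlist ports 'eth0.10'\n\n"
    printf "config switch_vlan\n\toption device 'switch0'\n\toption vlan '1'\n\toption ports '0 1 2 6t'\n\n"
    printf "config switch_vlan\n\toption device 'switch0'\n\toption vlan '10'\n\toption ports '%s'\n" "$1"
}

# On the AP: sh this-file /etc/config/network
if [ -n "${1:-}" ]; then check_vlans "$1"; fi
```

With the port list from the thread (`0t 6t`) the check prints nothing and returns 0.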