LAN-bridge configuration like AVM in OpenWrt

Hello all,
I am new to OpenWrt and am still having a hard time understanding some things. I hope I can get some help here :slight_smile:

I am about to replace my existing infrastructure (AVM) with OpenWrt.
What I have had so far:

  • 1x Router AVM with the functions DHCP, LAN incl. WLAN and second WLAN Guest.
  • On 2 floors I have one AVM repeater each configured as "LAN bridge". The repeaters are connected by cable to the "router" and provide the two WLANs (WLAN & WLAN Guest) on the floor.

I would like to have the same now with OpenWrt.
My current status is as follows:

  • OpenWrt "Router" (Netgear WAX202) which provides the internet access and the services DHCP, Firewall, LAN incl. WLAN and a second separate WLAN as "WLAN Guest".

Now I would also like to replace the two AVM repeaters on the floors with two OpenWrt devices (Netgear WAX206) which I have available now.
It's very difficult for me to find out what I have to configure in OpenWrt on these two devices now.
My goal is that the two OpenWrt devices (WAX206) on the floors will provide the LAN incl. WLAN from the "router" (WAX202) and also the second WLAN Guest as a separate WLAN with only internet access.
Thus, the same LAN and WLANs are available on all floors, whereby the OpenWrt devices are all connected by cable.

I don't understand how to implement this in the easiest way. Hopefully someone can give me a jump start :slight_smile:

Thanks for any answers :slight_smile:

If you can connect your OpenWrt devices with an ethernet cable, the "dumb-AP" recipe in the wiki applies (very easy setup).

1 Like

I would bring up the main WiFi as suggested by @slh first. Then you can add the guest WiFi, but you need to set up a VLAN trunk between your devices first so that the guest WiFi is also separated on the cable. There are a lot of threads here in the forum covering this Guest-WiFi-with-VLAN thing.

1 Like

@slh Perfect, do you mean this one LINK

@andyboeh Cool that it's nothing out of the ordinary that I want. Do you have an exact search term for what I need to look for? But I have now seen that the videos in the link above could help.
I have already thought in the direction of VLAN, but was not sure. I also thought that it might be possible to separate the guest WLAN via the firewall. But the firewall is even deactivated with such a dumb AP I think :slight_smile:

Yes, it's also a way; I'm doing it this way for guest and IoT, just to save one LAN port or not use tagged VLAN.

But I'm starting to realize that it's a more complicated setup :thinking:

Are your WAX206 working fine btw?

1 Like

Once you've understood how VLANs/the VLAN trunk works, it's a relatively simple setup.

My OpenWrt router is in the basement (no WiFi, it's a Ubiquiti ER-X) where I have two interfaces defined, IoT and LAN. One switch port is configured as VLAN trunk and can carry packets from both interfaces. I then have a managed switch as some of my IoT devices are connected via Ethernet and additional APs (all running OpenWrt in Dumb-AP mode). Each AP has the upstream port also set up as VLAN trunk and the WiFi interfaces assigned accordingly.

1 Like

@giuliomagnifico
I just got the two WAX206 today and will install them as soon as possible, latest this weekend :slight_smile: Then I can start with the configuration :slight_smile: Thanks for your information.

@andyboeh
Thank you very much. I am curious how long it will take me to get this done. I have never dealt with VLAN before and I'm afraid I have to read a lot first :slight_smile:
First it is enough for me to get the guest WLAN via VLAN :slight_smile: Another exercise will then actually be IoT... I also have a little of it in the house. That would be the next VLAN :slight_smile:
I am curious, once I start, how often I might have to contact you again. I will report in any case, even if I have success :slight_smile:

@giuliomagnifico The image works very well :slight_smile: Thanks again for that :slight_smile:

@all
The setup as dumb-AP is working, great..... next step VLAN - Guest WLAN :slight_smile:

Ok, as I feared, I have problems.
I have gone through the video: VLANs in OpenWrt 21
At 19:03, when I save, I have no internet or any connection inside my LAN or with WLAN anymore.

My initial situation is that my interface "br-lan" contains my 3 LAN ports and my two "WLANs" 2GHz and 5GHz. Port 1 of OpenWrt is connected to a switch, from this switch the cable goes e.g. to my laptop. But this is actually not a problem, or is it?

So if I change the interface to VLAN as shown in the video and save, I no longer have connections inside the LAN via cable or to the WLAN. I cannot connect to WLAN, and when I switch my laptop cable from port 2 to the switch, which is connected with port 1 in OpenWrt, I also have no internet or connections inside my LAN.
I did exactly as described in the video, step by step. With my laptop I was connected to port 2 so that I could still administrate OpenWrt after I had saved everything.
What am I doing wrong?

EDIT: Ok, I watched the video again now and at the end he says that you should not use VLAN 0,1,2..... But in fact I did not take VLAN 3, 4 and 99 as in the video but VLAN 1, 2, 3 :frowning: Maybe this is indeed the problem. I'll test the whole thing again :slight_smile:

Sorry for taking your time. Maybe I have a massive thinking error because of my wiring. I would like to show it, maybe someone can check. Maybe because of that alone it can't work.

  1. Router OpenWrt port 1 to switch
  2. One cable from switch to lower floor to port 1 from OpenWrt AP 1
  3. Port 2 OpenWrt AP 1 to switch
  4. From switch one cable to second floor port 1 OpenWrt AP 2
  5. Port 2 OpenWrt AP2 to switch.....

Can this work with VLAN between the OpenWrt devices while the end devices are connected to the switches? Otherwise, how should I wire it correctly?

Is your switch managed or unmanaged?

If it's a managed switch, you can use VLAN trunks. That's one physical cable carrying several logical VLANs. IMHO the easiest configuration is to configure all VLANs as tagged on this port. The advantage is that you only need a single cable to carry all VLANs. On your switch you can then configure the remaining ports as "untagged" as you require for your Ethernet devices.

If it's an unmanaged switch, matters are a bit more complex. You can still use tagged VLANs, but the switch won't be aware of this and will not be able to isolate the ports. Hence, you have a risk of mixing up guest network and private network if you add additional wired devices to the switch. If only the APs and routers are involved, an unmanaged switch should work fine.

In both cases you will only need one cable per device.

As an alternative, you can use two cables with untagged VLANs, but then you cannot mix them at an unmanaged switch since you have to isolate the different networks. Thus, you need either a managed switch to perform the isolation (but then you can use VLANs anyway) or two switches (but given the cost and power consumption of a switch, that's not a very economical solution).

An example (my setup):

The router - Ubiquiti ER-X, only lan1 is used as VLAN trunk port, so this port is configured as "tagged" on all VLANs. Please be aware that this is a DSA device. 4 defined VLANs:

  • 1: Management interface
  • 100: Modem, only the router and the modem are in this VLAN; I have a PPPoE connection over VLAN 100
  • 200: Private VLAN for the majority of devices
  • 300: IoT VLAN for all "insecure" devices

The main router provides three different DHCP servers in different subnets.

/etc/config/network:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.300'
	option ipaddr '192.168.17.1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'eth0:t'

config interface 'Management'
	option proto 'static'
	option device 'br-lan.1'
	option netmask '255.255.255.0'
	option ipaddr '192.168.20.1'

config interface 'Haustechnik'
	option proto 'static'
	option device 'br-lan.200'
	option ipaddr '192.168.18.1'
	option netmask '255.255.255.0'

config interface 'modem'
	option proto 'static'
	option device 'br-lan.100'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'

And the configuration of one AP (only has one Ethernet port anyway; the bridges are required for attaching the WiFi interfaces). Each AP has a static IP on VLAN1 and DHCP clients on VLAN1, VLAN200 and VLAN300 (so they all receive multiple IPs from different subnets). One WiFi interface is then attached to br-Private and the other to br-Haustechnik.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.20.60'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'Client'
	option proto 'dhcp'
	option device 'br-lan'
	option hostname 'eap225-Mgmt'

config interface 'Private'
	option proto 'dhcp'
	option hostname 'eap225Private'
	option device 'br-Private'

config interface 'Haustechnik'
	option proto 'dhcp'
	option hostname 'eap225Technik'
	option device 'br-Haustechnik'

config device
	option name 'br-Haustechnik'
	option type 'bridge'
	list ports 'eth0.200'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'br-Private'
	option type 'bridge'
	list ports 'eth0.300'
	option macaddr 'xx:xx:xx:xx:xx:xx'

On the router, the remaining Ethernet ports can be used by regular devices and are configured as "Management". The AP cannot be used by non-VLAN-aware devices as it's tagged only.

1 Like

Thank you for your time and the detailed information :slight_smile: It is all very complicated for me at the moment and I think I don't understand it all at the moment. I think I have to read a lot more :slight_smile: to understand.

My switches are not managed. I have 3 Netgear GS116, but if it is much easier then I would like to exchange them for managed switches, maybe something like the Netgear GS305E?

If I understood correctly the following is not possible.

Router port 1 (VLAN tagged LAN/GUEST/IOT) to switch and from there to port 1 of AP1 is not possible? Because the switch is not managed, right?
So I have to somehow make sure that port 1 of router and AP are directly connected. This way I can provide the WLANs on the respective floor. The switches would have to be connected to port 2 of router or AP because port 2 is untagged and the clients fall into the normal LAN, which is ok in my case.

Alternatively I buy managed switches because it is much easier and you have all options.

Would it be better if I buy managed switches? :slight_smile:

You should be able to get it working with your unmanaged switch, but you will need a different configuration than mine (I never tried that as I have completely switched to managed switches):

Configure the one VLAN, that you require on the Ethernet ports, as "untagged" and set its PVID in the VLAN configuration. The other VLAN, that is only required to communicate with the APs, is "tagged" on both ends. Now all Ethernet packets from your wired ports do not have a VLAN tag and are interpreted correctly by the router. However, the Guest WiFi is bridged to a tagged VLAN and all packets from this VLAN do have the tag. The router can therefore distinguish the separate networks. This still requires just one cable for each AP.

I would try this approach first and not replace the switches. If you trust your wired clients and don't need other managed stuff, there is IMHO no real reason to exchange them.

Do not go for the really cheap managed switches. I had the TP-Link equivalent (GS108E) which is real crap. If you want to go down this route, invest in the next better device - on some of them you can even run OpenWrt (e.g. the Netgear GS308T or the Zyxel GS1900 series).

1 Like
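An added check, written for this thread and not taken from OpenWrt or from any poster: it parses the DSA bridge-vlan sections of a /etc/config/network in the style of the router config posted above and reports the trunk port (tagged in every VLAN) and any port left untagged in more than one VLAN, which is the mistake that quietly merges the guest network with the LAN on an access port. The sample configs are constructed; the VLAN 3 section is an assumed guest VLAN added only to show the faulty case.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the router config posted in this thread (only
# the DSA bridge-vlan sections): eth0 is the trunk, eth1 is a plain LAN access port.
ROUTER_CONFIG = """config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:t'
	list ports 'eth1'
config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'eth0:t'
"""
# Constructed mistake: eth1 additionally left untagged in an assumed guest VLAN 3.
BAD_CONFIG = ROUTER_CONFIG + """config bridge-vlan
	option vlan '3'
	list ports 'eth0:t'
	list ports 'eth1'
"""
# DSA port syntax: 'eth0:t' tagged, 'eth0:u*' or bare 'eth0' untagged with PVID.
PORT_RE = re.compile(r"^\s*list\s+ports\s+'([^':]+)(?::([tu*]+))?'")

def parse_bridge_vlans(text):
    """Return {vlan_id: {port: tagged_bool}} from the bridge-vlan sections."""
    vlans, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            current = {} if s.split()[1] == "bridge-vlan" else None
        elif current is not None and s.startswith("option vlan "):
            vlans[int(s.split("'")[1])] = current
        elif current is not None and (m := PORT_RE.match(line)):
            current[m.group(1)] = "t" in (m.group(2) or "")
    return vlans

def untagged_conflicts(vlans):
    """Ports untagged in more than one VLAN: a device there sees every such network."""
    seen = defaultdict(list)
    for vid, ports in vlans.items():
        for port, tagged in ports.items():
            if not tagged:
                seen[port].append(vid)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}

def trunk_ports(vlans):
    """Ports tagged in every defined VLAN: the one cable carrying all networks."""
    return sorted(p for p in set().union(*vlans.values())
                  if all(v.get(p) for v in vlans.values()))
```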

Because of your valuable tips I have decided to make it a little easier for myself and I got now a managed switch GS308T.
My new planned setup will be....

  1. Router port 1 (tagged) to port 1 of AP(1).
  2. Router port 2 (untagged with PVID) to unmanaged switch for "normal" LAN.
  3. AP(1) port 2 (tagged) to port 1 of AP(2)
  4. AP(1) port 3 (untagged with PVID) to unmanaged switch for "normal" LAN.
  5. AP(2) port 2 (tagged) to managed switch for management from other VLANs via wire.

So I should have different WLANs as VLAN at each AP and at AP(2) even the VLAN by cable.

This should work and is a possible way, right? Or would it be better to wire to a managed switch immediately at point 1 and then manage all other components from that managed switch?

This should work. Just for the sake of completeness: You don't need (4) if it's the same unmanaged switch as (2). If you're talking about a different one (you mentioned several GS116), then yes, that's right. Same is true for 5.

You can stick with the stock firmware on the GS308T or install OpenWrt. If you do the latter, you'll end up with the same configuration interface as on the router, which is what I prefer.

The exact network layout depends on your requirements, especially regarding throughput: Cascading multiple switches means that all traffic from a downstream switch needs to pass through a single wire to an upstream switch. In larger environments, this could create a bottleneck - that's why 10G is often used as interconnect.

In my home, I have several switches cascaded because I can't run more cables in certain areas - and I don't want to invest in 10G switches (I have a GS1900-24E, a GS1900-24HPv2, a GS308T, a GS108Tv3 and a GS1900-8HP in different cascaded configurations).

1 Like

Yes, they are different switches, cool, then that will be my weekend task to implement this :slight_smile: I will report again :slight_smile: Thanks for your confirmation.

EDIT: Yet another question. Does it make a difference if I connect at point 1 directly to the managed switch and then to the APs? Would it be the same in the end? Because managing the different VLANs should be possible on the existing ports of the APs, or?

That's what I meant with throughput - both solutions will work, but you might limit throughput for some clients if you have a lot of traffic:

GS116 - AP - GS308T means that all traffic from GS116 has to pass through the single wire from the AP to the GS308T, together with the AP's traffic
GS116 - GS308T - AP means that you separate the traffic and have more bandwidth to the GS308T.

It doesn't make a difference for Internet access (unless you have a 1G connection) since that is the bottleneck, but it might make a difference if you have a NAS or other network server (then again the single NAS connection could be the bottleneck).

1 Like

All right, I understand. Would the following then not be the best solution in my case?

  1. Router port 1 (tagged) to port 1 of AP(1).
  2. Router port 2 (untagged with PVID) to unmanaged switch(1) for "normal" LAN.
  3. AP(1) port 2 (tagged) to managed switch for VLAN configuration possibility from each port there
  4. AP(1) port 3 (untagged with PVID) to unmanaged switch(2) for "normal" LAN.
  5. Managed Switch any Port (tagged) to port 1 of AP(2)
  6. AP(2) port 2 (tagged) for VLAN configuration.
  7. AP(2) port 3/4 (untagged) can use for "normal" LAN

Would that be a good concept? Or do you have another improvement?
This way, I mean, I have the possibility to provide the VLANs on each floor via WLAN or via cable without a bottleneck? Otherwise I have probably not understood everything.

I suggest you just try it. Be sure not to create loops or redundant connections!

Ok I will try, at least on paper I do not see any redundant connections.