Luci and Wifi on different VLANs

Hey there,

I have a project with four Extreme Networks APs flashed with OpenWrt. They have one LAN port and two wifi interfaces (2.4 GHz and 5 GHz). I would like to access LuCI only from a specific VLAN. The wifi should be on another one.

On the other side is an OPNsense router taking care of the DHCP server, voucher system and firewall.

I found some tutorials about routing different wifis through different VLANs, but not for LuCI.

Is this even possible?

I tried a few things but only managed to lock myself out.

NOTE: I am not a VLAN expert, so others are free to correct me.

LuCI running through uhttpd doesn't care about VLANs; it binds to a specific address/interface, regardless of VLAN settings.
With that in mind, what you can do is:

  1. Set up an interface/subnet for the VLAN that can access LuCI.
  2. In /etc/config/uhttpd -> uhttpd/main, remove all listen_http and listen_https lists, then add list listen_http '<VLAN address>:80' and optionally list listen_https '<VLAN address>:443'.
  3. Run service uhttpd restart and then make sure it's listening on the correct interface: netstat -lnp | grep uhttpd

Yes, absolutely possible. This is what would be referred to as a management VLAN. You can choose to have this network available on wifi or only on ethernet. The other network will be transparently bridged such that the OpenWrt device doesn't even have an address on that network. This means that the AP only has an address on the management VLAN, and is thus only reachable from it.

If you want us to help, what we need are the following:

  • What are the VLAN IDs for each of the networks?
  • Are both networks tagged, or is one untagged (and if so, which one?)?
  • What is the address that your AP will use on the management network?
  • Do you want the management network to also be used on a broadcasting SSID?
  • Post config files - see below

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you for your replies!

I have no VLAN IDs set at the moment as it is still sitting on my workbench, but let's assume the management is 10 and the wifi 20. There is a switch with management for PoE power supply sitting between the APs and the OPNsense router, so I think I have to use tagged VLANs.

I want to use the address 192.178.1.7 for the management - assigned by DHCP so I can easily add additional APs. But if static IPs are the better way, I have no problem with that.

The management should only be reachable via LAN (copper).

The configs:

 OpenWrt SNAPSHOT, r27497-1a288670d9

root@OpenWrt_4:~# ubus call system board
{
        "kernel": "6.6.52",
        "hostname": "OpenWrt_4",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Extreme Networks WS-AP3915i",
        "board_name": "extreme-networks,ws-ap3915i",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r27497-1a288670d9",
                "target": "ipq40xx/generic",
                "description": "OpenWrt SNAPSHOT r27497-1a288670d9"
        }
}
root@OpenWrt_4:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb8:24d0:247c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option name 'br-lan.1'

root@OpenWrt_4:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'VHT20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt_4:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt_4:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
root@OpenWrt_4:~#

There is no firewall set at the moment as I treat it as a sandbox system. It has no connection to my local network and doesn't contain any sensitive data. Of course the final system will have a firewall. Also my intention is to let OPNsense deal with the firewall - but I am missing a part for the final hardware.

Ok... I'd suggest that you first set up the VLANs on your main router. But, the process on OpenWrt is fairly simple so I'll show that.

You'll also need to make sure the switch is properly configured.

As far as tagged/untagged -- the 802.1Q standard allows zero or one untagged and zero, one or many tagged networks to exist on a port/cable. You need to decide if you'll be untagged + tagged, or all tagged.

Either way is fine... but right now you've got a config issue (I'll get to that in a moment). Also, I'm assuming you meant 192.168 (not 178).

Ok.

I'd recommend that you consider running a stable release instead of snapshot, unless there is a reason you want/need to be on the bleeding edge.
https://firmware-selector.openwrt.org/?version=23.05.5&target=ipq40xx%2Fgeneric&id=extreme-networks_ws-ap3915i

Regarding tagging... There are two possible approaches here -- bridge vlans or dotted notation. With single port devices, we can usually use direct dotted notation, but sometimes that doesn't work. We'll start there and adapt if needed.

If VLAN 10 is going to be tagged, edit br-lan to use port lan.10:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan.10'

If you wish to use DHCP client for the AP to get its address, remove the lines below option proto 'dhcp'.

If you want to use static, change proto to static and set the address as desired:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.7'
        option netmask '255.255.255.0'

In the DHCP file, you must disable your DHCP server on the lan interface. Edit the lan DHCP server like this:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

Add a new bridge for the wifi network:

config device
        option name 'br-wifi'
        option type 'bridge'
        list ports 'lan.20'

and then create an unmanaged network for the wifi network:

config interface 'wifi'
        option device 'br-wifi'
        option proto 'none'

The AP won't actually serve as a firewall for your network -- that's all on the pfsense device. This is just an Ethernet-wifi bridge.

That said, I do recommend leaving the firewall service enabled and the config file as it is. There is no reason to change anything here, and it makes it less likely that you'll encounter any issues.
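The two replies above (binding uhttpd to the management address, and the tagged-bridge layout with lan.10 / lan.20, an unmanaged wifi network and the AP's own DHCP server disabled) describe a design that is easy to get subtly wrong, and the original poster already locked themselves out once. Here is an added example, not code from this thread or from OpenWrt, that parses the UCI file syntax and reports where a set of config files deviates from that design. It assumes the management interface is still called 'lan' and that the uhttpd section is named 'main' (both as in the thread); the VLAN IDs 10/20 and the address 192.168.1.7 are taken from the thread, and the GOOD/BAD sample configs are constructed here rather than read from a device.

```python
"""Audit an OpenWrt AP's UCI config for management-plane exposure.

Added example, not code from this thread or from OpenWrt. It parses the
/etc/config/* syntax and checks the design the replies describe: the AP has an
address only on the management interface, no SSID is attached to it, the AP's own
DHCP server ignores it, and uhttpd (LuCI) listens on the management address only.
"""
import shlex


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options': {k: v}, 'lists': {k: [v]}}]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        tok = shlex.split(line) if line and not line.startswith("#") else []
        val = tok[2] if len(tok) > 2 else ""   # UCI allows unnamed sections and bare 'option x'
        if tok and tok[0] == "config":
            sections.append({"type": tok[1], "name": val or None, "options": {}, "lists": {}})
        elif tok and tok[0] == "option" and sections:
            sections[-1]["options"][tok[1]] = val
        elif tok and tok[0] == "list" and sections:
            sections[-1]["lists"].setdefault(tok[1], []).append(val)
    return sections


def audit(network, wireless, dhcp, uhttpd, mgmt="lan", mgmt_addr=None):
    """Return findings as strings; an empty list means the config matches the design."""
    f = []
    net = parse_uci(network)
    ifaces = {s["name"]: s for s in net if s["type"] == "interface"}
    devices = {s["options"].get("name"): s for s in net if s["type"] == "device"}
    if mgmt not in ifaces:
        return [f"management interface '{mgmt}' not defined"]
    # 1. Only the management interface holds an address; every other network is a plain bridge.
    for name, s in ifaces.items():
        if name not in (mgmt, "loopback") and s["options"].get("proto") != "none":
            f.append(f"interface '{name}' is not unmanaged (expected proto 'none')")
    # 2. The management bridge carries only tagged sub-interfaces (lan.<vid>), the all-tagged choice.
    bridge = devices.get(ifaces[mgmt]["options"].get("device"), {"lists": {}})
    for port in bridge["lists"].get("ports", []):
        if not port.rpartition(".")[2].isdigit():
            f.append(f"management bridge port '{port}' is untagged")
    # 3. Management is copper-only: no SSID may be attached to it.
    for s in parse_uci(wireless):
        if s["type"] == "wifi-iface" and s["options"].get("network") == mgmt:
            f.append(f"SSID '{s['options'].get('ssid')}' is attached to '{mgmt}'")
    # 4. The router serves DHCP on the management VLAN; the AP's dnsmasq must ignore it.
    for s in parse_uci(dhcp):
        if (s["type"] == "dhcp" and s["options"].get("interface") == mgmt
                and s["options"].get("ignore") != "1"):
            f.append(f"dhcp section '{s['name']}' serves leases on '{mgmt}'; set ignore '1'")
    # 5. uhttpd binds to the management address only (never the 0.0.0.0 / [::] defaults).
    mgmt_addr = mgmt_addr or ifaces[mgmt]["options"].get("ipaddr")
    if not mgmt_addr:
        f.append("management address unknown (proto dhcp): pass mgmt_addr explicitly")
    for s in parse_uci(uhttpd):
        for key in ("listen_http", "listen_https") if s["type"] == "uhttpd" else ():
            for entry in s["lists"].get(key, []):
                if entry.rsplit(":", 1)[0] != mgmt_addr:
                    f.append(f"uhttpd {key} '{entry}' is not bound to the management address")
    return f


# Constructed sample configs (nothing is read from a device). GOOD is the layout the
# thread ends with (VLAN 10 management, VLAN 20 wifi, AP at 192.168.1.7); BAD is the
# factory-style starting point, where LuCI answers on every network.
GOOD = dict(
    network="config device\n option name 'br-lan'\n option type 'bridge'\n list ports 'lan.10'\n"
            "config interface 'lan'\n option device 'br-lan'\n option proto 'static'\n"
            " option ipaddr '192.168.1.7'\n option netmask '255.255.255.0'\n"
            "config device\n option name 'br-wifi'\n option type 'bridge'\n list ports 'lan.20'\n"
            "config interface 'wifi'\n option device 'br-wifi'\n option proto 'none'\n",
    wireless="config wifi-iface 'default_radio0'\n option network 'wifi'\n option mode 'ap'\n option ssid 'Guest'\n",
    dhcp="config dhcp 'lan'\n option interface 'lan'\n option dhcpv4 'server'\n option ignore '1'\n",
    uhttpd="config uhttpd 'main'\n list listen_http '192.168.1.7:80'\n list listen_https '192.168.1.7:443'\n",
)
BAD = dict(
    network="config device\n option name 'br-lan'\n option type 'bridge'\n list ports 'lan'\n"
            "config interface 'lan'\n option device 'br-lan'\n option proto 'dhcp'\n option ipaddr '192.168.1.1'\n",
    wireless="config wifi-iface 'default_radio0'\n option network 'lan'\n option mode 'ap'\n option ssid 'OpenWrt'\n",
    dhcp="config dhcp 'lan'\n option interface 'lan'\n option dhcpv4 'server'\n",
    uhttpd="config uhttpd 'main'\n list listen_http '0.0.0.0:80'\n list listen_http '[::]:80'\n",
)

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, "->", audit(**cfg) or "no findings")
```

To use it on a real AP, copy /etc/config/network, wireless, dhcp and uhttpd off the device (scp works, as with the sysupgrade image) and pass their contents to audit() before you plug the AP into the production switch. If the AP takes its address by DHCP, pass mgmt_addr explicitly and make sure that address is stable (a reservation on the router), because uhttpd is bound to a literal address and will not follow a lease change. The script checks the files, not the running state, so the netstat check from the first reply is still the final confirmation.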

I am a bit overwhelmed, this is some really nice explanation! Thank you.

I will go for all tagged. As I understand it, I have to set the VLAN tags on the switch ports connected to the APs to 10 and 20, and also on the port connecting the router. On the router, VLAN 20 needs WAN access and VLAN 10 needs access to the port holding the management PC. Also both need a DHCP server if I decide to use DHCP for the management.

You are right - it is 192.168.x.x

I followed a tutorial and there was a link to the snapshot version, which I downloaded without thinking. So download the stable, upload it via WinSCP and do a sysupgrade?

The ignore option disables the DHCP server?

I am working at the moment, so I have to wait till the afternoon to try it.
Again thank you for your time and the good tutorial.

Sounds good.

Pro-tip: configure your switch for a trunk (that is a port that carries multiple networks) on the ports that connect to the router and to the AP. But, set aside two other ports -- at least temporarily -- so that you can make them access ports (just one network, untagged + PVID). Assign VLAN 10 to one port and VLAN 20 to the other. Then you can plug in a computer via ethernet and verify that you get the expected connectivity. This will ensure that you can guarantee that the router and switch are configured properly.

Yes. I recommend a DHCP server on each network unless you have a specific reason not to have one.

Yes, exactly. When you scp the file, send it to /tmp/. Then, upgrade using sysupgrade and use the -n argument to allow the device to reset to defaults during the upgrade (sysupgrade -n /tmp/<filename>). Then configure from scratch.

Yes. It is an explicit disabling by saying to the DHCP server "ignore DHCP requests on this interface."

Sounds good. I do recommend you work on the router and switch first since they are obviously prerequisites.

That Sir, saved me a lot of trouble!

The DHCP is up and running. I have some trouble with the ranges, but this is an OPNsense thing.

The OpenWrt side is working. There are still some problems with the VLANs on the switch and OPNsense I have to figure out.

Your help was awesome! Thank you!

Glad I could help!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!