Luci and Wifi on different VLANs

Ok... I'd suggest that you first set up the VLANs on your main router. But, the process on OpenWrt is fairly simple, so I'll show that.

You'll also need to make sure the switch is properly configured.

As far as tagged/untagged -- the 802.1q standard allows zero or one untagged and zero, one, or many tagged networks to exist on a port/cable. You need to decide if you'll be untagged + tagged, or all tagged.

Either way is fine... but right now you've got a config issue (I'll get to that in a moment). Also, I'm assuming you meant 192.168 (not 178).

Ok.

I'd recommend that you consider running a stable release instead of snapshot, unless there is a reason you want/need to be on the bleeding edge.
https://firmware-selector.openwrt.org/?version=23.05.5&target=ipq40xx%2Fgeneric&id=extreme-networks_ws-ap3915i

Regarding tagging... There are two possible approaches here -- bridge vlans or dotted notation. With single port devices, we can usually use direct dotted notation, but sometimes that doesn't work. We'll start there and adapt if needed.

If VLAN 10 is going to be tagged, edit br-lan to use port lan.10:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan.10'

If you wish to use DHCP client for the AP to get its address, remove the lines below option proto 'dhcp'.

If you want to use static, change proto to static and set the address as desired:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.7'
        option netmask '255.255.255.0'

In the DHCP file, you must disable your DHCP server on the lan interface. Edit the lan DHCP server like this:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

Add a new bridge for the wifi network:

config device
        option name 'br-wifi'
        option type 'bridge'
        list ports 'lan.20'

and then create an unmanaged network for the wifi network:

config interface 'wifi'
        option device 'br-wifi'
        option proto 'none'

The AP won't actually serve as a firewall for your network -- that's all on the pfSense device. This is just an Ethernet-wifi bridge.

That said, I do recommend leaving the firewall service enabled and the config file as it is. There is no reason to change anything here, and it makes it less likely that you'll encounter any issues.
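
An added sanity check for the configuration described in this post (example code, not part of the original reply and not an OpenWrt tool): it confirms that br-lan and br-wifi share no port, that the wifi interface is unmanaged, and that the lan DHCP server is ignored. The function names are hypothetical and the file contents are constructed from the stanzas above; on the AP you would pass /etc/config/network and /etc/config/dhcp.

```shell
#!/bin/sh
# Added example, not from the post. File contents below are constructed.
q="'"   # the awk helpers strip single quotes from UCI values

# Ports of bridge device $2 in network file $1 (option name must precede ports).
bridge_ports() {
    awk -v q="$q" -v want="$2" '{ gsub(q, "") }
        $1 == "config" { dev = ($2 == "device"); name = ""; next }
        dev && $1 == "option" && $2 == "name" { name = $3 }
        dev && $1 == "list" && $2 == "ports" && name == want { printf "%s ", $3 }' "$1"
}

# Value of option $4 in section "config $2 '$3'" of file $1.
section_opt() {
    awk -v q="$q" -v t="$2" -v n="$3" -v o="$4" '{ gsub(q, "") }
        $1 == "config" { hit = ($2 == t && $3 == n); next }
        hit && $1 == "option" && $2 == o { print $3 }' "$1"
}

# audit_ap NETWORK_FILE DHCP_FILE: prints each failed check, returns 0 if none.
audit_ap() {
    rc=0
    mgmt=$(bridge_ports "$1" br-lan); wifi=$(bridge_ports "$1" br-wifi)
    [ -n "$mgmt" ] && [ -n "$wifi" ] || { echo "FAIL: br-lan or br-wifi has no ports"; rc=1; }
    for p in $mgmt; do
        case " $wifi" in *" $p "*) echo "FAIL: $p is in both bridges"; rc=1 ;; esac
    done
    [ "$(section_opt "$1" interface wifi proto)" = none ] ||
        { echo "FAIL: interface wifi is not proto none"; rc=1; }
    [ "$(section_opt "$2" dhcp lan ignore)" = 1 ] ||
        { echo "FAIL: DHCP server still enabled on lan"; rc=1; }
    return $rc
}

d=$(mktemp -d)
cat > "$d/network" <<'EOF'
config device
        option name 'br-lan'
        list ports 'lan.10'
config device
        option name 'br-wifi'
        list ports 'lan.20'
config interface 'wifi'
        option device 'br-wifi'
        option proto 'none'
EOF
printf "config dhcp 'lan'\n\toption interface 'lan'\n\toption ignore '1'\n" > "$d/dhcp"
audit_ap "$d/network" "$d/dhcp" && echo "PASS: management and wifi bridges are separate"
```

With proto 'none' the AP holds no IP address on the wifi VLAN, so its web interface is only reachable through the lan interface on VLAN 10.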