Managed switch VLAN configuration

Hi. I am trying to configure OpenWRT to use as a managed switch with VLANs to separate out my networks. The basic plan is:

I have OpenWRT on the Plusnet Hub (same as BT Home Hub 5). I want the VLANs configured thusly:

VLAN1 - Trusted, can access the OpenWRT web interface and internet
VLAN2 - Untrusted, can only access the internet
VLAN3 - Untrusted, can only access the internet

Interfaces:

LAN1 - pfSense router
LAN2 - VLAN1
LAN3 - VLAN2
WiFi - VLAN3

I followed the instructions to create a "dumb AP" here: https://openwrt.org/docs/guide-user/network/wifi/dumbap

So I have the firewall, dnsmasq and odhcpd services disabled.

I am having trouble with the VLAN configuration. I have it set up like this:

If I plug my laptop into LAN1, I can access the OpenWRT web interface (LuCI). If I plug in to LAN2, I can't access the web interface anymore. I get either an HTTP 500 error, or after refreshing a few times a 403 Forbidden error.

I'm also wondering about the connection to pfSense. I was thinking I could use the WAN port, but do I leave it as "unmanaged" or does it need an IP address? It should only ever need to route packets via layer 2 stuff, so won't need an IP address I think.

Thanks for any advice.

VLAN 3 needs to be tagged to the CPU so that it can be software bridged to the wifi driver. VLAN 2 you can leave off on the CPU if the only need is hardware switching from the trunk cable to the LAN2 port.

Create a network of proto none (Unmanaged) and type bridge for VLAN 3. Name this network something like 'guest' or 'vlan3'. eth0.3 will be its physical port. In the wifi config attach an AP to that network.

You probably want an access (untagged) port on VLAN1 for your laptop. Such ports will be untagged in exactly one VLAN and off in all the others. The other sort of port is the trunk port which is tagged in all relevant VLANs and off in those it doesn't need. Do not try to mix tagged and untagged on the same port unless you absolutely have to in order to attach to a network you don't control.

3 Likes

Thanks, but I'm not sure I understand. I think I have done what you suggested. My wlan0 interface is now set up like this:

wlan0

I have now configured my vlans like this:

I still can't access the LuCI web interface from LAN2 or LAN3 ports though. I also tried setting VLAN 2 LAN 2 to tagged, and still couldn't access the web interface. I keep getting the 403 forbidden error.

My firewall is set up like this:

Presumably I don't need any firewall rules though, as the firewall service is disabled.

All traffic will travel from wifi to the pfSense and then will be sent to the OpenWrt uhttpd server. Make sure that traffic is allowed to reach LuCI both on pfSense and in the uhttpd configuration.
You don't need all these zones and forwardings in the firewall, especially since it is disabled.

1 Like

That's good, it's not supposed to. Those are untrusted networks so you don't want anyone to be able to hack in. You could make LAN4 untagged on VLAN 1 and then you should be able to log in from that port.

Your original post wanted 3 VLANs: number 1 trusted, number 2 untrusted, number 3 also untrusted and with a wifi AP. So don't make a VLAN 4, simply put the wifi AP into a bridge for VLAN 3.

Another good point. The firewall works at layer 3 (IP address based) so your two LANs that don't have an IP address won't be affected by the firewall at all. The default firewall allows all incoming ports on the LAN (trusted) so it really isn't doing anything here.

If you're intending to locally route the guests instead of merely bridging them all back to the pfSense box for it to deal with them, that's a different situation entirely. Then it isn't a dumb AP any more.

1 Like

Edit: I'm an idiot, I forgot that the laptop was connected to WiFi and there is a device on that network with the same IP address. Excuse me while I sort that out...

I had to do a factory reset to get back in. Somehow I managed to lock myself out while trying to set things up as you suggested. I think I have it right now, although it's late so I haven't fully tested it yet. Anyway, for anyone else with the same question...

Switch:

I set up the WAN interface to be the one connected to my router. It's just a normal port on the switch, nothing special about it except for the name assigned to it (and a red connector).

WAN - to router that supports VLANs (trunk with tags)
CPU - Wifi and LuCI web interface
LAN 1 - trusted network connects to this port
LAN 2/3/4 - untrusted networks connect to these ports

VLAN 1 - trusted network
VLAN 2 - untrusted network
VLAN 3 - WiFi network

I deleted the WAN interfaces as they are not needed. Confusingly these are nothing to do with the port named WAN, they are actually set up for the DSL modem that I'm not using.

You need to create an interface for VLAN 3 here. As the wiki says, it's better to think of these as connectors rather than interfaces.

Question: Do I even need the LAN interface? I see it can be used to bridge the wifi networks to the VLANs, but I don't want to do that.

Under wireless settings for each wireless adapter (there is one for 2.4GHz and one for 5GHz):

The "Network" choice is the VLAN I want the WiFi to use, in this case 3.

Is that all looking correct? The only other thing left to consider is disabling dslcontrol in startup, but I need to check if it actually saves power.

Thanks for the assistance so far.
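As an added example that is not code from this thread or from OpenWrt, the script below lints a swconfig-style `switch_vlan` table from `/etc/config/network` against the port rules given in the earlier reply (an access port is untagged in exactly one VLAN, a trunk port is tagged only, never mix tagged and untagged on one port, and a VLAN that carries a wifi AP must be tagged to the CPU) and against the final layout in this post (WAN as the tagged trunk to the router, LAN1 untagged in VLAN 1, LAN2/3/4 untagged in VLAN 2, VLAN 3 reaching the CPU for wifi). The sample config, the switch port numbers, the port name map and the CPU port number are constructed assumptions for illustration; the real numbering for a given device comes from `swconfig dev switch0 show`.

```python
"""Lint an OpenWrt swconfig-style VLAN table for the access/trunk port rules."""
import re
from collections import defaultdict

# Constructed sample of switch_vlan sections. Port numbers are ASSUMED:
# 0-3 = LAN1..LAN4, 4 = WAN (trunk to the router), 6 = CPU.
SAMPLE_NETWORK_CONFIG = """
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 4t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 2 3 4t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '4t 6t'
"""

PORT_NAMES = {0: "LAN1", 1: "LAN2", 2: "LAN3", 3: "LAN4", 4: "WAN", 6: "CPU"}
CPU_PORT = 6          # assumed CPU port number
MGMT_VLAN = 1         # VLAN that is allowed to reach LuCI
WIFI_VLANS = {3}      # VLANs that are software-bridged to a wifi AP


def parse_uci_sections(text):
    """Split UCI text into a list of {'_type': ..., option: value} dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append({"_type": line.split()[1]})
        elif line.startswith("option ") and sections:
            m = re.match(r"option\s+(\S+)\s+'?([^']*)'?$", line)
            if m:
                sections[-1][m.group(1)] = m.group(2)
    return sections


def parse_switch_vlans(text):
    """Return {vlan_id: {port_number: 'tagged' | 'untagged'}}."""
    vlans = {}
    for s in parse_uci_sections(text):
        if s["_type"] != "switch_vlan":
            continue
        ports = {}
        for tok in s["ports"].split():
            if tok.endswith("t"):
                ports[int(tok[:-1])] = "tagged"
            else:
                ports[int(tok)] = "untagged"
        vlans[int(s["vlan"])] = ports
    return vlans


def classify_ports(vlans, names=PORT_NAMES):
    """Label each port as access (untagged only) or trunk (tagged only)."""
    by_port = defaultdict(dict)
    for vid, ports in vlans.items():
        for port, mode in ports.items():
            by_port[port][vid] = mode
    result = {"access": [], "trunk": [], "mixed": []}
    for port in sorted(by_port):
        modes = set(by_port[port].values())
        label = names.get(port, f"port {port}")
        kind = "mixed" if len(modes) > 1 else ("trunk" if "tagged" in modes else "access")
        result[kind].append(label)
    return result


def lint_vlans(vlans, cpu_port=CPU_PORT, names=PORT_NAMES):
    """Return a list of rule violations (empty list means the table is clean)."""
    problems = []
    by_port = defaultdict(dict)
    for vid, ports in vlans.items():
        for port, mode in ports.items():
            by_port[port][vid] = mode
    for port in sorted(by_port):
        members = by_port[port]
        modes = set(members.values())
        label = names.get(port, f"port {port}")
        if modes == {"tagged", "untagged"}:
            problems.append(f"{label}: mixes tagged and untagged VLANs {sorted(members)}")
        elif modes == {"untagged"} and len(members) > 1:
            problems.append(f"{label}: untagged in more than one VLAN {sorted(members)}")
    for vid in sorted(WIFI_VLANS):
        if vlans.get(vid, {}).get(cpu_port) != "tagged":
            problems.append(f"VLAN {vid}: must be tagged on the CPU port to bridge to wifi")
    if cpu_port not in vlans.get(MGMT_VLAN, {}):
        problems.append(f"VLAN {MGMT_VLAN}: management VLAN does not reach the CPU port")
    return problems


if __name__ == "__main__":
    table = parse_switch_vlans(SAMPLE_NETWORK_CONFIG)
    print("ports:", classify_ports(table))
    print("problems:", lint_vlans(table) or "none")
```

To check a live box, read `/etc/config/network` from the device and pass its contents to `parse_switch_vlans` after correcting `PORT_NAMES` and `CPU_PORT` for that switch. The check for VLAN 2 deliberately does not require a CPU port, matching the earlier advice that a VLAN only hardware-switched between the trunk and an access port can stay off the CPU.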