Management, Guest, Internal VLAN on Meraki MR18

Deezer · March 2, 2020, 11:39am

Without any deeper knowledge of OpenWRT I try to create three separate VLANs on the MR18. But I fail misserably. Mostly because I cut myself from the management connection

I would like to create this:

Management -> VLAN 101
Guest SSID -> VLAN 102
Internal SSID -> VLAN 103

But the only thing I really manage to create is a bridge containing the Eth-port and the Internal SSID where the Management is also accessible.

Would you please be so kind to point me to parts of the documentation where I can create multiple SSIDs each tagged with defined VLAN tag?

Can you also describe how to put management on a specific VLAN?

The MR18 will be connected to a VLAN-capable switch, connected to a router.

Thank you very much for your support!

trendy · March 2, 2020, 12:10pm

I believe the MR18 doesn't have an internal switch, please correct me if I am wrong.
Then you need to create the 3 interfaces and for ifname use subinterface, e.g eth0.101 for Management
Then create the wireless SSIDs and assign each one of them to the appropriate interface.
Finally configure the firewall accordingly.
I suggest you assign an IP/Mask/GW/DNS only on the Management interface, and leave the other two with unmanaged protocol.

Deezer · March 2, 2020, 12:21pm

MR18 has support in its Meraki firmware. But you mean that the support could be lost when installing OpenWRT?

I was thinking all three would request dhcp from the router. Bad idea?

lleachii · March 2, 2020, 4:25pm

No one said that support for something would be lost...What are you even referring to?

OpenWrt supports VLANs if that's what you mean; but @trendy noted that the MR18 doesn't have a switch, it has a single Ethernet port. It may help to note that VLAN tags don't require a switch, maybe this is different from your understanding of Meraki documentation. You will have to properly setup your interfaces for VLANs.

All three what would get DHCP from the router?
Did you setup the networks yet?
If you're asking if you can use the OpenWrt for DHCP on all your VLANs, that answer is yes

This is a quite simple config to create new networks...the VLAN tagging on the Ethernet port will be the challenge not to lock yourself out; but you seem to be familiar with using a managed switch.

@trendy, @eduperez, @mk24, could you point @Deezer to some threads/documentation on how to setup VLAN tagging on an Ethernet interface?

trendy · March 2, 2020, 6:45pm

I think you misunderstood me.

No, it depends on your expectations. Bridging is faster and less stressful for the CPU, hence I suggested it.

At the bottom of the page about VLANs.

Deezer · March 3, 2020, 7:27pm

I would love to bridge Guest SSID with VLAN 102 and bridge Internal SSID with VLAN 103. Is that possible?

Where do I set VLAN ID for management interface?

Thank you very much for your support!

trendy · March 4, 2020, 12:16am

Yes, sure. There is documentation about guest network, which can be expanded for the internal. Just remember to bridge the wireless interface with the vlan subinterface.

Use subinterface ethX.101 as the physical interface.

Deezer · March 23, 2020, 11:07am

I'm sorry, I can't follow the guide since it's not really the same use case and since I just can't get my head around how OpenWRT's structured.

So... Let's make it even easier...

I have an OpenWRT WiFi Access Point, running one SSID bridged with ethernet port.

Now I would like to (in LuCI) create another SSID, tagged with VLAN 101. VLAN 101 will get DHCP from upstream router.

How can I create a new SSID putting clients on VLAN 101?

What needs to be set on:

Network/Wireless/Interface Configuration/Network?
Network/Wireless/Interface Configuration/Interface name?
Network/Interfaces/Add new interface... ?
Network/Interfaces/[New interface]/Physical settings/Interface ?
Network/Interfaces/[New interface]/Firewall settings/Create Assign firewall-zone?
Network/Firewall/Zones ?

Thank you very much for your reply. I would be very grateful for a tiny explanation on why a specific configuration is set.

trendy · March 23, 2020, 1:26pm

Add a new interface in Network/Interfaces and give a name of your liking. For Interface click on the drop down list, enter eth0.101 or eth1.101, that depends on the name that ethernet interface has. For protocol choose static or dhcp client. For firewall settings you may want to add it in a new or existing zone, it's up to you. DHCP settings you will leave then as ignored.
Then create a new Wireless SSID and assign it to the interface you just created.

Deezer · March 23, 2020, 3:14pm

Hi, thank you!

How can I make LuCI web interface not accessible on the newly created SSID?
Firewall zones. What difference does it make? I managed to put SSID1 on 192.168.1.1/24 (untagged) and SSID2 on 192.168.2.1/24 (tagged 101). Upstream firewall deny traffic between interfaces, so I can't see Firewall zones making a difference...

trendy · March 23, 2020, 6:50pm

Either block it on firewall or from the luci config.

That one can bypass the upstream firewall since you have IPs on all interfaces. If you don't want to have the firewall enabled, leave only one management interface with IP and for the rest assign protocol "none".

Deezer · April 1, 2020, 5:13am

Thank you very much for clearing this out for me. Now I have a working solution in place, based on your feedback.

trendy · April 1, 2020, 7:59am

You're welcome!

system · April 11, 2020, 7:59am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.