Multi-SSID WiFi on different VLANs

Hi,

I configured a switch so that port 1 is untagged VLAN 1, port 2 is untagged VLAN 2 and port 3 is tagged VLAN 1 + tagged VLAN 2 (trunk). Port 1 connects to another switch on SUBNET1, port 2 connects to another switch on SUBNET 2, port 3 connects to an OpenWRT/LuCI access point.

My goal is to have 2 WiFi SSIDs (SSID1, SSID2): wireless clients connected to SSID1 will have exclusive access to SUBNET1, clients connected to SSID2 will have exclusive access to SUBNET2. Both SUBNET1 and SUBNET2 have different DHCP, DNS servers, etc. So I'm guessing (first time trying to configure this...) that I should physically connect Switch Port 3 to one of the ethernet ports of the Access Point (port 1). I should then configure Access Point Port 1 as tagged VLAN 1 + tagged VLAN 2, as well as SSID1 as untagged VLAN 1 and SSID2 as untagged VLAN2, right?

If the theory is correct, I don't know how to configure it with LuCI.

I read the following manuals:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface


However, none of these actually describe what I need.

For instance, I don't care for firewall rules/restrictions or enabling DHCP or DNS services. I want clients on SSID1 to have full access to VLAN 1, and clients on SSID2 should have full access to VLAN 2.
I think I know how to set Tagged VLAN 1 + Tagged VLAN 2 to Access Point Port 1. However, it's not clear to me how to set Untagged VLAN 1 to SSID 1 and Untagged VLAN 2 to SSID 2.
Finally, I'd like to be able to access the Access Point's firmware web pages and ssh console via Switch Port 3 or Switch Port 2.

So in the end, how many interfaces should have a static IP address defined? For instance, SUBNET 1 should be 192.168.210.0/23, SUBNET 2 should be 10.215.0.0/16. Does that imply that I should configure a virtual interface bound to SSID1 with, say , IP addr. 192.168.210.3 (gateway, dns, etc in that range too), and then another virtual interface bound to SSID2 with, say, IP addr. 10.215.1.3 (etc.)? What about the LAN interface whose Port 1 is connected to the "trunk" switch port? What IP settings should it have?

I don't mind doing it via SSH instead of LuCI, but I'm yet to find clear, updated instructions for OpenWrt 18.06.0, r7188-b0b5c64c22.

Thanks

Would be easier to follow if you share screenshots of your switch , interface and wireless setting in openwrt. What are the wired devices connected to openwrt?

Given that, what is the advantage to VLANs for you? One typically uses VLANs to isolate networks at some level.

The one thing that I can think of is that putting the two groups of clients on distinct networks is that only point-to-point Layer 3 traffic is routed between them, preventing broadcast protocols at Layer 3, as well as Layer 2 protocols, such as ARP and IPv6 neighbor discovery.

I'm not sure about your network structure.
Do you want to set up two instances of a bridged access point on a single OpenWrt device, without routing between the two VLANs?
Is there a WAN connection somewhere, or is this an isolated network?
Are routing, firewall, DNS and DHCP provided by other devices?

Sounds to me like the OP wants a "guest network" and a "home network" (or something similar) so that one can be throttled separately from the "home network" (or just not allowed to access it).
I have some APs setup this way at work on some TPLink 1043ND APs,
To reply to @vieri's questions:

  1. You do not need any rules on the client AP to allow DNS, or anything else through.
  2. You do not need an interface IP on more than one network, so you just need to have a static address for your client AP on SUBNET1 and a rule on your main firewall to allow devices on SUBNET2 to access ports 80 and 22 on your client AP.
  3. You will need to setup a rule on the main firewall to allow devices on SUBNET2 to access ports 80 and 22 (or whatever you use for web and SSH) on the client AP. Then any traffic from SUBNET2 to SUBNET1 goes through SUBNET2 to your main firewall, then back out to SUBNET1.

Do this while connected to LAN port 4, "Save and Apply" after each step:

  1. Setup your VLANS
    • See: https://openwrt.org/docs/guide-user/network/vlan/switch_untaggedvlan_howto for a basic what needs to be done, or https://openwrt.org/docs/guide-user/network/vlan/switch_configuration for how to do it by editing the config files
      *For this, we will use 2 new interfaces, VLAN1 (eth1.1, SUBNET1) and VLAN2 (eth1.2 SUBNET2)
    • Assuming that your device uses ports 0-5 with port 0 being the CPU, 1-4 being LAN ports 1-4 and port 5 being the WAN port, add 2 new interfaces as follows:
      • VLAN1 0-tagged 1-untagged 3-tagged
      • VLAN2 0-tagged 2-untagged 3-tagged
      • You will need to switch ports 1 and 2 to "off" for the existing VLAN
      • Note that the port on your main router that connects to port 3 needs to have that port setup with the same VLAN ids, you might need to use higher numbers such as 3 and 4 instead of 1 and 2 if the existing VLANs use VLAN IDs 1 and 2
  2. Setup your interfaces to match your VLANS
    • Add a new interface that "Covers" the new "Switch VLAN: eth1.1" and call it INTERFACE1
      • Set the protocol to "Static address"
    • Add a new interface that "Covers" the new "Switch VLAN: eth1.2" and call it INTERFACE2
      • Set the protocol to "Unmanaged"
  3. Setup your firewall zones and rules to match your interfaces
    • Add a zone called ZONE1, set defaults to be: Input: Accept. Output: Accept. Forward: Reject
    • Add a zone called ZONE2, set defaults to be: Input: Accept. Output: Accept. Forward: Reject
  4. Setup your SSIDs to connect to the interfaces from step 2
    • Add a SSID called SSID1, mode AP, network: INTERFACE1
    • Add a SSID called SSID2, mode AP, network: INTERFACE2
  5. Setup your interface address:
  • Network>Interfaces>INTERFACE1>General Setup>
    * Protocol: Static
    * IPV4 Address: 192.168.1.10
    * IPV4 Netmask: 255.255.255.0
    * IPV4 Gateway:192.168.1.254
    * DHCP server: Ignore interface
  1. Tie your firewall rules to the interface
    • Network>Interfaces>INTERFACE1>Firewall Settings>Assign to ZONE1
    • Network>Interfaces>INTERFACE2>Firewall Settings>Assign to ZONE2

I think that is it, I usually just paste in my config files via SSH/SCP and change the IP addresses and AP names. If you want to test, in step 2, choose DHCP instead of Static or Unmanaged for your protocol, then you can that that you have access by seeing if it picks up an IP address.

Aaron Z

Sorry I didn't explain my network properly. Here's a quick overview (I'm not much of an ASCII artist):

SSID1, SSID2
|
OpenWRT AP (Cisco/Linksys E3000)
Port 1 (shown as "LAN 1" on the LuCI UI)
|
Port 3
Switch (D-Link DES-1252)
Port 1  Port 2 - SUBNET 2
|                  |
SUBNET 1           |
|                  |
Port 1             |
Firewall/router    |
Port 2 ------------|
Port 3
|
Internet

This is a simplified version of the network, just to get things working properly.

SUBNET 1 is a set of switches and client hosts that usually just access Internet or a subset of services on SUBNET 2 through a Firewall/Router.
Firewall/router is a Linux OS with DHCPD and BIND. It serves these types of requests on SUBNET 1.
SUBNET 2 is a set of switches, computers and servers (in other words, the "main LAN"). Among these servers, there's another DHCPD and BIND/DNS.
Hosts on SUBNET 2 may access hosts on SUBNET 1 and Internet but always through the Firewall/Router.
Wireless clients that can authenticate with SSID1 will only be able to access SUBNET 1 (they might access some services on SUBNET 2, Firewall withstanding),
Wireless clients connected to SSID2 (different authentication scheme) will only have access to SUBNET 2 and whatever the Firewall/Router allows.

To sum it all up, it's as if I were to connect an AP directly to SUBNET 1 and another AP directly to SUBNET 2. However, I can't physically do that, so I'm trying to use VLANs and multiple SSIDs for the same purpose.
I can't even use 2 ethernet cables to connect 1 AP with 2 SSIDs and VLANs to 2 different switches on SUBNETS 1 and 2 because I only have one eth cable available to connect each AP (that's why I'm trying to use just AP port 1 with 2 tagged VIDs as a "trunk").

Here's how the D-Link DES-1252 switch is configured:

VID "VLAN Name" "Untagged VLAN Ports" "Tagged VLAN Ports"
01   default           01                          03
02   LAN               02,04-52                    03

So, SUBNET 1 is connected to Switch Port 1, SUBNET 2 is connected to Switch Port 2 (and for now also to ports 4-52), the OpenWRT AP Port 1 is connected to Switch Port 3.

Finally, here's my OpenWRT Linksys E3000 AP config.

LuCI -> Network -> Switch:

"VLAN ID"     "CPU (eth0)"     "LAN 1"        "LAN 2"   "LAN 3"     "LAN 4"      "WAN"
"Port status" "1000f-duplex"  "1000f-duplex" "no link"  "no link"   "no link"     "no link"
1                   tagged        tagged       off        untagged    off            off 
2                   tagged        tagged       off        off        untagged      off

LuCI -> Network -> Wireless:
radio0 Generic MAC80211 802.11bg
SSID1 Mode: Master
SSID2 Mode: Master
If I edit both SSIDs then under "Interface Configuration" both SSID1 and SSID2 have "Network = lan" at this point.

@aczlan, thanks for your detailed instructions. There are a few things I don't understand though.
Step 1: you mention eth1.1 for VLAN1 and eth1.2 for VLAN2. Is that because your hardware shows up as eth1 instead of eth0 as in my case?

Step 1b: if I try to translate what you say in terms of LuCI configuration then I guess you're saying that I should do the following:
LuCI -> Network -> Switch:

"VLAN ID"     "CPU (eth0)"    "LAN 1"   "LAN 2"       "LAN 3"    "LAN 4"            "WAN"
"Port status" "1000f-duplex" "no link"  "no link"     "no link" "1000f-duplex"    "no link"
1                   tagged     untagged    off         tagged    off              off 
2                   tagged     off         untagged    tagged    off              off

That's confusing to me, or I got it all wrong...
In my first post (and here), I mentioned that my "trunk" link from the AP to the SWITCH is from AP Port 1 to Switch Port 3.
If I translated your instructions right then you are using AP Port 3 as the "trunk" link that should be connected to Switch Port 3, right?
You also mention to switch ports 1 and 2 to "off" for the existing VLAN, but there is none. VLANs 1 and 2 are the defaults, and I'd rather use them instead of creating VLANs 3 and 4 for instance.
I'm a VLAN newbie so I'm probably going to ask a dumb question now. If "LAN 4" (ie. AP port 4) is not a member of VLAN ID 1 and VLAN ID 2 then will a host connected to it still access the OpenWRT web UI or ssh console (listening on eth0 I suppose)?
I thought it wouldn't. That's why in my OpenWRT "switch" setup example earlier above I defined "LAN 4" as untagged VLAN 2, "LAN 3" as untagged VLAN 1, so I could connect a host to either one of these in order to access the OpenWRT/LuCI services via HTTP or SSH on eth0.

Step 2: here's where I went:
LuCI -> Network -> Interfaces:
WAN LAN WAN6
Add new Interface (I clicked this button)
Create Interface:
Name of the new interface: VLAN1_IF (instead of INTERFACE1 in your example)
Protocol of the new interface: Static address
Create a bridge over multiple interfaces (unchecked)
Cover the following interfaces: ** this is where I don't know what to select **
In your example you mention "Switch VLAN: eth1.1". My drop-down menu shows these options:

  Ethernet Switch: "eth0"
  Switch VLAN: "eth0.1" (wan, wan6)
  Switch VLAN: "eth0.2" (lan)
  Wireless Network: Master "SSID1" (lan)
  Wireless Network: Master "SSID2" (lan)

Should I select 'Switch VLAN: "eth0.1" (wan, wan6)'?

I decided to wait for your reply/replies before screwing things up because the AP is in production and I wouldn't want to disrupt the users too much (let alone brick the device which happened when I tried to add a 5GHz WiFi SSID, but that's another story).

Also, on step 5 you mention that I should set up an IP address for INTERFACE1 (VLAN1_IF).
I currently have a static IP address in:
LuCI -> Network -> Interfaces -> LAN
Its settings are:
192.168.210.10/23
gw: 192.168.210.1
DNS: 192.168.210.1
I require this IP address to be the AP's management IP address in SUBNET1 that I can access on ports 80,22 from either SUBNET1 or SUBNET2 via Firewall/Router.
I wouldn't want to use up a second IP address, so can I set the same for INTERFACE1 (VLAN1_IF) and/or remove/move the IP settings from "LAN" to INTERFACE1 (VLAN1_IF)?

Thanks!

You've got a pretty straight-forward config there. From what I understand, I'd do the following

  • Put your two trunking VLANs on the "WAN" port, tagged, associated with eth0.NNNN and eth0.PPPP, respectively (your choice of eth0 or eth1) (no IP address needed). PVID a "dead-end" VLAN, as all traffic should be tagged
  • Create a management VLAN on the "LAN1" port, tagged (as you management hosts should handle VLAN tagging), associated with eth1.MMMM and assign an appropriate static IP. PVID a "dead-end" VLAN, as all traffic should be tagged.
  • Set up your device-access services (ssh, maybe HTTPS) to only listen on the address of eth1.MMMM (and localhost)
  • Set up firewall rules to block traffic between all VLANs -- let your "upstream" router manage that at a single poing
  • Set up SSID-NNNN bridged over eth0.NNNN (no IP address needed)
  • Set up SSID-PPPP bridged over eth0.PPPP (ho IP address needed)

You could also put it the management VLAN the "WAN" port and the same Ethernet device, but I separate them. That "ensures" I have access to the device if client traffic swamps one interface.

You could optionally extend the switch to provide wired access to one VLAN or the other on "LAN2" through "LAN4", but I didn't state that as a requirement.

The option vlan X statements assign a "table entry" in the switch. It happens to default the VLAN tag to the same number. option vid NNNN can override that default.

Personally, I stay away from VLAN 1-5 or so, as so many consumer and SOHO-grade devices give special meaning to those VLANs. It does need to be consistent with your upstream switch and router though.

This is my understanding of your requirements.

background

  1. linksys e3000 with openwrt installed (trunk port lan1)
  2. dlink des-1252 L2 switch (trunk port 3)
  3. vid 1 subnet 192.168.210.0/23
  4. vid 2 subnet 10.215.0.0/16
  5. wifi access configured and operational on e3000 for 192.168.210.0/23

requirements

  1. install wifi access point to 10.215.0.0/16 via e3000 trunk port lan1
  2. disable wan on openwrt (not needed)
  3. disable odhcpd on openwrt (not needed)
  4. disable dnsmasq on openwrt (not needed)
  5. disable firewall on openwrt (not needed)

problem

  1. need luci settings for Network --> Switch
  2. need luci settings for Network --> Interfaces
  3. need luci settings for Network --> Wireless

proposed solution version 1

  1. verify wifi access point to 192.168.210.0/23 via e3000 trunk port lan1 is working
  2. add ssid2 Network--> Wireless
  3. mark vid 2 as tagged on lan1 Network --> Switch
  4. create wlan interface with static address 10.215.0.3 on Network -->Interfaces--> General Setup
  5. bridge wlan interface with ssid2 Network-->Interfaces-->Physical Settings
  6. test ping 10.215.0.3 from 10.215.0.1
  7. test wifi connect to ssid2

Hi again.

I'm really grateful for all the replies and advices, but I'm sorry to report that I'm still struggling to understand this setup. Apparently, it should be very easy to make this work, but I keep getting mixed results.

I'll try to summarize what I did.

The first step was to remove the WAN and WAN6 "interfaces" as I understand that I really don't need them as such, right? I did that mostly to avoid any issues with the default WAN firewall rules.

I then created my VLAN1 and VLAN2 interfaces, and associated WLAN SSID1 to VLAN1_IF and WLAN SSID2 to VLAN2_IF.

Here are some LuCI screenshots:

firewall_new
interfaces_new
interfaces_new1
interfaces_new2
interfaces_new3
switch_new (ignore for now which ports are "connected")
wireless_new
wireless_new2

As soon as I connected OpenWRT Access Point WAN Port or AP Port 1 (either one, as both are t1,2) to Switch Port 3 (no other eth port connected), I had the following issues:

  • If a WiFi client connects to SSID1, there is no DHCP address assigned to this client even though there IS a DHCP server in SUBNET1.
  • If a WiFi client connects to SSID2, it properly gets a DHCP IP address from a DHCP server in SUBNET2. However, the WiFi client CANNOT ping or access ANY host on SUBNET2 (and there's no firewall in the path). Why?
  • The Firewall/Router (as shown in my previous post) cannot ping or access the Access Point from SUBNET1. The only way I can access the AP is if I connect a host to the AP's "LAN 3" port.

VLANs 1,2 and eth cabling all seem to be fine on the Switch.

What can I try?
Do you see an obvous mistake in the screenshots I'm posting?

It looks weird to me that your one switch port with a cable is tagged for vlan 1 and not part of vlan 2. Make it tagged for both on both ends of the wire.

Edit, reading further i see you were juggling ports...

Do you have bridge entrusted calling iptables on your bridges? See sysctl settings. Linux can firewall bridges.

EDIT: "bridge entrusted?" stupid autocorrect, that was supposed to be "bridge netfilter"

Propose Changes

  1. mark vid 2 as tagged on lan3 Network --> Switch
  2. delete VLAN1_IF interface Network -->Interfaces
  3. modify VLAN2_IF interface with static address 10.215.0.3 on Network -->Interfaces--> General Setup
  4. bridge LAN interface with SSID1 Network-->Interfaces-->Physical Settings
  5. bridge VLAN2_IF interface with SSID2 Network-->Interfaces-->Physical Settings
  6. test ping 10.215.0.3 from 10.215.0.1
  7. test wifi connect to ssid2

Hi,

I finally got it working, but I'd really appreciate it if someone could please take a look at the following LuCI screenshots:

D-Link-Switch
firewall
interfaces
interfaces_vid1_a
interfaces_vid1_b
interfaces_vid1_c
interfaces_vid1_d
interfaces_vid2_a
interfaces_vid2_b
interfaces_vid2_c
interfaces_vid3_a
interfaces_vid3_b
interfaces_vid3_c
switch
wireless
wireless_SSID1
wireless_SSID2
wireless_SSID3

You might notice I changed the D-Link switch for another model because it seems that the one I was using was faulty.

Anyway, the idea is that wireless clients connecting to SSID1 can only access VLAN with VID 1, SSID2 clients can only access VLAN VID 2, likewise for VID 3.
Note that I did not define a "firewall ruleset" for VLAN3_IF.

Do you see any security implications/flaws I might have overseen?
Any suggestions would be greatly appreciated.

Thanks again