Multiple Radios for VLANs

Hey everyone,

I'm hoping someone may be able to confirm or help with a specific configuration I am trying to do on my Netgear WAX220 AP.

Network layout:
VLAN1 - management VLAN, servers/NAS/APs/firewall/switches
VLAN20 - LAN/WLAN, computers/phones/printers/etc
VLAN21 - Guest network

As mentioned, I have a WAX220 AP using DynamicPSK. It has (3) VLANs, and its IP is on VLAN1 so I can manage it. Currently I have (2) SSIDs... one for 2.4 GHz and one for 5 GHz. The 2.4G radio is for phones/laptops and the like, whereas the 5G radio is for streaming devices like Apple TV/etc. Depending on which VLAN you want to connect to, the passwords can be used to connect to either radio. I have the aforementioned devices on VLAN20. Below is the configuration for the AP.

Network config

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc6:77f6:e728::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'eth0:t'

config interface 'vlan1'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.11'
	option netmask '255.255.255.192'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config interface 'vlan20'
	option device 'br-lan.20'
	option proto 'none'
	option type 'bridge'

config interface 'vlan21'
	option device 'br-lan.21'
	option proto 'none'
	option type 'bridge'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.21'
	option type '8021q'
	option ifname 'br-lan'
	option vid '21'
	option ipv6 '0'

Wireless config

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '4'
	option htmode 'HE40'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'SSID1'
	option encryption 'psk2'
	option key 'Password1'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'vlan20'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '40'
	option htmode 'HE160'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'SSID2'
	option encryption 'psk2'
	option key 'Password2'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option ieee80211k '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option network 'vlan20'

config wifi-vlan
	option name 'vl1'
	option network 'vlan1'
	option vid '1'

config wifi-vlan
	option name 'vl21'
	option network 'vlan21'
	option vid '21'

config wifi-station
	option key 'Password3'
	option vid '1'

config wifi-station
	option key 'GuestPassword'
	option vid '21'

For management, I currently have my pfSense firewall set to allow only my laptop (connected to VLAN20) to access VLAN1 (via MAC address in the firewall rules). What I would like to do is create another SSID and have it attached to VLAN1. I can then have all VLANs completely segregated and any time I need to get to any devices on VLAN1, I connect to that SSID. I tried to do this via LuCI (hoping it would be relatively quick and easy) by creating a new radio and attaching VLAN1 to it but it wouldn't let me save it.


I'm sure I'll probably have to use CLI, but hoping maybe someone can help me out with the proper configuration. Or if there is a better way to accomplish what I am trying to do, I am all ears. Any help would be greatly appreciated :folded_hands:

Remove the bridge lines from each of these:

Delete the 802.1q stanzas:

I'd also recommend not using 802.11k unless you have a demonstrated need for it.

Hi @psherman, thanks for the reply.

Just to make sure... by removing what you suggested, I would still be able to use DynamicPSK for both VLAN20 and VLAN21 in the above wireless configuration, but have a separate radio for VLAN1 so I can connect to it and manage my VLAN1 devices? I don't want all 3 VLANs to have their own radios, I still want VLAN20 and VLAN21 to use default_radio0 (2.4G) and default_radio1 (5G), while VLAN1 has default_radio2 (2.4G) or similar.

Again, just want to make sure I can keep most of the current configuration with the DynamicPSK for VLANs 20 and 21.

Just as a visual representation, I'd like to have the radios like pictured below. One radio is for VLAN1, and the other are for VLANs 20 and 21 and can be connected via the DynamicPSK configuration I have currently set.


Thanks for your help!

@psherman so I just tried what you suggested but wasn't able to add VLAN1 to the newly created radio, same issue where it wouldn't let me save it when trying thru the GUI.

Let’s review the current complete config.


Ok no prob. Let me know if you need any info or if I need to give a better description of what I am trying to accomplish.

I'd like to see all the config files -- updated per my recommendations:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

@psherman the info you requested is below. I restored the configuration from a backup file so you can see the configuration prior to me modifying it with your previous suggestion.

Please note that I flashed the device with firmware made with image-builder. I removed certain items like dnsmasq, odhcp6c, odhcpd-ipv6only and wpad-basic-mbedtls (I replaced the last one with wpad-mbedtls since DynamicPSK requires the full package and not the basic one). There is no dhcp file in /etc/config.

ubus call system board

{
	"kernel": "6.6.73",
	"hostname": "WAX220_Hall",
	"system": "ARMv8 Processor rev 4",
	"model": "Netgear WAX220",
	"board_name": "netgear,wax220",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc6:77f6:e728::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'eth0:t'

config interface 'vlan1'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.11'
	option netmask '255.255.255.192'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config interface 'vlan20'
	option device 'br-lan.20'
	option proto 'none'
	option type 'bridge'

config interface 'vlan21'
	option device 'br-lan.21'
	option proto 'none'
	option type 'bridge'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.21'
	option type '8021q'
	option ifname 'br-lan'
	option vid '21'
	option ipv6 '0'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '4'
	option htmode 'HE40'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'SSID1'
	option encryption 'psk2'
	option key 'Password1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'vlan20'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '40'
	option htmode 'HE160'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'SSID2'
	option encryption 'psk2'
	option key 'Password2'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option time_advertisement '2'
	option time_zone 'PST8PDT,M3.2.0,M11.1.0'
	option network 'vlan20'

config wifi-vlan
	option name 'vl1'
	option network 'vlan1'
	option vid '1'

config wifi-vlan
	option name 'vl21'
	option network 'vlan21'
	option vid '21'

config wifi-station
	option key 'Password3'
	option vid '1'

config wifi-station
	option key 'GuestPassword'
	option vid '21'

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Just to reiterate, I would like to have an SSID on radio0 (2.4G) that connects to VLAN1 that uses its own password. I would like another SSID on radio0 that connects to VLAN20 with a separate password. Radio1 (5G) would have the same SSIDs for VLAN20. This is due to using DynamicPSK. The reason being that while my laptop is connected to VLAN20 for normal usage (internet browsing/etc), I can connect to VLAN1 wirelessly to manage my network devices (servers/NAS/switches/etc).

Seems like you've just put yourself back into the broken configuration you had before, no??

Please try the changes I recommended. If they don't work, post the resulting files so that we can see exactly what you did during those changes (to rule out typos or other mistakes or config errors).

I wouldn't say it's broken, the AP works just fine and I can connect to VLAN20 without issues. However in the case of reverting back to the original config, I guess you could say it's "broken".

Below is the output of /etc/config/network after making your changes.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc6:77f6:e728::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '21'
	list ports 'eth0:t'

config interface 'vlan1'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.11'
	option netmask '255.255.255.192'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config interface 'vlan20'
	option device 'br-lan.20'
	option proto 'none'

config interface 'vlan21'
	option device 'br-lan.21'
	option proto 'none'

config device
	option name 'br-lan.1'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'

config device
	option name 'br-lan.20'
	option ifname 'br-lan'
	option vid '20'
	option ipv6 '0'

config device
	option name 'br-lan.21'
	option ifname 'br-lan'
	option vid '21'
	option ipv6 '0'

@psherman just more info, all VLANs are there for the AP. The IP you see in the network config is VLAN1. It's just getting a separate radio for VLAN1 that I can't figure out. I'm sure it's something easy and probably staring me in the face.

Delete these:

You should be able to create a new SSID, just like you've done here, but with network vlan1 instead:

(I would also recommend removing all the 802.11r related stuff, including the time lines)
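As an added example (not from this thread, and not OpenWrt's own tooling), the script below parses the UCI stanza format shown in the posted files and checks for the problems the thread turns on: an interface that re-declares option type 'bridge' on top of a device that bridge-vlan already creates, the redundant 8021q device stanzas, an SSID or wifi-vlan pointing at a network that is not defined, a wifi-station VID with no wifi-vlan behind it, and a passphrase that would select more than one VLAN (which is what makes DynamicPSK placement ambiguous). The "before" sample is abridged from the files posted above; the "after" sample is the same file with the bridge flag and 8021q stanzas removed plus the management SSID bound to vlan1. The section name 'mgmt_radio0', the SSID 'SSID-MGMT' and the key 'MgmtPassword' are placeholders I made up.

```python
"""Lint an OpenWrt UCI network/wireless pair for the misconfigurations discussed in
this thread.  Added example: not from the thread, and not OpenWrt's own tooling."""
import re
from collections import defaultdict

# "config <type> ['<name>']" and "option|list <key> <value>" with a quoted or bare value
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+(?:'(.*)'|(\S+))\s*$")


def parse_uci(text):
    """Return a list of sections: {'type', 'name', 'options': {key: [values]}}."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_RE.match(line):
            current = {"type": m.group(1), "name": m.group(2) or "", "options": defaultdict(list)}
            sections.append(current)
        elif (m := OPTION_RE.match(line)) and current is not None:
            _, key, quoted, bare = m.groups()
            current["options"][key].append(quoted if quoted is not None else bare)
    return sections


def first(section, key, default=None):
    values = section["options"].get(key)
    return values[0] if values else default


def lint(network_text, wireless_text):
    """Return human-readable findings; an empty list means every check passed."""
    net, wl = parse_uci(network_text), parse_uci(wireless_text)
    findings = []
    # Devices that bridge-vlan sections create on their own, e.g. 'br-lan.20'.
    vlan_devs = {f"{first(s, 'device')}.{first(s, 'vlan')}" for s in net if s["type"] == "bridge-vlan"}
    interfaces = {s["name"]: s for s in net if s["type"] == "interface"}
    # 1. An interface sitting on a bridge-vlan device must not declare itself a bridge again.
    for name, s in interfaces.items():
        if first(s, "device") in vlan_devs and first(s, "type") == "bridge":
            findings.append(f"interface '{name}': remove option type 'bridge'")
    # 2. A hand-written 8021q device named like a bridge-vlan device defines it twice.
    for s in net:
        if s["type"] == "device" and first(s, "type") == "8021q" and first(s, "name") in vlan_devs:
            findings.append(f"device '{first(s, 'name')}': delete duplicate 8021q stanza")
    # 3. Every SSID and every wifi-vlan must reference an interface that exists.
    for s in wl:
        if s["type"] in ("wifi-iface", "wifi-vlan") and first(s, "network") not in interfaces:
            findings.append(f"{s['type']} '{s['name'] or first(s, 'name')}': unknown network '{first(s, 'network')}'")
    # 4. Every per-station PSK must land on a VID that some wifi-vlan maps to a network.
    mapped = {first(s, "vid") for s in wl if s["type"] == "wifi-vlan"}
    for s in wl:
        if s["type"] == "wifi-station" and first(s, "vid") not in mapped:
            findings.append(f"wifi-station vid '{first(s, 'vid')}': no wifi-vlan maps this VID")
    # 5. One passphrase must select exactly one destination, or VLAN placement is ambiguous.
    #    The passphrase itself is deliberately kept out of the finding text.
    targets = defaultdict(set)
    for s in wl:
        key = first(s, "key")
        if key and s["type"] == "wifi-iface":
            targets[key].add(f"network:{first(s, 'network')}")
        elif key and s["type"] == "wifi-station":
            targets[key].add(f"vid:{first(s, 'vid')}")
    findings += [f"one passphrase maps to {sorted(t)}" for t in targets.values() if len(t) > 1]
    return findings


def stanza(kind, label="", **opts):
    """Render one UCI section; used only to build the constructed samples below."""
    head = f"config {kind} '{label}'" if label else f"config {kind}"
    return head + "".join(f"\n\toption {k} '{v}'" for k, v in opts.items()) + "\n\n"


# Constructed sample, abridged from the files posted in the thread: bridge VLANs 1/20/21,
# interfaces that re-declare 'type bridge' on top of them, and a redundant 8021q device.
BRIDGE_VLANS = "".join(stanza("bridge-vlan", device="br-lan", vlan=v) for v in (1, 20, 21))
NETWORK_BEFORE = (BRIDGE_VLANS
                  + stanza("interface", "vlan1", device="br-lan.1", proto="static", ipaddr="192.168.1.11")
                  + stanza("interface", "vlan20", device="br-lan.20", proto="none", type="bridge")
                  + stanza("interface", "vlan21", device="br-lan.21", proto="none", type="bridge")
                  + stanza("device", name="br-lan.20", type="8021q", ifname="br-lan", vid=20))
# The same file after the fix described in the thread: no 'type bridge', no 8021q stanzas.
NETWORK_AFTER = (BRIDGE_VLANS
                 + stanza("interface", "vlan1", device="br-lan.1", proto="static", ipaddr="192.168.1.11")
                 + stanza("interface", "vlan20", device="br-lan.20", proto="none")
                 + stanza("interface", "vlan21", device="br-lan.21", proto="none"))
WIRELESS_BEFORE = (stanza("wifi-iface", "default_radio0", device="radio0", mode="ap", ssid="SSID1",
                          encryption="psk2", key="Password1", network="vlan20")
                   + stanza("wifi-vlan", name="vl1", network="vlan1", vid=1)
                   + stanza("wifi-vlan", name="vl21", network="vlan21", vid=21)
                   + stanza("wifi-station", key="Password3", vid=1)
                   + stanza("wifi-station", key="GuestPassword", vid=21))
# Plus the management SSID the thread asks for: its own passphrase, bound to vlan1 only
# (section name 'mgmt_radio0', SSID 'SSID-MGMT' and key 'MgmtPassword' are placeholders).
WIRELESS_AFTER = WIRELESS_BEFORE + stanza("wifi-iface", "mgmt_radio0", device="radio0", mode="ap",
                                          ssid="SSID-MGMT", encryption="psk2", key="MgmtPassword",
                                          network="vlan1")

if __name__ == "__main__":
    for label, n, w in (("before", NETWORK_BEFORE, WIRELESS_BEFORE), ("after", NETWORK_AFTER, WIRELESS_AFTER)):
        print(f"{label}: {lint(n, w) or 'OK'}")
```

Running it prints three findings for the "before" pair (the two bridge flags and the duplicate br-lan.20 device) and OK for the "after" pair. On a real AP you would feed it the output of cat /etc/config/network and cat /etc/config/wireless instead of the constructed strings; the check that a passphrase selects only one VLAN is the one worth keeping around, since with DynamicPSK the passphrase is the only thing deciding which VLAN a client lands on.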


Isn't the 802.11r for roaming? I have another AP and devices would need to connect to the other APs when going thru the house.

Yes and no.

It is not required, and I always recommend avoiding 802.11r (as well as the k and v standards) unless there is an actual demonstrated need for them. That is because some client devices do not work well with these standards enabled. With these standards disabled (I typically call it "classic or classical" roaming), your client devices will roam to the best AP at any given moment/location based on their own internal logic, taking into account the signal conditions of each available AP.

The prerequisite for all high performance roaming environments is proper tuning of your APs (i.e. same SSID + encryption type + passphrase, non-overlapping channels for neighboring APs, and usually reduced power levels to minimize the size of the overlap area; optimizing placement of the APs where possible is also important). 802.11k/v/r can be used on top of an already well tuned set of APs, but it is not necessary/required, and may actually decrease the reliability of smooth roaming between APs. FWIW, I do not use 802.11k/v/r, and my roaming is seamless.


Gotcha. I have had success with it enabled but I will give it a try again after reconfiguring and testing. Will let you know what happens.

@psherman sorry for the late response, had to wait for the fam to leave so I didn't disrupt internet.

Deployed your changes and tested, everything is working! Going to test a bit more and make sure there are no issues with roaming but so far so good.

Thanks again for all your help and patience, I really do appreciate it :folded_hands: :grin:
