Multiple VLANs on One SSID (TP-Link Archer C7 Router)

Hello all,

I am working on a VLAN project at home. I want to implement microsegmentation in my network using VLANs.

I have a TP-Link Archer C7 (v5) running OpenWrt, connected to my modem, and I have converted it into a dumb AP (using the OpenWrt guide). I want to make multiple VLANs on my home network and assign my IoT devices to the separate VLANs. I want my IoT devices to automatically be put into VLANs when they join the network, so they are in isolated segments.

I have tried to follow a few VLAN guides, but they often implement VLANs by essentially making a bunch of SSIDs with one VLAN associated with each. For my configuration, I want to have multiple VLANs associated with the SSID of my home wifi network.

My current settings are just the ones at the end of this guide: https://openwrt.org/docs/guide-user/network/wifi/dumbap.

Please let me know if you have any ideas on how to do this. Thank you in advance.

There are three ways that I am aware of to use a single SSID and have that automatically map to the desired VLAN. These end up being somewhat advanced and are far more complicated than using a unique SSID for each network.

That said, they are:

  1. 802.1x authentication -- this requires a RADIUS server and is usually serious overkill for most networks.
  2. Unique passphrases per-VLAN where the passphrase determines the network that is joined. See this thread.
  3. MAC VLAN -- uses a defined list of MAC addresses to map against a given VLAN upon connection. This is very easy to tamper/circumvent, so not a good option, really. That said, it is theoretically (at a very high level) possible but I haven't seen it implemented here (see this thread). I don't know what prerequisites would be required for this to work or if it has even been done on OpenWrt.
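
Option 2 from the reply above (one SSID, with the passphrase selecting the VLAN), sketched as an added example that is not part of the original posts. It uses OpenWrt's `wifi-vlan` and `wifi-station` sections in `/etc/config/wireless`. Assumptions: the AP interface section is named `default_radio0`, networks named `iot` and `cameras` already exist in `/etc/config/network` as bridges carrying VLAN 10 and VLAN 20 to the upstream router, and the SSID and passphrases are constructed placeholders.

```uci
# /etc/config/wireless (excerpt) - constructed example with placeholder values

# The single SSID. Clients that use this default key land on 'lan'.
# Section name 'default_radio0' is an assumption; use your own.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'HomeWifi'
	option encryption 'psk2'
	option key 'CHANGE-ME-main-passphrase'
	option network 'lan'

# One wifi-vlan section per VLAN: ties a VLAN ID to an OpenWrt network.
# 'iot' and 'cameras' are assumed to be defined in /etc/config/network.
config wifi-vlan
	option iface 'default_radio0'
	option name 'iot'
	option vid '10'
	option network 'iot'

config wifi-vlan
	option iface 'default_radio0'
	option name 'cameras'
	option vid '20'
	option network 'cameras'

# One wifi-station section per passphrase: a client that authenticates
# with this key is placed in the VLAN given by 'vid'.
config wifi-station
	option iface 'default_radio0'
	option key 'CHANGE-ME-iot-passphrase'
	option vid '10'

config wifi-station
	option iface 'default_radio0'
	option key 'CHANGE-ME-camera-passphrase'
	option vid '20'
```

Each passphrase must be distinct, because the passphrase is the only thing that decides which VLAN a client joins. On a dumb AP this only tags the traffic; the isolation between VLANs still has to be enforced by the firewall rules on the upstream router.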

Thank you so much for your prompt reply!

I have tried to do your third suggestion, but I was unsuccessful. I had also looked into the RADIUS server solution but I also thought that it would be overkill for my network. However, if that is the only way to accomplish my desired configuration for microsegmentation, I will go for it. Do you have any suggestions for how to get started with that?

I recently ran across the ebtables package and I thought it might be helpful for my project. I was wondering if you had ever heard of it or used it?