Need advice configuring RPi4 as primary router/firewall and R7800 as dumb AP

Needs:

  • 3 zones: LAN, GUEST, and IOT
  • Wireguard should only connect to GUEST zone

Hardware:

  • Primary router = RPi4 to run SQM and Wireguard
  • AP = R7800 for dumb AP WiFi to allow wireless connections
  • Unmanaged Switch to allow connections of hard wired devices

I read some wiki articles but found this video to be helpful in getting the primary router set up. There is a part 2 video where he shows how to add the dumb AP, but I cannot understand it with the RPi4. I am confused over how to use VLANs, because the RPi4 does not have a switch in it.

I set up the zones of LAN, GUEST, and IOT on the RPi4. Do I need these to be bridged or VLAN? How can I make this VLAN tagging he talks about with the switch on the RPi4?

My interfaces on primary router:

My devices on primary router:

Your AP also needs to have a VLAN set up on one ethernet port to carry the VLAN-tagged traffic from your Pi.
If your AP is running OpenWrt, it can be done.

Which OpenWrt version are you running on Pi (and AP)?

Both the Pi and AP run the latest snapshot.

See my post here as a starting point for VLAN setup with this build. You will have to do it on both devices.

Thank you for your posting. I read it a few times but I am still confused. My AP has a switch0 but my RPi4 does not.

On the RPi4 I have eth0 (onboard NIC) and eth1 (USB dongle). Then I have br-lan (bridged to eth0). I will use eth1 to connect to the modem for WAN. Is the recipe to make VLANq devices for eth0.1 and eth0.2?

Do I also need to make br-guest? If that is right, which devices are used with the interfaces, bridges or eth0.x?

Should LAN interface use eth0.1 or br-lan? Should GUEST interface use eth0.2 or br-guest?

Since I do not have SSIDs on the RPi4 I do not know how to proceed, or maybe that does not matter. I also do not understand what to do on the "Bridge VLAN Filtering" tab. Thank you for helping me learn this and implement this.

Use "bridge vlan filtering" to define your VLANs for br-lan: add vlan1 untagged (for main) and vlan3 tagged (for guest) on port 1 (you only have 1 LAN port anyway). Use my sample script from my earlier post as a guideline. The result of this setup is two additional devices, i.e. br-lan.1 (your main) and br-lan.3 (your guest).

Yes, you have to create (add) an interface for guest and select br-lan.3 as the device for this interface. It means that when your Pi4 router receives traffic from the guest wifi (from your AP) which carries VLAN id 3, it will use this interface to provide the IP subnet for your guest device.

br-lan.1

br-lan.3

That's all you need to do on your Pi4.
The next step is to create vlan1 and 3 (say, under port 1 of your AP, because you want to connect your AP from port 1 to the Pi4 LAN port), and a virtual guest SSID (associated with vlan3, or device br-lan.3, of your AP) on your AP. You can follow the instructions in my earlier post.

(post deleted by author)

Thanks for the help. I don't think it's working right. The problem is I can connect to the first SSID "temp-1" but I cannot connect to "temp-3". My phone says "no Internet Connection" and it doesn't get an IP. Did I screw up the VLANs or something?

I did this on my RPi4, which is the primary router:

Interfaces>devices>configure (for br-lan)>bridge vlan filtering
add two new ones (1 and 3)

VLAN ID  Local  eth0
1          x     u
3          x     t

save
interfaces>LAN>edit
device = br-lan.1

interfaces>GUEST>edit
device = br-lan.3
save & apply

This is my /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1a:184b:b879::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option proto 'static'
	option ipaddr '10.1.10.2'
	option netmask '255.255.255.0'
	option device 'br-lan.1'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option device 'br-wan'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option device 'br-lan.3'
	option ipaddr '192.168.2.2'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'

config device
	option name 'br-lan.1'
	option type '8021q'
	option ifname 'br-lan'
	option vid '1'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'eth1'
	option bridge_empty '1'

That device seems to work as expected. Next, I set up the dumb access point, which has a switch built in.

On the AP:

I used Port 1 to physically connect the two with ethernet, I disabled firewall and dnsmasq like the Wiki suggested.

My /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda9:af14:96f9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.1.10.3'
	option gateway '10.1.10.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2t 1t'
	option vid '3'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-guest'
	option ipaddr '192.168.2.3'
	option gateway '192.168.2.2'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.3'
	option ipv6 '0'

And my /etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'temp-1'
	option key 'pass@word1'
	option ieee80211w '2'
	option encryption 'sae'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'temp-3'
	option key 'pass@word1'
	option ieee80211w '2'
	option network 'guest'
	option encryption 'sae'

The vlan config of your AP looks strange to me. Could you show the VLAN setup gui on Luci for me?
What lan port of your AP connects to your Pi?

I thought you would use your Pi4 router to work as DHCP and DNS, and thus your AP is just a "dumb" AP; therefore you need to define the VLANs.
If you choose to have DHCP on your AP, you may not need to set additional VLANs on it.

Thanks.

That is correct. The RPi4 router will work as the primary and the Archer device will be a "dumb" AP. I disabled 'firewall' and 'dnsmasq' on it. Did I make a misconfig?

It is port 1.

Here is luci of the switch on the AP.

Interfaces>Devices:

On your AP:
port 0 1 2 3 4 5
vlan1 t u u u u - <---from Luci
vlan1 t - u u u u <---from config file, why different from Luci gui?
vlan3 t t - - t t <---from Luci
vlan3 t t t - - - - <---from config file, why different from Luci gui?

Your AP should be:
Port 0 1 2 3 4 5
vlan1 t u u u u u
vlan3 t t u u u u

Your Pi4 seems fine.

luci will not let me make vlan1 and vlan3 untagged. Maybe I misunderstand.

For vlan3, you must turn off ports 2, 3, 4, and 5. Sorry, my mistake.

I made the switch on the AP this:

      C L L L L W
      P A A A A A
      U N N N N N
      0 1 2 3 4

vlan1 t u u u u u
vlan2 - - - - - -
vlan3 t t - - - -
  • I have the RPi4 connected to the AP on port 1.
  • From the RPi4 local keyboard, I have WAN connection and I have DNS (I can ping www.google.com) but I cannot ping the access point.
  • None of my clients can connect to the AP wirelessly with DHCP.
  • I can connect with an ethernet cable directly but there is no DHCP either; it has to be manually defined. Once there, I cannot get name resolution working, so I think I have something wrong.

If I move the ethernet cable from Port 1 to Port 2:

  • I can ssh from the RPi4 console to the AP
  • No DNS resolution works on the AP from ssh

I am getting closer. One problem on the RPi4 (primary router/firewall) I found was that I did not add the br-lan.1 to Covered Devices under:
Network>Firewall>Zones "lan->wan">advanced settings>covered devices

I did the same for the "guest->wan" which is br-lan.3

Now I can ping and browse when I connect to my SSID associated with the "lan" zone. The only problem I have left is that I cannot get the SSID associated with the "guest" zone to work at all. Does not even give me an IP address when I connect.

Even though I have eth0.1, eth0.2 and eth0.3 defined, I only see eth0.1@eth0 and eth0.2@eth0 in the ip a output. There is not even one listed for eth0.3. This is the same in LuCI. What could cause this?
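As an added example (not code from this thread or from OpenWrt), here is a small Python checker that reads the two kinds of config quoted in this thread and tests whether the two ends of the trunk agree: the RPi4's bridge-vlan sections (vlan 1 untagged, vlan 3 tagged on eth0) against the AP's switch_vlan sections, assuming the AP's uplink is switch port 1 and the CPU port is port 0, as in the port tables above. It also lists interfaces that no firewall zone covers by `network` or `device` (the "covered devices" omission found in the previous post). The parser, the condensed sample configs and the helper names (`parse_uci`, `router_trunk`, `ap_switch_matrix`, `trunk_findings`, `uncovered_interfaces`, `check`) are all constructed for this example.

```python
"""Added example, not code from the thread or from OpenWrt: checks the two ends of the
tagged trunk against each other (RPi4 bridge-vlan vs. R7800 switch_vlan sections) and
lists interfaces that no firewall zone covers. All samples below are constructed."""
import re

def parse_uci(text):
    """Minimal /etc/config parser -> [(type, name, options)]; 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def router_trunk(sections, bridge, port):
    """VLANs the router carries on `port` via bridge-vlan ('eth0' untagged, 'eth0:t' tagged)."""
    vlans = {}
    for stype, _, o in sections:
        if stype == "bridge-vlan" and o.get("device") == bridge:
            for entry in o.get("ports", []):
                name, _, flags = entry.partition(":")
                if name == port:
                    vlans[int(o["vlan"])] = "tagged" if "t" in flags else "untagged"
    return vlans

def ap_switch_matrix(sections, switch="switch0"):
    """{vid: {port: 'tagged'|'untagged'}} from switch_vlan sections (the thread's port table)."""
    matrix = {}
    for stype, _, o in sections:
        if stype == "switch_vlan" and o.get("device") == switch:
            members = {}
            for tok in o.get("ports", "").split():
                num, flag = re.match(r"(\d+)([tu]?)$", tok).groups()
                members[int(num)] = "tagged" if flag == "t" else "untagged"
            matrix[int(o.get("vid", o["vlan"]))] = members
    return matrix

def trunk_findings(router_vlans, ap_matrix, uplink_port, cpu_port=0):
    """Each VLAN the router sends on the trunk must sit on the AP uplink with the same
    tagging and reach the CPU port tagged (that is what creates eth0.<vid> on the AP)."""
    findings = []
    for vid, tagging in sorted(router_vlans.items()):
        members = ap_matrix.get(vid, {})
        got = members.get(uplink_port, "absent")
        if got != tagging:
            findings.append(f"vlan {vid}: router sends it {tagging}, AP port {uplink_port} is {got}")
        if members.get(cpu_port) != "tagged":
            findings.append(f"vlan {vid}: AP CPU port {cpu_port} is not tagged")
    return findings

def _aslist(v):  # firewall zones accept 'option network "a b"' or repeated 'list network'
    return v.split() if isinstance(v, str) else list(v or [])

def uncovered_interfaces(network_sections, firewall_sections):
    """Interfaces no zone covers by 'network' or 'device' (LuCI's 'covered devices')."""
    nets, devs = set(), set()
    for stype, _, o in firewall_sections:
        if stype == "zone":
            nets.update(_aslist(o.get("network")))
            devs.update(_aslist(o.get("device")))
    return [name for stype, name, o in network_sections
            if stype == "interface" and name != "loopback"
            and name not in nets and o.get("device") not in devs]

def switch_vlan(vid, ports):
    """One swconfig switch_vlan section, used to build the constructed AP samples."""
    return f"config switch_vlan\n\toption device 'switch0'\n\toption vlan '{vid}'\n\toption ports '{ports}'\n"

# Constructed samples, condensed from the thread: RPi4 bridge-vlan + interfaces, the AP
# switch as first posted and as corrected later, and firewall zones before/after the fix.
PI_NETWORK = """config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0'
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'
config interface 'lan'
	option device 'br-lan.1'
config interface 'guest'
	option device 'br-lan.3'"""
AP_POSTED = switch_vlan(1, "0t 2 3 4 5") + switch_vlan(3, "0t 2t 1t")
AP_FIXED = switch_vlan(1, "0t 1 2 3 4 5") + switch_vlan(3, "0t 1t")
FIREWALL_POSTED = "config zone\n\toption name 'lan'\n\tlist network 'lan'\nconfig zone\n\toption name 'guest'\n"
FIREWALL_FIXED = FIREWALL_POSTED + "\tlist device 'br-lan.3'\n"

def check(ap_text, firewall_text):
    """Returns (trunk findings, uncovered interface names); ([], []) means all consistent."""
    pi = parse_uci(PI_NETWORK)
    trunk = trunk_findings(router_trunk(pi, "br-lan", "eth0"), ap_switch_matrix(parse_uci(ap_text)), 1)
    return trunk, uncovered_interfaces(pi, parse_uci(firewall_text))
```

`check(AP_POSTED, FIREWALL_POSTED)` reports that vlan 1 is missing from AP port 1 (the Pi sends it untagged, so the uplink must be an untagged member) and that the guest interface is in no zone; `check(AP_FIXED, FIREWALL_FIXED)` returns `([], [])`. Port 2 being tagged in vlan 3 in the posted config is not flagged, since it only affects a wired client on that port, not the trunk. To run it against real devices, feed the checker the text of `/etc/config/network` from each box and `/etc/config/firewall` from the router.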


On RPi4, you added vlan 3 on Luci gui or by changing /config/network file manually? Could you try both?