Need help with setting up separate VLANs with additional APs

Hi everyone!

I've been trying to wrap my head around this issue for quite a while now. I have a TP-Link Archer C7 v2 set up as my "main router" and I want to add a TP-Link 1043ND as an additional access point on my first floor, which is connected over a wired link to my Archer C7.

So my main setup idea was the following;

I basically want 3 different networks;

  • 1 for my main gear (on 2 different IP ranges; 10.0.0.x for wired clients and 10.0.1.x for wireless clients)
  • 1 for my WiFi IoT stuff (10.0.2.x), with the option that the clients on my main network, can connect to the clients on this network. But my IoT clients shouldn't be able to connect to each other or have a connection to the internet.
  • 1 for my guests (10.0.3.x), which should be able to connect to the internet but not to other clients on the network.

The 1043ND should only be "repeating" my main WiFi network and my IoT WiFi network, and I want my Archer C7 to be responsible for giving out IP addresses. So I have been trying to follow this guide (https://openwrt.org/docs/guide-user/network/wifi/vlan-multiple-wifi-ssid-repeater) and combine it with the dumb AP guide (https://openwrt.org/docs/guide-user/network/wifi/dumbap) to configure my 1043ND. The firewall is disabled on my 1043ND.

But regardless of what I try, any clients connected to the networks of my 1043ND either end up getting an IP address in the 10.0.0.x range (which is meant for my wired clients) or do not get an IP address at all.

What am I doing wrong? Or could you point me towards a guide or some other piece of documentation that explains what I am trying to accomplish?

Thanks :grinning_face_with_smiling_eyes:

Archer C7 (Main router) config

/etc/config/network
# Archer C7 (main router): loopback, wired LAN bridge and the WAN uplink.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5c:b86f:eae9::/48'

# Wired LAN: bridge over eth1.1 (VLAN 1 on eth1), static 10.0.0.1/24.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.1'
	# NOTE(review): public resolvers are listed on an internal interface; a reply in
	# this thread advises configuring upstream DNS on the wan interface only.
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option igmp_snooping '1'

# WAN uplink: DHCP client on eth0.2 (VLAN 2 on eth0).
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

# IPv6 on the same uplink device, via DHCPv6.
config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Built-in switch with VLAN support enabled; the two VLANs below carry lan and wan.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: port 0 tagged, ports 2-5 untagged. Interface 'lan' uses eth1.1, so port 0 is
# presumably the CPU port behind eth1 — confirm on the Switch page.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'
	option vid '1'

# VLAN 2: port 6 tagged, port 1 untagged. Interface 'wan' uses eth0.2, so port 6 is
# presumably the CPU port behind eth0 and port 1 the WAN socket — confirm.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

# Per-SSID networks on the main router. The segmentation the post asks for only holds if
# each network is its own layer-2 segment with its own firewall zone.

# Main wireless network, static 10.0.1.1/24.
config interface 'WIFI'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.1.1'
	# NOTE(review): eth0.1234 is VLAN ID 1234 on eth0, but no switch_vlan section in this
	# file defines VID 1234 (a reply in the thread points this out as well).
	option ifname 'eth0.1234'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	# NOTE(review): 10.0.255.255 does not match 10.0.1.1 with netmask 255.255.255.0,
	# whose broadcast address would be 10.0.1.255.
	option broadcast '10.0.255.255'
	option igmp_snooping '1'

# IoT network, static 10.0.2.1/24.
# NOTE(review): no 'type bridge' and no ifname, so only a wifi-iface on this router can
# attach to it; nothing arriving over the wired link from a second AP can join this
# network as configured.
config interface 'WIFI_IOT'
	option proto 'static'
	option ipaddr '10.0.2.1'
	option broadcast '10.0.2.255'
	option netmask '255.255.255.0'

# Guest network, static 10.0.3.1.
# NOTE(review): no netmask is set, and no zone in the firewall file shown lists
# 'WIFI_GUEST'. Give it a netmask and a dedicated zone before the guest SSID is enabled;
# until then its traffic presumably falls under the firewall 'defaults' policies — verify.
config interface 'WIFI_GUEST'
	option type 'bridge'
	option proto 'static'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option ipaddr '10.0.3.1'
	option broadcast '10.0.3.255'

# VLANs 3 and 4: tagged on port 6 and on port 2 only.
# NOTE(review): no interface in this network file uses a '.3' or '.4' device, so these
# VLANs are not attached to WIFI, WIFI_IOT or WIFI_GUEST as shown. Port 2 is also an
# untagged member of VLAN 1, so it presumably is the link to the second AP and carries
# 'lan' untagged — confirm which physical port the AP is plugged into.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '6t 2t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '6t 2t'
/etc/config/wireless

# Archer C7 radios and SSIDs. Each wifi-iface joins the network named by 'option network'.

# radio0: hwmode 11a, VHT80, channel 132 (carries the '-5Ghz' SSID below).
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option country 'NL'
        option htmode 'VHT80'
        option channel '132'

# radio1: hwmode 11g, HT40, channel 8 (carries the 2.4 GHz, IoT and guest SSIDs).
config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT40'
        option channel '8'
        option country 'NL'

# Main 2.4 GHz SSID, WPA2-PSK, attached to network 'WIFI'.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option network 'WIFI'
        # NOTE(review): the same key string appears on the main and IoT SSIDs; presumably a
        # redaction placeholder. If the real keys are identical, every IoT device holds the
        # credential for the main network — use a distinct key per SSID.
        option key 'some_keyphrase'
        option ssid 'ThePromisedLan-2.4Ghz'
        option encryption 'psk2'
        option ifname 'wifi_ap'

# IoT SSID, WPA2-PSK, attached to network 'WIFI_IOT'.
config wifi-iface 'wifinet2'
        option ssid 'ThePromisedLan-IoT'
        option device 'radio1'
        option mode 'ap'
        option network 'WIFI_IOT'
        option key 'some_keyphrase'
        # Client isolation for stations on this AP interface.
        # NOTE(review): this does not by itself isolate IoT clients that associate to a
        # second AP and reach this network over the wired link — verify once the 1043ND
        # carries this SSID.
        option isolate '1'
        option encryption 'psk2'

# Guest SSID, currently disabled.
# NOTE(review): encryption 'none' means guest traffic is unencrypted over the air, and no
# 'isolate' option is set although the post wants guests kept away from other clients.
# Set both, plus a firewall zone for WIFI_GUEST, before removing 'disabled'.
config wifi-iface 'wifinet3'
        option ssid 'ThePromisedLan-Guests'
        option encryption 'none'
        option device 'radio1'
        option mode 'ap'
        option network 'WIFI_GUEST'
        option disabled '1'

# Main 5 GHz SSID, WPA2-PSK, attached to network 'WIFI'.
config wifi-iface 'wifinet4'
        option ssid 'ThePromisedLan-5Ghz'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option network 'WIFI'
        option key 'some_keyphrase'
/etc/config/firewall
# Global policies plus the lan and wan zones.
# NOTE(review): input 'ACCEPT' here is presumably what applies to any interface that no
# zone lists (WIFI_GUEST has no zone in this file) — confirm. Once every internal network
# has its own zone, 'REJECT' is the stricter default.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Zone for network 'lan', fully permissive.
# NOTE(review): a second zone further down ('LAN_WIFI') lists the same network 'lan'.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Zone for the uplink: inbound and forwarded traffic rejected, masquerading enabled.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# lan may initiate connections towards wan.
config forwarding
	option src 'lan'
	option dest 'wan'

# Exceptions to the wan zone's REJECT policy. These look like the stock OpenWrt rule set —
# confirm against a fresh install before assuming none was edited.

# DHCP replies to the router's own WAN client (udp/68, IPv4).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# IPv4 echo-request from wan to the router is accepted.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IGMP from wan (IPv4).
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies to the router (udp/546), limited to fc00::/6 source and destination.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 types 130, 131, 132 and 143 from link-local sources (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ESP forwarded from wan into lan.
# NOTE(review): this rule and Allow-ISAKMP below open wan-to-lan forwarding for IPsec; if
# no IPsec endpoint runs on lan they can presumably be removed — confirm before deleting.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# udp/500 forwarded from wan into lan.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Pulls in /etc/firewall.user; its contents are not shown here and should be reviewed
# together with this file.
config include
	option path '/etc/firewall.user'

# Zones and forwardings for the wireless networks. A forwarding only allows the src zone
# to initiate connections towards the dest zone.

# Main wireless zone, fully permissive; may reach wan and lan.
config zone
	option network 'WIFI'
	option input 'ACCEPT'
	option name 'WIFI'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'WIFI'

config forwarding
	option dest 'lan'
	option src 'WIFI'

# NOTE(review): second zone listing network 'lan' (zone 'lan' above already covers it).
# Two zones over one network make the effective policy hard to reason about; the
# forwardings that use 'LAN_WIFI' could use src 'lan' instead — verify and drop the
# duplicate.
config zone
	option name 'LAN_WIFI'
	option input 'ACCEPT'
	option network 'lan'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'WIFI'
	option src 'LAN_WIFI'

# IoT zone. No forwarding in this file has src 'WIFI_IOT', so IoT clients cannot initiate
# connections to wan or to the other zones, which matches the goal stated in the post.
# NOTE(review): input 'ACCEPT' lets IoT clients reach every service listening on the
# router itself. The stricter setup is input 'REJECT' plus explicit rules for what the
# devices need from the router (typically DHCP on udp/67 and DNS on port 53).
config zone
	option network 'WIFI_IOT'
	option input 'ACCEPT'
	option name 'WIFI_IOT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Wired and main wireless clients may initiate connections to IoT devices.
config forwarding
	option dest 'WIFI_IOT'
	option src 'LAN_WIFI'

config forwarding
	option dest 'WIFI_IOT'
	option src 'WIFI'

# NOTE(review): there is no zone for network 'WIFI_GUEST' in this file. Add one with
# input 'REJECT' and a forwarding to wan only before the guest SSID is enabled.

TP-Link 1043ND config

/etc/config/network
# 1043ND (access point): a single bridged network with no additional VLANs.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb2:309e:ec27::/48'

# Bridge over eth0.1 and eth1; the AP takes its own address as a DHCP client.
# NOTE(review): everything attached to this bridge shares one layer-2 segment with the
# uplink, so clients get whatever the upstream DHCP server hands out on that segment (the
# post reports 10.0.0.x) and are treated as 'lan' clients by the main router's firewall.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1 eth1'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# Only VLAN 1 exists: ports 0-4 untagged, port 5 tagged.
# NOTE(review): no switch_vlan section carries VLAN 3 or 4 tagged on the uplink port, so
# the tagged VLANs configured on the main router have no counterpart here, and the IoT
# SSID cannot be kept separate from 'lan' on this AP.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4 5t'
/etc/config/wireless
# 1043ND radio and its only SSID.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ahb/180c0000.wmac'
	option htmode 'HT20'

# NOTE(review): SSID 'OpenWrt' with encryption 'none', attached to network 'lan'. No
# 'option disabled' is visible, so the radio is presumably up: an unauthenticated SSID
# bridged straight into the wired LAN segment. Set 'psk2' with a key, or disable the
# interface, until the per-SSID VLAN setup is in place.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
        # NOTE(review): on a wifi-iface, 'ifname' only names the wireless device; it
        # presumably does not attach the SSID to VLAN 1234. The bridge membership comes
        # from 'option network' — confirm.
        option ifname 'eth0.1234'

Doesn't look like you are tagging the VLAN on the trunk on the DLINK side.
Maybe provide screenshots from the "switch" page of both routers, and also indicate which port the trunk is connected to.


You aren't bridging the wireless interfaces to any VLAN, or trunking the networks over the wired connection... are you sure you followed the guide?


C7

Don't use the internet nameservers on internal interfaces; they should be used on the wan only, where they are reachable.

vlan1234 isn't defined.

Interface WIFI_GUEST is missing the netmask.

1043
There are no vlans defined.
