Network consolidation using VLAN over WLAN interfaces

Yes, after some fiddling I believe VLAN functionality on that DSL router is not meant to be used in normal network traffic (but rather as you said with IPTV and VoIP).

There are interface groups, however only one group can use WAN Interface (in my case ADSL/ppp1). So these groups are pretty much useless for me.

My only hope, is that VLAN functionality works, so I can make one of OpenWrt routers primary one and second one dumb AP.

In OpenWrt, VLANs work fine so you can differentiate LAN from Guest traffic.

If you can rewire your network, VLAN support in the DSL router is not needed. In fact, you could even set it to bridge mode:

  • Disconnect PC#1 from the DSL router, and connect it to OpenWrt#1 or #2 LAN.
  • Set up OpenWrt#1 as a dumb AP. Connect its LAN port to OpenWrt#2 LAN, and disconnect it from the DSL router.
  • Use OpenWrt#2 as the router and DHCP/DNS server, its WAN port remains connected to the DSL router.
  • Now the DSL router has only one client left (OpenWrt#2). Reconfigure the DSL router to bridge mode, and adjust OpenWrt#2 WAN configuration if necessary.
  • Enable VLAN tags for the LAN and Guest subnets on the link between OpenWrt#1 and OpenWrt#2.

Finally, please note the warning at the top of the TP-Link TL-WR841N/ND device page.

2 Likes

Yes, this makes lot of sense. However rewiring is not very comfy job and would require lot of new cables, drilling ... (I live in two-storey house).

Regarding TP-Link TL-WR841N/ND. Yes it's very obsolete now, but I plan to give it second wind by replacing it's FLASH - NOR Memory with 16mb one (or if I fail soldering, I would buy new router).

Second wind, but brief, if any, as flash won’t resolve RAM exhaustion.

1 Like

Currenly it has 5megs free. But RAM can be upgraded too.

With a budget for new hardware, I could think of a few more alternatives to work around possibly limited VLAN support in the DSL router:

  • Buy a switch with 802.1Q tagged VLAN support and put it next to the DSL router.
  • Buy an OpenWrt-supported router to replace the TP-Link TL-WR841N/ND v8, and use the latter as a VLAN-capable switch (100 MBit/s only) next to the DSL router.
  • Again, buy an OpenWrt-supported router, but connect it next to the DSL router, which can then be set to bridge mode. OpenWrt #1 and #2 become dumb APs. The new router will handle VLANs, SQM, DHCP/DNS and all the other OpenWrt features.
  • An OpenWrt router with integrated DSL modem works well for me on ADSL. The VRX200 Lantiq SoCs will max out around 50 MBit/s network throughput when SQM is enabled, and I have seen reports that DSL sync speed can be lower than other DSL modems, especially when connected to a Broadcom DSLAM at higher line speeds.

Thank you for your advices. I decided (upon your suggestions), to replace old DSL router with TD-W8980, which has lantiq chipset and can run openwrt. Also I bought mikrotik hex PoE router mainly for IP cameras, but can also be used for something else.

But now I have another question. Let's say I will replace TL-WR841N/ND v8 with mikrotik and make TL-WR841N/ND v8 just dumb AP connected to mikrotik router. I understand, that this is more question for mikrotik's RouterOS, but wondering if it's even possible, to have two VLANs on mikrotik (one for wired and non guest wifi and second for guest wifi)? They both will use share WAN port connected to TD-W8980. I heard about VLAN trunking, but really don't get the concept.

VLAN on Ethernet adds a "tag" to the front of the packet that says which "virtual wire" the packet belongs on. NICs on the other end of the wire only "read" packets where the tag matches what they've been configured for. Since each packet has a tag saying which "Virtual LAN" it belongs to, you can send several different ones over the same wire and it all gets sorted out at the other end.

2 Likes

You cannot directly use vlans on top of wifi but you could use something like multiple gre tap tunnels and bridge them to the corresponding ethernet vlan devices on each end.

2 Likes

As jow correctly points out, segregating traffic over a single, 802.11 link can't be done using VLANs as they aren't supported by 802.11.

If what you're trying to do is segregate traffic that is from multiple (Virtual) APs ("SSIDs") on an Ethernet link, that is a simpler task, assuming both routers can be properly configured. The general pattern is:

  • Select a VLAN number for each "different" kind of traffic. I suggest not using VLANs 1 or 2 for "custom" configurations (some switches' drivers have an upper limit of, for example, 16 or 128 VLANs, making configuration of "VLAN 1000" a bit more complex1)
  • Create a VLAN-tagged interface on the "right" physical interface of the AP (Edit: I often use the "WAN" port and Ethernet interface on devices that aren't serving as a border router.)
  • Create a bridge over that interface
  • Configure the switch so that the trunk port is tagged for that VLAN and that it is tagged for the CPU port as well
  • Configure firewall rules (on all points where the VLANs come together) to prevent forwarding between VLANs, as well as "INPUT" to the device itself
  • Configure /etc/config/wireless to associate the proper VAP (SSID) with the bridge created above

Personally, I never run untagged traffic on a VLAN trunk. Since it's a link under my control, I make it very clear what goes where by using a VLAN tag on everything (and denying untagged traffic with devices that allow me to configure them in that way)

1 Configuration of high-numbered VLANs can be done with the vid and pvid UCI parameters. See https://openwrt.org/docs/guide-user/base-system/basic-networking#switch_configuration for some details.

3 Likes

Awesome. Thanks again. But wondering what Q over Q in routeros documentation is. I guest some propietary extension, but maybe I can use it.

QinQ is primarily for huge-scale enterprises for whom 1023 VLANs aren't enough. It is sometimes needed for home users as, for example, the ISP may set it up so that the "outer" VLAN is used for "Joe's connection" and the "inner" VLAN separates Internet, phone, and video.

1 Like

Do I understand it correctly, that I actually need to create two bridges one for LAN+WLAN and second just for GUEST WLAN on the AP? So that both bridges will contain their WLAN alias (not sure if it's correct term) and VLAN (eg. eth0.3 and eth0.4) port.

Also reading @jow answer. He is suggesting tap interfaces. How are those different from interface aliases in openwrt?

PS: I might be completely (once again) off with "alias" terminology.

Yes, that sounds correct. Each “network” gets:

  • It’s own (single) DHCP server, subnet, and some way to get DNS and probably NTP
  • It’s own VLAN-tagged, Ethernet interface
  • It’s own bridge over that VLAN-tagged interface
  • It’s wlan interface set to associate with that bridge
  • It’s bridge in it’s own firewall zone

“tun” and GRE are tunnels. They are used to send one protocol inside another. Packets put into one end of the tunnel "magically" appear at the other end. VPNs are one place where these are used (internally). Put a packet into your "tun0" interface and it appears at your VPN server. It wasn't sent "bare" over the Internet, but wrapped inside of something "safe" that the other end understands.

An interface "alias" is often used to provide a multiple addresses on a single, physical interface. It typically doesn't "wrap" the packets with anything, just alerts the interface driver and hardware to be able to use more than one address.

1 Like

Thanks @jeff. In mean time, I've also found quite nice howto I can follow. https://www.middling.uk/blog/2015/03/customising-openwrt-to-my-needs/

The last thing that worry me is the old TL-WR841N/ND v8. It will be used just as an dumb AP, but I still need to configure two VLANs on it. The only problem reading it's openwrt switch configuration page is

eth0 is directly connected to the WAN port.

Not sure how can this can impact me.

If it isn't connected to the switch, it means that as soon as you configure a VLAN tag on a sub-interface of eth0, it appears on the port.

Looking on switch config for ASUS WL-500g - https://openwrt.org/docs/guide-user/network/vlan/switch

makes think, that basically it just prevents data flow from WAN port to other ports, without passing through CPU. But apart from slower routing in some specific cases, it shouldn't limit me that much. Is my assumption correct? (Sorry for asking so many question, I promise this will be the last one for a long time ;).

EDIT: Or in other words WAN port is not part of the switch

On this model (and most with an Atheros internal 10/100 switching chip like the AR92xx and 93xx) the blue WAN port is a direct path into the CPU known as eth0. Simply declare VLANs such as eth0.1 eth0.2 in the physical settings of your network bridges.

In the intended use of a router connecting a LAN to the Internet, it is potentially faster since a single CPU port with VLANs in the switch would have to be shared between LAN and WAN purposes. In that use case, the CPU has to touch every WAN packet anyway for NAT translation.

4 Likes

Finally I've managed to setup some test VLANs between TL-WR841N (now just dumb AP) and Mikrotik.
It's not final, because I'm waiting for USB to UART bridge, so I can flash OpenWrt on TD-W8980B.
Hopefully after that, I will managed to setup Mikrotik to "passthrough" VLAN2 and VLAN1 from TD-W8980B to TD-W8980B.

This is new topology.