I'm trying to set up a VLAN-tagged SSID on OpenWrt (GL-MT6000, 24.10.1). The goal is for OpenWrt to act like a dumb AP: no routing, no DHCP, no firewall — just bridge the tagged traffic from Wi-Fi to the WAN port (eth1), where it’s sent to an OPNsense box for processing.
The OPNsense trunk port is confirmed working (tested with another VLAN-capable device). However, VLAN-tagged traffic from OpenWrt doesn't seem to reach it properly.
I do still have services running on eth1 (like LuCI and DHCP client), but I’m not sure if that would interfere with tagged VLANs on the same physical interface.
I’m relatively new to OpenWrt and probably just missing a config detail.
Hey, thank you so much for your time and help – I really appreciate it!
But I think there may have been a bit of a misunderstanding (either from me or the way I explained it), so I just wanted to clarify my actual goal:
What I want is this:
A dedicated SSID → tagged VLAN (e.g., VLAN 20) → sent out over eth1 (WAN port), without OpenWrt doing any routing, NAT, firewalling, or DHCP, just like a normal dumb access point.
Right now my setup is like this:
OpenWrt (eth1/WAN port) ----> OPNsense trunk port
You mentioned "please post your complete network config file" – I wasn’t 100% sure which files you meant, so for now I’ve just included my full /etc/config/network and /etc/config/wireless below.
Also just to clarify:
I do want to keep the br-lan bridge as it is – I don’t use those LAN ports right now, but I want to keep them as a backup access method, just in case I mess something up with the WAN port (eth1) while testing VLAN settings.
/etc/config/network
```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdXX:XXXX:XXXX::/48' # masked
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '20'
	option name 'eth1.20'

config interface 'vlan20'
	option proto 'none'
	option device 'eth1.20'
```
Nope... I understood exactly what you are trying to do.
Sure. You only need one port to use as a backup, but we can leave it untouched if you want. Alternatively, you can use them to prove that the VLANs are working through the device.
Typically, AP will have an address on (one of) the upstream network(s) so that you can reach it on a trusted or management network without requiring a special connection such as your lan port backup.
The only VLAN I see thus far is VLAN 20.
What are the other VLAN IDs you are planning on using?
Is there an untagged network on the trunk or are they all tagged?
What is the VLAN ID for the network that will be used to manage the device?
What is the address you want the device to use on the above network (or do you want it to use DHCP to obtain an IP)?
Meanwhile, in terms of the recommended changes...
Delete all of this:
Add eth1 to br-lan:
```
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'eth1'
```
Create bridge VLANs:
```
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth1:t'
```
1. I’m planning to use two static VLANs (20 and 30), plus one dynamic VLAN SSID (for clients that get VLAN tags via RADIUS).
2. There is an untagged network on the trunk – I’m currently using it for management. I’ve set up a firewall rule that allows access to SSH / luci on the WAN interface.
3. I’d like to keep that untagged network as the management network.
4. And I want the device to keep using DHCP to get its IP from that management network.
A big thank you for your help! The settings you provided are working perfectly in one way. My device successfully connected to the SSID, and VLAN 20 tagging is working correctly – traffic is reaching my OPNsense firewall, as expected. I really appreciate your support!
However, I still have a couple of things I'd like to ask for some assistance with:
Dynamic VLAN: Would it be possible to help me set up dynamic VLANs? I’m looking to get that working in my network as well, and I would really appreciate any guidance you can provide.
Reachability from the Trunk: Currently, I can only reach my OpenWrt device by connecting a device to the LAN ports. However, I would like to be able to access OpenWrt directly from the management network (trunk network), like I was able to do when the WAN was set up with DHCP. Could you guide me on how to achieve that?
You’ve really saved me a lot of time and headaches with your guidance, and I truly appreciate the effort you’ve put in. You’ve been a huge help! I spent days trying to get it working.
This is an area that I can't advise, but this will require the RADIUS server and WPA(2 or 3)-Enterprise.
That is expected based on the current config.
Yup...
Let's add the other 2 networks by adding in the following:
```
config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'eth1:t'

config interface 'management'
	option device 'br-lan.2'
	option proto 'dhcp'

config interface 'vlan30'
	option proto 'none'
	option device 'br-lan.30'
```
You'll want to add the management network to the lan firewall zone (or add it to a new zone with option input 'ACCEPT') so that it can be used to reach the router itself.
And you can add wifi SSIDs for the new network(s) if desired.
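A small consistency check for the dumb-AP layout the thread arrives at, added here as an example (not code from the thread or from OpenWrt): it parses a /etc/config/network fragment and reports bridge-vlan members that are not ports of the bridge (the missing eth1-in-br-lan step), br-lan.N interfaces with no matching bridge-vlan N, and addressed interfaces on client VLANs. The sample config is constructed from the recommended changes above with the lan ports and VLAN 30 left out; the parser is a minimal one written for this check.

```python
import re
UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", re.M)
# Constructed sample: the thread's recommended layout (lan ports and VLAN 30 omitted).
SAMPLE = """config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth1'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'eth1:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'eth1:t'
config interface 'management'
    option device 'br-lan.2'
    option proto 'dhcp'
config interface 'vlan20'
    option proto 'none'
    option device 'br-lan.20'
"""
def parse_uci(text):  # -> list of (section type, section name, {key: value | [values]})
    secs = []
    for kw, key, val in UCI_LINE.findall(text):
        if kw == "config":
            secs.append((key, val, {}))
        elif kw == "option":
            secs[-1][2][key] = val
        else:
            secs[-1][2].setdefault(key, []).append(val)
    return secs
def check(text, mgmt="management"):  # returns findings; [] means the layout is consistent
    secs = parse_uci(text)
    bridges = {s[2]["name"]: s[2].get("ports", []) for s in secs
               if s[0] == "device" and s[2].get("type") == "bridge"}
    vlans = {(s[2]["device"], s[2]["vlan"]): s[2].get("ports", [])
             for s in secs if s[0] == "bridge-vlan"}
    # bridge-vlan members must be ports of the bridge (eth1 must be listed in br-lan)
    found = [f"vlan {vid}: port {p} is not a member of {br}"
             for (br, vid), ports in vlans.items() for p in ports
             if p.split(":")[0] not in bridges.get(br, [])]
    for typ, name, o in secs:  # every br-lan.N interface needs a bridge-vlan N
        if typ != "interface" or "." not in o.get("device", ""):
            continue
        br, vid = o["device"].rsplit(".", 1)
        if (br, vid) not in vlans:
            found.append(f"{name}: no bridge-vlan {vid} on {br}")
        if name != mgmt and o.get("proto") != "none":  # dumb AP: client VLANs carry no address
            found.append(f"{name}: proto {o.get('proto')} on a bridged VLAN")
    return found
```

Run `check(open("/etc/config/network").read())` on the AP after editing; an empty list means the bridge, its VLANs and the interfaces agree with each other.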