One network interface but 4 physical ports

My dumb ap running OpenWRT 23.05.0 has 4 physical ports but there's only a network device (eth0).
The br-lan bridge uses the eth0.99 vlan to connect to the internet.

I'm would like to do some VLANs stuff so I tought that I might need access to all the 4 ports individually.
How can I do that?

image

(p.s. i don't know what eth1 is)

Create new VLAN entries and then set the ports accordingly...

  • Access port: one VLAN assigned, untagged
  • Trunk port: 2 or more VLANs assigned, 0 or 1 VLAN untagged, 1 or many tagged VLAN.
    • A trunk's VLAN configuration must match the other side of the connection (i.e. the next connected device up/down stream).

A VLAN is only useful if it is connected to at least 2 ports (physical and/or CPU). If the VLAN is going to be routed and/or bridged to wireless, you'll need to include the CPU. Any VLANs that are connected to the CPU need to be tagged on the CPU port (eth0).

If you can describe your specific use case, we can guide you through how to set it up.

1 Like

What's the CPU?

I need to setup trusted and guest network (to be bridged to wireless) from my main OpenWrt router that handles DHCP.

The cpu is eth0 on the switch menu. This allows your setup to bridge Ethernet to WiFi.

Is your primary router already configured with a vlan for your guest network?

No, it isn't.

The primary router has 2 dhcp servers for 2 interfaces: lan and guest (that are bridged to wireless).
So I need to extend that networks to my dumb ap.

If you can't make your primary router present both vlans on a single a trunk/tagged RJ45 port there's two options to pass them to your OpenWRT:

Option 1: Just use two cables.

Make on RJ45 port of your OpenWRT device for the first vlan and another one for the second.
Make one RJ45 port in your OpenWRT device "vlan 1 (LAN) untagged" and the other RJ45 port "vlan 99 (GUEST) untagged".
Make sure every RJ45 port has only one untagged vlan setting and every RJ45 port has all other vlans set to ("not member")

Option 2: Add a managed switch

Get yourself a managed switch.
Configured the switch just like I described the first option.
Make a third RJ45 port of your managed switch to "tagged vlan 1 and vlan 99".

Wire your managed switch to your OpenWRT device

Make the port on your OpenWRT device that connects to the managed switch as "tagged vlan 1 and vlan 99".

Better: Expose both vlans directly from your first router

If your primary router is e.g. OpenWRT as well, or any other router that is capable:

Configure a rj45 port on your primary router to "vlan 1 tagged, vlan 99 tagged"
Configure a rj45 port on your OpenWRT AP to "vlan 1 tagged, vlan 99 tagged"

And what now?

Now you have a "physical interface" called "br-lan.1" device and a "br-lan.99" device on your dumb AP.
Create two different "logical interface" (in the "interfaces" section of LuCI) and set up individual wifi SSIDs.

The "Better" option that you explained will work with my network topology?

Primary router --> Managed Switch --> Dumb AP

And, I don't understand where I need to create the VLANs, in the "interfaces" section or "switch"?

Sorry if I didn't make myself clear.

The network setup "router -> managed switch -> dumb AP" with the managed switch in close proximity to the main router (put them on the same shelf) is what I meant by option 2. If your primary router cannot directly output tagged vlans to a single rj45 port, that's how you can merge two different networks that come as untagged and make them tagged on one line.

Here's some pictures:

Option 1:

option 1

PlantUML

Option 2:

PlantUML

Better:

better

PlantUML

That depends on your device. If there's a "switch" menu then you have legacy configuration "without DSA" (Distrubted Switch Architecture). If you have no "switch" menu then go to the "bridges" part within "interfaces".

That's what I see in your second picture.

Ok so, the primary router is also OpenWrt.

I was asking if the "Better setup" would work also if there's a managed switch in between the primary router and the dumb ap (that's my setup, the primary router is connected to a managed switch that on port eg. 8 is connected to my dumb ap, so the primary router isn't directly connected to my dumb ap).

As the "switch" menu is present, I need to use the legacy configuration through that menu? (yeah, I have no "bridges" section in the interfaces menu)
image

You'll need to add the appropriate VLAN tags to the relevant ports on the switch.

It would be easier to connect the dumb ap directly to my primary router?

It saves configuring the managed switch, but otherwise no.

Sure. Then you will get something like this:

PlantUML

If you have three devices where two are OpenWRT and one is a managed switch, it all depends on how you like it, honestly.

The only thing you need to make sure is that the ports you connect through a single wire are always "vlan 1 tagged, vlan 99 tagged" on both ends of that cable.

You can go router-switch-ap, router-ap-switch and switch-router-ap. All those lines will work when all 4 RJ45 ports involved here are set to "vlan 1 tagged, vlan 99 tagged". So maybe it boils down to what's the easiest way for you to run cables, and maybe how clean your cable management looks in which situation.

You said you needed all ports on your dumb AP for devices, you maybe don't go router-ap-switch, but that's purely considering the amount of rj45 ports you need on each location, not a "what's easier to set up" thing.

You've got the right spot in the second picture of your initial post. It has to be sete to "vlan filtering" (there might or might not be a checkbox that you cut from that picture). If there's checkbox: Tick it to on. If there's no checkbox, you're good without configuration. I already see a vlan 99 which is untagged on all ports except CPU. Make it "tagged" on the WAN port (like WAN because it indicates that's the one special port, but honestly it doesn't matter which port you use). Add a vlan 1, have port CPU tagged, ports 1 through 3 not a member and WAN tagged. Save and apply.
Your AP will become unavailable unless you reconfigure the corresponding port on the other device but that's not a problem.
Now configure the device on the other end of the wire accordingly.

So VLAN 99 will be my "trusted" network and VLAN 1 will be my "guests" network, right?

Well, from a general point of view, those numbers don't matter. You could pick any number between 1 and 4094.

But to be compliant to what's established in the OpenWRT world:

  • VLAN ID 1 is lan. That's what you find OpenWRT to be configured by default.
  • VLAN ID 2 is wan. That's what you find OpenWRT to be configured by default as well.
  • VLAN ID 3 and upwards are whatever you want them to be.

So I'd go 1 for lan and 3 for guest.

On a personal note: Once you crank up the number of VLANs (smart light bulbs get to be captured with no WAN uplink, printers get one that is Accassible form both, LAN and guest, office gets to be separated from personal just because I can, ...), I try to match my VLAN IDs somehow to the IP range they serve. 192.168.1.1/24 gets VLAN 1, 192.168.100.1/24 gets VLAN 100. Again, this is not a technical thing but it helps me to easily recognize when numbers are somehow off.