Hi, I'm not new to networking but pretty new to OpenWrt, that's basically why I'm here.
Having said that, let's get to the problem:
I'd like to configure my TL-WR841N with OpenWrt installed (obviously) as a "managed switch" and set it to use the WAN port as trunk to/from the main router (which is a Pfsense custom build). Here I have the diagram of the network I'd like to build
So, as said before, the VLANs are "created" in the "main" router which is the PfSense.
Everything is managed from there, I'd just like to set the OpenWrt to use WAN as trunk (for all the VLAN in/out traffic), set each LAN port to a different VLAN and set an IP to get access from outside the WAN interface.
If you think I wasn't exhaustive enough please ask for more info! Thanks a lot.
Awesome, practically speaking what I’m supposed to do, as I said I’m pretty new to OpenWrt. Is there any guide that shows how to bridge the interfaces one by one and assign them to different VLANs keeping in mind that the logical distinction won’t be made inside the openwrt but in the main router?
It works better to use one of the yellow "LAN" ports for the trunk so you can take advantage of hardware switching. This can be configured directly on the Network-Switch page.
For VLANs that have to go through the router CPU, either to go to wireless or to the blue "WAN" port, create an interface of type bridge for each VLAN.
Also the switch hardware in that chip prefers VLAN numbers less than 16. If you use higher numbers, a CLI configuration may be needed.
So basically what i need to do is assign an IP within the range of ones of my main router non dhcp leases (static IP) and then modify the network->switch section as I need. One thing that i didn't get btw is how can I assign one port to be the trunk one.
Here's some picture for a better understanding (at least for me and future users I guess).
This is the default configuration the OpenWrt comes with.
When I want to tag some interfaces (I'm supposing one of the LAN ports for the trunk, let's say port no. 1) I just type the VLAN ID in the port status section and then set the specific port (let's say no. 2) as tagged. Doing this for the rest of the ports (using VLAN tags 20, 30, 40) and I should get something like this.
Now assuming that what I did is correct, I should in some way set the trunk port and assign an IP within the LAN subnet of the main router to the device (this because I'd like to keep it as a "managed switch"). How can I do those two last steps?
EDIT: I forgot to mention the fact that the main router also provides DHCP for all the VLANs.
First you set up a "dumb AP" which means the LAN interface has a static IP and turn off the DHCP server on the LAN (both IPv4 and IPv6).
Whichever VLAN you attach to the LAN will be your management. This is done with eth0.X, X is the VLAN number, in the physical settings tab. Note that it is already VLAN 1 which is typically used for management.
A trunk port is tagged in all the VLANs. An access port is untagged in one VLAN and off in the others. Typically the CPU is also run as a trunk tagged in all the VLANs. This means you can attach it to networks with eth0.X, or you can leave it out of networks entirely.
If you have to create software bridges to use built in wifi or the blue WAN port (eth1), they should not have an IP address. Use protocol Unmanaged. Bridges operate at layer 2 driven by MAC addresses, they will pass any IP address through.
No. The port connected to the main router should be tagged in all VLANs, check them off in a vertical row. The ports connected to regular devices should be off in all the VLANs except the one you want the device to access.
Also what I said earlier I'm not certain if it's going to work with VLAN numbers higher than 15, due to the hardware.
Thanks @mk24 , I've lowered the VLAN ID according to your suggestion, and set the trunk port (LAN 1) as tagged for all the VLANs.
Then I've set everything off except the port which i want as VLAN X (2,3,4) which is instead "untagged"
This is the result:
By the way this setup doesn't look to work (at least for me). The connected devices fail to get a DHCP lease and even if I put them in static mode and assign them an IP in the VLAN network they don't have a valid connection even to the main router (the PfSense, which is also the VLANs provider).
Also when I use this setup i completely loose connection to the OpenWrt externally.
Any idea of what could be the problem?
VLAN 1 should be connected to the CPU (tagged) so there is a path to log into OpenWrt. It is also a good idea to set up a wifi AP to log into the router via wifi while configuring the Ethernet.
Make sure you're using the proper ports since the numbers from TP-Link may not be the same as the logical numbers on the switch page. Plug and unplug the cables and watch the status icons change. In your last picture you see that there is actually no connection to the trunk port.
@mk24 thanks again. I noticed the fact that the port was unplugged but that was just at the moment the screenshot was taken, so my bad. I tried as you said to set up a wifi AP, and leave the CPU as tagged and i managed to connect to the OpenWrt (one small victory I'd say) but still couldn't get a DHCP lease from the main router to the VLANs. I can't figure out why this is not working, I've read about VLANs in the maintime but it seems like we have done a textbook configuration, I don't see why it would not work tbh.
also
System/Startup/Firewall (disable)
Network/Interfaces/LAN (disable DHCP and all DHCPv6 services)
(assign IP address i.e. 192.168.1.253)
(assign gateway i.e. 192.168.1.1)
(assign DNS i.e. 192.168.1.1)
P.S. your TL-WR841N is old, substitute WAN for LAN1 in the pic, max vlan IDs up to 15, your wan port on eth0 or eth1 so may not be usable for a managed switch, my example show the WAN port on vlan2 or eth0.2
@94121-usr your solution works, the only problem is that if I leave an interface on the standard LAN (I mean I don’t want it to have VLAN traffic, just extend as a normal switch the main AP ports) it doesn’t work anymore. Neither from the VLAN port either the other ones can I access the internet or the OpenWrt webconfig (also the main router, the pfsense is unreachable)
