OPNsense (Router) + OpenWRT (Dumb AP) VLANs configuration

I am trying to set up VLANs from my main firewall/router (OPNsense) to my dumb AP, a TP-Link Archer C20 v5 (OpenWrt). My OPNsense router connects to the ISP, provides internet to the rest of the devices, and handles all DHCP and DNS. I want to set up the Archer C20 as a dumb access point.

I have already set up a few VLANs from the router to the managed switch and connected devices to specific ports (ports 1 and 2, untagged). However, I am facing an issue when configuring port 3 of the managed switch (TL-SG108E) to carry one untagged and one tagged VLAN. I think the issue is in my OpenWrt configuration.

Current Setup:
OPNsense router -> Managed Switch -> Dumb Switch -> Access Points, Laptops

OPNsense router -> tagged (port 8 of managed switch, trunk port)
VLAN 30 (Home) -> untagged (port 3 of managed switch), 10.0.3.0/24
VLAN 40 (Guest) -> tagged (port 3 of managed switch), 10.0.4.0/27
Access Point -> Connected on LAN1 port to dumb switch

Issue:
In OpenWrt, under Network > Switch, when I add VLAN 40 and set eth0 (CPU) to tagged and LAN1 (where the cable is connected) to tagged, I lose access to LuCI, and the configuration then reverts to its previous state.

Goal:
I want both "Home" and "Guest" SSID in my AP to connect to respective VLANs.
If I directly connect a device to Dumb Switch, I want device to use the Home VLAN.

I know this question is very similar to the post: Link
But in that post, the OP's issue was resolved using a DSA config, if I am not wrong. I also found out from this post that my device uses swconfig, not DSA: Link.

I can't figure out how to configure my device. Any help will be appreciated, thanks.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for the response.
Here are the details of my access point after a reset (the only change I made was switching the lan interface from a static IP to DHCP so the AP works in my setup):

ubus call system board

{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "TP-Link Archer C20 v5",
	"board_name": "tplink,archer-c20-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc6:a132:ff64::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option name 'eth0.2'
	option macaddr 'd8:44:89:f5:b4:ad'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'hybrid'
	option ra 'hybrid'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

So what do I need to do next?

Since VLAN 30 is untagged, it's not technically necessary to change what is now VLAN 1 -- it will work even though it has a different VLAN ID on the AP. But for consistency, you may wish to change VLAN 1 to VLAN 30.

To do that, edit VLAN 1 so that it looks like this (adding the `option vid '30'` line):

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '30'
	option ports '1 2 3 4 6t'

Then edit br-lan to use eth0.30.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.30'

Now we'll create the construct for VLAN 40: a switch VLAN, a bridge device, and an unmanaged network interface. I don't know which logical switch port corresponds to the physical port you are using on your device, but I'll guess logical port 1.

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vlan '40'
	option ports '1t 6t'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.40'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

Now you can create your SSID for the guest network, restart and test again.

Hello,
In the config for the VLAN 40 you provided:

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vlan '40'
	option ports '1t 6t'

I think you meant

config switch_vlan
	option vid '40' # in place of option vlan '40'

I tried the config you provided. After saving /etc/config/network, I am still able to access LuCI. However, when I reboot the AP, I can no longer reach it at the IP address I was previously using. Here is the /etc/config/network file just before I reboot the AP:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7f:e570:685d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.30'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '30'
	option ports '6t 1 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '40'
	option ports '1t 6t'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.40'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

When I save the above config and reboot the AP, I can no longer reach the AP at the IP address I was previously using. Kindly help.

Yes... thanks for catching my typo!

The config looks fine...

Is the AP getting a different IP address?

Because you're using DHCP client, you need to either set a DHCP reservation in your main router, or change this to static so that it always uses the same/known IP address.

Yes, I am already setting the IP 10.0.3.3 (Home VLAN) to the AP from my router.
I am able to access it, till I reboot AP.

Another thing I noticed when I was testing VLANs via LuCI: whenever the LAN1 port carries only untagged traffic, I can access the AP (Home VLAN 30, untagged on port 1).
But when I also add VLAN 40 (eth0 -> tagged, LAN1 -> tagged) and save & apply the config, I lose access to the AP.

I think the same kind of config ends up in /etc/config/network. Maybe that's why I cannot access LuCI? I don't understand why this happens, but I know that it does.

For the sake of clarity, I have attached a screenshot of my managed switch's VLAN settings.


Just to verify, the router is connected to port 8, and the AP is on port 3... is that correct?

Meanwhile, what happens if you manually set the lan interface of the AP rather than using DHCP?

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.3.3'
	option netmask '255.255.255.0'

Be sure to disable the DHCP server for the lan interface by adding this to the `config dhcp 'lan'` stanza in /etc/config/dhcp:

        option ignore '1'

Yes, but between the managed switch (port 3) and the AP there is a dumb switch (which probably should not matter).

I also tried the static IP assignment before rebooting, and I am left with the same issue. After the reboot I can't reach the OpenWrt page, the AP does not respond to ping, and SSH fails too. Below are the files just before the reboot:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd10:9422:e705::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.3.3'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.0.3.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 1 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '40'
	option ports '1t 6t'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.40'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Actually, this could be the problem. Remove the unmanaged switch.

As a rule, never pass tagged frames (VLANs/802.1Q tags) through an unmanaged switch -- it is not guaranteed to forward them intact, and some models drop them.

Hello, sorry for the late reply

Yes, I removed the unmanaged switch (connected the AP directly to the managed switch) and repeated the configs with both static IP and DHCP. My issue is not resolved, and I am still unable to access LuCI after a reboot (please note that I get a timeout error when I enter the access point's IP address).

Hello, anything else I should try?

Everything in the configuration looks right.

It is worth checking that the address 10.0.3.3 is not in use elsewhere. Aside from that, I see no reason why there would be an issue.

You could also reset the device to defaults, then manually recreate this configuration -- just in case there is some incorrect config element elsewhere that we haven't caught or some packages that you installed that are causing issues.

Thanks for the reply.

Yes, I double-checked, and that IP is indeed the one used by the AP; I assigned it manually as a static DHCP lease on the router.
I reset the AP and tried the same steps, keeping everything else at defaults, and the issue remains.

What physical port are you using on the AP to connect to the upstream network?

I am connecting the upstream network to the LAN 1 port of the AP.

I don't see any reasons that this wouldn't work.

Let's try this...

  1. Reset the device to defaults
  2. Disconnect it from your main network
  3. Connect your computer directly to one of the lan ports.
  4. Change the lan IP address to 10.0.3.3
  5. Commit the changes, restart.
  6. Make sure your computer picks up an address in the 10.0.3.0/24 network and that you can reach the router at 10.0.3.3.
  7. Add this to your network config file:
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '40'
	option ports '1t 6t'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.40'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'
  8. Restart the router and then repeat step 6. Assuming that is successful...
  9. Disable the DHCP server on the lan interface.
  10. Restart the router.
  11. Set your computer's IP address manually to 10.0.3.5/24 and then repeat step 6 again. If successful...
  12. Set your computer back to DHCP.
  13. Connect the AP to your main network.
  14. Connect your computer to the network via ethernet.
  15. Repeat step 6 again. If successful...
  16. Enable WiFi for the lan, and then do the same for the guest network.
  17. Test again.

@Listen - for a new user, you certainly come in with fists swinging. Please remember to keep it civil.

Although I cannot speak for the OP, nowhere in this thread was it suggested that the subnets chosen are “more secure” than any others. They all share the same characteristic of being RFC 1918 address ranges, and the security is no different from one subnet to another.

While I cannot confirm or refute the quality or accuracy of the opnsense videos on YouTube, I can unequivocally state that the addresses chosen do not directly indicate any issues with the opnsense configuration. There may be a correlation with these address ranges used in videos that give bad or erroneous advice, but that doesn’t mean that the op was actually using those videos for guidance.

The OP, like many others on the forum, is here to get specific assistance with OpenWrt. Suggesting that they have no idea what they are doing is both disrespectful and unsubstantiated.

This forum is obviously focused on OpenWrt. But bashing other router operating systems is not useful or even valid here. People choose their router OS for a variety of reasons, and security is one of them. I’m not versed in OPNsense, but I would expect it to be just as secure as OpenWrt or other well-developed router systems provided that it is properly configured. (And while OpenWrt is secure, it can also be made less secure by incorrect configuration, so it is no different in that regard -- proper configuration is necessary on all platforms.)

@Listen - I suggest you reconsider your approach here. It isn’t clear what you are trying to achieve - all we see is a rant with insults scattered about.


Thank you @psherman, I sincerely appreciate you standing up for me in this post. I didn't know that using a 10.0.x.x IP range could offend someone so much.

As for the detailed steps you wrote down, I followed all of them and have made some progress. Steps 1 to 15 were a success: I could access the OpenWrt LuCI page at 10.0.3.3 once I set a static IP and connected the AP directly to the managed switch.

In step 16, I also enabled WiFi for the lan interface with the SSID "Home"; I could connect my mobile phones to that SSID, and the internet worked fine.

Currently, I have a problem setting up the "Guest" SSID. I created the "Guest" SSID and attached it to the guest interface. I tried both "unmanaged" and "static IP" for the guest interface, but when I try to connect to the Guest SSID from a mobile phone, it shows "Obtaining IP address" and then fails to connect.

I truly appreciate and am grateful for all your guidance and support, thank you.