pfSense, switches, vlans, openwrt and wifi, oh my!

Think this is my first post here, but I've been an irc lurker and semi dev for quite some time.

My physical network layout is like so:
isp-device<->pfsense-7100<->aruba-s2500p[3]<->meraki-mr24[15 or so].
the meraki mr24's are configured as dumb aps without vlan stuff (yet; I've been
tinkering so some do but it's not a finished project yet)

pfsense currently has three manually configured vlans:
66: 'guest', meant for wireless devices on a 'GuestWiFi' ssid
77: 'management', speaks for itself.
88: 'security', dvrs and ip cameras and such.
99: 'office', office machines and such.
more may come, but this is enough to get across what I want.

The connection between pfsense and switch is 'trunked'. switch to switch is also trunked,
but we'll only deal with one for now. switch to meraki is also trunked but not sure if it should
be.

What I'd like:
separate SSIDs on the merakis per vlan (the meraki only has one ethernet port, btw).
only the mgmt vlan has an ip address for the meraki, and the web interface for it
is on mgmt vlan.
each ssid goes to each vlan and can get 'internet'

the major crux of the issue is I can't figure out how to 'trunk' the eth port
on the merakis, or how to have vlans attached to wifi without giving them
an ip address/interface.

# /e/c/network fragment

config device
  option type bridge
  option name br-lan

config bridge-vlan
  option device br-lan
  option vlan 66
  list ports eth0:t

config bridge-vlan
  option device br-lan
  option vlan 77
  list ports eth0:t

config bridge-vlan
  option device br-lan
  option vlan 88
  list ports eth0:t  

config bridge-vlan
  option device br-lan
  option vlan 99
  list ports eth0:t  

config interface mgmt
  option proto static    # alternatively consider proto dhcp
  option ipaddr 192.168.1.200/24
  option gateway 192.168.1.1
  option dns 192.168.1.1
  option device br-lan.77

config interface guest
  option proto none
  option device br-lan.66

config interface security
  option proto none
  option device br-lan.88

config interface office
  option proto none
  option device br-lan.99


# /e/c/wireless fragment

config wifi-iface 
  option device radio0
  option network guest
  option mode ap
  option ssid guest-wifi
  ...

config wifi-iface 
  option device radio0
  option network security
  option mode ap
  option ssid security-wifi
  ...

config wifi-iface 
  option device radio0
  option network office
  option mode ap
  option ssid office-wifi
  ...   
2 Likes

the above works, for any future googlers who may show up

1 Like

Is there a 'modern way' to do this? the config fragments they gave
were, well, fragmentary, and attempting to replicate it for modern
openwrt with dsa is not working out.
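
The goal stated in the first post (the AP holds an address only on the management VLAN, and every SSID is bridged to a tagged VLAN interface) can be checked against a config before it goes onto an AP. The following is an added example, not code from this thread or from OpenWrt: an offline checker over UCI text, where `parse_uci`, `audit` and `SAMPLE` are names assumed for this example and the sample config is constructed.

```python
import shlex

def parse_uci(text):
    """Parse UCI text into (type, name, options) tuples; option values are lists."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # strips quotes and '# ...' comments
        if tok[:1] == ["config"] and len(tok) > 1:
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok[:1] in (["option"], ["list"]) and sections and len(tok) > 2:
            sections[-1][2].setdefault(tok[1], []).append(" ".join(tok[2:]))
    return sections

def audit(config, mgmt=("mgmt",)):
    """List deviations from: address only on mgmt, SSIDs only on tagged VLANs."""
    secs = parse_uci(config)
    tagged = {o["vlan"][0] for t, _, o in secs if t == "bridge-vlan"
              and "vlan" in o and any(p.endswith(":t") for p in o.get("ports", []))}
    ifaces = {n: o for t, n, o in secs if t == "interface"}
    findings = []
    for name, o in ifaces.items():
        if name not in mgmt and (o.get("proto", ["none"])[0] != "none" or "ipaddr" in o):
            findings.append(f"{name}: AP gets an address outside the management VLAN")
        if (vid := o.get("device", [""])[0].rpartition(".")[2]) not in tagged:
            findings.append(f"{name}: VLAN {vid or '?'} is not tagged on any bridge port")
    for t, _, o in secs:
        for n in o.get("network", ["(unset)"])[0].split() if t == "wifi-iface" else []:
            if n in mgmt or n not in ifaces:
                findings.append(f"ssid {o.get('ssid', ['?'])[0]}: bound to {n}")
    return findings

# Constructed sample with three deliberate mistakes (not a config from the thread).
SAMPLE = """config bridge-vlan
  option vlan 66
  list ports eth0:t
config interface mgmt
  option ipaddr 192.168.1.200/24
  option device br-lan.77
config interface guest
  option proto dhcp
  option device br-lan.66
config wifi-iface
  option network guest
  option ssid guest-wifi
config wifi-iface
  option network mgmt
  option ssid office-wifi
"""
print("\n".join(audit(SAMPLE)))
```

Fed the network and wireless fragments posted earlier in the thread, concatenated into one string, `audit` returns an empty list.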
