Please review my VLAN network config

Hi, I'd like a config review of my network setup. It is working, but I'd like some comments if the setup could be simplified or improved.

I'm using a Netgear WAX220 (1 network port, no integrated switch), and I was initially planning to implement VLAN assignment via 802.1x, but then switched to a type of iPSK setup due to a lack of WPA support in some of my IOT devices. The network config is the same in both cases. The Netgear device is in AP mode; I am using an external device as router.

I have followed https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x for the network setup.

I have:

  • VLAN 10: the lan network, which is also the management network.
  • VLAN 11: the IOT network
  • VLAN 12: a guest network.

My /etc/default/network file is:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd49:60ec:fb6a::/48'
        option packet_steering '1'

config device
        option name 'eth0'
        option macaddr '94:18:65:4e:09:b1'

config device
        option name 'br-vlan10'
        option type 'bridge'
        list ports 'eth0.10'

config interface 'vlan10'
        option device 'br-vlan10'
        option proto 'dhcp'

config device
        option name 'br-vlan11'
        option type 'bridge'
        list ports 'eth0.11'

config interface 'vlan11'
        option device 'br-vlan11'
        option proto 'dhcp'

config device
        option name 'br-vlan12'
        option type 'bridge'
        list ports 'eth0.12'

config interface 'vlan12'
        option device 'br-vlan12'
        option proto 'dhcp'

So everything works, but looking at the output of ip a I see a bridge interface br-vlanXX and an eth0.XX interface. The latter is up, but does not have any IP address assigned -- I suppose this is the network port of the bridge.

Given that I have only one network interface on the access point, do I really need to set up a bridge? What would your config look like if you had to do the same setup?

Thanks,
Thomas

Infohills, thank you very much, this is a perfect answer, I'm glad my understanding is not miles off. I'll try the simplified config tonight!

I've been wondering about the same thing recently. The wireless config wiki mentions that the network should be a bridge. I know it works if you even put raw eth0.11 etc. there. Is the wiki page wrong?

Specifies one or multiple logical network interfaces declared in the network configuration, each one should be a L3 bridge to be able to attach this L2 wireless interface.

A bridge is necessary to transfer from a wifi AP to a hardware Ethernet port.

Put where? In /etc/config/wireless as the Network? If that does work, it must work by internally creating a bridge.

If the wifi AP is served internally by the kernel (e.g. a locally routed guest network), it can be attached directly to a network interface and the IP will be held on the AP. It is still recommended to make a bridge here so that more than one device can be in the network, such as a pair of APs for dual band.


Yes, the network option value. I made a mistake earlier and I actually meant an interface based on a raw network interface, for example:

config interface 'iot'
        option proto 'dhcp'
        option device 'eth0.11'
        option hostname '*'

which can later be assigned to a wireless network:

config wifi-iface 'wifinet9'
        option device 'radio0'
        option mode 'ap'
        option isolate '1'
        option network 'iot'
        option ssid '----'
        option encryption 'psk2+ccmp'
        option key '----'

I'm guessing that in fact it does create an internal bridge, because you can specify multiple networks to be connected to an SSID.

BTW it seems like post #2 from this thread is gone.

The configuration as you have it is correct, in terms of the bridge constructs.

I would recommend that you make all interfaces unmanaged except for the one that is used to actually manage the device itself.

For example, if VLAN 11 is not used to manage the device (for example, maybe it is the guest network), it would use proto none instead of dhcp, like this:

config interface 'vlan11'
        option device 'br-vlan11'
        option proto 'none'

You must use a bridge if you are using 2 or more physical interfaces:

  • ethernet + wifi
  • multiple wifi radios
  • multiple ethernet interfaces (there is nuance in this specific one if you are using swconfig vs DSA vs individually routed ports; but out of scope for this discussion since we are looking at the first case anyway).
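As an added check (my own code, not from this thread or from OpenWrt), this small UCI parser audits /etc/config/network together with /etc/config/wireless for the two points made above: interfaces other than the management VLAN that still hold an address, and single-port bridges that no wifi-iface attaches to. The sample input is constructed from the poster's VLAN layout; the wifi-iface on vlan11 is hypothetical.

```python
import shlex

def parse_uci(text):
    """Minimal parser for OpenWrt UCI files. Returns a list of sections, each a dict
    with 'type', 'name' (None for anonymous sections), 'opts' and 'lists'."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == 'config':
            name = parts[2] if len(parts) > 2 else None
            sections.append({'type': parts[1], 'name': name, 'opts': {}, 'lists': {}})
        elif parts[0] == 'option' and sections:
            sections[-1]['opts'][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and sections:
            sections[-1]['lists'].setdefault(parts[1], []).append(parts[2])
    return sections

def audit(network_text, wireless_text, mgmt_iface):
    """Return (interface, message) findings for the two things the thread discusses:
    an IP held on a VLAN that is not the management VLAN, and a single-port bridge
    that no wifi-iface attaches to (nothing is bridged, so eth0.X alone would do)."""
    net, wifi = parse_uci(network_text), parse_uci(wireless_text)
    wifi_nets = {n for s in wifi if s['type'] == 'wifi-iface'
                 for n in s['opts'].get('network', '').split()}
    bridges = {s['opts']['name']: s['lists'].get('ports', []) for s in net
               if s['type'] == 'device' and s['opts'].get('type') == 'bridge'}
    findings = []
    for s in net:
        if s['type'] != 'interface' or s['name'] == 'loopback':
            continue
        proto, dev = s['opts'].get('proto', 'none'), s['opts'].get('device', '')
        if s['name'] != mgmt_iface and proto != 'none':
            findings.append((s['name'], f"proto '{proto}' on a non-management VLAN; use proto 'none'"))
        if dev in bridges and len(bridges[dev]) == 1 and s['name'] not in wifi_nets:
            findings.append((s['name'], f"bridge {dev} has one port and no wifi-iface; not needed"))
    return findings

def vlan_block(n, proto='dhcp'):
    """Constructed sample: one bridged VLAN in the shape the poster used."""
    return (f"config device\n option name 'br-vlan{n}'\n option type 'bridge'\n"
            f" list ports 'eth0.{n}'\nconfig interface 'vlan{n}'\n"
            f" option device 'br-vlan{n}'\n option proto '{proto}'\n")

# Constructed sample input: three dhcp VLANs, with a hypothetical wifi-iface on vlan11 only.
NETWORK = ''.join(vlan_block(n) for n in (10, 11, 12))
WIRELESS = ("config wifi-iface 'wifinet9'\n option device 'radio0'\n option mode 'ap'\n"
            " option network 'vlan11'\n option ssid 'iot-ssid'\n")
```

Running audit(NETWORK, WIRELESS, 'vlan10') flags vlan11 and vlan12 for holding an address and vlan10 and vlan12 for bridges nothing else attaches to; with proto none on vlan11 and vlan12 only the bridge findings remain.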

Yes... the author of that post turned out to be a spammer. I suspect that the content itself was AI generated. I've looked at the contents of the deleted post and (aside from the questionable generation of the post itself) it is actually incorrect on all the technical aspects, so I will not be restoring it.


Thanks for the explanation! I'll remove the IP address on the other interfaces.