Good evening everyone. I have been watching OneMarcFifty videos about home network configuration using OpenWRT and I want to implement this in my home. However, I have a lot of problems. As my router after the ISP's device I have a Mikrotik RB750gr3. As APs on two floors I have TP-Link TL-WA1201. All devices run OpenWRT 22.03. I need to connect (and power up) the APs using a single ethernet cable.
I need 4 wireless networks: personal, IoT, Guest and maybe one for devices like printer, NAS, Smart TV. Personal can access everything + internet. IoT can be accessed only by personal + no internet access. Guest can access only the internet and the last one can be accessed from personal but has no internet access. Of course this needs to be done using VLANs. I would like to use FastRoaming for personal with the 1st floor AP as the main one, and the rest (ground and 2nd) as dumb APs.
Because of the port limitation I need to use trunk ports. The future switch would need to be managed probably.
I tried different configurations but unfortunately with no luck till now. I am starting from scratch at the moment, but perhaps somebody can help me? I would be very grateful.
The videos I have used:
I tried different approaches and setups, not only from the above videos (for example this one: https://www.youtube.com/watch?v=2R40KE9aUz4). Unfortunately with no luck.
I don't know where to start. Should the br-lan bridge bridge also VLANs? Or should I create VLAN bridge separately?
When I think the configuration should work I try to connect to wireless and see what IP address I have been given, and it's completely outside the pool I should be in. The ping gives 100% loss, and I lose the wired connection to the router and/or AP even though the LAN port I am connected to is marked as untagged.
I beg for help; right now I don't even know where to start.
Below is the setup I am trying to accomplish:
I have set up something quite similar to yours, but with two Archer C7s and only three VLANs (LAN, Guest, and IOT). I use a single cable trunk to connect the main router to the second, which is a dumb AP. On the Archer C7s (which don't support DSA) I had to create a bridge for each VLAN, and of course set up VLAN tagging so that all VLANs are tagged on the trunk ports on both routers. I would recommend starting with your main router and one AP only, and setting up and testing wired connectivity before adding the wifi. Then the other two APs will be near-clones of the first one. I'm happy to share screenshots of my configuration if that will help.
I have tried many different configurations and resets.
At this stage I don't even know how many bridges I should have, which devices should be part of which bridge, or what IP addresses should be set. Nothing works for me at the moment.
I think that for physical port 3 on the router there should be VLANs for IoT, Guest and personal. The same for ports 4 and 5 (the numbering starts from 2, which is used for the connection to the router, and in the future I plan to connect the managed switch here).
I tried to start small with the main VLAN for personal, which could be untagged (I guess), and one for IoT, which should be tagged. All of this for one AP connected to port 3 of the router. After achieving that I would then try to extend to the second AP and to more VLANs along with firewall rules.
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
Thanks for posting your configs. We'll start with one additional network on the router, then once that is configured, we'll move on to the AP. From there you can repeat the process for the other VLANs.
So let's do this methodically and map out the specific VLAN membership per port, as well as the tagged/untagged status. Let's list the final goal here, even though we'll work on one at a time. You may have zero or one untagged network on a port, and you may have zero, one, or many tagged networks. It is important that the downstream devices match the tagging status.
So, for example (just making this up):
VLAN 1 = lan
VLAN x = guest
VLAN y = IoT
Port 2: VLAN 1 untagged
Port 3: VLAN1 untagged, VLAN x and VLAN y tagged
Port 4: VLAN 1 untagged, VLAN x and VLAN y tagged
Port 5: VLAN x untagged
Can you create a map like the one above but with your actual goal per port?
I think I can assume that adding a tag for the LAN gives an additional level of protection, but let's be optimistic - somebody then needs to connect by wire to the network devices to gain control. Right?
So with that in mind VLAN 1 could be untagged and it should look something like this:
VLAN 1 = lan
VLAN 20 = guest
VLAN 30 = IoT
VLAN 40 = NAS
Ports on the router:
Port 2: VLAN 1 untagged, VLAN 20, 30 and 40 tagged (I assume that in the future this would be a port to connect a switch to extend to wired devices through the whole house). This is also the port on which the configuration of the router takes place.
Port 3: VLAN 1 untagged, VLAN 20, 30 and 40 tagged
Port 4: VLAN 1 untagged, VLAN 20, 30 and 40 tagged
Port 5: VLAN 1 untagged, VLAN 20, 30 and 40 tagged
Is there a reason to have the VLAN 1 tagged for any port in this configuration?
Sort of, but that's not really what the tag is for. Non-VLAN aware devices won't know how to work with tagged ethernet frames, but beyond that, it's really just a form of 'security by obscurity' and not a real security measure.
The purpose of the tag is simply to keep things organized. The tag informs the router/switch/AP which VLAN a given frame belongs to. You cannot have more than one untagged network on a port because otherwise it would cause ambiguity.
Maybe. While the 802.1q standard allows you to have zero or one untagged + zero, one, or many tagged networks, sometimes you should not use any untagged networks. Two reasons for this:
Some people have a personal/professional opinion that you should never mix untagged + tagged frames. All tagged if you're running a trunk. It can reduce mistakes and ambiguity and makes the trunk very intentional and well described.
Some hardware just doesn't work well with a trunk that has an untagged network included. Ideally, it would work (since the standard allows this), but sometimes stuff just doesn't work for some reason or another.
I've personally never had an issue with untagged + tagged mixed, though.
So let's start here:
Add this:
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config interface 'guest'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
and edit the lan so that it looks like this (br-lan becomes br-lan.1)
This sets up the network interface for vlan20 (guest) tagged on all ports. You'll probably want a DHCP server on that network. And you'll also need to assign the network to a firewall zone -- set it to the lan zone for now and this can be changed later.
Once that's done, let's review the config. From there, we'll set up your AP for this VLAN.
As in the above linked example, your RB750gr3 has been converted to DSA and your TP-Link TL-WA1201 APs are still using swconfig. You will not be setting up wireless on your RB750gr3 of course - it doesn't have it. And you may want to name your VLANs differently, add more, etc., but it is very close to what you want to accomplish.
Looks good on the router network config. We should check the firewall and DHCP files if the following doesn't 'just work'.
On the first AP, add the following:
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.20'

config interface 'guest'
	option device 'br-guest'
	option proto 'none'
Then, go to the wireless configuration. There you will create a new SSID and connect it with the guest network. Finally, connect a computer to the new SSID and see if it gets an IP address and connectivity.
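The per-port map and the two snippets above (the router's DSA bridge-vlan sections and the AP's swconfig-side bridge) can be generated from one table, which also lets you check the rule from the thread that a port carries at most one untagged VLAN. This is an added example, not code from the thread or from OpenWrt; the port names (lan2..lan5, eth0) and VLAN ids (1, 20, 30, 40) are the ones used in the posts, and the AP's own `config switch_vlan` mapping is not generated here.

```python
# Added example: validate a per-port VLAN map and emit OpenWrt UCI sections.
# Constructed map matching the poster's goal: VLAN 1 untagged, 20/30/40 tagged
# on every LAN port of the router (names as used in the thread).
ROUTER_PORTS = {
    "lan2": {1: "u", 20: "t", 30: "t", 40: "t"},
    "lan3": {1: "u", 20: "t", 30: "t", 40: "t"},
    "lan4": {1: "u", 20: "t", 30: "t", 40: "t"},
    "lan5": {1: "u", 20: "t", 30: "t", 40: "t"},
}

def validate(ports):
    """802.1Q rule from the thread: at most one untagged VLAN per port."""
    errors = []
    for port, vlans in ports.items():
        untagged = [v for v, mode in vlans.items() if mode == "u"]
        if len(untagged) > 1:
            errors.append(f"{port}: more than one untagged VLAN {untagged}")
        for v, mode in vlans.items():
            if mode not in ("u", "t"):
                errors.append(f"{port}: bad mode {mode!r} for VLAN {v}")
    return errors

def router_bridge_vlans(ports, bridge="br-lan"):
    """DSA-style 'config bridge-vlan' sections, one per VLAN id.
    Untagged members get 'u*' (untagged + PVID), as in the reply above."""
    vlan_ids = sorted({v for vlans in ports.values() for v in vlans})
    out = []
    for vid in vlan_ids:
        out.append(f"config bridge-vlan\n\toption device '{bridge}'\n\toption vlan '{vid}'")
        for port, vlans in ports.items():
            mode = vlans.get(vid)
            if mode == "u":
                out.append(f"\tlist ports '{port}:u*'")
            elif mode == "t":
                out.append(f"\tlist ports '{port}:t'")
    return "\n".join(out) + "\n"

def ap_bridges(names, trunk="eth0"):
    """swconfig-style AP side: one bridge per tagged VLAN with proto 'none'
    (the AP does not route; the router serves addresses over the trunk)."""
    out = []
    for vid, name in names.items():
        out.append(f"config device\n\toption name 'br-{name}'\n\toption type 'bridge'"
                   f"\n\tlist ports '{trunk}.{vid}'")
        out.append(f"config interface '{name}'\n\toption device 'br-{name}'\n\toption proto 'none'")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    assert not validate(ROUTER_PORTS)
    print(router_bridge_vlans(ROUTER_PORTS))
    print(ap_bridges({20: "guest", 30: "iot", 40: "nas"}))
```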