Question about isolating a wireless client

I have physically set up my home network using two openwrt routers: the first one is configured as the "main" router, sitting between my home network and my cable modem. Its wifi is disabled since it is located in the basement near the network panel. I have a wired connection going up the house to a second router which has been configured as an access point. This one is serving wifi. It's a TP-Link Archer C7 (https://openwrt.org/toh/tp-link/archer_c7).

Before today the Archer was using the stock firmware, where I set up a "Guest" wifi network. I used this network to isolate my work computer from my home network. Now that I have flashed openwrt on it, all wireless clients are on (what I believe is) a single vlan and so can all see each other.

I would like to set up vlans to isolate devices. What complicates things is the two-router configuration: one is a wireless access point and the other is wired only.

I'm seeing guides to configure wired connections for vlans, but I'm wondering if it's possible to do so with the wireless connections?

So my questions are:

  1. Can I create multiple vlans on the wireless network so that I can isolate my work computer, my personal ones, the playstation and some IoT devices?
  2. Do I need special support from the wireless access point (e.g. radios)?
  3. If there are any limits, what are they for the Archer C7?
  4. And more importantly, how can I achieve this using openwrt and my physical setup?

Thanks!

I just did it myself: [Solved] How can I get guest Wifi Vlan ID to work on a dumb AP?

Yes.

Yes, but it's already there (under the hood)... just needs configuration.

No practical limits for a normal home network with <=4 SSIDs.

Set up the additional networks on the main router, then use VLANs to transport them to your AP where they can be assigned against your SSIDs. It's pretty straightforward.

Start with the main router... skip the wifi part of this guide to get a start...
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

Or, post your configs and we can help you through the process.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for your answers!! I'm glad to hear that what I want is possible :smiley:

Here is the info (of the flat, working but not isolated, network):

TP-Link TL-WDR3600:

# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "openwrt-tplink",
	"system": "Atheros AR9344 rev 2",
	"model": "TP-Link TL-WDR3600 v1",
	"board_name": "tplink,tl-wdr3600-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd26:b26e:3dbd::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.191'

config device
	option name 'eth0.2'
	option macaddr '64:70:02:aa:aa:aa'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.1.191'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.191'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

TP-Link Archer C7:

{
	"kernel": "5.15.137",
	"hostname": "openwrt-archer",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc6:c973:7088::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option name 'eth0.2'
	option macaddr '3c:84:6a:aa:aa:aa'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'


# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'XXXXXXXX'
	option encryption 'psk2'
	option key 'XXXXXXX'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel 'auto'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'XXXXXXXX'
	option encryption 'psk2'
	option key 'XXXXXXXX'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'XXXXXXXX'
	option encryption 'psk2'
	option network 'lan'
	option key 'XXXXXXX'


# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '1'
	option cachesize '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

I will read more on this tonight.

I've read more on the topic and I'm still a bit confused about how to achieve what I want (dumb access point, main router separating the network using vlans).

I found this youtube video which describes the same thing I'd like:

The hardware is a bit different in the video: the main router is an x86_64 server where the four ethernet ports need to be bridged together. My TP-Link TL-WDR3600 has a single adapter so all ports seem to be already bridged. For example I only have eth0.1 for the lan ports and eth0.2 which is the wan port.

When using the GUI the video is assigning one vlan per port (see https://youtu.be/4zmo8RafBFg?t=1199) but when I visit the "Bridged VLAN filtering" page I only see one "port" (eth0.1). See the screenshot:

As you can see there's only a single column, eth0.1. I have four things connected to that router: a voip modem, a raspberry pi, a server and the wifi access point. The raspberry pi needs to be seen by all, and the wifi access point will serve devices that need to be separated (e.g. work computer (vlan id 40), personal ones (vlan id 10), guest (vlan id 20)).

How should I configure that panel to achieve this (and not lock myself out)?

Thanks!!

You'll be creating a trunk using VLANs. The trunk is a single port/cable that carries multiple networks.

Post your main router's config and I'll help you start that process.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for the help! I have posted my config in my previous reply.

So all (four lan) ports on the router should be configured as "trunk"... How should I do that? Since I haven't seen "trunk" in the UI I'm not sure where to begin...

Thanks again!

Ah, indeed. Sorry for asking again.

Actually, only one needs to be configured as a trunk. It will be the one that goes from the main router to the AP. I'm going to choose a port to demonstrate how it works. Keep in mind that the logical port numbers in the swconfig stanzas may or may not directly correspond to the port numbers printed on the device. In fact, I'll also take one port away from the lan and dedicate it to the new VLAN so that you can use it to test (we can revert that later, if you want).

We'll edit VLAN 1 (which corresponds with the lan) to remove logical port 2. Then we'll add a new VLAN on the switch and associate it with logical port 2 as untagged and logical port 5 as tagged -- this makes logical port 5 our trunk.

The following will all be in the /etc/config/network file:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2 5t 0t'

Now we'll create a new bridge for VLAN 3 and then a new network interface that uses that new bridge:

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.3'

config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

Next, we'll add a DHCP server for the new subnet -- this is in the /etc/config/dhcp file:

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

And finally, add this network to the lan firewall zone (we'll isolate later, but this reduces variables that might need troubleshooting while we get this running initially) -- this is in /etc/config/firewall:

config zone
	option name		lan
	list   network		'lan'
	list   network		'guest'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

Now, restart your router. Connect a computer via ethernet to each of the ports in succession to figure out what physical port corresponds to logical port 2. You'll know it when you see the computer get an IP address in the 192.168.3.0/24 network. It should have normal internet connectivity. Once that is working, we can move onto the next device. (we'll still need to figure out what logical port 5 is, but we can make an educated guess once we know logical port 2).

Hi psherman! Thanks for the helping hand. It's greatly appreciated!

I unfortunately cannot do this step-wise since I am not alone using the network and cannot experiment with it easily. I did find a solution though: I have another router that I configured exactly the same (same ip range, same static ips, etc.) and swapped the two routers. Because of the swap I can experiment with the TP-Link router while I keep the internet connectivity in the household. The drawback is that I don't have access to the internet when using the TP-Link router. But I guess this is fine.

So I've made the modifications you suggested. If I connect to physical port 2, 3 or 4 I get the IP 192.168.1.169, but if I connect to physical port 1 I get nothing. My macOS machine assigns an IP itself (169.254.208.59). So I guess that logical port 2 is actually physical port 1. This seems to be in line with the table found on the wiki for the device:

Port            Switch port
CPU             0
Internet (WAN)  1
LAN 1           2
LAN 2           3
LAN 3           4
LAN 4           5
unknown         6

I guess I should still receive an ip from logical port 2. I'll double check the files.

Post the complete configs (same as you did previously), and we'll take a look to figure out what is going on.

Ok I double checked and it was a copy-paste error :man_facepalming:

When I connect to logical port 2 (physical port 1) I now get the IP 192.168.3.169 :+1:


If I want to have my access point serve multiple vlans (e.g. to isolate guest, work and personal networks) I need the physical port to be a "trunk port". For this I need multiple (logical?) tagged interfaces on that port. Is that right?

The physical port that is used to link to the downstream (when we're talking about the main router) or the uplink (when talking about the APs/switches) will be a trunk, yes.

Each network interface will be associated with a VLAN, and the VLANs are what you are assigning on the ports.

On any port, you may have:

  • zero or one untagged VLAN
  • zero, one, or many tagged VLANs

A trunk is a port/cable that carries multiple networks, so by definition it has at least 2 VLANs per the above formula. The upstream and downstream connections must be configured to expect the same VLANs (and the same tagging status for each VLAN) on the respective ports.
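The switch_vlan edits suggested earlier in the thread and the per-port rule just stated (at most one untagged VLAN per port, any number of tagged ones, and both ends of the trunk agreeing) can be checked mechanically before rebooting the router. The following Python is an added example, not code from the thread or from OpenWrt: it parses swconfig switch_vlan stanzas from a /etc/config/network dump; the two sample configs inside it are constructed from the thread's layout, and the AP-side sample assumes logical port 5 is the AP's uplink, which the thread has not yet confirmed.

```python
"""Sanity-check swconfig VLAN layouts from OpenWrt /etc/config/network dumps."""
import re
from collections import defaultdict

# Constructed sample: main-router switch stanzas after the edit suggested in
# the thread (VLAN 1 drops port 2; VLAN 3 = port 2 untagged, port 5 tagged).
ROUTER = """config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '3 4 5 0t'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '2 5t 0t'
"""

# Constructed AP sample: its uplink is assumed to be logical port 5, but VLAN 3
# was never added on that side, so the two ends of the trunk disagree.
AP = """config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '2 3 4 5 0t'
"""

def parse_switch_vlans(text):
    """Return {vlan_id: {(logical_port, tagged), ...}} from switch_vlan stanzas."""
    stanzas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            cur = {} if line.split()[1] == "switch_vlan" else None
            if cur is not None:
                stanzas.append(cur)
        elif cur is not None:
            m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
            if m:
                cur[m.group(1)] = m.group(2)
    # "5t" = tagged on port 5, "5" = untagged; port 0 is the CPU (eth0) side.
    return {int(s["vlan"]): {(int(p.rstrip("t")), p.endswith("t"))
                             for p in s.get("ports", "").split()} for s in stanzas}

def port_view(vlans):
    """Invert to {port: {'untagged': [vlan ids], 'tagged': [vlan ids]}}."""
    ports = defaultdict(lambda: {"untagged": [], "tagged": []})
    for vid, members in vlans.items():
        for port, tagged in members:
            ports[port]["tagged" if tagged else "untagged"].append(vid)
    return {p: {k: sorted(v) for k, v in d.items()} for p, d in ports.items()}

def check_ports(vlans):
    """Per-port rule: at most one untagged VLAN; every VLAN needs the CPU port tagged."""
    problems = [f"port {p}: more than one untagged VLAN {d['untagged']}"
                for p, d in sorted(port_view(vlans).items()) if len(d["untagged"]) > 1]
    problems += [f"vlan {v}: missing '0t', so eth0.{v} will not carry it"
                 for v, m in sorted(vlans.items()) if (0, True) not in m]
    return problems

def trunk_ports(vlans):
    """Non-CPU ports carrying two or more VLANs, i.e. the trunks."""
    return sorted(p for p, d in port_view(vlans).items()
                  if p != 0 and len(d["untagged"]) + len(d["tagged"]) >= 2)

def trunk_mismatch(a_vlans, a_port, b_vlans, b_port):
    """(VLAN, tagged) pairs present only on end A of the trunk, and only on end B."""
    def carried(vlans, port):
        return {(vid, t) for vid, m in vlans.items() for p, t in m if p == port}
    a, b = carried(a_vlans, a_port), carried(b_vlans, b_port)
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    router, ap = parse_switch_vlans(ROUTER), parse_switch_vlans(AP)
    print("problems:", check_ports(router) or "none", "| trunks:", trunk_ports(router))
    print("router-only, ap-only on port 5:", trunk_mismatch(router, 5, ap, 5))
```

Run it against the real dumps by reading the files instead of the embedded samples; a non-empty mismatch means the AP will never see the tagged frames the router sends on that port.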

Ok thanks for the clarification. What confuses me is the "multiple interfaces on a single physical port". My physical ports/cables that connect the main router with the access point will each have one virtual interface per vlan that I want the cable to transport. Because there are many vlans on that connection, it's called a trunk. :+1:

Before the changes you suggested above I had the following in the UI:

I don't understand what's the distinction between them. I mean "Network device" makes sense for eth0 since it's the physical network card on. But why is eth0.1 a vlan while eth0.2 is also a "Network device"... and what is the difference between a "Device" and an "Interface"?

I'm so confused... :frowning:

The terminology is a bit confusing, and it's not helped by the fact that different vendors and/or firmware refer to things a bit differently, despite the fact that 802.1q VLANs are interoperable between pretty much all network hardware (i.e. anything that is standards based, which is almost everything). Even some aspects of OpenWrt's own terminology are confusing.

First, we'll talk about network interfaces. These are the L3 (routed) interfaces that have an address and a subnet, and they have no inherent connection against physical hardware (that comes next, of course). They can be connected purely as virtual interfaces, or they can be tied to physical ones.

A physical interface is an L1 (phy/link layer) and L2 (switching) construct. This includes the ethernet (switch)/ports and wifi radios. It's fairly obvious what these are, of course. They are treated largely as devices, but there is nuance. In swconfig syntax (such as what you're using), the ethernet ports are actually referenced as a function of the SoC/CPU interface. So eth0 is the internal ethernet connection between the CPU and the switch chip. The base device here is eth0. Then, we can use dotted notation (in conjunction with the right switch config stanzas) to create VLANs that ride on the base device. For example, eth0.4 would represent VLAN 4 (tagged) on base device eth0. The switch can then assign VLAN 4 to the individual ports -- depending on the desired use of the port, it can be assigned as untagged or tagged. In the case of swconfig, you can actually have multiple physical ethernet ports assigned to a VLAN (and that VLAN associated with a network interface), and it counts as a single device.

Then we have bridge devices. A bridge is the software equivalent of an unmanaged switch. Bridges are required any time you are connecting multiple physical interfaces. That means wifi + ethernet, or 2 or more wifi radios. (In DSA, each physical ethernet port is actually treated as a separate device, but that's another discussion.) A bridge is then considered a device (and it may contain multiple devices). If it helps, you can think of each network interface as having just one port -- the bridge has one "port" that connects to the network interface and then additional "ports" for all the physical devices.

Bringing it all together, the switch has multiple VLANs defined, and those can be assigned to each port as needed. They are connected to the CPU by its internal eth0 port and designated as eth0.x where x is the VLAN ID. Those are in turn associated with the L3 network interfaces as devices.

If we want to put multiple VLANs on a single port/cable, it is the tags that make sure the switch (and the downstream device) knows what VLAN a given ethernet frame belongs to. This makes it possible to differentiate (and keep separate at this layer) the traffic for each VLAN and assign it to the ports of interest.

Does that help explain the concept?