Question about set up AP with awareness of VLAN from the main router


My network setup is like this:

  • Main router: Ubiquiti EdgeRouter X (provide DHCP, VLan, etc...)
  • Use it as AP: TP-Link Archer C2600
    (flashed to LuCI openwrt-19.07 branch (git-20.136.49537-fb2f363) / OpenWrt 19.07.3 r11063-85e04e9f46)

My goal is to:

  1. Main Secure Network for all my PC and laptops on VLAN1(default) on 192.168.111.x
  2. IOT Network for all smart devices on VLAN115 on 192.168.115.x
  3. Guest Network on VLAN116 on 192.168.116.x
  4. have some some traffic forward to allow Main Secure Network to recognize Chromecast and Smart Switches on the IOT Network, like mDNS

What I have done so far:

  1. I created VLAN115 on EdgeRouter
    I followed this post:

IOT switch0.115 vlan on 192.168.115.x

DNS Forwarding: Interface

mDNS repeater configuration

I haven't set up VLAN116 for Guest yet. I can use VLAN115 for testing both IOT and Guest Network for now.

  1. I unchecked this on OpenWRT

This is the only DHCP in the local network

  1. I deleted WAN and WAN6 interfaces which came default

  2. I created Interface WIFI_IOT

Protocol DHCP client
but with no its own DHCP capability

  1. I created two SSIDs under 11bgn radio for testing.
  • IOT (Network: lan, wifi_iot)
  • Guest (lan)
    I did these two differently so that I can test which one works.

Both SSIDs work now and can connect to the internet, but get 192.168.111.x IPs.

The problem that I have

  1. I don't know how to make devices connected to SSID-IOT automatically get VLAN115 and being assigned 192.168.115.x by the DHCP on my main EdgeRouter.
  2. After getting VLAN working, what firewall rule should I create? on EdgeRouter or on OpenWRT?

Attached some config files that I found under /etc/config

DHCP config

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/'
	option localservice '1'
	option enable_tftp '1'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Network Config

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'XXX::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask ''
	option ip6assign '60'
	option gateway ''
	option ipaddr ''
	list dns ''

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wifi_iot'
	option type 'bridge'
	option proto 'dhcp'

Wireless Config

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'XXX'
	option htmode 'VHT80'
	option channel '149'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'password'
	option ssid 'Home-5G'
	option hidden '1'
	option encryption 'psk2'
	option ifname 'wlan5g_0'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'XXX'
	option htmode 'HT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'password'
	option ssid 'Home'
	option hidden '1'
	option encryption 'psk2'
	option ifname 'wlan2g_0'

config wifi-iface 'wifinet2'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option key 'password'
	option ssid 'IOT'
	option ifname 'wlan2g_1'
	option network 'wifi_iot lan'

config wifi-iface 'wifinet3'
	option ssid 'Guest'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option key 'password'
	option network 'lan'

VLANs on the cable will "trunk" each network separately to the main router. The AP is merely a wifi to wired converter. So a device connected to the IoT AP SSID will go to a network bridge then out through eth1.115, which will apply a tag to all of its packets.

In the AP set up a bridge for each network. Create new networks of type bridge and proto none. Name them something like vlan115 etc or you could also name it iot depending on how you want to remember it. The network has an interface of eth1.115. Then on the wifi AP connect it to vlan115.

Since these networks have proto none they cannot interact with the OpenWrt OS. They only link wired to wifi. All your routing, DHCP server, and firewall is on the main router.

Also you'll need to add each VLAN to the switch, so a packet sent to eth1.115 leaves on the trunk cable still tagged 115. Do not set tagged and untagged on the same cable. If you want to have access to the OpenWrt LAN through the trunk cable (and you probably do), give it a VLAN number, usually 1.

I assume you're using a non-DSA build on the Edgerouter X. Last I had heard tagging VLANs on the cable don't yet work with the MT7621 DSA.

1 Like

Thanks for the quick reply.
EdgeRouterX uses MediaTek MT7621AT.
Runing latest EdgeOSv1.10.11 firmware directly from Ubiquiti

I found this post talking about truck vlan for EdgeRouter

I guess "tagging VLANs on the cable" is equivalent words for "trunk VLAN"?


I tried to connect a Macbook directly to my EdgeRouter with Ethernet cable.
As soon as I set up VLAN tag 115 on Macbook. It will get IP from EdgeRouter 192.168.115.x
My understanding is that since my Macbook tagged all outbound traffic with VLAN115, the EdgeRouter sees the tag and issued IP address.

However, when I directly plug Macbook to OpenWRT on LAN1.
LAN1 set to tag VLAN 115 on Switch page.
Macbook still couldn't get a VLAN115 IP address. It was still getting 192.168.111.x IP.

Interface VLAN115 was created.

associate SSID-IOT to VLAN115, without Ethernet cable plugged in, Macbook couldn't get IP adress.

My connection to EdgeRouter is on LAN4 physical port

The port that is connected to the main router (called a trunk cable, since it will carry multiple VLAN networks) needs to be tagged in the VLANs that you want to connect and off in the others.

Generally an end-user device like your Macbook would have only one network sent to it untagged. This is the default configuration on OpenWrt. Cisco calls a port that sends untagged packets to an end user "access" mode. The ability of OSX to accept tagged packets is useful for testing though.

Untagged and tagged packets on the same cable technically should work, but the OpenWrt swconfig and typical consumer SoC switches do not support that operation. So the two configurations considered valid are:

  • trunk port -> tagged in all relevant VLANs
  • access port -> untagged in exactly one VLAN.

The internal connection from the switch to the CPU is almost always run as a trunk, even if as is the case here the default configuration needs only one VLAN per CPU port. This makes it easier to add more VLANs later.

1 Like

Thank you for the clarification.
I had success with VLAN by changing VLAN115 CPU(eth1) to tagged and enabling VLAN aware on EdgeRouter on VLAN1,115 on its eth2 port (where truck cable goes).

Now the problem is:
Chromecast on VLAN115 still not discoverable by devices on 192.168.111.x.

With EdgeRouter mDNS set to eth2 and eth2.115 with no other firewall rules. And also OpenWRT's firewall is turned off at Startup menu and then rebooted, presumably, it should work.

Some post at Ubiquiti forum mentioned uncheck "Block Lan to WLAN Broadcast Data" setting on Unifi AP.

  • Since I am using OpenWRT as AP, is there similar setting that might prevented mDNS to work?
  • I think in my case, my EdgeRouter should take care of mDNS instead of OpenWRT (if OpenWRT doesn't block multicast), right?