R7800 and WRT1900acs v2 vlans

I’ve been trying to configure vlans on an R7800 and WRT1900acs v2 running openwrt-24.10.1 with no joy. But based on some of the reading I’ve done it may be that I don’t need vlans anyway. All I’ve wanted to do is have an isolated physical lan port with internet and without gui access, plus an isolated wifi network without gui access.

I followed this guide: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface
to configure the guest wifi, then went back and dropped lan4 from br-lan and added it to br-lan.1. (I used physical port lan4 and called the new interface VLAN4, and the new bridge device br-lan.1.) All wifi networks are isolated.

Is that as secure as having vlan filtering too would be? If not, what are the additional steps necessary to configure vlan filtering? (When I go back and enable vlan filtering in br-lan.1 I'm presented with yet another vlan device.)

Thanks in advance for any comments/suggestions.

A bit of clarification is needed here. Is this one network that has one physical lan port + wifi, or are these two independent networks, one that has only a single physical lan port, and the other that has only wifi?

Security is largely a function of the firewall. VLAN/bridge-vlan filtering is really a layer 2 concept for the Ethernet connections where you have different networks on the Ethernet ports. Depending on your actual goals, bridge-vlans may or may not be necessary, but can be used safely even if not strictly required to achieve the goal.

Also, you mention two devices... how are these related to each other? Do they both need to participate in the additional networks?

Hi and thanks for replying. LAN port 4 and the guest wifi are on the same network.

Re 2 devices...do you mean the second device I mentioned at the end? That one only showed up after I finished the lan port/wifi config and then tried to add vlan filtering to the mix.

If what I've done is secure, great. But if you could advise how to achieve it with vlan filtering too, I'd appreciate it. I have an OpenWrt One arriving next month and am looking forward to setting it up.

In that case, you need to use bridge-VLANs. There is a tutorial here.

In your title and first sentence:

... are both of these in use on the same network? Is the desire to have both of them configured with VLANs? Which one is the main router? Is the other operating as a bridged AP?

The good part: in 24.10.x both wrt1900acs and r7800 use DSA based switch configurations, which means you only need to learn/use a single approach (syntax and semantics). psherman has already pointed you to the guide for DSA.

True. I've been playing with the config, but still no joy. Once I add it and reboot I'm unable to get back into the GUI. Should it be as simple as adding the following and then configuring the firewall and wifi?

config bridge-vlan
option device 'br-lan'
option vlan '123'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'

config bridge-vlan
option device 'br-lan'
option vlan '4'
list ports 'lan4'

config interface 'VLAN123'
option device 'br-lan.123'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'

config interface 'VLAN4'
option device 'br-lan.4'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'

My OpenWrt One is out for delivery. Christmas in June!

What you've got there is largely correct, but there is a bit more nuance...

  • The default lan interface will have device br-lan which will no longer be valid once you establish bridge-VLANs.
  • That default lan also uses an interface address of 192.168.1.1 which I see you are using for VLAN123. That will conflict if you haven't deleted or renamed the default lan.
  • And, if you have deleted/renamed the default lan, make sure your new VLAN123 network is associated with the lan firewall zone so that you don't lose access.

Thanks for that. You know, even with my level of knowledge I thought it odd, but since nothing worked as expected I reverted to the example config. But we're closer! I assigned VLAN123 a new IP. But that's the IP address I get on all 4 lan ports, despite lan4 being configured with its own IP. And LuCI won't let me save a wifi config using VLAN4, so I must have done something else wrong.

Let's see the complete config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
 -----------------------------------------------------
 OpenWrt 24.10.1, r28597-0425664679
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1900ACS",
        "board_name": "linksys,wrt1900acs",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf1:45a6:2268::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.10.3.7'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr REDACTED

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '123'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan4'

config interface 'VLAN123'
        option device 'br-lan.123'
        option proto 'static'
        option ipaddr '10.10.5.7'
        option netmask '255.255.255.0'

config interface 'VLAN4'
        option device 'br-lan.4'
        option proto 'static'
        option ipaddr '10.10.4.7'
        option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option disabled '1'
        option country 'CA'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option macaddr 'REDACTED'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option band '2g'
        option channel '1'
        option htmode 'VHT20'
        option disabled '1'
        option country 'CA'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option macaddr 'REDACTED'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN123'
        option interface 'VLAN123'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'VLAN4'
        option interface 'VLAN4'
        option start '100'
        option limit '150'
        option leasetime '12h'

Thanks again. I hope I got that right and didn't include anything I shouldn't have.

Your lan interface is still using br-lan, but this shouldn't be in use anymore due to the bridge-vlans.

Let's add VLAN 3 but not assign it to any ports:

config bridge-vlan
        option device 'br-lan'
        option vlan '3'

And now you can edit the lan interface to use br-lan.3.

I also recommend explicitly specifying that VLAN 123 should be untagged + PVID on its ports by adding :u* to each port like this:

config bridge-vlan
        option device 'br-lan'
        option vlan '123'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

Do the same on VLAN 4.

You didn't post your firewall config file -- make sure that network VLAN123 and/or VLAN4 is either in the lan firewall zone or is otherwise explicitly allowed input to the router such that you won't get locked out.

I put it in separately this time...

root@OpenWrt:~# cat /etc/config/firewall

config defaults
       option input 'REJECT'
       option output 'ACCEPT'
       option forward 'REJECT'
       option synflood_protect '1'

config zone
       option name 'lan'
       option input 'ACCEPT'
       option output 'ACCEPT'
       option forward 'ACCEPT'
       list network 'lan'
       list network 'VLAN123'

config zone
       option name 'wan'
       list network 'wan'
       list network 'wan6'
       option input 'REJECT'
       option output 'ACCEPT'
       option forward 'REJECT'
       option masq '1'
       option mtu_fix '1'

config forwarding
       option src 'lan'
       option dest 'wan'

config rule
       option name 'Allow-DHCP-Renew'
       option src 'wan'
       option proto 'udp'
       option dest_port '68'
       option target 'ACCEPT'
       option family 'ipv4'

config rule
       option name 'Allow-Ping'
       option src 'wan'
       option proto 'icmp'
       option icmp_type 'echo-request'
       option family 'ipv4'
       option target 'ACCEPT'

config rule
       option name 'Allow-IGMP'
       option src 'wan'
       option proto 'igmp'
       option family 'ipv4'
       option target 'ACCEPT'

config rule
       option name 'Allow-DHCPv6'
       option src 'wan'
       option proto 'udp'
       option dest_port '546'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-MLD'
       option src 'wan'
       option proto 'icmp'
       option src_ip 'fe80::/10'
       list icmp_type '130/0'
       list icmp_type '131/0'
       list icmp_type '132/0'
       list icmp_type '143/0'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-ICMPv6-Input'
       option src 'wan'
       option proto 'icmp'
       list icmp_type 'echo-request'
       list icmp_type 'echo-reply'
       list icmp_type 'destination-unreachable'
       list icmp_type 'packet-too-big'
       list icmp_type 'time-exceeded'
       list icmp_type 'bad-header'
       list icmp_type 'unknown-header-type'
       list icmp_type 'router-solicitation'
       list icmp_type 'neighbour-solicitation'
       list icmp_type 'router-advertisement'
       list icmp_type 'neighbour-advertisement'
       option limit '1000/sec'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-ICMPv6-Forward'
       option src 'wan'
       option dest '*'
       option proto 'icmp'
       list icmp_type 'echo-request'
       list icmp_type 'echo-reply'
       list icmp_type 'destination-unreachable'
       list icmp_type 'packet-too-big'
       list icmp_type 'time-exceeded'
       list icmp_type 'bad-header'
       list icmp_type 'unknown-header-type'
       option limit '1000/sec'
       option family 'ipv6'
       option target 'ACCEPT'

config rule
       option name 'Allow-IPSec-ESP'
       option src 'wan'
       option dest 'lan'
       option proto 'esp'
       option target 'ACCEPT'

config rule
       option name 'Allow-ISAKMP'
       option src 'wan'
       option dest 'lan'
       option dest_port '500'
       option proto 'udp'
       option target 'ACCEPT'

config zone
       option name 'VLAN4'
       option input 'REJECT'
       option output 'ACCEPT'
       option forward 'REJECT'
       list network 'VLAN4'

config forwarding
       option src 'VLAN4'
       option dest 'wan'


Looks good. However, VLAN 4 won't be able to get a DHCP lease because it has input = reject, and no rule to allow DHCP (udp port 67) and there's also no DNS rule (not required, but frequently used; udp+tcp port 53)
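
Added example, not code from the thread or from OpenWrt: a small Python lint for the things psherman had to spot by eye above, an interface still bound to bare br-lan once bridge-vlans exist (plus ports whose untagged+PVID membership is only implicit, or claimed by more than one VLAN), and a zone that rejects input without a rule accepting DHCP and DNS from its own clients. Run it on a workstation against copies of /etc/config/network and /etc/config/firewall; the embedded samples are constructed, abridged from the configs posted in this thread. It assumes netifd's default that a port listed without a suffix is untagged+PVID, treats a zone with masq '1' as the upstream (wan) zone, and assumes the firewall defaults input is REJECT, as it is here.

```python
"""Lint OpenWrt UCI configs for the bridge-VLAN and guest-zone firewall pitfalls in this thread.
Added example, not from the posts; run on a workstation against copies of /etc/config/{network,firewall}."""
import shlex

def parse_uci(text):
    """UCI file -> list of {type, name, options, lists}; shlex handles UCI's shell-style quoting."""
    sections, cur = [], None
    for parts in filter(None, (shlex.split(ln, comments=True) for ln in text.splitlines())):
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "options": {}, "lists": {}}
            sections.append(cur)
        elif cur and parts[0] == "option" and len(parts) > 2:
            cur["options"][parts[1]] = parts[2]
        elif cur and parts[0] == "list" and len(parts) > 2:
            cur["lists"].setdefault(parts[1], []).append(parts[2])
    return sections

def lint_network(sections):
    """Interface left on the bare bridge once bridge-vlans exist; ports with implicit/duplicate PVID."""
    out, of = [], lambda t: [s for s in sections if s["type"] == t]
    for br in of("device"):
        name = br["options"].get("name")
        vlans = [v for v in of("bridge-vlan") if v["options"].get("device") == name]
        if br["options"].get("type") != "bridge" or not vlans:
            continue                                  # no VLAN filtering on this device
        for i in of("interface"):
            if i["options"].get("device") == name:
                out.append(f"interface '{i['name']}' still uses bare '{name}'; it must use a '{name}.<vid>' device")
        pvid = {p: [] for p in br["lists"].get("ports", [])}   # VLANs each port is untagged+PVID on
        for v in vlans:
            vid = v["options"].get("vlan")
            for spec in v["lists"].get("ports", []):  # 'lan1', 'lan1:u*' or 'lan1:t'
                port, _, flags = spec.partition(":")
                if not flags:                         # netifd default for a bare port: untagged + PVID
                    out.append(f"VLAN {vid}: '{port}' has no suffix; write '{port}:u*' to make untagged+PVID explicit")
                if flags in ("", "u*"):
                    pvid.setdefault(port, []).append(vid)
        for port, vids in pvid.items():
            if len(vids) != 1:
                out.append(f"'{port}' is untagged+PVID on {len(vids)} VLANs; expected exactly one (0 only on a pure trunk)")
    return out

def lint_firewall(sections):
    """A zone rejecting input must still accept DHCP (udp/67) and, in practice, DNS (53) from its clients."""
    out = []
    rules = [s["options"] for s in sections if s["type"] == "rule"]
    def accepted(zone, proto, port):
        for o in rules:
            if o.get("src") != zone or o.get("dest") or o.get("target") != "ACCEPT":
                continue                              # input rules only: no dest, explicit ACCEPT
            protos = o.get("proto", "tcp udp").replace("tcpudp", "tcp udp").split()
            ranges = (t.partition("-") for t in o.get("dest_port", "").split())   # '67', '53 67', '67-68'
            if proto in protos and any(int(a) <= port <= int(b or a) for a, _, b in ranges):
                return True
        return False
    for z in (s["options"] for s in sections if s["type"] == "zone"):
        if z.get("masq") == "1" or z.get("input", "REJECT") == "ACCEPT":
            continue       # masq marks the upstream zone (heuristic); defaults input assumed REJECT
        if not accepted(z["name"], "udp", 67):
            out.append(f"zone '{z['name']}' rejects input but no rule accepts udp/67 from it: clients get no DHCP lease")
        if not (accepted(z["name"], "udp", 53) and accepted(z["name"], "tcp", 53)):
            out.append(f"zone '{z['name']}' has no rule accepting tcp+udp/53 from it: router DNS is unreachable")
    return out

# Constructed, abridged samples mirroring the configs posted in this thread; GUEST_RULES is the fix described above.
NETWORK_POSTED = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
config interface 'lan'
    option device 'br-lan'
config bridge-vlan
    option device 'br-lan'
    option vlan '123'
    list ports 'lan1'
"""
FIREWALL_POSTED = """
config zone
    option name 'wan'
    option masq '1'
config zone
    option name 'VLAN4'
    option input 'REJECT'
"""
GUEST_RULES = """
config rule
    option src 'VLAN4'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
config rule
    option src 'VLAN4'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
"""
```

On the posted network sample it reports the lan interface still on bare br-lan and lan1 listed without :u*; on the posted firewall sample it reports that VLAN4 accepts neither udp/67 nor 53, and once GUEST_RULES is appended it reports nothing. The wan zone is skipped only because of the masq heuristic, so check that line if your upstream zone does not masquerade.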

And with those recommendations I get the right IP address on lan4. Thanks so much for all this. My OpenWrt One just arrived. I'll try to configure it with just the one vlan. Much appreciated!


Glad it worked! Enjoy the new toy!!
