[R7800] - Wanting to add an IoT zone but confused about VLANs

I have a single R7800 as a router. I would like to add an IoT zone but am confused about the switch configuration and how to do it. Right now I have 5 interfaces:

  1. WAN
  2. WAN6
  3. LAN
  4. LXC
  5. Wireguard

I added a 6th for IoT then I went to Network>Switch and added a new line to it. What should the settings be? It will only be for wireless devices.

I think now 1 is for my WAN and 2 is for my LAN so 3 should be for IoT I think.

Next question is should I make a new bridge device called br-iot?

Right now, br-lan uses eth1.1 so should I make br-iot use eth1.3 when that is created?

In that case you don't need to change anything in the Switch, since that is for the wired Ethernet ports.

You would add a new iot bridge and interface and firewall rules like a guest network, since IoTs are similar to guests in that they are not trusted. See any of the wiki pages about guest networks, for example this one:

In order to connect wired devices to the iot network, in the switch create a new VLAN (with any number that is unique) and make it tagged to one of the CPU ports and untagged to an external port. Set the external port to off in all other VLANs. Add eth0.N or eth1.N (depending on which CPU port you used, and N is the VLAN number) to the iot bridge.

Okay the switch is confusing me but you say it is not needed. Do I put the new IOT interface on device br-lan also? Won't that pollute the traffic there? I think VLANs are confusing me.

No, create a new br-iot and an interface named iot with br-iot as its device.

Okay and what do I assign to it as the device? My br-lan uses eth1.1 so do I need to make a new eth1.3 for the br-iot?

After you add VLAN 3 to eth1 on the Switch page, eth1.3 should appear in the list back on the bridge page. If it does not, you can type it in the custom box at the bottom. Be sure to press Enter after typing or it won't be entered.

Okay so I do need to make a new third line on the switch page as I showed in the screenshot above. Do I need to change the tagged status of eth1 for it? That is my confusion.

Yes, on the Switch page, in the eth1 column set the new VLAN 3 to tagged. Also you will need to remove at least one of the external ports from VLAN 1 and add it untagged to VLAN 3.

Oh thank you :heart_eyes: So is this right?

Yes, that is right. Now whatever you plug into LAN4 on the router will be switched to eth1.3, which is part of the br-iot bridge and the iot network.

The tagged and untagged are confusing me I think. What if I want this to be wireless only? Why do I have untagged 1 of the 4 LAN ports at all?

An untagged port means that ordinary Ethernet packets will be transmitted and received on it. This is what the user OS on a laptop or desktop expects. The tagged setting is only if the device on the other end of the cable is able to decode tagged packets. The internal ports are tagged because there is a very short hardware link to the CPU and the kernel, which does understand tagged packets with the notation eth1.N. Several networks can be carried on one link by using different tag numbers.

All of this has nothing to do with wireless. To set up a wireless AP on the iot network, choose iot as the Network on the wireless configuration page. This setting will cause it to be added to the br-iot bridge automatically. The reason it is done this way is that wifi APs have their names assigned at runtime, such as wlan0.1.

If this iot network is to be wireless only, you don't need a VLAN in the switch or an eth port in the bridge. Generally it's a good idea to still have a bridge even if it is initially empty, so you can have an AP on each band.

Thanks for the guidance. I have it set up now. Port 4 will be unused so I will just leave it as we set it up.