Segmenting Wireless network into three separate networks with OpenWrt and pfsense

Hi, I am rather new to OpenWrt as I set it up long ago as a dumb access point and left it alone for a few years. I am now planning to segment my wireless network into three different subnets:

  • Private net
  • Guest net
  • IoT net

Each will be tied to the wifi radios of the OpenWrt and then pfsense will take over the routing and firewalling. I am not too fussed about the Guest network, its routing could occur in OpenWrt instead. What I have done so far is follow the dumb AP guide and supplemented it with the Guest AP guide.

I could apply the steps of the dumb guide again for a third subnet to achieve the IoT subnet, but I have an issue at the moment, which is that clients that connect to the non-guest network (1.0/24) are being assigned IPs from the Guest range (2.0/24). Any ideas here?

Any suggestion overall to achieve what I described above in a more efficient way perhaps, any caveats of going that way? I am a bit concerned about having 3 SSIDs from the two radios regarding the performance and potential interference. So any feedback is appreciated!

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option dynamicdhcp '0'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd31:1724:f173::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        option delegate '0'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'Guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option wpa_disable_eapol_key_retries '1'
        option ssid 'TP-LINK_R2D269'
        option key 'Ch3s4NDcABIJ!@#~'
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Guest_WiFi'
        option isolate '1'
        option encryption 'psk2'
        option key 'Ch3s4NDcABIJ!@#~'
        option wpa_disable_eapol_key_retries '1'
        option network 'Guest'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option key 'Ch3s4NDcABIJ!@#~'
        option ssid 'TP-LINK_R2D269'
        option network 'lan'

Usually the better approach would be for the main router to set up multiple VLANs (with their inter-zone routing, access policies, firewalling etc.) and then to keep the APs (and switches) as 'dumb' as possible, in the sense of just bridging your AP interfaces to the VLANs provided by your router (proto=none for anything but the trusted management VLAN (lan?)). This way, all the policy decisions are made in one place, on your router - the APs just execute them by doing a 1:1 mapping of the incoming VLANs to your AP interfaces.

Start small, with one single additional VLAN, get it working and tested (first your router in isolation, only when that works and provides the expected results on each VLAN, hook up the AP to the VLANs as well). Rinse and repeat until all networks/ VLANs/ AP interfaces are set up and hooked up correctly - take a step back and re-audit your changes.


Hey thanks for your response. Some very good points there about keeping things to their respective place. I cannot go the VLAN way as I have a stupid Xiaomi router that OpenWrt is installed on, with the two ethernet ports already bridged and switched. Granted I could go the way you suggest and set up a VLAN just for the heck of it, but this would leave me without wifi while I fiddle around with it. I was looking for a more cost effective solution for splitting, if at all possible.

I do have an Intel 4-port card lying around. I could add this to pfsense and could try splitting up the 3 ports the router has (lan1, lan2 and wan), then pass everything directly to pfsense for routing and firewalling and be done with it.

If OpenWrt is installed, it is almost guaranteed to support VLANs.

That doesn't pose any issues.

Your downtime can be very minimal if you prepare. Set up the networks on the main router first, then set up the VLANs on your AP. It should be pretty simple, and you don't need to interrupt your current main wifi network with the exception of a few mins at a time for reboots and such.

You only need one ethernet connection from the router to the AP -- that single cable will be a trunk (i.e. carry multiple networks via VLANs). Each device will be set up with the VLANs on the respective port.

Hi Peter, thanks for the suggestions. As I mentioned I have gone down the VLAN route and didn't have much luck, but it could be due to lack of knowledge on my part. If you think it would work on such low-end hardware I could surely give it another go.

I am not sure how to implement 3 VLANs and a trunk on a 3 port device however? Also, would the WAN port behave like a port if no other interface is associated with it? Lastly, would you have a guide/video or even general steps to point me to the right direction regarding the VLANs or the architecture you have in mind? I am technically inclined but I'm no network expert by any chance!

Also, out of curiosity, do you have any insight regarding the DHCP issue I mentioned in the OP?

We can help you with the OpenWrt side -- it's not hard to learn. I haven't really played much with pfSense, so I cannot comment on the process there, but AFAIK, it's not that hard. Here's documentation.

Ultimately, it depends on your goals on a per-port basis. But all you need is one port to be the trunk (a trunk is a single port/cable carrying multiple networks).

When working with advanced firmware like OpenWrt or pfSense and the like, a port is a port in most situations... a port can be defined/allocated for any purpose... usually one port is the wan, and the other port(s) will be allocated as lan. But if you don't need the wan port (i.e. on a dumb AP), you can usually assign it as another lan port, if you want. Again, this depends on your goals.

Because we're recommending that you do all your routing on your main router, I'd recommend the link I shared above for pfSense VLANs. I don't have any video recommendations, but search YouTube and I'm sure you'll find a bunch.

I didn't evaluate your current configuration -- I don't see anything immediately obvious, but likely it's a firewall issue (you didn't share that file). But I'd recommend going with the strategy we've been discussing instead of trying to fix your existing config.

You haven't mentioned what model your "stupid xiaomi router" is exactly, but it matters a lot for these questions.

Walking on a limb, I can only venture a guess about Xiaomi Mi Router 4A - which means mt7621a, which in turn implies a DSA (and bridge-VLAN based) switch configuration. From the OpenWrt side of things it is easily possible to define a trunk port or other VLAN settings on this hardware following https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial; the pfsense side of things would be something for you to find out. Strong advice: test each VLAN separately (so you know it's working and using the correct subnets, DHCP/ DNS settings and firewall policies) before bothering about the OpenWrt configuration. While it's a straightforward process (especially if you have gathered some experience), trying to achieve the final result (pfsense+OpenWrt) without testing pfsense individually before would involve coping with two moving parts (pfsense+OpenWrt) instead of only one (hooking up the OpenWrt AP to a tested-working VLAN configuration on your pfsense system).


Thanks for taking the time to help with this. No worries about the pfsense side, it is indeed pretty straightforward. The issue I keep stumbling upon with the VLANs in OpenWrt is that I keep getting locked out due to lack of understanding on what my changes do. I do try to leave a port as a trunk that will be used as management, but it just refuses to connect after I apply the changes, and sometimes the configuration does not seem to reload, which is also strange.

In any case, your comments on this and other posts are a big help so far and I would like to set it up and if you can help that would be great!

So, to sum up I am thinking the below:

3 wireless APs (2x 2.4 GHz, 1x 5 GHz):
AP1 > IoT > 192.168.10.0/24 > VLAN10
AP2 > Guest > 192.168.20.0/24 > VLAN20
AP3 > Private Net > 192.168.30.0/24 > VLAN30

No firewalling or DHCP at all, I will do everything in pfsense.
WAN port as the management port.
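For the plan above and the DSA bridge-VLAN trunk slh points to, here is an added example (not the thread's own configuration) of the /etc/config/network a dumb AP on mt7621 would carry: the wan port is the tagged trunk to pfSense, VLAN 1 stays the untagged management network on the existing 192.168.1.0/24, VLANs 10/20/30 are bridged only with no address, and lan1 keeps untagged VLAN 1 as a rescue port against the lockouts mentioned above. The port names lan1/lan2/wan and the interface names iot/guest/private are assumptions; the script only stages the file into a directory you pass so it can be reviewed before it goes onto the AP.

```shell
#!/bin/sh
# Added example (not from the thread): stage a DSA bridge-VLAN dumb-AP network
# config into "$1" for review before copying it to /etc/config/network on the AP.
stage_dumb_ap_network() {
  mkdir -p "$1" && cat > "$1/network" <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'wan'
# VLAN 1 = management: untagged (PVID) on the trunk and on lan1 as a rescue port
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'wan:u*'
        list ports 'lan1:u*'
# VLANs 10/20/30 (IoT/Guest/Private) arrive tagged from pfSense on the trunk only
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'wan:t'
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'wan:t'
config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'wan:t'
# Only management gets an address (how you reach LuCI/SSH); keep it static
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
# proto 'none': the AP only bridges these; pfSense owns DHCP, routing, firewall.
# Bind each SSID with  option network 'iot' | 'guest' | 'private'  in wireless.
config interface 'iot'
        option device 'br-lan.10'
        option proto 'none'
config interface 'guest'
        option device 'br-lan.20'
        option proto 'none'
config interface 'private'
        option device 'br-lan.30'
        option proto 'none'
EOF
}
```

The matching /etc/config/dhcp keeps option ignore '1' on lan, as in the OP's current file, and has no dhcp sections for the three bridged networks, since pfSense hands out their leases.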

So I ran into an issue and cannot proceed. I reset the router via its button and now I cannot access it again on 192.168.1.1 via ethernet. The light is flashing orange on reset and goes to a steady blue but I still cannot access it. Could it be bricked? Any ideas on how to proceed?

Well, I am silly. Following @slh 's advice, I took a step back to troubleshoot with less "moving parts" and to my major frustration the VLANs were not working.

I am now 99% sure that the reason is that I am using a virtualised pfsense in ESXi, and that means that all interfaces connected to it each belong to a virtual (ESXi) switch with VLAN tag "1". This means that all tagged packets are being rejected/modified with tag 1 and therefore it doesn't work. I am so tired reading about VLANs, learning stuff and then seeing it NOT work in practice. I guess that's what I get for being cheap and not getting a dedicated pfsense box lol. Strange that I didn't stumble upon this at all these days.

Anyway, I am really tired of dealing with this any further, I simply added another NIC I had lying around and ended up with what I wanted, just with a few more cables. Once I decide to get myself a dedicated box, I will consider the VLAN route again, I think.
