Setting Up Automated VLAN Assignment for IoT Devices on TP-Link Archer C7 (v5)

Hello OpenWRT Community,

I’m going to set up my TP-Link Archer C7 (v5) as a "dumb AP" following the guide on the official OpenWRT documentation site (https://openwrt.org/docs/guide-user/network/wifi/dumbap). My main router is at 10.0.0.1, so I will give the dumb AP 10.0.0.2. The router is running OpenWRT version 23.05.2, with the system specs being a Qualcomm Atheros QCA956X ver 1 rev 0 and firmware version "OpenWrt 23.05.2 r23630-842932a63d". I figured I would factory reset before posting this to make everything more simple.

My bigger goal is to further enhance my home network's security and management by setting up multiple VLANs, specifically for isolating my IoT devices. Each device should automatically be assigned to its own VLAN upon joining the network. These VLANs are intended to keep the IoT devices isolated from each other, only allowing internet access. Furthermore, I want the capability to easily revoke internet access for any device as needed.

To start simple, I want to create two separate VLANs. It's crucial for the IoT devices not to be aware of these VLANs or have the ability to communicate with each other. Their only permitted connection should be to the internet.

I'm reaching out for guidance on how to achieve the following:

  1. How can I configure my network so that IoT devices are automatically assigned to their respective VLANs upon connection?
  2. What settings or rules need to be implemented to ensure these devices remain isolated from each other while retaining internet access?
  3. What's the best method to enable/disable internet access for specific VLANs/devices on demand?

Below are some of the system details I can provide for better assistance:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

Network config file:

root@OpenWrt:~# vi /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd66:626a:24b4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'e4:c3:2a:da:4d:29'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

Wireless config file:

root@OpenWrt:~# vi /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

Here are some code snippets from my config (C7 v2):
OpenWrt 22.03.5, r20134-5f15225c1e

/etc/config/network
...
config device
        option type 'bridge'
        option name 'br-vlan172'
        list ports 'eth0.172'
        option igmp_snooping '1'
        option acceptlocal '1'
        option promisc '1'
...

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '172'
        option description 'VLAN172'
        option ports '6t 1t'
...
/etc/config/wireless
...
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option key 'redacted'
        option ssid 'redacted'
        option network 'VLAN172'
        option dtim_period '5'
...
  1. Set up dedicated routing, supplemented by firewall rules

  2. Firewall rules per (groups of) device(s)

Hello, thank you for your response.

I am finding it difficult to understand what to do from the small snippet you gave me. We are not sure how to set up dedicated routing.

Also, have you tried this using OpenWRT version 23? I am thinking about downgrading to 22 because I am not finding enough information online about setting up VLANs on 23.

There are three ways to do this in total:

  1. (easiest) Create a unique SSID for the IoT devices. That SSID will be associated with an IoT network interface that allows internet access but not access to your main trusted lan.
  2. (medium difficulty) Setup a single SSID with different passphrases for each network. The password used will determine the VLAN to which the device is connected. Read up on that here.
  3. (most difficult, serious overkill for home): Setup a RADIUS server and use 802.1x authentication to direct devices to their respective VLANs.

You can follow the guest wifi guide which implements essentially the same thing in terms of an isolated network. This particular guide deals only with wifi -- do you have any IoT devices that need ethernet connectivity and/or multiple APs that need to broadcast the IoT SSID?

If you want to isolate wifi clients from each other, you can do this by adding option isolate '1' in the wifi interface stanza. This works on a single radio, but it won't entirely isolate everything if you have the IoT network spread across multiple wifi radios/APs and/or ethernet.

You can create firewall rules that allow/deny a list of devices (by MAC address or IP address). Depending on the granularity you need, the number of devices, and the details of your goal here, you can set this up in several different ways, including a unique VLAN just for IoT devices that should have access and another that does not allow internet access.
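As an added example (not code from either replier or from the OpenWrt project), the script below turns the two answers above (the "dedicated routing plus firewall rules" approach and the separate-SSID / isolated-zone / per-MAC-rule approach) into reviewable `uci` batch commands for OpenWrt 23.05 on this swconfig (ath79) box. It assumes the Archer C7 is doing the routing itself, as in the guest-wifi guide, not running as a dumb AP (in that case the firewall zone and rules belong on the main router instead). The names `iot`, `br-iot`, `iot_ap`, the subnet 192.168.3.0/24, the MAC `aa:bb:cc:dd:ee:ff` and the use of `radio0` (which is still `disabled '1'` in the factory config above and must be enabled) are all assumptions chosen for the example. The functions only print the commands, so you can read them before piping them into `apply_uci` on the router.

```shell
#!/bin/sh
# Generates (does not apply) the uci batch commands for an isolated IoT SSID.
# Printing first lets you review them; on the router, pipe them into apply_uci.
# Assumed/hypothetical names: interface 'iot', bridge 'br-iot', zone 'iot',
# wifi-iface 'iot_ap' on radio0, subnet 192.168.3.0/24.

gen_iot_uci() {
  ssid="$1"; psk="$2"; gw="$3"   # gw: this device's address on the IoT subnet

  # Wifi-only network: a bridge with no switch ports. For a wired IoT port you
  # would also add a switch_vlan with the CPU port tagged (e.g. ports '4 0t')
  # and list eth0.<vid> as a port of br-iot.
  cat <<EOF
set network.br_iot=device
set network.br_iot.name='br-iot'
set network.br_iot.type='bridge'
set network.iot=interface
set network.iot.device='br-iot'
set network.iot.proto='static'
set network.iot.ipaddr='${gw}'
set network.iot.netmask='255.255.255.0'
set dhcp.iot=dhcp
set dhcp.iot.interface='iot'
set dhcp.iot.start='100'
set dhcp.iot.limit='150'
EOF

  # Dedicated SSID bound to the 'iot' interface; isolate=1 stops clients on
  # this radio from talking to each other at layer 2.
  cat <<EOF
set wireless.iot_ap=wifi-iface
set wireless.iot_ap.device='radio0'
set wireless.iot_ap.mode='ap'
set wireless.iot_ap.network='iot'
set wireless.iot_ap.ssid='${ssid}'
set wireless.iot_ap.encryption='psk2'
set wireless.iot_ap.key='${psk}'
set wireless.iot_ap.isolate='1'
EOF

  # Zone 'iot' forwards to 'wan' only; there is deliberately no forwarding to
  # 'lan'. input=REJECT keeps IoT clients off the router itself except for the
  # explicit DHCP and DNS holes.
  cat <<EOF
set firewall.iot=zone
set firewall.iot.name='iot'
set firewall.iot.network='iot'
set firewall.iot.input='REJECT'
set firewall.iot.output='ACCEPT'
set firewall.iot.forward='REJECT'
set firewall.iot_wan=forwarding
set firewall.iot_wan.src='iot'
set firewall.iot_wan.dest='wan'
set firewall.iot_dhcp=rule
set firewall.iot_dhcp.name='Allow-DHCP-IoT'
set firewall.iot_dhcp.src='iot'
set firewall.iot_dhcp.proto='udp'
set firewall.iot_dhcp.dest_port='67'
set firewall.iot_dhcp.target='ACCEPT'
set firewall.iot_dns=rule
set firewall.iot_dns.name='Allow-DNS-IoT'
set firewall.iot_dns.src='iot'
set firewall.iot_dns.proto='tcp udp'
set firewall.iot_dns.dest_port='53'
set firewall.iot_dns.target='ACCEPT'
EOF
}

# Per-device internet kill switch: a REJECT rule keyed on the client MAC.
# Toggle it later with: uci set firewall.block_<name>.enabled='0' (or '1');
# uci commit firewall; /etc/init.d/firewall reload
gen_block_mac_uci() {
  name="$1"; mac="$2"
  cat <<EOF
set firewall.block_${name}=rule
set firewall.block_${name}.name='Block-WAN-${name}'
set firewall.block_${name}.src='iot'
set firewall.block_${name}.src_mac='${mac}'
set firewall.block_${name}.dest='wan'
set firewall.block_${name}.target='REJECT'
set firewall.block_${name}.enabled='1'
EOF
}

# On the router: read a batch from stdin, commit, reload the affected services.
apply_uci() {
  command -v uci >/dev/null || { echo "uci not found; run this on the router" >&2; return 1; }
  uci batch && uci commit \
    && /etc/init.d/network reload && /etc/init.d/dnsmasq reload \
    && /etc/init.d/firewall reload && wifi reload
}

# Usage on the router (review the printed commands before applying):
#   gen_iot_uci 'IoT' 'change-this-passphrase' '192.168.3.1' | apply_uci
#   gen_block_mac_uci cam1 'aa:bb:cc:dd:ee:ff' | apply_uci
```

Two things worth checking after applying: `fw4 print` (or `nft list ruleset`) should show no `iot` to `lan` forward chain at all, only `iot` to `wan`; and if the IoT SSID is later broadcast from a second AP or a wired port, `isolate '1'` no longer covers client-to-client traffic crossing that boundary, so isolation then has to come from per-client VLANs or firewall rules on the routing device, as the reply above notes.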

See @psherman's response above; essentially what I shared with you in my previous post.

This is not specific to 23.x - I had the same config on 22.x .

Good luck trying! If you have errors, please come back and post them for troubleshooting.