Setting up VLAN for WiFi in Bridge connection

Network Setup: Airtel router ---> Bridge mode -----> connected to TP-Link Archer C6 (OpenWrt) via Ethernet - Airtel LAN4 to WAN port of Archer C6
All the devices are connected via WiFi
I would like to configure VLAN to separate IOT and Guest WiFi.
I have gone through a lot of videos and articles and am totally confused.
Could someone guide me to set it up or point me to an article?

If all devices are connected on WiFi, then you don't need vlans. Unless you mean that the vlans are propagated to a trunk link between the airtel and the archer.
Here are a few guides for creating a guest SSID. It depends on the role of the OpenWrt, if it is dumbAP or router.

Thanks for the link, OpenWRT is acting as router. I followed the link and created guest SSID, can I use the same bridge and create 2nd SSID for the IOT?

I'm doing the same, successfully. But I noticed that devices on the guest network have access to LuCI on the dumb AP. I followed the wiki and set all the firewall rules.
Is it like that for you too?

I am not sure what you mean by bridge, but you definitely can use the same guide and add another SSID for iot.

The OP's setup is not using a dumbAP. If you have some issue better open your own topic rather than mixing it here.

I created the Guest SSID following the instructions. However, I also created the IoT SSID on the same interface, which uses br-guest. Is it right to do so, or should I follow the same guide and create the IoT SSID from scratch?
Sorry if I am creating confusion, I am not allowed to upload pictures yet

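If you don't mind the iot and guest sharing the same interface, then it's not so terrible. Bear in mind that both SSIDs then sit in one subnet and one firewall zone, so the firewall cannot separate IoT devices from guests.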
You can always paste here the configuration, which is better than screenshots.

Use ssh to connect to the device.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Diagnostic dump for a support thread: board information, then the network,
# wireless, DHCP and firewall configuration, then the resolver files.
# The uci exports print stored credentials (PPPoE username/password, Wi-Fi
# keys) as they are -- redact those, MAC addresses and public IP addresses
# before posting the output.
ubus call system board
uci export network
uci export wireless
uci export dhcp
uci export firewall
# List the resolv.* files and directory entries, then print every file in full
# (head -n -0 drops zero trailing lines and adds a "==> name <==" header each).
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "TP-Link Archer C6 v3",
"board_name": "tplink,archer-c6-v3",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
package network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd30:fa9a:5eb9::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username 'xxxxxxxxxx'
option password 'xxxxxxxx'
option ipv6 'auto'
option peerdns '0'
list dns '94.140.14.14'
list dns '94.140.15.15'

config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option peerdns '0'
option reqaddress 'try'
option reqprefix 'auto'
list dns '2a10:50c0::ad1:ff'
list dns '2a10:50c0::ad2:ff'

config interface 'Airtel'
option proto 'static'
option device 'wan'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'

config device 'guest_dev'
option type 'bridge'
option name 'br-guest'

config interface 'guest'
option proto 'static'
option device 'br-guest'
list ipaddr '192.168.3.1/24'

package wireless

config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel 'auto'
option band '2g'
option htmode 'HT20'
option cell_density '0'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Xyster'
option encryption 'psk2'
option key 'xxxxxxxxx'

config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option channel 'auto'
option band '5g'
option htmode 'VHT80'
option cell_density '0'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Xyster'
option encryption 'sae-mixed'
option key 'xxxxxxxx'

config wifi-iface 'guest'
option device 'radio0'
option mode 'ap'
option network 'guest'
option ssid 'Guest'
option encryption 'psk2'
option isolate '1'
option key 'xxxxxxx'

config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'Guest'
option encryption 'psk2'
option key 'xxxxxxxx'
option network 'guest'
option disabled '1'

config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid 'Jarvis'
option encryption 'psk2'
option key 'xxxxxxx'
option network 'guest'

config wifi-iface 'wifinet5'
option device 'radio1'
option mode 'ap'
option ssid 'Jarvis'
option encryption 'psk2'
option key 'xxxxxxx'

package dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
list addnhosts '/var/run/adblock-fast/dnsmasq.addnhosts'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '6,94.140.14.14,94.140.15.15'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '1h'
list dhcp_option '6,94.140.14.14,94.140.15.15'

config host
option name 'homeassistant'
option ip '192.168.0.101'
option mac '08:00:27:61:BE:77'

package firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'

config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'udp'
option target 'ACCEPT'

config zone 'guest'
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'

config forwarding 'guest_wan'
option src 'guest'
option dest 'wan'

config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'

config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Guest_block_private'
list proto 'all'
option src 'guest'
option dest '*'
list dest_ip '192.168.1.1/24'
list dest_ip 'fd88::/64'
list dest_ip 'fc00::/7'
option target 'REJECT'

lrwxrwxrwx 1 root root 16 Jul 16 03:44 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 47 Jul 26 07:02 /tmp/resolv.conf
-rw-r--r-- 1 root root 82 Jul 26 07:02 /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r-- 1 root root 50 Jul 26 07:01 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 82 Jul 26 07:02 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver 202.56.215.6
nameserver 59.144.144.100

==> /tmp/resolv.conf.d/resolv.conf.auto <==

Interface wan

nameserver 94.140.14.14
nameserver 94.140.15.15

Interface wan_6


Please edit the post above and put the console text inside the preformatted text tags.
```
your console output
```

Change `option ipv6 'auto'` in the wan interface to '1', since you have the wan6 interface present.

# Stage the change: set the ipv6 option of the 'wan' interface to 1
# (the exported network config shows it as 'auto').
uci set network.wan.ipv6=1
# Save the staged change to the network configuration.
uci commit network
# Bring the wan interface up again so the new setting is used; wan is PPPoE
# here, so the internet link will presumably drop for a moment.
ifup wan

Here you have created a bridge and assigned guest interface to it, but this is not necessary, since there are no ethernet ports assigned to guest interface.
You can delete the guest_dev and remove br-guest from guest interface.
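Therefore, you can add another interface "iot" and assign the wifi-iface for iot to it. Give it its own subnet, DHCP pool and firewall zone, as the guest network has, so that IoT and guest traffic are actually kept apart.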
