Setting up VLANs using OpenWrt Access Point connected to OPNSense

I've recently flashed my DIR-882 with OpenWRT and I've been having some trouble with setting up VLANs to work the way that I would want them to.

To summarize my current network configuration, my devices are connected as follows.

Modem <--> OPNSense <--> OpenWRT (DIR-882)

Currently my OPNSense is my Firewall/DHCP server. OpenWRT is set up to act as a dumb AP with no firewall or DHCP service, and the interfaces are as follows:

br-lan consists of the following ports:

  • LAN 1
  • LAN 2
  • LAN 3
  • LAN 4
  • WAN (Gateway: 10.0.0.1, OpenWRT IP: 10.0.0.2)
  • WLAN 2.4g
  • WLAN 5g

I have a trunk line running from my OPNSense to the router, and for simplicity I used the WAN port for the trunk line, although it makes no difference since they're all bridged as a switch effectively.

What I'm trying to achieve is:

  1. WLAN 2.4: All devices connected to this SSID are assigned to VLAN0.10 with no internet access just Local Network access
  2. All other LAN/WLAN connections can be assigned to a generic "Home Devices" Vlan0.20 with full network access

But I'm running into some issues with executing this task so I'll summarize what I've done:

In OPNSense:
1) Set up VLAN0.10 interface (Gateway 10.0.10.1) and VLAN0.20 (Gateway 10.0.20.1)
2) Set up DHCP for VLAN0.10 (IP Range: 10.0.10.50 - 10.0.10.200) and VLAN0.20 (IP Range: 10.0.20.50 - 10.0.20.200)
3) Set up firewall rules for VLAN0.10 and VLAN0.20
4) Assigned

In OpenWRT:
1) Turned on Bridge VLAN Filtering on "br-lan" with the following settings:
1a) Lan 1-4: Untagged with Vlan0.20 set as Primary VLAN
1b) WAN: Tagged for both VLANs
2) Changed lan interface to "vlan0.20" since that's the generic traffic vlan0
3) Changed Wlan 2.4g to VLAN0.10 network

However here's the issue and some of my questions:

  1. Is VLAN0.20 even necessary? Given that the only devices I need to restrict are my IoT, can't I have all other connected devices to the access point not be a member of a vlan and have their IP range in the 10.0.0.1/24 range?
  2. What is the fundamental difference (and the use cases) of creating VLANs under the "Bridge VLAN filtering" vs creating a new VLAN 802.1q with base device eth0
  3. My setup above was reporting all devices in the 10.0.0.1/24 range under OPNSense which makes me think I didn't set it up correctly, so what's the correct procedure for setting up VLAN so that it reports correctly to OPNsense? A lot of the guides I see are outdated or don't apply when you have an OPNSense router.

This isn't really necessary, since these ports can be bridged to whatever bridge you want. They'd be properly tagged going out the wan port.

You can basically leave br-lan as-is from first boot. (LAN1-4 will be your "access" ports until further notice)

After first boot: Delete the WAN interface and add the wan port to a new VLAN bridge, let's call this bridge "vlans", and do the VLAN filtering there. Make two new unmanaged interfaces, and add the vlans.10 and vlans.20 devices to their respective interfaces. Then make your SSIDs and add them to their respective interfaces. That's all you need to do on the OpenWrt AP.

If you ever want to bridge your LAN1-4 to the interfaces, then you'd need to create a bridge device where you attach the physical LAN port and the VLAN device, since you can only attach one device to each interface.

Strictly speaking you can run untagged and tagged on the same wire, but I'd recommend just tagging both 10 and 20. It just seems more foolproof imho.

Appreciate the feedback, so just for clarification:

Currently my WAN port is acting as an additional LAN port in my switch and it's the port I'm using for my trunk line. You're saying remove this port from the br-lan and create a VLAN bridge using the WAN port with the two VLANs added to this bridge. If I do this, won't the trunk line be isolated from LAN1-4 effectively cutting the internet to these ports?

If that's the case, since I won't need VLAN for the hardwired devices what would be the best practice for giving them internet access? Would it be to bridge vlan.20 to lan1?

No, you don't need to touch br-lan. I understood that you're using the wan port as a trunk port, and the wan port was never part of br-lan in the first place.

I kinda wrote the steps from the perspective of a default/reset config, after booting up the first time.
I wrote delete the "wan" interface, seeing that would free up the wan port to be added to the new "vlans" bridge. (Of course you can just simply detach the wan port from the wan interface if you somehow wanted to keep this around... but let's just keep this simple.)

If you ever want to bridge your LAN1-4 to the VLAN interfaces, then you'd need to create a bridge device where you attach the physical LAN port and the VLAN device, since you can only attach one device to each interface.

Make a new bridge called br-vlanxx, attach vlans.xx and whatever lan1-4 to that bridge (remember to remove the respective lan ports from br-lan). Then add this bridge to the correct interface, replacing the vlans.xx device. Say you want to add lan1-3, just remove lan1-3 from br-lan and add them to the new bridge together with vlans.xx. Only lan4 is still left of br-lan, and port4 will let you access the AP in case you need to change the config.

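As an added worked example (not a config posted in this thread), here is what the recipe from the two replies above looks like as a DSA-style /etc/config/network on the AP: br-lan kept only as an admin port, a single-port "vlans" bridge on the wan trunk with bridge VLAN filtering, VLAN 20 attached straight to the 2.4 GHz SSID, and VLAN 10 bridged together with lan1-lan3 via a br-vlan10 device as described in the second reply. The port names (lan1-lan4, wan), the VLAN IDs 10 and 20, the 192.168.1.1 admin address and the interface names "general" and "iot" are assumptions; OPNsense is assumed to be the DHCP server on both VLANs.

```uci
# /etc/config/network on the OpenWrt dumb AP (added example, assumptions as above)

# br-lan shrinks to a single out-of-band admin port (lan4); it carries no
# internet and no VLAN, it only exists so you can still reach LuCI/SSH if
# the VLAN config goes wrong.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

# Trunk bridge: only the wan port is a member, with VLAN filtering enabled.
# Both VLANs leave the wan port tagged; nothing is untagged on the trunk.
config device
        option name 'vlans'
        option type 'bridge'
        list ports 'wan'

config bridge-vlan
        option device 'vlans'
        option vlan '10'
        list ports 'wan:t'

config bridge-vlan
        option device 'vlans'
        option vlan '20'
        list ports 'wan:t'

# VLAN 10 ("general") also serves wired clients: an interface can hold one
# device, so bridge the vlans.10 sub-device with lan1-lan3. Those ports are
# untagged access ports for VLAN 10 and must no longer be listed in br-lan.
config device
        option name 'br-vlan10'
        option type 'bridge'
        list ports 'vlans.10'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# Management of the AP rides on VLAN 10. Using the DHCP client here doubles
# as a self-check: LuCI only shows a 10.0.10.x lease if OPNsense is really
# answering on tagged VLAN 10 across the trunk.
config interface 'general'
        option device 'br-vlan10'
        option proto 'dhcp'

# VLAN 20 (IoT) exists only for the 2.4 GHz SSID. 'none' gives the AP no
# address on it, so the AP itself is not reachable from IoT clients.
config interface 'iot'
        option device 'vlans.20'
        option proto 'none'

# /etc/config/wireless fragment: bind each SSID to its interface by name.
config wifi-iface 'iot_2g'
        option device 'radio0'
        option network 'iot'
        option mode 'ap'
        option ssid 'IoT'
        option encryption 'sae-mixed'
        option key 'REDACTED'

config wifi-iface 'general_5g'
        option device 'radio1'
        option network 'general'
        option mode 'ap'
        option ssid 'Home'
        option encryption 'sae-mixed'
        option key 'REDACTED'
```

Two things to check before trusting it: with dnsmasq, odhcpd and the firewall disabled (as on a dumb AP) the AP will neither hand out leases nor filter anything itself, so every client on VLAN 10 can reach the AP's LuCI/SSH; if that is not wanted, restrict access to 10.0.10.x management ports on OPNsense or re-enable the OpenWrt firewall with an input rule on the "general" zone. And VLAN 20 has no address on the AP on purpose; if you ever set it to static/DHCP for debugging, remember to set it back, otherwise the IoT network gains a route to the AP's management plane.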

Ah ok! Thanks, I'll give that a shot.

So I attempted to set up the way you described but something in my setup is causing issues. My setup is as follows:

Devices:

  1. br-lan: LAN1-4
  2. VLANS: WAN (Trunk port) with VLAN filtering enabled with the two VLANS both tagged on WAN port

Interfaces:

  1. Unmanaged port VLAN.10 (General)
  2. Unmanaged port VLAN.20 (IoT)
  3. br-lan: LAN1-4

Wifi:

  1. 2.4G SSID using IoT Interface

For some reason, my phone cannot connect to my wifi at all with this setup. I'm still not sure how br-lan is getting internet access if WAN is being used in a separate bridge. What am I missing? Does this happen by default through eth0?

br-lan won’t get internet, it’s basically just for accessing the router itself. If you need internet access on any of the lan ports then just add them to the general interface by removing the respective ports from br-lan and adding them to br-vlan10.

Only the 2 unmanaged interfaces will get internet, but that itself is up to your opnsense router to provide. Be sure that tagged vlan 10 and 20 are routed to the right networks with their own dhcp server and all the firewall rules etc regarding dhcp/dns are taken care of. (Just generally speaking, I’m not familiar with opnsense so I can’t be more specific). Reading your initial post it seems you are on the right track, but obviously you should get IP addresses on different subnets depending on what vlan you’re on.

Also:
Instead of using unmanaged interfaces on the OpenWrt AP, you could either switch to static or dhcp if you don’t want to only rely on a physical port/br-lan to configure the OpenWrt AP.

Using DHCP is a good way to check that everything's working as it should. You should see in Luci that the interfaces are getting an IP address from your opnsense router on different subnets. Often your phone will not connect to an ssid if it's not getting an IP address, meaning something's wrong. In this case I'd recheck your opnsense config.

> br-lan won’t get internet, it’s basically just for accessing the router itself.

This is what's confusing me. Right now my ethernet devices plugged in to br-lan have internet and I have no idea why.

> Using DHCP is a good way to check that everything's working as it should. You should see in Luci that the interfaces are getting an IP address from your opnsense router on different subnets. Often your phone will not connect to an ssid if it's not getting an IP address, meaning something's wrong. In this case I'd recheck your opnsense config.

I'll double check OPNSense but it looks like the interfaces are not being assigned an IP using DHCP. Even using a static IP interface doesn't work in OpenWRT for some reason. All my traffic is being routed through my trunk gateway (10.0.0.1) and VLAN is not being used at all.

Let’s see your openwrt config

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd17:ab5f:3d10::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.10.2'
        option gateway '10.0.10.1'
        list dns '10.0.10.1'

config interface 'IoT'
        option type 'bridge'
        option device 'vlan0.20'
        option proto 'static'
        option ipaddr '10.0.20.2'
        option netmask '255.255.255.0'
        option gateway '10.0.20.1'
        list dns '10.0.20.1'

config interface 'HomeDevices'
        option device 'vlan0.11'
        option proto 'dhcp'

config device
        option type 'bridge'
        option name 'vlan0'
        list ports 'wan'
        option ipv6 '0'
        option acceptlocal '1'

config bridge-vlan
        option device 'vlan0'
        option vlan '11'
        list ports 'wan:t'

config bridge-vlan
        option device 'vlan0'
        option vlan '20'
        list ports 'wan:t'

I did some testing with Unmanaged, DHCP and static IP type interfaces. None of them work. My OPNSense logs don't even show "vlan0.11" or "vlan0.20" trying to connect

Let me know if I got this wrong:

You want your wired devices that are connected to your OpenWrt AP to be part of the general network/vlan 10. Then the correct way is to add those ports to the br-vlan10 bridge (which the tagged vlan10 device is also bridged to) and then add that bridge to the general interface that you just created. If you did this then everything should be ok, save for your opnsense config.

(Just forget about br-lan, in my example it’s just a «random» leftover. we keep it around to access the router but we could name it whatever. It’s basically acting as a closed admin network)

You are correct but I haven't gotten that far in my setup yet. I uploaded my config file in the comment above yours. Effectively the wired devices are fine to remain as part of the general network, but if it's best practice to tag them under vlan10 (or more specifically vlan 11, as I have it set up) then I'm fine with that as I can route it in OPNSense.

My current configs don't have the lan ports bridged to anything except each other under br-lan. I haven't tried to bridge the vlan11 to those ports yet because vlans in general aren't working. No DHCP request is being received by my OPNSense from either the IoT VLAN or the General VLAN when I tried having both set to DHCP.

See, here’s part of the confusion. When I wrote general network, I meant vlan10 (or maybe it was 20, adding to the confusion), as that was what you called your network in your first post, aka «general». I didn’t mean general as in the default br-lan network.

Understood, that's my mistake. I tried to simplify my setup explanation but that resulted in more confusion. I guess a far more basic question is my IoT vlan20 which is only being used with the 2.4g SSID not working so I suppose I can focus on that for now. What's causing the issue there? If I can sort that out I can get a better understanding and resolve the other vlan.

Ok... there are a bunch of issues that I see.

Can you confirm that I understand what you're trying to do and answer a few questions:

  1. VLAN 20 untagged on ports LAN 1 - LAN4 (these ports will be access ports for VLAN 20)
  2. VLAN 20 attached to a wireless network
  3. VLAN 10 attached to a wireless network, but not associated with any ethernet ports (aside from the trunk)
  4. WAN port serves as the trunk

If all this is correct, my question is this:

  • Which VLAN should be used to manage the OpenWrt device?

It seems to me your basic network config regarding the wan port is correct. I even tried to replicate it, and it works fine on a DSA based Lyra here. Pretty sure the problem is your OPNsense router, but even that seems pretty straightforward to configure judging by the first result that came up on google https://www.wundertech.net/how-to-set-up-a-vlan-in-opnsense/

> VLAN 20 untagged on ports LAN 1 - LAN4 (these ports will be access ports for VLAN 20)
> VLAN 20 attached to a wireless network
> VLAN 10 attached to a wireless network, but not associated with any ethernet ports (aside from the trunk)
> WAN port serves as the trunk

Not quite, some of the VLANs are swapped around.

  1. VLAN 10 untagged on ports LAN 1 - LAN 4
  2. VLAN 10 attached to 5g Wifi
  3. VLAN 20 will only exist on the 2.4g Wifi. No ethernet port required.
  4. Correct. WAN port serves as the trunk coming from OPNSense

VLAN 10 (Being effectively the "Catchall" VLAN) will serve as the access point to manage the OpenWRT

> It seems to me your basic network config regarding the wan port is correct. I even tried to replicate it, and it works fine on a DSA based Lyra here. Pretty sure the problem is your OPNsense router, but even that seems pretty straightforward to configure judging by the first result that came up on google

I've confirmed my OPNSense set up is correct, the logs just don't show any requests from either of the VLANs. Is it possible my router's hardware being unable to pass through VLAN information?

Also I'm still unsure how I'm able to get internet when connected to LAN 4, despite it not being bridged to the WAN or any of the VLANs at the moment.

Hard to say but I doubt that.

You could set up a loopback interface for a quick test to see if everything works:
Remove lan1 from br-lan.
Make a new bridge with lan1, "vlan1".
VLAN filter tagged vid 11.
Make a new static interface, attach vlan1.11, enable dhcp server, add it to LAN zone.
Connect a cable between lan1 and wan port.
Your HomeDevices interface (which has the DHCP client enabled per your posted config) should now get an IP address from your new interface.
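As an added example (not a config from this thread), here is the loopback self-test above written out as UCI fragments, using the vlan0/vlan0.11 names from the posted config: lan1 is moved out of br-lan into its own filtered bridge "vlan1" carrying VID 11 tagged, and a static "looptest" interface on vlan1.11 runs a DHCP server. With a patch cable between lan1 and wan, a DHCP discover from HomeDevices (vlan0.11) leaves wan tagged 11, enters lan1, and is answered by dnsmasq on looptest, so the AP ends up proving its own trunk works without OPNsense in the loop. The 192.168.11.0/24 test subnet and the "looptest" name are assumptions; dnsmasq and the firewall must be enabled for the test.

```uci
# /etc/config/network additions (added example; br-lan must no longer list lan1)
config device
        option name 'vlan1'
        option type 'bridge'
        list ports 'lan1'

# lan1 becomes a tagged trunk for VID 11, mirroring 'wan:t' on the vlan0 bridge
config bridge-vlan
        option device 'vlan1'
        option vlan '11'
        list ports 'lan1:t'

# The AP side of the test loop: static address, DHCP server below
config interface 'looptest'
        option device 'vlan1.11'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp: dnsmasq hands out leases on the test network only
config dhcp 'looptest'
        option interface 'looptest'
        option start '100'
        option limit '50'
        option leasetime '1h'

# /etc/config/firewall: put looptest in the lan zone so DHCP input is accepted
# (add the 'list network' line to the existing lan zone rather than duplicating it)
config zone
        option name 'lan'
        list network 'lan'
        list network 'looptest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
```

After `/etc/init.d/network restart` and `/etc/init.d/dnsmasq restart`, `ip addr show vlan0.11` should show a 192.168.11.x lease and `logread -e dnsmasq` the DHCPDISCOVER/DHCPOFFER exchange. If the lease appears, tagging on the wan port is fine and the missing leases in production are an OPNsense-side problem; if it does not, `tcpdump -ni wan -e vlan` (package tcpdump) shows whether frames leave wan with tag 11 at all. Remove the loop cable and the looptest interface afterwards; an extra DHCP server left running on an AP is exactly the kind of rogue-DHCP surprise a segmented network is meant to avoid.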

> You could set up a loopback interface for a quick test to see if everything works:
> Remove lan1 from br-lan.
> Make a new bridge with lan1, "vlan1".
> VLAN filter tagged vid 11.
> Make a new static interface, attach vlan1.11, enable dhcp server, add it to LAN zone.
> Connect a cable between lan1 and wan port.
> Your HomeDevices interface (which has the DHCP client enabled per your posted config) should now get an IP address from your new interface.

When setting up this test, I thought of something; since I'm running this DLink router as an access point I have dnsmasq, firewall and odhcpd services disabled. Given that those would all be handled with OPNSense so could it be one of those services being disabled that's interfering? Specifically odhcpd?

Edit: Performed the test and the "HomeDevices" still does not have an IP. And this is after enabling odhcpd, firewall and dnsmasq