I currently have an XR500 running OpenWrt 22.03.3 with 5 SSIDs. These consist of 3 isolated guest networks for various IoT/guest devices and configurations, and the default LAN zone split into 1 SSID for the 2.4 ghz radio and 1 SSID for the 5 ghz radio.
I want to essentially create the same thing as a guest wifi for one port on my router, which will be connected to a cable IoT device that receives channel information for our TVs. I'd like the device connected to this port to be unable to reach other wired devices, the router, and any of the wifi SSIDs.
Would I need to do any bridging or more complicated setup than what's outlined here? This video is basically the same information, just in video format.
The reason I ask is that I wasn't able to find much information for this specific use case, and this seems far more simple than other VLAN guides I've found.
Do you want this wired guest network to be tied to one of the existing guest SSIDs, or is this separate?
if it should be tied, you'll create a bridge that contains the ethernet port (details TBD based on your current config), and then adjust the network to use that bridge
if it should be independent and isolated, create a new network with the ethernet port as the device (again, details TBD).
Once we know what you want above, and based on your network config file, we can easily suggest the changes.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I'd like to make this guest network completely separate from all SSIDs and other wired devices. I'd like it to be completely isolated from accessing the router and everything else except the internet.
What we'll do is split out one of the ports from VLAN 1 (which is used for the lan connected ethernet ports). The first stanza is your existing VLAN 1 statement, but with logical port 4 removed. The second one is VLAN 3 with logical port 4 assigned. Then the next is a new network that uses the new VLAN.
Then create a DHCP server for this new network, and setup the firewall appropraitely. Let me know if you need help with those (if so, post your dhcp and firewall files).
EDIT: The above is just an example -- you can adapt using a different logical port (1, 2, or 3) if you don't like using logical port 4 (FWIW, I don't know what the physical-to-logical port mapping looks like for this device). Also, you can use any non-overlapping address and name for that new network.
Just to double check, would this be how I'd make the VLAN changes from LuCI? I was unsure about what to label the eth0 and eth1 CPUs, since other routers don't seem to have two of these.
And then proceeded to set up the interface as I had done when making the guest wifi networks. I assigned an IP range, a netmask of 255.255.255.0, created a new firewall zone, and turned on the DHCP server.
Yup... all looks correct based on the screenshots. The configs are a better way to verify this, but I think you've probably already got pretty good indications that it is working as expected.
The only real difference I can see in comparing your original config outline to these configs, is that the third VLAN's option ports are set to option ports '1 6t'. Would the 1 signify a bind to the first physical port? The correct port is being bound (physical port 4 is the one that doesn't allow connections over SSH and etc.), so it doesn't seem to be a big issue.
Your config looks fine. The 1 vs 4 is a logical port, which may or may not directly relate to the physical port number (in your case, maybe they are in reverse order). This is not a problem, as long as you know what physical port corresponds with the logical port you’re designating.
