Setup the guest network on the main router, and then use VLANs to run them out to the dumb APs

Hello!

My network topology:

My config (router):

root@R4S:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "R4S",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "rockchip/armv8",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@R4S:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0a:bb4c:8eb9::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'REDACTED'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr 'REDACTED'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'none'
        option reqprefix 'auto'

root@R4S:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@R4S:~# cat /etc/config/dhcp

# Router-side dnsmasq. Note `port '54'`: dnsmasq is NOT on the standard DNS port, so any client
# that is handed a router address as its resolver (the lan pool's option 6 below, or the guest
# pool's default) talks to whatever listens on :53 -- AdGuard Home, per the thread -- not to dnsmasq.
# dnsmasq itself forwards upstream to 10.0.0.1 (port 53 implied, i.e. presumably AdGuard Home).
# NOTE(review): confirm AdGuard Home's own upstream is not 10.0.0.1:54 in turn, which would loop.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # refuse upstream answers that point at private ranges (DNS rebinding protection)
        option rebind_protection '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # only answer queries from directly attached subnets (lan, and guest once it exists)
        option localservice '1'
        option ednspacket_max '1232'
        # non-standard listening port; :53 is left to another resolver on this host
        option port '54'
        list server '10.0.0.1'
        option rebind_localhost '1'

# lan pool: 10.0.0.10 - 10.0.0.99 (start 10, limit 90). Options 6 (DNS) and 3 (router) both point
# at 10.0.0.1, so lan clients resolve against :53 on the router (AdGuard Home per the thread),
# not against dnsmasq on :54. The dhcpv6/ra/ndp 'relay' settings pair with the wan6 'master'
# stanza further down (IPv6 is relayed from upstream rather than served from a delegated prefix).
config dhcp 'lan'
        option interface 'lan'
        option start '10'
        option limit '90'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        list dhcp_option '6,10.0.0.1'
        list dhcp_option '3,10.0.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'

config host
        option name 'TL-SG108PE'
        option mac 'REDACTED'
        option ip '10.0.0.2'

config host
        option name 'U6Lite'
        option mac 'REDACTED'
        option ip '10.0.0.3'

config host
        option name 'ArcherC6'
        option mac 'REDACTED'
        option ip '10.0.0.4'
		
config host
        option name 'rpi3-wired'
        option mac 'REDACTED'
        option ip '10.0.0.5'

config domain
        option name 'REDACTED.nsupdate.info'
        option ip '10.0.0.5'

I'd like to setup the guest network on the main router, and then use VLANs to run them out to the dumb APs. Is that possible, @psherman? If so, how to achieve this?

Will 802.11r be possible on the guest network using this setup?

Thanks!

Thanks for starting the new thread. Referencing your old thread, you were using the 10.0.1.0/24 subnet for the guest network. So we'll replicate that here.

Let's start with the network file. We're going to use device eth1.10 which will be tagged VLAN 10 on port eth1. Add the following

# Guest L3 interface on the router. eth1.10 is an 802.1Q sub-interface: VLAN 10 *tagged* on eth1,
# while untagged traffic on eth1 still belongs to br-lan (eth1 remains a br-lan port), so the
# management/lan side is unaffected. The router owns the guest gateway address 10.0.1.1; note that
# both APs, as posted below, also carry a static 10.0.1.1 on an empty bridge -- that is removed
# when they are converted to an unmanaged VLAN sub-interface.
config interface 'guest'
        option proto 'static'
        option device 'eth1.10'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'

Next, we'll add this to your DHCP file (using the range you wanted from your previous thread):

# Guest pool: 10.0.1.10 - 10.0.1.99 (start 10, limit 90), same shape as the lan pool.
# There is no `dhcp_option '6,...'` here, so guest clients are handed the router's guest address
# as resolver. Later in the thread this is the "8.8.8.8 pings but names don't resolve" symptom,
# and it is fixed by adding `list dhcp_option '6,<dns-ip>'` exactly as the lan pool does.
config dhcp 'guest'
        option interface 'guest'
        option start '10'
        option limit '90'
        option leasetime '12h'

And then the firewall -- for now, we'll allow the guest network to reach the router itself (`input 'ACCEPT'`) so that DHCP and DNS just work and there are fewer variables while we test. Once the VLAN is confirmed working, tighten it: set `input` to `REJECT` and add explicit rules allowing only DHCP (UDP 67-68) and DNS from the guest zone, otherwise guest clients can reach LuCI/SSH on the router:

# Guest zone. `input 'ACCEPT'` is deliberately permissive for the first test: guest clients can
# reach every service the router itself listens on (DHCP, DNS, but also LuCI/SSH on 10.0.1.1, and
# -- since zone input is matched on the ingress interface, not the destination address -- most
# likely services bound to 10.0.0.1 as well; verify). Once the VLAN is confirmed working, change
# input to REJECT and add explicit allow rules for UDP 67-68 (DHCP) and the DNS port the guest
# clients are actually pointed at.
config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# no guest -> lan traffic; the only permitted forwarding is the guest -> wan entry below
	option forward 'REJECT'
	list network 'guest'

# Internet only. There is intentionally no lan -> guest or guest -> lan forwarding stanza.
config forwarding
	option src 'guest'
	option dest 'wan'

Next, you'll need to set your switch to handle VLAN 10. It needs to be tagged on 3 ports (I don't know the port numbers you're using, but these are the functional connections):

  • Uplink to the router
  • connection to the U6 Lite
  • connection to the C6.

And, I would also recommend making it untagged + PVID on any spare port that you have on your switch so that we can test to make sure the VLAN is working.

Now, restart your router and plug an ethernet connected device into the untagged + PVID port you setup above. It should get an address in the guest network and it should be able to reach the internet. Please confirm that and we can move onto the APs.


Switch ports:

  • 1: AP (U6 Lite)
  • 2: free
  • 3: free
  • 4: free
  • 5: AP (Archer C6)
  • 6: RPi 3
  • 7: PC
  • 8: Uplink to the router

I'm picking the second port to test the VLAN:

image

(Is that correct?)

Router and switch restarted. Plugged my PC on the switch's second port:

My PC got an address in the guest network! But I can't reach the internet. :neutral_face:

Did I do something wrong?

It is probably a dns issue.

Try to ping 8.8.8.8 and then openwrt.org. What are the results?


You're correct. I can ping 8.8.8.8; but I can't ping openwrt.org.

Did you setup adguard or other dns filtering (or doh/dot) solutions?

Does your guest network need to use the same dns, or is a public dns sufficient?

Did you setup adguard or other dns filtering (or doh/dot) solutions?
Answer: AdGuard Home, using DNS over HTTPS from Cloudflare.

Does your guest network need to use the same dns, or is a public dns sufficient?
Answer: A public DNS is sufficient... I guess? Using AdGuard Home for the guest network would be cool, though.

What do you suggest? :blush:

Set DHCP option 6 on your guest DHCP server and point it at a DNS server of your choice -- e.g. `list dhcp_option '6,<dns-ip>'` inside the `config dhcp 'guest'` stanza, the same form your lan stanza already uses.

Or

Others may be able to help you setup agh against the guest network. (This is outside my normal skill set)

Done:
image

Now all domains resolve properly on the guest network.


Great. Now post your network and wireless files for the 1st AP.


Sure!

root@U6Lite:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "U6Lite",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti UniFi 6 Lite",
        "board_name": "ubnt,unifi-6-lite",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

root@U6Lite:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9d:cebe:f1e6::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.3'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

# Pre-VLAN guest setup on this AP: an empty bridge carrying a static 10.0.1.1/24. That is the same
# address the router's guest interface uses, so had this bridge ever been joined to the guest VLAN
# there would have been two 10.0.1.1 gateways on it. The fix that follows drops this in favour of
# an unmanaged br-lan.10 (no address on the AP at all).
config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'

root@U6Lite:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '13'
        option band '2g'
        option htmode 'HT20'
        option country 'BR'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '48'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'BR'

config wifi-iface 'wifinet0'
        option device 'radio1'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'
        option ieee80211r '1'
        option mobility_domain 'REDACTED'
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'

# Guest SSID on the 2.4 GHz radio, WPA3-SAE, attached to the 'guest' network (VLAN 10 after the
# change below). Consider adding `option isolate '1'`: the router firewall only separates guest
# from lan, it never sees guest-to-guest traffic switched inside the same VLAN/AP.
# 802.11r is configured on the lan SSID (wifinet0) only; whether FT is wanted on the guest SSID
# is asked at the top of the thread and not answered here.
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'sae'
        option key 'REDACTED'
        option network 'guest'

Delete this (the quoted stanza did not survive extraction; from the edits that follow it is the `br-guest` bridge device, i.e. the `config device` with `option name 'br-guest'` / `option bridge_empty '1'`, which is no longer needed):

Add bridge VLANs:

# Bridge VLAN filtering on the U6 Lite's single 'lan' port:
#   VLAN 1  -- 'u*' = untagged + PVID: management traffic (10.0.0.3) stays untagged, which matches
#              leaving switch port 1 untagged on VLAN 1.
#   VLAN 10 -- 't' = tagged: guest, matching switch port 1 being tagged on VLAN 10.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan:t'

Edit the lan interface to use br-lan.1 (the VLAN 1 sub-interface of the bridge) instead of the raw bridge:

# Management interface now rides br-lan.1 (VLAN 1, untagged on the port) rather than the bare
# bridge. Address, gateway and DNS are unchanged from the original stanza.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.0.0.3'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

And edit the guest network to use br-lan.10 and it should also be unmanaged:

# Guest is a pure L2 hand-off on the AP: proto none, so the AP holds no address on VLAN 10 and
# guest clients have nothing of the AP's to talk to on their own VLAN (management lives on VLAN 1,
# and the router's guest zone rejects forwarding to lan). Addressing, DHCP and firewalling for
# guest all live on the router.
config interface 'guest'
        option proto 'none'
        option device 'br-lan.10'

Restart the device and connect to the guest ssid. (You may want to temporarily unplug the other ap so that there is only one device broadcasting the ssid)


It works, @psherman! Thank you so much! :grin:

And how to do that on the Archer C6?

One more question (screenshot from the switch's dashboard:

On VLAN ID 1, do I have to tag ports 1, 5 (APs) and 8 (uplink to the router), like I did on VLAN ID 10? Or can I leave them untagged?

Thanks again!


lol!!!

sorry

Archer C6 has 1 WAN port and 4 LAN ports. :sweat_smile:

Let’s see the config files from that device. I also need to know which port is used on the c6 to connect it to the switch.


Your switch looks fine. You can leave it as it is.

root@ArcherC6:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "ArcherC6",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link Archer C6 v3",
        "board_name": "tplink,archer-c6-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

root@ArcherC6:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd1:982c:d384::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.4'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

# Same pre-VLAN guest setup as on the U6 Lite: an empty bridge with a static 10.0.1.1/24, which
# duplicates the router's guest gateway address. On the U6 Lite this was replaced by an unmanaged
# br-lan.10; the equivalent change for the C6 depends on which of lan1-lan4 is the uplink to the
# switch (only that port needs VLAN 10 tagged), which is the question the thread ends on.
config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'

root@ArcherC6:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '7'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'BR'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '48'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'BR'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'
        option ieee80211r '1'
        option mobility_domain 'REDACTED'
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

# Guest SSID on the 2.4 GHz radio, WPA3-SAE, attached to the 'guest' network. As on the U6 Lite,
# consider `option isolate '1'` so guest clients cannot reach each other through this AP -- the
# router's guest zone only separates guest from lan, not guest from guest. Unlike default_radio1,
# this SSID has no 802.11r settings.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'sae'
        option key 'REDACTED'
        option network 'guest'

Which port are you using to connect it to the switch?

image