I'll first describe my setup before asking about the VLAN setup.
My ISP is Hyperoptic, which provides a "Gigabit" internet connection + VOIP. This comes as a cat5 ethernet cable to my home.
This goes to the Hyperoptic router, which handles the VOIP telephone and has almost everything disabled (wifi, etc.), and then to my new pfsense router with an ethernet cable as WAN.
The pfsense router is responsible for DHCP, DNS, firewall rules and VLAN separation.
An ethernet cable as LAN connects to a TP-Link Archer 7 v2 repurposed router. This is now working as a bridged AP for providing Wireless capabilities to my network.
The ethernet cable which comes from pfsense connects to port 1 of Switch in Archer 7 v2.
Port 2 of the Switch is connected to a simple (unmanaged) switch which shares the network.
The WAN port and interfaces in OpenWRT are not used (I should probably delete the interfaces).
OpenWRT has a bridged LAN interface including the two wifi interfaces + the switch interface.
The above works properly for all devices including wireless, but I'd like to adjust it a bit with the following:
Set LAN to run over a VLAN instead (vlan.id 20), getting DHCP from pfsense
Add an IOT wifi which runs on a separate VLAN (vlan.id 30), getting DHCP from pfsense
Add a GUEST wifi which runs on a separate VLAN (vlan.id 40), getting DHCP from pfsense
I've been trying to read about setting up a VLAN trunk port in OpenWRT on port 1 of the switch and using port 2 as VLAN 20 (LAN, which goes to the unmanaged switch) but can't find anything concrete. Also, considering the fact that if I set the VLANs wrongly I could lose access to the OpenWRT interface, I thought it better to ask.
So let's start with something small for now:
How can I set up a new GUEST wifi which runs over VLAN.id 30 on port 1? This won't have an actual physical port assigned to it as I expect to have only wifi IOT. I've set up a new Wireless interface and assigned it to a new VLAN (with id 30) but I'm not sure about the tagging against Port 1.
PS: In pfsense I've already set up the VLANs and interfaces but everything seems to be untagged.
The switch on the Archer C7v2 can be set up using LuCI, or through the command line.
The driver can support a total of 128 VLANs. Use of VID over 127 will require setting the vid option explicitly.
jeff@office:~$ swconfig dev switch0 help
switch0: mdio-bus.0(Atheros AR8327), ports: 7 (cpu @ 0), vlans: 128
[...]
I typically configure directly in /etc/config/network, but all of this can be done through LuCI.
Set the VLANs as "tagged" on the ports that you want to be trunks, untagged on those that are intended for devices that aren't using VLAN tags.
Since you're using external DHCP (and possibly DNS) on several of your subnets, disable DHCP and DNS for those subnets on the OpenWrt box.
I typically set a management interface up on a trunked VLAN, or on a specific switch port. Confirming this is up and running helps avoid connectivity loss.
For this, just define a "bridge" and don't associate it with the switch if using OpenWrt DHCP and DNS. If using external DHCP and DNS, then you'll need to trunk it to the box providing those services (and, perhaps NTP).
You'll need firewall rules to prevent cross-VLAN routing.
If you're not using your "WAN" jack, that is, at least for me, a convenient place to put a management interface and/or your trunk as it's visually "different" than the other ports.
Thanks for the suggestion but it didn't work as I expected. As @jeff suggested I had set up the WAN port as a Management interface so I wasn't locked out.
I'll try something even simpler:
Set a VLAN with id 20 on Port 2 which should go through Port 1 as tagged. Port 2 should connect a physical cable.
Bear with me for a minute as I describe my thoughts.
If I understood correctly, on the LuCI switch interface I set "off" on all the different rows (VLANs) for port 2 except the VLAN I'm interested in, which is 20 in this case. Then on Port 1 it should be tagged in the VLAN 20 row. So anything which belongs to VLAN 20, which is Port 1 and Port 2, should be tagged with VLAN.20 when transmitted from Port 1.
On the interfaces page I'll need to create an interface, let's say LAN, which has the physical interface set as eth1.20 (VLAN 20) and a static IP on a network/subnet which matches the interface from pfsense (10.120.20.0/24 in this case).
With the above settings I should be able to plug an ethernet cable into Port 2 and receive an IP from the pfsense DHCP on the 10.120.20.0/24 network. And if DHCP works then I am able to connect to pfsense, and if something doesn't work after that (like DNS etc.) then it's the firewall rules for that interface.
Am I missing something obvious on the above scenario?
As it is shown in the image above port 2 is tagging vlan 20, so whatever you connect there must be able to receive tagged frames. If it doesn't you need to select untagged.
You'll do that if you need a L3 interface on vlan20 in Openwrt. If not you can skip it.
Depends if the host you'll connect on port 2 is configured for vlan20 or not, as described in the beginning of this post.
So after some configuration play I managed to define a "Guest" Wifi interface and bridge it to VLAN 40, which has Port 1 as tagged and Port 4 as untagged. This works as expected and cooperates with pfsense for DHCP / DNS. So overall the GUEST vlan is set up and working as intended.
Now to a more complicated setup of setting the LAN up.
LAN should run on VLAN 20 and should include Port 1 as tagged, Port 2 and Port 3 as untagged, along with Wifi from radio0 ("local0") and from radio1 (local1). As you suggested above, an L3 interface on it is set to 10.120.20.2/24.
With the above configuration Port 3 is working fine and I got a DHCP lease from pfsense on the 10.120.20.0/24 network, but anything from Wifi connections can't reach pfsense.
I'm not sure why the VLAN 20 configuration would be different from the GUEST one; essentially it's the same thing extended to more Ports and Wifi networks.
Firewall is set to "Unspecified" so it shouldn't interfere.
What you described isn't too complicated. If I understand you correctly...all you need to do is change:
eth0.1 to eth0.20 on the LAN interface
Change 1 to 20 under Network > Switch
properly tag/untag the LAN ports in question
and get rid of whatever VLAN 20 settings are already present
That depends on your Global Firewall settings. It's always good to place Interfaces in a properly configured Firewall Zone. I'm not even sure why your LAN Interface isn't in the LAN Firewall Zone - like default.
Port 2, which is directly connected to a PC, works fine and gets an IP from VLAN 20 (so packets are properly tagged).
Port 3 is connected to a Netgear Switch (GS110TP - managed but has no VLAN setup) but the clients on the Netgear Switch don't get IPs from the DHCP server which is running on pfsense.
The WIFI interfaces which are bridged to this VLAN interface don't get IPs from the DHCP server which is running on pfsense.
I assume this has to do with the interface definition and not the actual switch definition, as the PC works fine and gets its packets tagged.
Then something is wrong with the switch. Check again if ports are configured properly in terms of vlan without tagging.
Other than that, you have configured 3 Interfaces in Openwrt with static IPs and gateways. This is wrong. There can be only one gateway, or it will be a mess. Since the Archer is a bridged AP as per your first post, you should keep only one managed interface with IP and Gateway. All routing functions are handled by pfSense.
From my understanding so far your PC is able to get address from pfSense DHCP server on ports 2 and 3. So VLAN20 works fine and packets are sent untagged out of the ports. If you connect it on port 4 you should get IP in VLAN40, according to your diagram.
If the cables work in these test cases, then they are fine. You don't need any special cable for VLANs.
The problem seems to be on the Netgear switch. Try to connect any dumb switch on ports 2 or 3 and verify that hosts connected on that will acquire settings.
Agreed, I think it's something with the Netgear switch (and the OpenWRT Access Point, where the Wifi which is bridged with VLAN.20 doesn't get an IP from DHCP either).
So since this is an OpenWRT forum I'll stick to the OpenWRT questions and deal with the Netgear part myself.
Any idea why would the Bridged Interface (LAN) between VLAN.20 (eth1.20) and Access Points LAN2G (wlan1) and LAN5G (wlan0) only work for physical ports 2, 3 (marked untagged on the Switch UI) and not the wireless?
Note that the VLAN.40 setup works perfectly fine for both Port 4 and GUEST wifi (wlan1-1) and the firewall rules on pfsense are very similar and allow DHCP and DNS requests.
What is not working here?
The SSID is broadcasting?
The clients can connect successfully?
Do you see DHCP Discovery packets traversing from Openwrt towards pfSense?
Post your firewall configuration also just in case...
I think they associate with the AP and don't get an IP. So for example the Android phone can't get an IP. Neither can the laptop with Archlinux get an IP through WiFi.
Hmm, I'm not sure how to ensure this happens.
/etc/config/firewall

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '10022'
	option name 'LEDE+SSH'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option name 'Lan DNS'
	option src 'lan'
	option dest_port '53'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option name 'Lan DHCP'
	option src 'lan'
	option dest_port '67-68'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'guest'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option name 'guest'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network ' '

config forwarding
	option dest 'wan'
	option src 'guest'
I can't see why there is any difference from the GUEST WiFi setup.
Nevermind, I found the problem.
In firewall LAN zone you have the guest interface and the guest firewall zone has no interfaces. Fix that and it should be fine
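The zone mix-up spotted above (the guest interface sitting in the lan zone while the guest zone has no interfaces at all) is easy to miss by eye in a long config. The checker below is an added example, not code from this thread or from OpenWrt: it parses UCI syntax and flags zones with no interfaces assigned and interfaces placed in a zone when a zone of the same name exists. It runs on a copy of /etc/config/firewall on any machine with Python; the embedded sample is the zone section posted above, reduced to the options the check needs.

```python
import shlex

# Zone sections from the /etc/config/firewall posted above, reduced to the
# options the check needs.
FIREWALL_CFG = """
config zone
	option name 'lan'
	option network 'guest'

config zone
	option name 'wan'
	option network 'wan6'

config zone
	option name 'guest'
	option network ' '
"""

def parse_uci(text):
    """Parse UCI syntax into a list of (section_type, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections:
            # 'option' holds one value, 'list' may repeat; keep both as lists
            sections[-1][1].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def audit_zones(text):
    """Return findings about how interfaces are assigned to firewall zones."""
    zones = [opts for stype, opts in parse_uci(text) if stype == "zone"]
    names = {z.get("name", ["?"])[0] for z in zones}
    findings = []
    for z in zones:
        zone = z.get("name", ["?"])[0]
        # 'network' is space-separated (or repeated via 'list'); ' ' means empty
        ifaces = " ".join(z.get("network", [])).split()
        if not ifaces:
            findings.append(f"zone '{zone}' has no interfaces assigned")
        for iface in ifaces:
            if iface in names and iface != zone:
                findings.append(f"interface '{iface}' sits in zone '{zone}' while zone '{iface}' exists")
    return findings
```

Run `audit_zones(open("/etc/config/firewall").read())` against your own config; an empty list means the zone-to-interface mapping is consistent.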