[Solved] Configure Guest Wifi to use VLAN on a dumb AP

Although I am an experienced OpenWrt user, this is the first time I'm setting up my multiple "dumb" APs running OpenWrt to broadcast a guest wifi on a separate VLAN. I know this question has been asked multiple times already, and I've read a bunch of posts and wikis, but I have not been able to solve this issue.

I have a single trunk network wiring (with some switches in the path) connecting 3 access points (OpenWrt custom build 22.03.4 without firewall/dnsmasq, configured as "dumb" APs on Redmi AX3200/AX6S) to the main router (NanoPi R4S, also running OpenWrt, version 22.03.5). The same wiring is used for both the main and the VLAN networks (trunk).

The good news is that my guest VLAN (interface lan_guest, device br-lan.100) is up, running and working correctly. I'm able to connect a wired device (in this case my laptop) to any port of any of the APs, get an IP via DHCP from the guest range (192.168.100.x) and connect successfully to the internet (obviously I've configured the ethernet adapter of my laptop to use VLAN tag 100 for these tests).

However, my issue is with the guest Wifi. I have not managed to get the guest Wifi (dsguest) configured on the APs to connect to the guest VLAN (interface lan_guest, device br-lan.100). This should be the simplest and easiest part, but for some reason it is not working. I believe I may be missing some small detail...

Below are my configs.

Could the fact that I've removed firewall4 from the APs prevent a Wifi adapter from bridging to a VLAN network? Any suggestion is much appreciated.

Router /etc/config/network
root@router:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'
	option packet_steering '1'

config device 'eth1'
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	list dns_search 'home'
	option ip6assign '64'

config interface 'lan_guest'
	option device 'br-lan.100'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	list dns_search 'home'

config device 'eth0'
	option name 'eth0'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option peerdns '0'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'modem_claro'
	option proto 'static'
	option ipaddr '192.168.0.100'
	option netmask '255.255.255.0'
	option device 'eth0'

(other wireguard entries omitted from this post)
Router /etc/config/firewall
root@router:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config zone
	option name 'lan_guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan_guest'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'modem_claro'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan_guest'
	option dest 'wan'

(other firewall rules entries omitted from this post)
AP /etc/config/network
root@apesc:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	list dns_search 'home'
	option ipaddr '192.168.1.3'

config interface 'lan_guest'
	option device 'br-lan.100'
	option proto 'static'
	option ipaddr '192.168.100.3'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'

root@apesc:~#
AP /etc/config/wireless
root@apesc:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'BR'
	option noscan '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'dshome'
	option encryption 'psk2+ccmp'
	option key '**************'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option country 'BR'
	option cell_density '0'
	option noscan '1'
	option channel '149'
	option htmode 'VHT80'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'dshome5ghz'
	option encryption 'psk2+ccmp'
	option key '**************'
	option disassoc_low_ack '0'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'dsguest'
	option encryption 'psk2'
	option key '**************'
	option network 'lan_guest'

On the router, you don’t have br-lan.100 defined anywhere, but you are using it on the guest network interface. You may not actually need to use bridge VLANs here, so I’d recommend making the main router look like this:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth1.100'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	list dns_search 'home'
	option ip6assign '64'

config interface 'lan_guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	list dns_search 'home'

Then, on the AP, you have likewise used the br-lan.100 but not defined it anywhere. Further, you don’t need an address on the guest network on the AP. You’ll need to define a bridge-vlan device for each network.

Make it look like this (here, we’re assuming the wan port is being used as the uplink, and I’m actually assigning lan1 and lan2 to the lan, and then lan3 to the guest network — this way we can test and verify connectivity):

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan3:u*'
	list ports 'wan:t'

Next, edit the lan network interface to use br-lan.1, and edit the guest interface so that it is unmanaged. They’ll look like this:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	list dns_search 'home'
	option ipaddr '192.168.1.3'

config interface 'lan_guest'
	option device 'br-lan.100'
	option proto 'none'

Try that…. Don’t forget to restart your devices after making the changes. By plugging a device directly into the dumb AP’s lan ports, you’ll be able to test that things are working properly for lan (using ports lan1 or lan2) and guest (lan3). The wireless should work, too, but the wired connections will help prove everything out.

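As an added example (editor's code, not from either poster), the following Python script turns the answer above into an automated check and also looks at the router-side firewall from the opening post. It parses UCI text, reports any interface that references br-X.N without a matching `config bridge-vlan` on that bridge, and flags a guest zone that forwards into a trusted zone or accepts input on the router. It is meant for the AP's network config, where a wireless interface has to be attached to the bridge VLAN; on the router the bare br-lan.100 worked for wired traffic, as the thread shows, and the answerer's preferred router layout uses a plain eth1.100 instead. The embedded sample configs are trimmed copies of the ones posted in this thread; the message strings, the `trusted=("lan",)` default and the advice to allow only DHCP (udp/67) and DNS (53) from guests to the router are my additions.

```python
"""Lint OpenWrt UCI text for the guest-VLAN dumb-AP setup in this thread. Added example, not
code from the thread; embedded samples are trimmed copies of the posted configs. Real input is
the text of /etc/config/network and /etc/config/firewall (or 'uci export' output)."""
import re


def parse_uci(text):
    """Parse UCI text into sections: {type, name, opt: {k: v}, list: {k: [v, ...]}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = [p.strip("'\"") for p in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", raw)]
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config" and len(parts) > 1:
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "opt": {}, "list": {}}
            sections.append(cur)
        elif cur is not None and parts[0] in ("option", "list") and len(parts) > 1:
            value = parts[2] if len(parts) > 2 else ""
            if parts[0] == "option":
                cur["opt"][parts[1]] = value
            else:
                cur["list"].setdefault(parts[1], []).append(value)
    return sections


def check_ap_network(net_text):
    """An interface on br-X.N needs 'config bridge-vlan' N on bridge br-X; without it
    br-X.N is only an 802.1Q sub-interface stacked on the bridge. Returns problem strings."""
    net = parse_uci(net_text)
    bridges = {s["opt"].get("name") for s in net
               if s["type"] == "device" and s["opt"].get("type") == "bridge"}
    vlans = {(s["opt"].get("device"), s["opt"].get("vlan"))
             for s in net if s["type"] == "bridge-vlan"}
    problems = []
    for s in (x for x in net if x["type"] == "interface"):
        dev = s["opt"].get("device", "")
        m = re.fullmatch(r"(br-[\w-]+)\.(\d+)", dev)
        if m and m.group(1) in bridges and (m.group(1), m.group(2)) not in vlans:
            problems.append(f"interface {s['name']}: {dev} has no bridge-vlan {m.group(2)} on {m.group(1)}")
    return problems


def check_guest_firewall(fw_text, guest_net="lan_guest", trusted=("lan",)):
    """Router side: the zone holding guest_net must not forward into a trusted zone and
    should not ACCEPT input (allow DHCP and DNS to the router with explicit rules instead)."""
    fw = parse_uci(fw_text)
    zone = next((z for z in fw if z["type"] == "zone"
                 and guest_net in z["list"].get("network", [])), None)
    if zone is None:
        return [f"no zone contains network {guest_net}"]
    zname, problems = zone["opt"].get("name"), []
    if zone["opt"].get("input", "REJECT").upper() == "ACCEPT":
        problems.append(f"zone {zname}: input ACCEPT exposes every router service (ssh, LuCI, ...) "
                        "to guests; use REJECT plus allow rules for udp/67 and port 53")
    for f in fw:
        if (f["type"] == "forwarding" and f["opt"].get("src") == zname
                and f["opt"].get("dest") in trusted):
            problems.append(f"forwarding {zname} -> {f['opt']['dest']} lets guests into a trusted zone")
    return problems


# Constructed sample: the AP network config as first posted (trimmed).
AP_ORIGINAL = """
config device
 option name 'br-lan'
 option type 'bridge'
 list ports 'lan1'
 list ports 'lan3'
 list ports 'wan'
config interface 'lan'
 option device 'br-lan'
config interface 'lan_guest'
 option device 'br-lan.100'
"""
# The accepted answer: VLANs declared on the bridge, lan moved to br-lan.1, uplink 'wan' tagged for 100.
AP_FIXED = AP_ORIGINAL.replace("device 'br-lan'\n", "device 'br-lan.1'\n") + """
config bridge-vlan
 option device 'br-lan'
 option vlan '1'
 list ports 'lan1:u*'
 list ports 'wan:u*'
config bridge-vlan
 option device 'br-lan'
 option vlan '100'
 list ports 'lan3:u*'
 list ports 'wan:t'
"""
# Constructed sample: the router's guest zone and forwarding as posted.
ROUTER_FIREWALL = """
config zone
 option name 'lan_guest'
 option input 'ACCEPT'
 option forward 'REJECT'
 list network 'lan_guest'
config forwarding
 option src 'lan_guest'
 option dest 'wan'
"""

if __name__ == "__main__":
    print(check_ap_network(AP_ORIGINAL), check_ap_network(AP_FIXED), check_guest_firewall(ROUTER_FIREWALL))
```

Run against the AP config as first posted it reports that lan_guest references br-lan.100 with no bridge-vlan 100 on br-lan; against the answerer's version it reports nothing. Against the router firewall as posted it reports only the `input ACCEPT` on the guest zone: the `forward REJECT` plus the single guest-to-wan forwarding already keeps guests out of the lan, but guest clients can still reach every service the router itself listens on, so the practical follow-up is `input REJECT` with explicit DHCP and DNS allow rules.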

Thanks, I will try this. But notice that just declaring:

config interface 'lan_guest'
	option device 'br-lan.100'

will automatically create br-lan.100 (so it does not need to be explicitly created), see below:

root@router:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 7E:25:4E:BD:58:31
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: xxxxxxxx/64 Scope:Link
          inet6 addr: xxxxxxxx/64 Scope:Global
          inet6 addr: xxxxxxxx/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:66686 errors:0 dropped:4 overruns:0 frame:0
          TX packets:42171 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11007263 (10.4 MiB)  TX bytes:13952382 (13.3 MiB)

br-lan.100 Link encap:Ethernet  HWaddr 7E:25:4E:BD:58:31
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr:xxxxxxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4247 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3887 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:600981 (586.8 KiB)  TX bytes:2148153 (2.0 MiB)

So the VLAN is working fine. For example, I can ping the router from my AP via the VLAN:

root@apesc:~# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: seq=0 ttl=64 time=0.799 ms
64 bytes from 192.168.100.1: seq=1 ttl=64 time=0.773 ms
64 bytes from 192.168.100.1: seq=2 ttl=64 time=0.971 ms
^C
--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.773/0.847/0.971 ms
root@apesc:~# ^C

My laptop is also able to get an IP from the router on the guest network, tagged with the VLAN:

~ $ ifconfig vlan0
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 08:26:ae:38:fa:17
	inet6 fe80::8a3:1f55:89e9:87e8%vlan0 prefixlen 64 secured scopeid 0x13
	inet 192.168.100.112 netmask 0xffffff00 broadcast 192.168.100.255
	nd6 options=201<PERFORMNUD,DAD>
	vlan: 100 parent interface: en6
	media: autoselect (1000baseT <full-duplex>)
	status: active

~ $ ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=0.743 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.813 ms
^C
--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.743/0.778/0.813/0.035 ms

~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=31.797 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=31.468 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=31.780 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 31.468/31.682/31.797/0.151 ms

The only issue I have is how to connect the Wifi network to the VLAN network. I suspect it may be an mt76 issue; I will try with an old Archer C7 (Atheros) and also your suggestion.

Thanks.

Give my recommendations a try. If it doesn’t work, post the configs from both after you make the changes.


Sure, will do. I will update here the results. Once again thanks.

Correct, since it is a dumb AP, I'm using the WAN port as uplink (so it is assigned to the br-lan bridge with the other ports).

I've tried your suggestions and to my surprise it did work!

I then reverted my router's config back to my original config (but kept your suggestions in the AP config) and it continued working. So it seems the issue is related to the AP config, I will keep investigating.

Great! I’m not surprised that it worked. :grinning:

The dumb AP config was certainly an issue. The router config may have worked, but the syntax I suggested is typically preferred. Either way, though, I’m glad we got it working.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


Yep. I've tested some other configs in the AP but none worked. Your solution is the only one that worked in the AP.

Since you mentioned that this is the preferred way, I will adopt it in the router as well.

Once again thank you and have a nice weekend!

