Hello! I have a Mikrotik device as the main router and 3 dumb APs with openwrt, everything is working as expected.
I have 3 vlans to separate lan, iot and guest devices.
I have configured the VLAN interfaces for iot and guest as "unmanaged", but playing with them I can see that it is possible to configure them with a static IP and it works. The main difference I see is that the unmanaged one does not require an IP.
But, what is the real difference between the unmanaged and the static interface when using vlans?
Thanks!
config interface 'iot'
	option proto 'none'
none: Unspecified protocol, therefore all the other interface settings will be ignored (like disabling the configuration).
As the documentation says, an unmanaged interface has no IP address, so it doesn't respond to the classic ping, nmap, etc. commands.
It could be useful to assign an IP address in the hypothesis that you want to serve a service provided by a dumb AP (samba, http, etc.).
Um, I'm using OpenWrt just as an AP with an OPNsense.
lan, iot and nvr are 3 VLAN interfaces with different subnets managed by OPNsense.
Every interface has a DNS and gateway set.
Everything is working fine, only that OpenWrt itself routes over the last interface by default, which it should not. So right now only internet on OpenWrt itself is not working.
A virtual local area network (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). In this context, virtual refers to a physical object recreated and altered by additional logic, within the local area network. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is VLANs...
1 Like
However, I recommend keeping an IP address on your dumb AP's br-lan so that you can maintain/manage it, e.g.:
config interface 'lan'
	option proto 'static'
	option device 'br-lan.vlanx'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option delegate '0'
	list dns '192.168.1.1'
2 Likes
Hi
The real difference is the possible attack vector.
For example, you have:
Vlan1 (native) for MGMT, with address set
Vlan20 for GUEST, without address
Vlan30 for IoT, without address
... etc.
So, basically, someone from the IoT/GUEST network could not (easily) attack your dumb AP.
Ok, there is a firewall, but still ... no address -> no attack.
3 Likes
Thanks all for your help!
I will leave the VLANs as unmanaged (iot, guest) and only the VLAN for lan as static. Seems simpler this way.
With VLANs as static, ssh & luci are accessible from all VLANs by default, unless you configure them to only listen on one specific IP.
2 Likes
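The two points above (an addressed VLAN interface is something the AP answers on, and ssh/luci bind to every address unless told otherwise) can be checked mechanically on a dumb AP. The script below is an added example for this thread, not code from any of the posts or from OpenWrt itself. It parses UCI-style /etc/config/network and /etc/config/dropbear text and reports which interfaces carry an address and whether dropbear is pinned to the management interface. The sample configs are constructed; the interface names, VLAN ids and addresses in them are assumptions, not values from any real device.

```shell
#!/bin/sh
# Added audit script for this thread; not code from the posts or from OpenWrt.
# It reads UCI-style /etc/config/network and /etc/config/dropbear text and
# reports which interfaces carry an address (the AP answers at layer 3 there)
# and whether dropbear is pinned to the management interface.
# All sample configs below are constructed; interface names, VLAN ids and
# addresses are assumptions, not values from any real device.

sample_network_strict() {
    # Only lan is addressed; iot and guest are unmanaged (proto none).
    cat <<'EOF'
config interface 'lan'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'none'
	option device 'br-lan.30'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.20'
EOF
}

sample_network_loose() {
    # Same AP, but iot was also given a static address it does not need.
    cat <<'EOF'
config interface 'lan'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.2'
	option netmask '255.255.255.0'

config interface 'guest'
	option proto 'none'
	option device 'br-lan.20'
EOF
}

sample_dropbear_all() {
    # No 'Interface' option: dropbear binds to every address the AP has.
    cat <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option Port '22'
EOF
}

sample_dropbear_lan() {
    # 'Interface' restricts dropbear to the addresses of the named interface.
    cat <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option Port '22'
	option Interface 'lan'
EOF
}

# stdin: network config -> stdout: "<name> <proto>" for every interface
# whose proto is not 'none' (i.e. it has, or will obtain, an address).
addressed_interfaces() {
    awk '
        $1 == "config" && $2 == "interface" { name = $3; gsub("[\047\"]", "", name) }
        $1 == "option" && $2 == "proto"     { p = $3; gsub("[\047\"]", "", p);
                                              if (p != "none") print name, p }
    '
}

# stdin: dropbear config -> stdout: the bound interface name, or "all".
ssh_listen_interface() {
    awk '
        $1 == "config" { sect = $2 }
        sect == "dropbear" && $1 == "option" && $2 == "Interface" {
            v = $3; gsub("[\047\"]", "", v); print v; found = 1 }
        END { if (!found) print "all" }
    '
}

# audit_dumb_ap NETWORK_FILE DROPBEAR_FILE [MGMT_IFACE]
# One WARN line per addressed non-management interface, plus one WARN if
# dropbear is not pinned while such interfaces exist; otherwise an OK line.
audit_dumb_ap() {
    mgmt="${3:-lan}"
    ssh_if=$(ssh_listen_interface < "$2")
    others=$(addressed_interfaces < "$1" | awk -v m="$mgmt" '$1 != m { print $1 }')
    for ifname in $others; do
        echo "WARN: interface '$ifname' has an address but is not the management interface '$mgmt'"
    done
    if [ -n "$others" ] && [ "$ssh_if" = "all" ]; then
        echo "WARN: dropbear listens on every address; set option Interface '$mgmt' in /etc/config/dropbear"
    fi
    [ -z "$others" ] && echo "OK: only '$mgmt' is addressed; ssh bound to '$ssh_if'"
    return 0
}
```

On a real AP you would run `audit_dumb_ap /etc/config/network /etc/config/dropbear lan`. The `option Interface` setting is the stock dropbear UCI option for binding sshd to one logical interface; the equivalent for luci's web server is `list listen_http`/`list listen_https` with an explicit `address:port` in /etc/config/uhttpd. Neither replaces the firewall input policy on the AP, but with iot and guest left at `proto 'none'` there is simply no address on those VLANs for a client to reach.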
The correct answer (solution) to your question should surely go to NPeca75, as they pointed out to you the reason for using VLANs.
As for ssh and/or luci access, it depends on both your main router configuration (whether hosts in the guest zone / iot zone can access resources in lan) and your dumb AP configuration (whether you allow it to accept connections on static IP addresses assigned to your guest/iot interfaces).
It was a pleasure to be able to help you.
1 Like
system closed this topic on August 19, 2023, 7:56pm:
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.