SOLVED: Guest (W)LAN through router cascade

Hello,

I've got an AVM Fritz!Box 7490 (not the scope of this thread!) coming along with my DSL account for free from my provider. The Fritz!Box comes with a nice feature: It's got an easy to configure feature that separates the internal LAN (and WIFI) from a so called guest-(W)LAN. Therefore, the integrated switch has 3 internal LAN ports and a 4th that is dedicated to the guest network. To make that a complete feature, the Fritz!Box also spawns two different SSIDs. This is all based upon VLANs and works perfectly fine, if you're in small home. But I've got the problem that I have to cover a slightly bigger home...

So, what I'm trying to accomplish is to connect a LEDE-based router (preferably TP-Link Archer C7 AC1750, as I've already got some of them...) to the Fritz!Box, using two "uplinks", one for the internal and the other for the guest network. This router should then a) again spawn the two SSIDs for WIFI b) have at least one LAN connector for each of the VLANs (where I could optionally connect devices) and c) a trunkt port for cascading down to the next router.
The second router could then be connected to the trunk as it's WAN-port and on the other side supply the rest of the network with the features a), b) and c) again. Accordingly, this should be extensible with another level again... and again...

I've created a little schamtic picture of what I mean:

Simplified_Scheme

I already was able to create a guest network on a single router - but when it comes to VLANs I'm kinda newbie and all my tries ended up with having to factory-reset my devices :disappointed_relieved:

So my questions are:

  1. Is this possible at all? Or am I totally wrong with my understanding of how VLANs work?
  2. Anyone who can explain me, how to configure my routers to accomplish what I want?
  3. Does anyone know good explanations on VLANs in general and/or with LEDE / OpenWRT as the system? At best, I'd prefer it in german - but english is ok, too :sunglasses:

Bart Simpson

It's possible but you should configure the LEDE devices as wireless access points instead of routers. And they only need one IP address each, probably in VLAN #1, for access to the web interface and ssh.

Yes, all the Archer C7's will be "dumb" in this scenario. They will distribute user or guest traffic back to the Fritzbox, which makes all routing and firewall decisions. Read the dumb AP guides about turning off the DHCP server and not using the WAN network.

You will need to create a new network interface to bridge the guests from their wifi AP to the VLAN on the cable and ultimately to the Fritzbox. This network should be "Unmanaged", having no IP address, so that guests cannot reach the router OS.

Each Archer C7 will have two VLAN's in the switch. The ports that go to a trunk cable or to the router CPU (for administration and wifi access) are tagged in both VLANs. The ports that go to / from the Fritzbox or to ordinary user devices (LAN or guest) are untagged in that VLAN and off in the other one.

Before starting to set this up, set up a LAN or management AP on wifi, connected to the LAN. Set the LAN IP's to a unique number for each C7. Know how to set a static IP on your PC's wifi. Then you can log into the routers by wifi if the Ethernet is mis-configured.

Thanks for your replies!
I was now able to get some basic setup working, but not completely yet...

What I've achieved so far is:
The "wired" part of my config is working - I have separate VLANs and I'm getting the Fritzbox in each of them.

The problem now lies in setting up the wireless part...
I could do something like the following in the wireless config:

config wifi-iface
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'InternalWifi'

That works like a charm regarding that the associated SSID belongs to the internal devices section (i.e. the green part in my image). But how do I set up the other WLAN? I either get it into the internal network, too (what is just wrong) or without any uplink at all...:roll_eyes:

So, how do I tell a wireless network, that it belongs to one specific VLAN? I supposed it can somehow be managed via defining another interface in the network - but I do not know how to do that correctly... Seems like I missed some basic understanding regarding that. :disappointed_relieved:

So, how do I tell a wireless network, that it belongs to one specific VLAN? I supposed it can somehow be managed via defining another interface in the network - but I do not know how to do that correctly

You wrote that the wired part of the config is working. Doesn't that mean you already have added another interface, maybe called "guest". Otherwise I don't understand how the wired external devices can work.

You wrote that the wired part of the config is working. Doesn’t that mean you already have added another interface, maybe called “guest”.

Yes, the wired part is working - but maybe in a way it isn't supposed to in my case :wink:

I achieved this just by having one interface called 'lan' and setting up the switch config in a way, so that the ports are either tagged, untagged or off in the desired VLAN. So in my eyes, no further setup neccessary for that - it just did the job.

But maybe I missed the point at your and mk24's explanations... As I wrote in the OP, I do not have a broad knowledge on VLAN techniques. Despite that, I'm not a complete newbie in networking techniques. But all VLAN-tutorials I found until now, work in a way that doesn't really help: Half of them tries to achieve on specific setup and does so by telling you "do this... and that...and then that" - but no explanation of the why's. That makes it very hard to transfer the gained knowledge to a new problem case. And the other half tells you, that it's all about the tags in the headers - but no word about how to do get your equiment set up for doing it... :face_with_raised_eyebrow:
Especially in the context of LEDE and/or OpenWrt, there seems to be no really covering tutorial - but correct me, if I'm wrong :wink:

No problem, configuring the VLAN switch as you have done is enough to get the guest vlan untagged on an Ethernet port. But for WiFi you need to define a guest interface and use it in a guest WiFi SSID your create. This will create an Ethernet bridge containing the vlan and the guest WiFi. But the guest interface doesn't need any IP address since the device doesn't need to do any routing which will be handled by the fritzbox.

Hmmm.... More and more, I'm starting to think, I've got less understanding of networks than I thought... :wink:

First of all, I do not understand, how I set up an interface with no IP at all. As far as I understand the docs, the option proto is a must have...
The second problem problem is, that whenever I introduce a 'guest' interface of type bridge that uses eth1, I can no longer connect to the device and therefore have to reset it (i.e. failsafe mode + reset config).
Currently my config is quite near to the default - I've got a 'lan' interface and the vlan's configured via switch:

config interface 'lan'
  option ifname 'eth1'
  option force_link '1'
  option type 'bridge'
  option proto 'static'
  option ip6assign '60'
  option ipaddr '10.11.12.10'
  option netmask '255.255.252.0'
  option gateway '10.11.12.1'

config switch
  option name 'switch0'
  option reset '1'
  option enable_vlan '1'
  option mirror_source_port '0'
  option mirror_monitor_port '0'

config switch_vlan
  option device 'switch0'
  option vlan '1'
  option vid '1'
  option ports '0 1 2 4t 6'

config switch_vlan
  option device 'switch0'
  option vlan '2'
  option vid '2'
  option ports '3 4t 5'

What am I doing wrong? Can you / somenone tell me, what config entries I'd have to set for my case?
Thanks in advance!

It appears that you have made eth1 the lan for priveleged users and eth0 is the guest.

A wifi AP cannot be linked directly to an Ethernet port. It needs to go intermediately through a bridge in the kernel. Thus you create a "guest" interface. Option protocol is required, but "option protocol none" exists for this purpose.

config interface 'guest'
    option type 'bridge'
    option protocol 'none'
    option ifname 'eth0'

Then in wireless, attach the guest's AP to the guest network.

brctl show will show the bridges that have been set up. You should have two: br-lan and br-guest, with one ethernet port and one wifi AP in each one.

According to the openwrt wiki (https://wiki.openwrt.org/toh/tp-link/tl-wdr7500#port_map) port 6 in the switch is eth0, and it should be connected to vlan 2 I think:

config switch_vlan
  option device 'switch0'
  option vlan '1'
  option vid '1'
  option ports '0 1 2 4t'

config switch_vlan
  option device 'switch0'
  option vlan '2'
  option vid '2'
  option ports '3 4t 5 6'

Hey guys! I have to thank you all! It just works now :smiley:

It's just as almost always: As soon as you understand, what's going on under the hoods, it suddenly looks kind of easy...
Just a litte summary in case someone else has the same problem:

  • The "router(s)" is now configured just as a dumb switch (and dumb access point for wifi). That's why I put it in quotation marks here..
  • It has only one IP for management purposes.
  • The switch config defines which ports are either in the private or the guest VLAN - or whether they are trunk ports for connecting to the next "router"
  • There is one interface ('lan') defined as bridge on eth1 having a static IP
  • There is another interface ('guests') defined as bridge on eth0 with no IP *)
  • The wifi networks are bound to 'lan' respectively 'guests'
  • (The final trick:) eth0 and eth1 are mapped to the corresponding VLAN (via switch config), too. (That seemed to be the point I was missing all the time... :smirk:)

This setup is kinda usefull as I removed the predefined interfaces for WAN and WAN6. I therefore can now also use the WAN port just as a normal switch port (what means it can be VLAN1, VLAN2 or a Trunk).
Furthermore it's possible to build a rather complex cascade of "routers" just by changing the switch port configuration and thereby changing the port's belonging to VLAN1, VLAN2 or Trunk.

*) This is one point, I don't fully understand: The docs say, that setting option proto to 'none' means "Unspecified protocol, therefore all the other interface settings will be ignored (like disabling the configuration)"
Maybe this is a bit misleading - but I thought that means it's just (kind of) off... :face_with_raised_eyebrow:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.