[SOLVED] In a right muddle - V21, VLANs and Wifi + h/w switch

Hi,

h/w: Linksys WRT3200acm + NG NK R8000 + Gl.Net-AR150 + TPLink smart switch + NG 8 port smart switch.

Physical layout:

I am aiming to create two VLANs. LAN and GUEST over both Wired and Wireless, spanning all of the switches/routers, so that they share a single DHCP server etc. Only DNS needs to transit to the LAN.

Start on the positive. I managed to configure the wired VLANs through the 2 switches and get the Linksys WRT to play along. (After LOTS of fiddling and struggling with V19 docs and howtos not working).

I have become stuck with the Netgear Nighthawk R8000. Surprisingly its Wifi works, all 3 radios and I get up to 500Mbit on radio 2. I can also get it to work on VLAN 1.

The issue is assigning wifi (or anything?) to VLANs. The R8000 has a "single interface 4 port hardware BCM switch".

By default OpenWRT attaches to eth0.1 (VLAN 1). On the hardware switch eth0.1 is set as tagged on CPU. If I add my "Guest" VLAN (3) I get an eth0.3. However there is clearly some confusion as to what eth0.3 is. Most times it seems to default to a Software VLAN. Other times it's a "Switch VLAN". When I have managed to create it as a "Network Device" and it shows as "Switch VLAN eth0.3", placing an interface on it and trying to assign a wlan radio to it... doesn't work.

tcpdump shows the radio/wlan dhcp packet arrive, but it does not appear on the eth0.3 vlan port OR on eth0 switch at all. It just disappears.

I also tried creating a software VLAN 3 on a new bridge as br-guest.3 and bridging it with eth0.3 but... no switch forwarding from Wifi on "guest" network via that bridge either.

Yet eth0.1 works fine for "LAN" zone traffic.

Don't worry about the name descriptions too much; this is just LuCI trying to keep track of what you have set in the switch. The interface name and VLAN number are what matter.

On the switch page, create a new VLAN numbered 3 and make it tagged on both the CPU port and the uplink trunk cable. Also it's a good idea to make VLAN1 also tagged on that cable and change the upstream switch to egress tagged packets in both VLANs.

Create a new bridge named br-guest and place eth0.3 as its only port. This bridge will eventually connect the wifi driver to the Ethernet port, but the wifi connection is made indirectly from the wireless page.

Create a new interface named guest of protocol Unmanaged and make br-guest its device. Note you don't use a VLAN number here. Guest traffic goes through the guest bridge untagged since the designation of eth0.3 in the bridge causes the Ethernet driver to add and remove tags on the way between the bridge and the Ethernet port. The protocol Unmanaged makes this only a layer 2 bridge which will take packets from the wifi and send them unchanged to the Ethernet port (which will then add a VLAN tag of 3). You generally don't want an AP to hold an IP address on the guest network, as that would only help guests try to hack into layer 3 services in the AP. Since there is no layer 3, you don't need a firewall zone for this guest interface. It is basically a dummy holder to force the br-guest to actually be created. If you don't have any network the bridge won't be created.

Finally in the wifi config, specify guest as the network for the guest AP.

1 Like
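
The steps in the answer above, written out as the UCI configuration they produce on a swconfig device running 21.02 (an added example, not either poster's actual config). The switch port numbers, radio name, SSID and key are assumptions to adapt; the untagged spare port on VLAN 3 follows the original poster's finding in the follow-up reply.

```uci
# /etc/config/network
# Assumed port numbering: 5 = CPU (eth0), 0 = uplink trunk,
# 1-2 = ordinary LAN ports, 3 = spare wired port. Check the Switch page
# for the real numbers on your device.

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	# VLAN 1 tagged on CPU and on the trunk, untagged on the LAN ports
	option ports '5t 0t 1 2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	# VLAN 3 tagged on CPU and on the trunk; the untagged spare port is
	# what made eth0.3 stop showing as a missing interface in the follow-up
	option ports '5t 0t 3'

# Bridge whose only wired port is eth0.3; the wifi side is attached
# from /etc/config/wireless, not listed here
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.3'

# "Unmanaged" in LuCI is proto 'none': layer 2 only, so the AP holds
# no IP address on the guest network and needs no firewall zone for it
config interface 'guest'
	option device 'br-guest'
	option proto 'none'

# /etc/config/wireless
# Section name, radio, SSID and key are placeholders
config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'psk2'
	option key 'CHANGE-ME'
	# Attaches this AP to br-guest through the guest interface
	option network 'guest'
```
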

Thanks.

I got it working.

I had the setup as you suggested and it wouldn't work, kept saying that eth0.3 was a "Missing interface".

Then I noticed, this time around VLAN 3 was only configured as Tagged on CPU and Port 1, it was not untagged on any port and it seems the switch decided not to bother. I added it to an unused wired port and up it came.

Works great.

Again on the R8000. I tested it from the bedroom and still got 280Mbit/s and full 70Mbit internet, even through a wall and doors, which is the best 5GHz I have seen so far in this house. Hopefully with a bit of tuning the WRT3200acm can deliver too. At the moment it's behaving a bit suspect, not accepting a few devices on 2.4GHz or worse accepting them, but not flowing traffic to or from them. I don't seem to have luck with Wifi access points.
