[Solved] Need help creating a dumb wireless AP with Guest Wi-Fi + VLAN (DSA)

Hello everyone,

I made a dumb wireless AP (10.0.0.3, main router IP is 10.0.0.1) with Guest Wi-Fi (192.168.5.1/24) using LuCI because I'm a newbie here. It is the R7800 running OpenWrt 25.12.0, which has the new DSA thing.

I followed these two guides:

Guest Wi-Fi is not working. (Probably because one of the guides wasn't made for DSA.)

I need to create a port based VLAN on LAN port 4, it must be the same subnet/network as the Guest Wi-Fi.

Thanks!

That guide should work if you're creating a guest wifi network specifically on the bridged AP (and not originating on the main router).

That said, can you clarify the following:

  1. Is the main router running OpenWrt (or another VLAN aware firmware)?
  2. If the answer to the above is yes, did you create the guest network on the main router?
  3. If not, the bridged AP will obviously be the device handling the guest wifi routing... in that case, does the guest network need to be used with ethernet + wifi, or wifi only?

Please post the following (from both routers if the main one is also OpenWrt):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

  1. Is the main router running OpenWrt (or another VLAN aware firmware)?

The main router is a very limited ISP modem/router, not VLAN aware, no bridge feature and no Guest Wi-Fi.

  1. If the answer to the above is yes, did you create the guest network on the main router?

I wish I could but I might do that in the future.

  1. If not, the bridged AP will obviously be the device handling the guest wifi routing... in that case, does the guest network need to be used with ethernet + wifi, or wifi only?

Yes, that's what I want, it should be enough for now. Yes, the guest network needs to be used with ethernet (lan port 4 on the router) + wifi.

Thanks! =)

Ok... the solution should be pretty simple, but involves setting up VLANs on your bridged AP. I'll show you the changes that need to be made, but I need to see the configs.

Don’t need to mess with VLAN as DSA already separates the individual lan ports.

Just create a new network on the r7800: 192.168.5.1/24

Basically a copy of the default br-lan just with different ip. (Copy zones etc too)

Unattach lan4 from br-lan and attach it to the new network.

Of course, disable dhcp on your AP. Disconnect/reconnect lan cable if necessary.

That should get you going.

To get total guest isolation you need to limit access to the router/subnets/etc but you can easily google that.

This is incorrect advice. Bridge VLANs are required.

No it’s not. He’s literally connecting the AP by cable to lan4. Just attach that port to the guest network bridge and you’re done.

I think you've misunderstood the OP's goals.

  • The main router is not VLAN capable
  • The OpenWrt AP is running as a bridged AP
  • On top of the bridged AP, the OP wants a guest network
  • The guest network will operate on both wifi and port lan4.

Because of the last requirement, a bridge for the guest network is required. But, more specifically, a bridge-vlan is necessary.

The correct way to achieve this is to leave port lan4 in the existing bridge (br-lan) and then create two bridge VLANs (one for the normal trusted lan with ports lan1-lan3 untagged, and then another bridge-vlan with only lan4 untagged for the guest network).

It is tempting to say that you can simply make a second bridge for the guest network, but this does not work on (most) DSA systems -- DSA typically only works with a single bridge. Therefore, using bridge-VLANs is the guaranteed method to ensure a functional setup.

Maybe I read it wrong, it's late/early here :) Is he using the R7800 as both an AP and router (for the guest network)? At least that's the only way I can see this working in this context, since the ISP router is locked down.

He still doesn't really need to use vlan to achieve what he wants though. Attach Lan4 to guest network, then attach guest wifi to guest network should do the trick.

I have a separate guest network bridge on my R7800. It works perfectly fine.

..or maybe the nomenclature of vlan/network/bridge is a bit confusing. They tend to overlap each other on this forum.

Yes, precisely. There is a "recipe" for creating a guest network on a bridged AP (linked in the OP's first post).

No, this won't work.

A network can only connect to a single 'device' -- that device can be a single wifi radio, a single ethernet port or a bridge. A bridge is essentially a software defined unmanaged switch which allows multiple devices (i.e. 2 or more ethernet ports, 2 or more wifi radios, or ethernet + wifi) to connect to a single network interface.

With that said, a bridge is required if the goal is to use wifi + ethernet. But remember what I said above -- DSA only works with a single bridge. Thus, bridge-VLANs allow a single bridge to be segmented as needed, such as in this case where port lan4 will be for the guest network (as well as one or two wifi radios in an SSID).

It can be confusing. Hopefully my explanation has helped clarify it a bit. I have done this literally hundreds of times, so I am positive that my approach is accurate.

The way I see it:
He needs 2 network interfaces.

The first one is unmanaged and is an AP to the ISP router. To this network a bridge consisting of Lan 1-3 + private wifi is attached.

The second network interface is the guest network. This one has a proper subnet/routing/dhcp. To this a bridge of Lan4 + guest wifi is attached.

I can confirm DSA works with several bridges on my R7800. VLAN bridge filtering can be confusing and most(?) people don't really need it.

This is correct and there is no disagreement.

Many DSA devices do not work with multiple bridges on the same switch chip (i.e. what would be necessary to achieve what you are describing). Some may work, and there also may have been changes under the hood that may have enabled the use of multiple bridges. However, I always recommend the use of bridge-VLANs because it is guaranteed to work and it also adds flexibility. And, as I see it, there is no downside to using bridge-VLANs.

That said, if you have a comparable configuration, could you post it here (only /etc/config/network is required)?

I agree it can be confusing initially, but I think the learning curve is pretty simple on this topic once you have a working config to look at. And, per my points earlier, it offers greater flexibility and has zero downsides (except maybe the initial learning curve). I'll also point out that when I provide a solution, I show the exact edits that need to be made, so simply implementing those (and then looking at the resulting config to understand the full context) is usually a good way for people to see how easy it can be to learn how to use bridge-vlans.

Sorry for the delay

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.12.71",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32713-f919e7899d",
                "target": "ipq806x/generic",
                "description": "OpenWrt 25.12.0 r32713-f919e7899d",
                "builddate": "1772496855"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '00042ad0bd86f7a24870a7481347413927ff'
        option ula_prefix 'fdd5:207:744e::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '10.0.0.3/24'
        option multipath 'off'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option multipath 'off'
        option gateway '10.0.0.1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '161'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'openwrt'
        option encryption 'psk2+ccmp'
        option key 'openwrt12345'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0'
        option band '2g'
        option channel '6'
        option cell_density '0'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'openwrt'
        option encryption 'psk2+ccmp'
        option key 'openwrt12345'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'guest'
        option encryption 'psk2+ccmp'
        option key 'guest12345'
        option network 'guest'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'guest'
        option encryption 'psk2+ccmp'
        option key 'guest12345'
        option network 'guest'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_preference 'medium'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'lan'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option src 'guest'
        option name 'Guest_DHCP'
        list proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'Guest_DNS'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option dest 'lan'
        option name 'Block_Guest_from_Lan'
        list proto 'all'
        list dest_ip '10.0.0.0/24'
        option target 'REJECT'

Thanks.

Create two bridge-vlans:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'lan4:u*'

Edit the lan interface to use device br-lan.1:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '10.0.0.3/24'
        option multipath 'off'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

delete this:

And edit the guest network to use device br-lan.5. Also, the gateway line should be removed and although not required, change the ipaddr line to use CIDR notation and remove the netmask line:

config interface 'guest'
        option proto 'static'
        option device 'br-lan.5'
        option ipaddr '192.168.5.1/24'
        option multipath 'off'

Reboot and test.

EDIT: corrected typo (bridged-vlan -> bridge-vlan)
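
A check for the two mistakes this edit can leave behind, added here as an example and not part of the thread or of OpenWrt: a section whose type is misspelled (`bridged-vlan`), and an interface on `br-lan.N` with no `bridge-vlan` section defining VLAN N on that bridge. The names `lint_network`, `sample_typo`, `sample_fixed` and the `KNOWN` list are this example's own assumptions; the sample config is constructed from the snippets on this page.

```shell
#!/bin/sh
# Added example: lint an OpenWrt network config read on stdin.
# Assumption: KNOWN is the set of section types this check accepts.
KNOWN="interface device bridge-vlan globals route route6 rule rule6 switch switch_vlan switch_port"

lint_network() {
    awk -v q="'" -v known_list="$KNOWN" '
    function strip(s) { gsub(q, "", s); gsub(/"/, "", s); return s }
    BEGIN { n = split(known_list, t, " "); for (i = 1; i <= n; i++) known[t[i]] = 1 }

    # "config <type> [name]" opens a new section.
    $1 == "config" {
        nsec++; stype[nsec] = $2; sname[nsec] = strip($3)
        if (!($2 in known)) {
            printf "ERROR line %d: section type \"%s\" is not recognised\n", NR, $2
            bad++
        }
        next
    }
    # Remember each option so the checks below do not depend on option order.
    ($1 == "option" || $1 == "list") && nsec > 0 { opt[nsec, $2] = strip($3) }

    END {
        for (s = 1; s <= nsec; s++) {
            if (stype[s] == "device" && opt[s, "type"] == "bridge")
                bridge[opt[s, "name"]] = 1
            if (stype[s] == "bridge-vlan")
                vlan[opt[s, "device"], opt[s, "vlan"]] = 1
        }
        # An interface on <bridge>.<vid> needs a bridge-vlan for that bridge and VID.
        for (s = 1; s <= nsec; s++) {
            if (stype[s] != "interface") continue
            dev = opt[s, "device"]; dot = index(dev, ".")
            if (dot == 0) continue
            base = substr(dev, 1, dot - 1); vid = substr(dev, dot + 1)
            if ((base in bridge) && !((base, vid) in vlan)) {
                printf "ERROR interface %s: %s has no bridge-vlan for VLAN %s on %s\n", sname[s], dev, vid, base
                bad++
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample: the layout from this thread with the misspelled section type.
sample_typo() {
    cat <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan4'
config bridged-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
config bridged-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'lan4:u*'
config interface 'lan'
        option device 'br-lan.1'
config interface 'guest'
        option device 'br-lan.5'
EOF
}
# Same sample with the section type spelled as in the corrected post.
sample_fixed() { sample_typo | sed 's/bridged-vlan/bridge-vlan/'; }

echo "== misspelled section type =="
sample_typo | lint_network || echo "-> problems found"
echo "== corrected =="
sample_fixed | lint_network && echo "-> clean"
```

On the device, run it as `lint_network < /etc/config/network` before rebooting; a non-zero exit status means the file should be fixed first.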

Thank you very much. I'm gonna try this right now. I'm coming from DD-WRT / FreshTomato but I feel like OpenWrt has way too much potential to give up. Here are my notes I've been using when creating my WAPs + Guest Wi-Fi + VLAN:

------DD-WRT Wireless Access Point (WAP) Setup:
A secondary router connected via LAN-to-LAN, on the same subnet as the primary router.

1. Hard reset the router to DD-WRT default settings
2. Connect to the router @ http://192.168.1.1
*Do not connect the router to the primary router until setup is complete.
3. Open the Setup -> Basic Setup tab
WAN Connection Type: Disabled
*The WAN port should now work as a LAN port. Avoid using this port with the primary router to prevent collisions after a reset.
*(Optional) Go to Switch Config, move the WAN port from vlan2 to vlan1.
*(Optional) Go to Networking -> WAN Port Assignment, change vlan2 to vlan1.
Local IP Address: e.g. 192.168.1.2 (same subnet as primary router but outside the DHCP range)
Gateway: IP address of primary router
Local DNS: IP address of primary router
DHCP Server: Disable (do not use DHCP Forwarder)
NTP Client: Enable (Canada/Eastern), then save and apply
4. Open the Wireless -> Basic Settings tab
*(Recommended) Set the Network Mode to "N/G Mixed" for 2.4 GHz and "AC/N Mixed" for 5 GHz.
Set the Wireless Network Name (SSID) as desired. (can use the same SSID and password as the main router)
*Do not leave Wireless Channel at Auto.
*Set different non overlapping Wireless Channel on each router. (e.g. 36, 40, 44, 48 or 149, 153, 157, 161 for 5 GHz and 1, 6, 11 for 2.4 GHz)
*Set the Channel Width to 20 MHz for 2.4 GHz and 80 MHz for 5 GHz.
5. Open the Wireless -> Wireless Security tab
Security Mode: WPA2-PSK
WPA Algorithm: CCMP-128 (AES)
WPA Shared Key: =>8 characters, then save and apply
6. Open the Administration -> Management tab
*(Recommended) Info Site Password Protection: Enable, then save and apply

-Enable VLAN on the Wireless Access Point (WAP):
1. Open the Setup -> Switch Config tab
Create a new VLAN (usually vlan3), move the desired LAN ports from vlan1 to vlan3. (e.g. LAN ports 3 and 4)
Save and apply.
2. Open the Setup -> Networking tab
Go to Create a bridge, create a new bridge called br1, turn off STP then save and apply.
Go to Assign to bridge, assign vlan3 to br1 then save and apply.
Scroll down to Network Configuration br1, enter the IP address for br1 (e.g. 192.168.5.1/24).
*Leave "Net Isolation" disabled as it does not work on a WAP.
*Go to Multiple DHCP Server, add a DHCP server for br1. (e.g. 192.168.5.11,192.168.5.244)
*When the DHCP server is set only through Dnsmasq Additional Options, clients connecting to VAPs bridged to br1 may experience a slight delay.
Save and apply.

-Enable Guest Wi-Fi on the Wireless Access Point (WAP):
1. Open the Wireless -> Basic Settings tab
Add two new 2.4 GHz and 5 GHz VAPs (Virtual Access Points).
*In Advanced Settings, enable "AP Isolation" but leave "Net Isolation" disabled as it does not work on a WAP.
Save and apply.
2. Open the Setup -> Networking tab
Go to Assign to bridge, assign both VAPs to br1. (In this case 2.4 GHz VAP is wl0.1 and 5 GHz VAP is wl1.1)
Save and apply.

3. Open the Services -> Services tab
*Go to Dnsmasq Infrastructure and make sure dnsmasq is enabled.
-Put this code in Additional Options, then save and apply:
# br1 DHCP settings
interface=br1
dhcp-option=br1,3,192.168.5.1
dhcp-option=br1,6,1.1.1.1,1.0.0.1
dhcp-range=br1,192.168.5.11,192.168.5.244,255.255.255.0,24h

4. Open the Administration -> Commands tab
Put this code in the commands box and click Save Firewall:
# Enable NAT to give guests internet access from br0
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
# Net Isolation does not work on a WAP so keep it disabled and add this to the firewall
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
# Isolate the WAP itself from guests
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
# Isolate guests from known private subnets
iptables -I FORWARD -i br1 -d 192.168.0.0/16 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -d 10.0.0.0/8 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -d 172.16.0.0/12 -m state --state NEW -j REJECT
# Isolate guests from each other
iptables -I FORWARD -i br1 -o wl0.1 -m state --state NEW -j REJECT
iptables -I FORWARD -i wl0.1 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o wl1.1 -m state --state NEW -j REJECT
iptables -I FORWARD -i wl1.1 -o br1 -m state --state NEW -j REJECT

Make sure all settings have been saved and applied then reboot the router.
Connect a LAN port from the Wireless Access Point to a LAN port on the main router.

If not working, you may have to reboot the PC or "ipconfig /release" then "ipconfig /renew" in Windows.

------FreshTomato Wireless Access Point (WAP) Setup:
A secondary router connected via LAN-to-LAN, on the same subnet as the primary router.

1. Hard reset the router to FreshTomato default settings
2. Connect to the router @ http://192.168.1.1
*Do not connect the router to the primary router until setup is complete.
3. Go to Administration -> Admin Access
Set Username and Password (Username = admin)
4. Go to Basic -> Network
Disable WAN
*(Optional) Go to Advanced -> VLAN, move the WAN port from vlan2 to vlan1.
IP Address: e.g. 192.168.1.2 (same subnet as primary router but outside the DHCP range)
Disable DHCP
Gateway: IP address of primary router
Static DNS: IP address of primary router
5. Go to Basic -> Time
UTC offsets: UTC-05:00 Eastern Time
Upstream Server: North America
6. Go to Advanced -> Virtual Wireless
Set the Wireless Network Name (SSID) as desired (can use the same SSID and password as the main router)
*Do not leave Wireless Channel at Auto.
*Set different non overlapping Wireless Channel on each router. (e.g. 36, 40, 44, 48 or 149, 153, 157, 161 for 5 GHz and 1, 6, 11 for 2.4 GHz)
*Set the Channel Width to 20 MHz for 2.4 GHz and 80 MHz for 5 GHz.
Security: WPA2 Personal
Encryption: AES
Shared Key: =>8 characters, then save

-Enable VLAN and Guest Wi-Fi on the FreshTomato Wireless Access Point (WAP):
1. Go to Advanced -> VLAN, create VLAN 3 (br1), click ok and save.
*Optional: Move the desired LAN ports from VLAN 1 to VLAN 3. (e.g. LAN ports 3 and 4)
2. Go to Basic -> Network
Enter the IP address for br1 (e.g. 192.168.5.1), disable DHCP, click ok then save.
3. Go to Advanced -> Virtual Wireless Interfaces
Create two Guest Wi-Fi interfaces (2.4 GHz + 5 GHz), assign them to br1, click ok and save. (2.4 GHz VAP is wl0.1 and 5 GHz VAP is wl1.1)
*Enable AP Isolation, set wireless settings and security for both Guest Wi-Fi interfaces.

4. Go to Advanced -> DHCP/DNS/TFTP
*Enable "Use user-entered gateway if WAN is disabled"
-Put this code in Dnsmasq Custom configuration, then save:
# br1 DHCP settings
interface=br1
dhcp-option=br1,3,192.168.5.1
dhcp-option=br1,6,1.1.1.1,1.0.0.1
dhcp-range=br1,192.168.5.11,192.168.5.244,255.255.255.0,24h

5. Go to Administration -> Scripts
Put this code in Firewall and click Save:
# Allow new connections from br1 (Needed because VLANs are isolated by default in FreshTomato)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
# Enable NAT to give guests internet access from br0
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
# Net Isolation for FreshTomato WAP (Block access to private LAN IPs from guests)
iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j REJECT
# Isolate the WAP itself from guests
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
# Isolate guests from known private subnets
iptables -I FORWARD -i br1 -d 192.168.0.0/16 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -d 10.0.0.0/8 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -d 172.16.0.0/12 -m state --state NEW -j REJECT
# Isolate guests from each other
iptables -I FORWARD -i br1 -o wl0.1 -m state --state NEW -j REJECT
iptables -I FORWARD -i wl0.1 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o wl1.1 -m state --state NEW -j REJECT
iptables -I FORWARD -i wl1.1 -o br1 -m state --state NEW -j REJECT

Make sure all settings have been saved and applied then reboot the router.
Connect a LAN port from the Wireless Access Point to a LAN port on the main router.

If not working, you may have to reboot the PC or "ipconfig /release" then "ipconfig /renew" in Windows.

The firewall config there isn’t necessary and is also deprecated. You can make the firewall rules using uci instead, per the guest wifi tutorial you linked earlier.

Makes a lot of sense. I tried two times from SSH but after rebooting I can't access the router anymore. Then I have to reset the router and restore my backup. Idk maybe I should try to do the changes from LuCI to avoid getting locked out again?

Thanks!

root@OpenWrt:~# vi /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '00042ad0bd86f7a24870a7481347413927ff'
        option ula_prefix 'fdd5:207:744e::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridged-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridged-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'lan4:u*'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '10.0.0.3/24'
        option multipath 'off'
        option gateway '10.0.0.1'
        list dns '10.0.0.1'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.5'
        option ipaddr '192.168.5.1/24'
        option multipath 'off'

This config looks correct. Is it not working?

Unfortunately not but it does look correct which is strange.

Let’s see the complete config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

And did you create any other firewall rules using methods like you had shown in your notes?