[Solved] Simple VLAN for guest wifi network

Hello all,

Need to ask for assistance because I'm stumped.
I am trying to create a simple VLAN for a guest network over my wifi. Let's say VLAN99.
Got my pfSense and Cisco switch all ready for tagged VLAN99.
I tried creating bridges, VLANs... tried assigning different interfaces, tried tagging and untagging, and nothing works. Very often I lock myself out.

Just need a few tips to help me resolve this.

Thanks a bunch.

It's necessary to know what device and version of OpenWrt you are using, as well as what port is used for the trunk to your upstream network.

Also, is the guest VLAN proven to work when you connect a computer via ethernet to the switch (if you haven't already, create an access port for the guest network and test it) -- it's critical to make sure your main router and switch are both properly configured before you move onto wifi.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

OK, thanks. Here we go. DHCP and FW are not used as we are talking about dumb AP configuration. In case you need those anyway just shout.

"kernel": "5.15.137",
        "hostname": "AP1_radna",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link Archer AX23 v1",
        "board_name": "tplink,archer-ax23-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd1:2e76:2643::/48'
        option packet_steering '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.103'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '10.0.0.101'
        option broadcast '10.0.0.255'
        list dns '10.0.0.101'
        list dns '1.1.1.1'

config device
        option name 'phy1-ap0'
        option ipv6 '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'
        option ipv6 '0'

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel 'auto'
        option band '2g'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'aux'
        option encryption 'psk2'
        option key '*'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'HR'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'internjec'
        option encryption 'psk2'
        option key '*'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'mgmt'
        option encryption 'psk2'
        option hidden '1'
        option key '*'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'guest'
        option encryption 'psk2'
        option key '*'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

You will use DSA syntax with bridge VLANs.

Thank you Sir.
Could you please just tell me: if I use the existing bridge and want to add VLANs to it, do I have to have VLAN1? Is it mandatory or not?

VLAN 1 -- as in the actual VLAN ID 1, is not required. It can be any valid VLAN ID. However, all network interfaces that use br-lan must be edited to use br-lan.x where x is the VLAN ID.

I can give you specific edits, but I need to know the VLAN-port membership (and tagging status per VLAN on each port).

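Added example, not part of the original replies: a sketch of the DSA bridge-VLAN layout described above, applied to the posted Archer AX23 configuration. It assumes (none of this is stated in the thread) that `wan` is the trunk port to the switch, that the existing LAN travels untagged as VLAN 1 and the guest network tagged as VLAN 99, and that the new interface is named `guest`.

```uci
# /etc/config/network (only the sections that change or are added)

# Existing bridge stays as posted; VLAN filtering is switched on by
# the bridge-vlan sections below.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        # untagged + PVID on every port, so the current LAN keeps working
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'wan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        # assumption: 'wan' is the trunk; guest frames are tagged on it only
        list ports 'wan:t'

config interface 'lan'
        # was 'br-lan'; once bridge VLANs exist it must name the VLAN
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.0.0.103'
        option netmask '255.255.255.0'
        option gateway '10.0.0.101'
        list dns '10.0.0.101'

config interface 'guest'
        # hypothetical name; unmanaged, so the dumb AP only bridges VLAN 99
        option device 'br-lan.99'
        option proto 'none'

# /etc/config/wireless (the posted 'wifinet3' has no 'option network')

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'guest'
        option encryption 'psk2'
        option key '*'
        # attach the guest SSID to the VLAN 99 interface defined above
        option network 'guest'
        # optional: block traffic between wireless clients on this SSID
        option isolate '1'
```

With proto 'none' the AP takes no IP configuration on VLAN 99, so guest addressing and filtering stay on the pfSense side. Making the change from a wired port that remains untagged in VLAN 1 keeps management access if the trunk tagging turns out to be wrong.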

Thank you Peter.
What I did was add VLAN ID 1 anyway and 99 right below. Changed my br-lan interface to br-lan1 (which is the answer, btw, as I've never done that before) and it works. Will leave it that way as I plan to add another VLAN and see where it takes me.

Great.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :)
