Unfamiliar Network Help

Untitled Diagram.drawio

Hello, there OpenWrt community. I've been using OpenWrt for quite some time now, but just recently moved into a new apartment complex and I'm slightly confused on how to set my settings.

In the attached diagram, all of the arrows represent SINGLE ethernet cables from one device to the next.

My ISP in this building just has one ethernet cable coming through to my unit. Rather than picking my living room or my bedroom, I wanted to utilize both so I grabbed an unmanaged switch.

Now, I have a Netgear RAX70 that I use as an access point set at 192.168.1.2, which is connected to the unmanaged switch.

My OpenWRT router (RC7800) is connected to the switches well.

I'm not quite sure how to get my OpenWRT to talk to my access point. I have the access point connected to a LAN port.

I did have it working for about... a minute before, for some reason, I lost the WAN connection.

A few questions I have:

  1. On my Access Point, I SHOULD be using the LAN port to connect to the unmanaged switch, yes?

  2. On my OpenWRT, which port should I be using? WAN or LAN?

  3. How should I be configuring the OpenWRT is serving as my main router (connection to WAN, DHCP, DNS)? I imagine it's more of a Switch configuration than an interface configuration, but I could be wrong.

  4. Is it possible with this unmanaged switch set up or am I trying to do something that's not possible? My ISP said the unmanaged switch is something they recommend to their customers if they want to take advantage of both ethernet ports in the unit.

Thank you very much.

If you connect an unmanaged switch that way then all ports on the switch should be considered WAN ports that you shouldn't trust and you should have a firewall on all devices connected to the switch. If you want devices on the AP to access resources on the router then you should set up and use a VPN server on the router.

2 Likes

You may want to look at VLANs (which require a VLAN aware smart/managed switch; the unmanaged switch is not suitable for this purpose), and/or run some additional cables. As was stated earlier, you should treat the connection from the building as a WAN -- untrusted. Your current physical topology doesn't make it possible to have the two Netgear devices work together as a trusted network.

1 Like

This makes perfect sense because if I plug in routers with factory settings, they both have their own public IP addresses.

I do have a managed switch I could put in there and create a single VLAN. I would specify 1 port as WAN and the rest as part of VLAN.

If I do this, I think I'd still need help on:

  1. Which OpenWrt port should the ethernet cable running from the managed switch be using?

  2. How should I be configuring my OpenWrt Switch and/or interfaces?

Thanks, again. [=

Where are all the devices physically? Can you not connect your router directly to the incoming cable and then connect that to the AP?

hi @zero.builder

from my point of view, whatever you do, you are doomed to sinlge ETH cable
so, your devices need to be capable (at least main router) to use tagged vlans on WAN port

I really wanted to be able to do this, but... the switch is the only thing I could get to fit inside the panel. The panel runs two wired connections to the rest of my apartment. I have an ethernet port in my living room and one in my bedroom.

This is what I'm stuck on, I think. This is the first time I've had to configure OpenWrt to use a single ethernet cable. I have an R7800, which I think has that capability, but I'm unsure on how to configure it.

i hope you have some sort of full managed switch. Why ? if you have some sh*** tp-link or similar cheap web/easy managed switch, you are open to whole world. As you say, both devices get PUB IP, so in cheap managed switches you could never turn off native vlan1 and your cheap switch will be exposed to PUB
good recipe for disaster

ok, neither i am sure. I using OWRT with older devices which use SWCONFIG
now some are migrated to DSA, some stay in SWCONFIG
but i could describe you and then you could try by your own

so, my idea is
leave the unmanaged switch as it is

on main AP leave native vlan1 as it is , untagged
on top of that , add another VLAN, for ex Vlan10

on dumb AP turn off WAN dhcp portition. you dont need PUB IP on AP2
instead, make Vlan10 on AP2

this Vlan10 will be used for communicating between AP1 and AP2

what is a drawback ?
everyone in building who like to make a mess on NET could scan your Vlan10
at least, if everywhere in buildings are dumb switches

Do not use the unmanaged switch if you are going to use VLANs.

1 Like

We can get to the details about how to configure your switch later, but lets start with this: what brand and model is your managed switch?

1 Like

Unfortunately, I think I have a rather cheap-o switch. It's a NETGEAR GS105Ev2.

Actually, AFAIK, the Netgear switches are okay. The TP-Link entry level smart switches have some major flaws in their implementation (I have one of these sitting in my closet and I don't use it much for that reason).

To clarify, you have a Netgear RC7800 running OpenWrt and an RAX70 that is running the stock firmware, correct?

And then from a physical topology perspective, you can't run any additional cables -- you're stuck with 1 cable to each of the Netgear devices, all coming together in the panel where you are able to fit a switch, but that's all. Do I have that correct?

Yes. Everything you are stating is correct.

There can be a bit of a chicken or egg situation with setting some of this stuff up, and there are situations where you can get locked out of your gear and have to reset things. So start simple and build your way up to the full solution.

Here is what I would suggest as a template. You can change VLAN IDs and ports if you want, but just giving a framework here:

  • WAN (from building) > GS105Ev2 Port 1.
  • GS105Ev2 Port 2 > RC7800 Port 1
  • GS105Ev2 Port 3 > RAX70 Port 1

VLAN Strategy:
VLAN 10 = WAN
VLAN 1 = LAN

GS105Ev2 VLAN configuration:

  • VLAN 10 untagged on port 1 + PVID VLAN 10 on port 1
  • VLAN 10 tagged on port 2
  • VLAN 10 disabled on all other ports
  • VLAN 1 tagged on port 2
  • VLAN 1 untagged on port 3 + PVID VLAN 1 on port 3.
  • VLAN 1 optionally untagged on ports 4 and 5 + PVID VLAN 1 on those ports, if in use.
  • VLAN 1 disabled on port 1.

Netgear RC7800 OpenWrt Configuration (do this while physically connected to anything other than port 1)

  • Create VLAN 10 on the switch, assign it as tagged on port 1
  • Change VLAN 1 to tagged on port 1.
  • Edit the WAN interface > General Settings > Device. Select the switch VLAN that is VLAN 10 (this may show up as ethx.10 or switch0.10 or something like that).

Once you make the connections, things should start working.

1 Like

@psherman Thank you very much for the instructions. I'll work on them in a bit. One thing: which PVID should port 2 be on 1 or 10? Unfortunately, there isn't an option to NOT have it on one.

Setting the PVID on each port requires 2 steps on those Netgear switches (described in a moment). The PVID (Port VLAN ID) sets the active untagged network on a given port (sometimes also called default, or native network on the port). You can only have a single untagged network active on a port at any given time. On some switches, you can actually set multiple networks to be available as untagged on each port, but as I mentioned, you can only have one active untagged network at a time, and it is the PVID setting that selects which one is active.

On the Netgear switch, you will go to the VLAN page and set each port to be a member of the VLAN as Tagged or Untagged; or you can set the port so that it is not a member of a given VLAN (depending on the implementation/firmware, it is either blank or Exclude.).

So...
Set VLAN 1:

  • T on port 2
  • U on port 3
  • optionally U on ports 4-5

Set VLAN 10:

  • U on port 1
  • T on port 2
  • Off (blank or E) on ports 3-5

Then set the PVIDs:

  • Port 1 = PVID 10
  • Port 2 = PVID (blank if you can, otherwise 1)
  • Port 3 = PVID 1
  • Ports 4 and 5 = optionally PVID 1
1 Like

Hey, there. Working on this part on my OpenWrt right now.

I did as you said, but there doesn't seem to be a device for e*.10 switch. Maybe I am missing other values below?

Should be a simple fix. Change vlan 10 to tagged on the cpu (instead of off)

1 Like

I assume you mean the eth1, but just wanted to make sure...