Using Router as just AP and Managed Switch

Installing and Using OpenWrt Network and Wireless Configuration
#1

I am in the process of offloading SQM and other Layer 3 services from my Linksys router to an x86 box, leaving the Linksys device just acting as a managed switch and AP. The x86 device will act as router and firewall and also provide DHCP. There will be two VLANS extended onto the Linksys switch/AP, one for regular LAN '101', one for Guest Wifi '102'.

To setup the VLANs I have followed the instructions here: https://openwrt.org/docs/guide-user/network/vlan/extend_router_ports_managed_switch This is fairly straight-forward.

I have a few questions I hope you can help with however:

  1. How do I attach the wireless interfaces on the Linksys to the VLANs? Do I create software bridges to do this? (i.e. create a 'LAN' bridge with the Wireless interface and the 101 VLAN interface, and a 'Guest' bridge with the Guest wireless and 102 VLAN interface? Is that all that is required?

  2. How do I completely disable the firewall on the Linksys device? Apart from the bridging of the Wireless connections I want this device to be essentially be a dumb device, not filtering any traffic.

  3. If I want to maintain a single LAN port on the Linksys device for direct Luci/SSH access in case of fudged VLAN config (static IP and DHCP) how do I configure this interface? Do I just create an interface and attach it to the port directly with no VLAN (i.e. eth0.5)?

Thanks in advance!

Some questions on setting up OpenWrt as managed switch and AP
#2
  1. Mostly yes.
  2. If you have luci System>Startup>firewall disable.
  3. Interface for SSH don't require anything more than disabling DHCP functionality, as you are moving it to x86 machine.
#3

Thanks for that. Re.3 - I mean SSH access to the linksys (Access Point) in case I need to reconfig that device with the rest of the network down.

#4

To have access to AP you have to know its IP. The easiest way to do that is by setting it static. As it is at the moment. You probably want that address to be in vlan 101 so the bridge you will make for that vlan and wifi have to have static address and no dhcp enabled on it.

#5

Got you - so then I can use any physical port assigned to VLAN 101 to access the router by manually configuring IP address on the client and hitting the static IP of the router.

I was trying to be too clever - creating a whole other VLAN purely for management that would have it's own IP range, DHCP etc... on a dedicated port, just because I'm lazy and hate having to manually config adapters in Windows :smiley:

#6

yep

You can assign one port to 3th vlan just for management and have dhcp server on the ap just for this vlan.

#7

So this is what I want to acheive... I find diagram easier to work with!

image

One thing I an confused about - for the interface "br-guest-wifi" on the AP, if I don't want the AP to have an IP address on this interface at all, is that possible?

To see it bigger: Right Click -> Open image in new tab

#8

Yes, it is. If you are configuring with luci, on any interface when editing there is a dropdown menu beside protocol. Choose unmanaged there. Or alternately, when you are creating new interface, the menu is besides "Protocol of the new interface"

#9

Awesome thanks.

And are my VLAN configs right? So in full it would be:
vlan, eth0.1, eth0.2, eth0.3, eth0.4, eth0.5
100, untagged, untagged, untagged, untagged, off
101, tagged, untagged, untagged, untagged, off
102, tagged, off, off, off, off
103, off, off, off, off, untagged

#10

In Linux eth0.{some number} denotes tagged vlan interface with id {some number}. I assume that you are using these to denote AP Ethernet ports. Am i right?

Having that assumption in mind, no. You have to know which port is directly conected to the CPU of the AP. Everything there should be tagged. What is vlan 100 for? You can't have more than one untaged vlan on one port. Some CISCO purists will argue that even one untaged and few taged is wrong. In your case i'll mostly agree with them.

Wath is your Linksys model?

#11

Yes my bad on the notation there. Should be Port1... Port5 rather than 0.1...0.5

The notation on the Switch config page in Luci lists the ports as:

CPU (eth0), CPU (eth1), LAN1, LAN2, LAN3, LAN4, WAN

It's a WRT3200ACM.

My understanding was that there needed to be a VLAN on each port to handle traffic that arrives untagged? So traffic arriving untagged on port1 would be tagged as VLAN 100? Is that not needed?

#12

It's not needed to my knowledge. I don't have any untagged vlan on my trunk port which is connected to a managed switch.

Apparently pvid is set to 0 in this case, according to swconfig dev switch0 show. But I'm not sure if it means pvid is disabled or something else.

https://openwrt.org/docs/guide-user/base-system/basic-networking

†Typically defaults one of the VLAN tags associated with the port. Logic not clear when there are multiple VLANs on the port. '0' can occur. Certain values have been rejected; logic not clear on limitations.

#13

Thanks for that - I'll give it a go configuring this with LUCI without VLAN 100 and see what config I end up with.

One further question. I believe the hardware layout of the ethernet ports in the WRT3200ACM is a single switch with 5 ports. So why do I have both eth0 and eth1 CPU interfaces? Does this mean there are 2 physical interfaces to this switch from the CPU, or am I misunderstanding how this works and eth interfaces are virtual constructs?

#14

Yes that's right. This gives better performance during routing but is less relevant during AP usage

#15

OK cool - that actually makes everything make a lot more sense. Think I'm on top of it now.

Will report back this evening when I've had chance to test it out.

#16

OK - sorry, another question!

If I go with the above configuration and I connected an unmanaged device to the eth0 port of the x86 router - like a client device - what would happen? Is this where the pvid setting is important? So ideally I'd want untagged packets arriving on that port to go into VLAN101? Or should I create a new interface just on eth0 (no VLAN) to handle this?

#17

If you want untagged ports going to vlan101 you set up a port on the switch to participate in vlan101 untagged, and then make eth0 tagged for vlan 101 and make your LEDE interface connect to eth0.101

if you want to make eth0 by itself be its own interface, set up a port on the switch untagged for vlan 0 and make eth0 untagged for vlan 0 (I think vlan 0 is ok, otherwise you can actually use vlan 101 here as well maybe but make eth0 untagged)