VLAN and isolated Wifi

Hi!

I am new here and new to OpenWrt, and I feel really dumb asking the question I am about to ask, but I just cannot understand how I can get this working. I am moving from Ubiquiti to OpenWrt.

So, my scenario:

I have 3 OpenWrt units that should act as Wi-Fi access points and managed switches, and that are connected to one another via cable.

https://romait-opentelemetry.revision.app/api/svg/9MghjCuEAQ3f
Simple diagram

I have a fiber media box providing Internet to LAN1 on an OpenWrt router. The router has 4 LAN ports (again, Lan1 = WAN). The OpenWrt router does have 4 different Ethernet adapters, so no virtual ports here. Lan2, Lan3 and Lan4 are bridged. Lan1 is used for a DHCP client interface, and the bridge is used for an interface with a static address (192.168.1.1).

Also, the router is connected to two other OpenWrt units that provide Wi-Fi, and it is also connected to my office (which is in the garage).

What I want to achieve is the following:

  1. Provide a separate Wi-Fi for office work; this Wi-Fi should be accessible from all access points (OpenWrt).
  2. Provide a VLAN to my office, which is located in the garage.

I don't know if that makes sense, but I have a really hard time understanding how I can make a VLAN in this scenario.

The configuration on the two OpenWrt units that are connected to the first one basically has only one device (a bridge that connects all 3 Ethernet adapters) and one interface that is a DHCP client using the bridge.

I am super grateful for all help I can get, this drives me crazy.

The image is not zooming, so it's impossible to read.
What you want is possible. Some examples from the wiki.

Hi, here comes the image link: https://romait-opentelemetry.revision.app/api/svg/9MghjCuEAQ3f. It's an SVG, and it's a work in progress.

OK, but that sounds good. Thanks for the examples, I will check them out.

@trendy how does this work?

Assume I have 3 OpenWrt units, where the first unit is the router and the 2nd and 3rd are directly connected to the 1st. The wired VLAN connection I need to establish is from the 2nd OpenWrt unit.

Will I:

  1. Set up a VLAN on the 2nd OpenWrt unit, providing the VLAN to the correct RJ45 outlet?
  2. Set up VLAN filtering according to your link on the 1st and 3rd?
  3. Set up Wi-Fi on all nodes and provide an interface that has the VLAN?

Hi, I have a similar setup to divide work/personal devices onto different subnets/VLANs. Since the image is not opening for me, could you also paste your /etc/config/network here (without private information)? What devices are you using, and which OpenWrt version?

Here comes the image as an actual image (I don't know why it didn't work, sorry for that).

Regarding the config:
here it goes - link. I don't know exactly what you are looking for, which is why I am pasting my entire config. Right now it's at factory settings; I have not even set up the wireless LAN yet, since I was about to use the EasyMesh functionality, but that seemed not to allow me to choose another interface for the different wireless SSIDs.

The units I am using are the following:

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
------------------------------------------------------------------------
That being said, the principle is that you allocate one VLAN for home+management and one for work, let's say 10 and 20 respectively.
In the main unit, VLAN 10 is untagged and native (PVID) on all LAN ports. VLAN 20 is tagged on lan2 and lan3 and is not a member of the other ports.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Port flags: a bare port is tagged, ':t' tagged, ':u' untagged, ':u*' untagged + PVID (native).
# Home/management vlan: untagged + PVID on every port.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# Work vlan: tagged only on the trunks towards the remote units; the other ports are not members.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:t'
	list ports 'lan3:t'

Create a new interface for the work VLAN (device br-lan.20) with the necessary DHCP server and firewall zone settings.
On the remote units now, add wan to the bridge; make VLAN 10 untagged and native on all ports, and VLAN 20 tagged on wan.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

# Home/management vlan: untagged + PVID on every port, including the uplink (wan).
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'wan:u*'

# Work vlan: arrives tagged on the uplink only; the wifi SSID is attached to the br-lan.20 interface.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'wan:t'

The work VLAN can be unmanaged there, so you don't need to add a DHCP server or a firewall zone.
Last but not least, add an SSID to the new interface for the Wi-Fi.
Best of luck!
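A small lint for the plan above, added here as an example; it is not code from the thread or from OpenWrt. It parses bridge-vlan sections as they appear in /etc/config/network and flags the mistakes that most often lock you out of a DSA build: a bridge port left without a PVID, the management VLAN not native on every port, a non-trunk port carrying the work VLAN, or a port untagged in two VLANs. The sample it checks is constructed (lan1 and lan4 listed without a flag in VLAN 10, which makes them tagged and leaves them with no PVID); the names render_plan, parse_uci, split_port and check_plan are my own, and the port-flag semantics assumed are the documented ones for OpenWrt 21.02 and later (bare port = tagged, ':t' tagged, ':u' untagged, ':u*' untagged plus PVID). The remote-unit plan is checked the same way with trunks={"wan"}.

```python
"""Lint an OpenWrt (DSA, 21.02+) bridge-vlan plan before you apply it.

Added example, not code from the thread or from OpenWrt. Assumed port-flag
semantics are the documented ones: bare port = tagged, ':t' tagged, ':u'
untagged, ':u*' untagged + PVID. A bridge port without a PVID drops untagged
ingress, which is how a management session on an access port goes dark.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def render_plan(bridge, ports, vlans):
    """Emit /etc/config/network text for a bridge and {vid: [port specs]}."""
    lines = ["config device", f"\toption name '{bridge}'", "\toption type 'bridge'"]
    lines += [f"\tlist ports '{p}'" for p in ports]
    for vid, specs in vlans.items():
        lines += ["", "config bridge-vlan", f"\toption device '{bridge}'", f"\toption vlan '{vid}'"]
        lines += [f"\tlist ports '{s}'" for s in specs]
    return "\n".join(lines) + "\n"


# Constructed sample with the classic mistake: lan1/lan4 have no flag in vlan 10
# (so they are tagged and get no PVID) and non-trunk ports sit in the work vlan.
FLAWED = render_plan("br-lan", ["lan1", "lan2", "lan3", "lan4"],
                     {10: ["lan1", "lan2:u*", "lan3:u*", "lan4"],
                      20: ["lan1", "lan2:t", "lan3:t", "lan4"]})


def parse_uci(text):
    """Parse UCI text into [{'type', 'options': {k: v}, 'lists': {k: [v, ...]}}]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m.group(1), "options": {}, "lists": defaultdict(list)})
            continue
        m = KV_RE.match(line)
        if not (m and sections):
            raise ValueError(f"unparseable UCI line: {raw!r}")
        kind, key, val = m.groups()
        if kind == "option":
            sections[-1]["options"][key] = val
        else:
            sections[-1]["lists"][key].append(val)
    return sections


def split_port(spec):
    """'lan2:u*' -> ('lan2', 'u*'); a bare 'lan1' is tagged by default."""
    name, _, flag = spec.partition(":")
    if flag not in ("", "t", "u", "u*"):
        raise ValueError(f"unknown port flag in {spec!r}")
    return name, flag or "t"


def check_plan(text, mgmt_vlan, trunks):
    """Return findings as strings; an empty list means the plan is consistent."""
    sections = parse_uci(text)
    bridges = {s["options"]["name"]: set(s["lists"]["ports"]) for s in sections
               if s["type"] == "device" and s["options"].get("type") == "bridge"}
    findings, pvid, untagged = [], defaultdict(list), defaultdict(list)
    for s in (x for x in sections if x["type"] == "bridge-vlan"):
        br, vid = s["options"]["device"], int(s["options"]["vlan"])
        members = dict(split_port(p) for p in s["lists"]["ports"])
        for port, flag in members.items():
            if port not in bridges.get(br, ()):
                findings.append(f"vlan {vid}: {port} is not a port of {br}")
            if flag.startswith("u"):
                untagged[port].append(vid)
            if flag == "u*":
                pvid[port].append(vid)
        if vid == mgmt_vlan:  # management/home vlan: native on every bridge port
            for port in sorted(bridges.get(br, ())):
                if members.get(port) != "u*":
                    findings.append(f"vlan {vid}: {port} must be ':u*', got {members.get(port, 'absent')}")
        else:  # any other vlan rides tagged, and only on declared trunk ports
            for port, flag in members.items():
                if port not in trunks:
                    findings.append(f"vlan {vid}: {port} is not a trunk, remove it")
                elif flag != "t":
                    findings.append(f"vlan {vid}: {port} should be ':t', got {flag}")
    for port in sorted(p for ports in bridges.values() for p in ports):
        if not pvid[port]:
            findings.append(f"{port}: no PVID, untagged frames are dropped on ingress")
        if len(untagged[port]) > 1:
            findings.append(f"{port}: untagged in more than one vlan {untagged[port]}")
    return findings


if __name__ == "__main__":
    for f in check_plan(FLAWED, mgmt_vlan=10, trunks={"lan2", "lan3"}):
        print("-", f)
```

Run it against the text you are about to paste into /etc/config/network (or the output of `uci export network`) before committing; a port that the checker reports as having no PVID is a port you will not be able to reach untagged once VLAN filtering is on, which matches the "works until I apply it, then I need a factory reset" pattern.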

Thanks! Yes, I am aware of the custom firmware stuff. I am not yet sure if I will stay with OpenWrt, but hopefully I will find out the correct hardware specs to identify which OpenWrt image to flash it with. I assume I can just flash the IOWRT with OpenWrt; that's at least what I hope. The only reason why I am sticking to IOWRT right now is because it's easy to do a factory reset.

I tried what you described, but as soon as I create a new static address + DHCP server for my VLAN, it bricks and I need to do a factory reset.

Please see the recorded GIF here: https://romaitab-my.sharepoint.com/:i:/g/personal/robert_romait_se/EZb8fJ78LhdGigVFgjYSsA0BOJVEjxtAzIpQ5H5Q3lMeQA?e=VlOxVr

The firewall zone in the recorded GIF was just reused for test purposes. When things start to work, I will have separate firewall zones.

Update: I did some testing, and it seemed that VLAN filtering doesn't work. So I finally managed to create a tagged VLAN (at least on the host; also, I needed to disable EasyMesh) by creating two 802.1Q VLAN devices for each port and then creating a bridge between them. Also, I have created a Wi-Fi that uses that bridge.

As you may understand, we are not able to provide much help for non-official OpenWrt builds here.
My last piece of advice, to avoid getting locked out of the routers, is to first configure an out-of-band connection, connect to that, and then make changes on the interfaces. This can be a simple interface bound to an SSID, with no Ethernet ports. Also do a backup before you start.

I finally managed to get things to act like OpenWrt; there are default bridges set up that do not support VLAN bridge filtering. So basically I needed to set those up from scratch.

However, I kind of switched my approach. I now have a Ubiquiti router in front of each OpenWrt AP.

I changed to just having one bridge, with VLAN filtering as you mentioned.
Also, I have set up two interfaces: one with a static IP for VLAN 10 and one unmanaged for VLAN 20.
However, when setting up Wi-Fi SSIDs, what's happening is that sometimes I get kicked off the APs (and sometimes not) and I need a factory reset.
I wonder what the reason for this is. Am I missing some device to set up? That even happens occasionally on my Raspberry Pi 4 running plain OpenWrt while I was testing.

Thankful for any advice!

We are not able to understand much from the description. If your devices are working fine and then randomly drop the connection after you configure something, it sounds to me like you are introducing some change which is impacting the Ethernet ports.
Other than that, you should use the rollback functionality to avoid getting locked out due to bad configurations.

That is my conclusion now. Some of the settings are working, and then after a restart, or even after x number of minutes, the device is not responsive. The Wi-Fis I have set up work, but the device cannot be accessed via the LuCI endpoint.

If I were to go on and install OpenWrt on a device like that, what would the procedure be, and how could this device be added to the list of OpenWrt devices?

Thanks for your help @trendy