VLAN Devices vs Bridge Filtering?

Hello!

I have a ZyXEL NWA50AX Pro. I'm a bit confused how to set up VLAN tagging. I will have a DHCP client for management on VLAN 32, an SSID linked to VLAN 34, and another SSID linked to VLAN 35. Nothing is untagged. There seem to be two ways to do it (or I am very confused).

Method 1:

  1. Create VLAN "devices" for each VLAN with eth0 as the parent: eth0.32, eth0.34, eth0.35
  2. Create an interface for eth0.32 as a DHCP client
  3. Create a bridge for each of eth0.34 and eth0.35
  4. Connect the SSIDs to the br-34 and br-35

Method 2(?):

  1. Create a single bridge with port eth0 in it
  2. Go to the "Bridge VLAN filtering" tab and enter in my VLANs as tagged
  3. Not sure how this works from here?

Mainly I am confused on the difference between creating VLAN devices vs adding a parent device to a bridge and using the VLAN settings for the bridge.

How should I set this up?

Thanks!

Let’s see your current config - that will help us show you the method.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

Thanks for the fast response!

Here is the dump:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED/48'

# NOTE: This is a temporary/default device just for configuring right now
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# NOTE: This is a temporary/default interface just for configuring right now
config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '32'
	option name 'eth0.32'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '34'
	option name 'eth0.34'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '35'
	option name 'eth0.35'

config interface 'mynet_mgmt'
	option proto 'dhcp'
	option device 'eth0.32'

config device
	option type 'bridge'
	option name 'br-mynet-lan'
	list ports 'eth0.34'

config device
	option type 'bridge'
	option name 'br-mynet-iot'
	list ports 'eth0.35'

config interface 'mynet_lan'
	option proto 'none'
	option device 'br-mynet-lan'

config interface 'mynet_iot'
	option proto 'none'
	option device 'br-mynet-iot'

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wifi'
	option channel 'auto'
	option band '2g'
	option htmode 'HE40'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'mynet_lan'
	option mode 'ap'
	option ssid 'MyNet'
	option encryption 'sae-mixed'
	option key 'REDACTED'
	option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/18000000.wifi+1'
	option channel 'auto'
	option band '5g'
	option htmode 'HE160'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'mynet_lan'
	option mode 'ap'
	option ssid 'MyNet'
	option encryption 'sae-mixed'
	option key 'REDACTED'
	option wpa_disable_eapol_key_retries '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'MyNet IoT'
	option encryption 'sae-mixed'
	option key 'REDACTED'
	option network 'mynet_iot'
	option hidden '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'MyNet IoT'
	option encryption 'sae'
	option key 'REDACTED'
	option network 'mynet_iot'
	option hidden '1'

Some questions from this:

  1. Do I need the bridges? It looks like I can create an interface directly for any 802.1q device (without a bridge) and I can assign an SSID to any interface (doesn't have to be an interface with a bridge).
  2. Should I have one bridge and use the "VLAN Bridge Filtering" tab options? Unsure what that does.

  1. Has to be a bridge: https://w1.fi/cgit/hostap/tree/hostapd/hostapd.conf#n21
  2. You can do either way, best to stick with defaults, i.e. fat bridge with vlans for partitions in DSA, or multiple bridges bridging ethX.vlan in swconfig. No benefit or loss doing vice-versa.

In general long random name is better than hidden AP.


If this was a multi-port device where I was trying to have it act as a switch, would it make more sense to use the other method? Since the other method makes a single bridge interface, would I have to create tagged devices with the bridge as the parent in that case (to assign them to SSIDs and interfaces)?

For this use I don't care so much that it is secret as much as I would rather not flood my neighbors' SSID list with 3 or 4 SSIDs lol.

You can connect wifi to a bridge without ports ("bring up empty bridge") or br-lan vlan without physical cables, the routing and nat will be done this way too.
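
Method 2 from the question (the "fat bridge with vlans" option in the answer), written out for the posted setup as an added example that is not from any participant in the thread. It assumes a single bridge named br-lan with eth0 as its only port, and it reuses the posted interface names so the wifi-iface sections stay unchanged; it replaces the three 8021q devices and the two per-VLAN bridges.

```uci
# /etc/config/network (added example; bridge name 'br-lan' is an assumption)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# One bridge-vlan section per VLAN; ':t' marks eth0 as a tagged member
config bridge-vlan
	option device 'br-lan'
	option vlan '32'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '34'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '35'
	list ports 'eth0:t'

# Management: DHCP client on VLAN 32 only
config interface 'mynet_mgmt'
	option proto 'dhcp'
	option device 'br-lan.32'

# Unmanaged interfaces; the SSIDs attach through 'option network'
config interface 'mynet_lan'
	option proto 'none'
	option device 'br-lan.34'

config interface 'mynet_iot'
	option proto 'none'
	option device 'br-lan.35'
```

With filtering on and eth0 tagged-only, untagged frames on the uplink are no longer accepted, so the temporary `lan` interface on plain br-lan stops working; confirm the device is reachable on VLAN 32 before removing it.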