VLAN + DumbAP + software Layout

I am going to try a VLAN setup with 4 routers. All my routers are DIR-878 which only has 5 NICs. I am thinking of getting one more powerful router. This router might be a different brand or model.

Q1. Did I miss anything? Is this a good design?
Q2. Can I use different brands and models or do they need to be identical?
Q3. Is there a good document describing how to make a router "dumb"? Is this the best document? https://openwrt.org/docs/guide-user/network/wifi/dumbap
Q4. Can I setup roaming after I get everything working?
Q5. Can I clone the dumb setup between routers? Something like dd or some other duplication way?
Q6. Can I make the mesh communicate through the wire and only use wireless for the disconnected AP?

Dumb AP hardware

  1. Uses all 5 NICs including the yellow WAN NIC. But I don't need the yellow NIC to really be a WAN NIC. I need to make it a "normal" NIC.
  2. Need the traffic to flow from the yellow WAN NIC to the real AP.
  3. Need the VLAN to flow to real AP even through the yellow WAN NIC.

Dumb AP Software
What other software should I have on the Dumb AP?

  1. No DHCP + DNS
  2. No firewall rules. I assume the VLAN will segment everything until it reaches the real AP with firewall rules.
  3. Mesh software (see below)
  4. NTP server using real AP

Common between dumb AP and real AP

  1. Do I need to keep the dumb AP on the same VLAN as the real AP? I prefer to keep them common to make things simple.
  2. Each SSID will have a new VLAN.
    1. I need to look into ROAMING but I would like to do this after everything works. Roaming on router + APs
  3. All will have the same SSIDs repeated in the dumb AP and real AP
  4. There will be a mesh between all the dumb AP and real AP
    1. One dumb AP will have only mesh and maybe a NTP server.
  5. Mesh might be installed everywhere. I hope I can have the routing use the wired way when possible and the wireless mesh only when needed. Still trying to figure out how to handle a couple of disconnected routers...

You mean one router and 3 dumb APs?

The videos I linked on the wiki will be helpful for your setup.

Yes 1 router + 3 dumb APs

They are for 21 not 23. Is it still relevant?

There are lots of questions, so I’ll answer a few generalities and then you can go from there.

Instead of calling your main device the “real AP,” I’d recommend referring to it as your router or “main router” — this way it is clear what task it has in your network. Also, if you end up getting a router that doesn’t have wifi (or where it goes unused), you don’t need to change any of your descriptions.

Regarding the dumb APs — the guide you have linked is the correct one. It applies to all recent versions of OpenWrt, although you should be running the latest since the old ones (earlier than 22.03) are EOL and unsupported. They may contain serious security vulnerabilities.

Roaming is actually a client-side operation. There are methods of tuning your APs (specifically the radio power and channel) so that it will encourage clients to roam most efficiently. Done well, this can be nearly seamless and can work really well. This is actually critical regardless if you use “traditional” roaming vs advanced/assisted (using 802.11k/r/v standards). Also, these newer standards don’t always work well with some client devices… so it is important to have a properly configured and tuned set of APs for the traditional roaming approaches.

It is critical that the dumb APs have DHCP disabled — this must be done by explicitly disabling the DHCP server in the config file itself, rather than simply disabling the dnsmasq service. This is because you want to make sure that the DHCP server will never accidentally become enabled again which will happen if you ever upgrade the device or reset and then restore the configs. Disabling is simple (set the dhcp server for the respective interface to “ignore”).

On VLANs — typically you’ll have a trusted LAN and then one or more untrusted networks. For the infrastructure devices (APs, etc.), you can setup a separate “management” VLAN or you can just use the trusted LAN — that’s up to you. The dumb APs only need an address on one network — the one that is used for management. The rest of them will be set to unmanaged (i.e. proto none).

And the firewall is unnecessary on a dumb AP, but it also won’t do anything if left enabled. You don’t need to mess with the firewall at all.

Not relevant.

ad Q5: Yes. You could do a backup of the first and import the configuration on the second. But keep in mind that this will also clone all IP addresses, so you need to change at least the IP address and maybe some other relevant parameters after the restore, before connecting it to the network so that you don't get duplicate addresses.

ad Q6: Yes, it's just not called "mesh". A wired backhaul is faster and more stable. Your "mesh" will simply extend the wired backhaul over a wireless connection. There are several ways and guides to set this up - I did my first b.a.t.m.a.n.-adv setup two weeks ago for exactly this purpose.

I hadn't even thought of that... That might be a good solution for me. 1 main device (wireless switch) plus 4 dumb routers. Need to do some research.

I still need to understand what the difference is between VID and PVID

VID is the VLAN ID.
PVID is the port ID.

Typical usage or values I should avoid using to stop conflicts.

id            description                                   User can safely use
0             tagging the priority of frames or management  ???
1             default VLAN ID for some products             No, may cause future problems
2
3968 to 4095  Cisco reserves                                No, may cause future problems
  • VID: VLAN ID. Usually this is how you set the VLAN port memberships for tagged networks
  • PVID: Port VLAN ID. This is how untagged networks are specified. Also known as native/default.

Starting with the idea of VLANs/tagging…

Normal Ethernet connections are setup as “untagged” — that is what most end devices expect (think of computers, set-top-boxes/game consoles, printers, and the like).

The 802.1q standard was created to allow the use of VLANs (virtual local area networks). It does this by means of tagging the Ethernet frames so that the specific network to which the traffic belongs is clearly indicated.

The standard allows for:

  • Access port: a single untagged network, no tagged networks (i.e. normal Ethernet as above). PVID is used to define this network.
  • Trunk port: carry multiple networks on a single port/cable. VID is used to define the tagged networks here.
    • This may be a combination of zero or one untagged network [1] + one or many tagged networks on the port.
  • Tagged single network port: this has zero untagged networks and just one tagged network (this is sometimes used for special equipment like VOIP phones, etc.).

The standard does not allow multiple untagged networks on a single port (but more about this in a minute), as this would cause ambiguity about the network to which the traffic belongs.

Some managed switches will have a configuration option to have multiple VLANs untagged on a single port, but then you must create a PVID (Port VLAN ID) to define the actual VLAN that is active as untagged on a port (because only one untagged network is allowed). With those switches, you must set a port to be a member of a given VLAN as untagged and then also specify the PVID for that VLAN.

On the reserved VLAN IDs:

  • 0 is invalid. Your options are 1-4095
  • It is generally not considered to be problematic to use VLAN 1 as tagged in most environments. Especially when you consider the opinions around trunk ports.
  • The Cisco “reserved” VLAN IDs are not relevant unless you are using Cisco business/enterprise grade equipment in your network.

  1. There are two schools of thought about whether it is okay to use an untagged network on a trunk port. It is often a matter of personal/professional opinion, but some will say to only use tagged networks on a trunk port. The standard does allow it, but aside from the opinion bit, some hardware actually chokes when mixing untagged + tagged.
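As an added example (not part of this thread and not taken from the OpenWrt wiki), here is what the dumb-AP configuration described earlier in the thread (DHCP disabled in the config itself, a management address on one VLAN only, the others set to proto none) and the port types described just above (access ports with a PVID, trunk ports carrying tagged VLANs) look like together in OpenWrt's UCI format. It assumes OpenWrt 22.03 or later with DSA, that the DIR-878's switch ports show up as lan1-lan4 and wan (check with `ls /sys/class/net` on your unit), and constructed values for everything else: VLAN 10 for the trusted/management network, VLAN 20 for guests, VLAN 30 for IoT, the main router at 192.168.10.1 and this AP at 192.168.10.2.

```uci
# /etc/config/network on a dumb AP (assumed: OpenWrt 22.03+, DSA, ports lan1-lan4 + wan)
# The default 'wan' and 'wan6' interface sections are deleted so the yellow port
# is just another bridge member and stops acting as a WAN port.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# VLAN 10 (constructed: trusted + management).
#   wan, lan4  -> trunk ports: tagged (":t")
#   lan1-lan3  -> access ports: untagged and PVID (":u*"), what a normal PC expects
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'wan:t'
	list ports 'lan4:t'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

# VLAN 20 (constructed: guest). Only on the trunk ports, tagged; no untagged member,
# which is the conservative "tagged-only trunk" style mentioned in the footnote.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'wan:t'
	list ports 'lan4:t'

# VLAN 30 (constructed: IoT), same trunk-only membership.
config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'
	list ports 'lan4:t'

# The AP's only address lives on the management VLAN (constructed addresses).
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.2'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'

# The other VLANs exist only so SSIDs can be bridged into them: unmanaged, no address.
config interface 'guest'
	option device 'br-lan.20'
	option proto 'none'

config interface 'iot'
	option device 'br-lan.30'
	option proto 'none'

# /etc/config/dhcp on the same dumb AP: the DHCP server for 'lan' is ignored in the
# config file itself, so an upgrade or config restore cannot silently re-enable it.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

# /etc/config/wireless fragment: each SSID is attached to its VLAN's interface.
# (radio0 and the SSID names are constructed; keep the real encryption settings.)
config wifi-iface 'trusted_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'Home'

config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'Home-Guest'
	option isolate '1'
```

The main router needs the matching side of this: the same three VLAN IDs tagged on whichever of its ports the cable to the dumb AP's wan port lands on, plus the DHCP servers and firewall zones for each VLAN, since the dumb AP provides neither. Traffic for VLAN 20 and 30 clients passes through the AP as tagged frames only; the AP never has an IP address on those networks, which is what keeps it reachable for management solely from the trusted side.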