Dear members of the forum, I'd like to know if my idea is okay and possible to implement. I use a TP-Link Archer C6 as my OpenWrt device (10.12.20.1), behind the ISP modem in bridge mode. I have the LAN4 port connected to another router, which was needed to provide internet to another office which couldn't reach the Wi-Fi signal from the main router. So, I already created some interfaces and firewall zones for the different SSIDs, but the thing that really nags me is that the second router gets an IP from my main DHCP pool (10.12.20.112). So I was thinking: could giving that LAN port its own VLAN solve the "issue"?
I appreciate your comments and please forgive my ignorance.
Yes, you could set it up much like a guest wifi network except that you would connect it to port lan4 instead of an SSID/radio. When combined with the firewall rules, the networks can be isolated from each other, but both networks can have normal internet access.
Thanks for your answer! Is there any good guide I could follow in order to do this? Or maybe you could give me a hand? I'm more comfortable using LuCI, but I'll try whatever is best. (I've searched the web but couldn't find anything specific to my problem.)
I haven't really seen a good wiki guide for this, but the forum search will no doubt turn up many results.
I generally work with the text config files... if you provide those, I could make some suggestions based on that...
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
Everything around VLANs can be configured via luci, most more experienced users tend to prefer working with the config files though (much easier to retain an overview, much easier to help others (just think about how many screenshots would be needed to post)).
root@OpenWrt:~# ubus call system board
{
"kernel": "5.10.138",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "TP-Link Archer C60 v3",
"board_name": "tplink,archer-c60-v3",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.0",
"revision": "r19685-512e76967f",
"target": "ath79/generic",
"description": "OpenWrt 22.03.0 r19685-512e76967f"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdca:ae32:3c52::/48'
config interface 'wan'
option device 'eth1'
option proto 'pppoe'
option username 'xxx'
option password 'xxx'
option ipv6 'auto'
option peerdns '0'
list dns '45.90.28.75'
list dns '45.90.30.75'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.12.20.1'
list dns '45.90.28.75'
list dns '45.90.30.75'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config wireguard_wg
list allowed_ips '10.12.21.2/32'
option description 'xxx'
option public_key 'xxx'
option preshared_key 'xxx'
config wireguard_wg
option description 'xxx'
option public_key 'xxx'
list allowed_ips '10.12.21.3/32'
option preshared_key 'xxx'
config wireguard_wg
option description 'xxx'
option public_key 'xxx'
list allowed_ips 'xxx'
option preshared_key 'xxx
config wireguard_wg
option description 'xxx'
list allowed_ips 'xxx'
option preshared_key 'xxx'
option public_key 'xxx'
config interface 'wg0'
option proto 'wireguard'
option listen_port '51820'
list addresses '10.12.21.1/24'
option private_key 'xxx'
config wireguard_wg0
option description 'xxx'
list allowed_ips '10.12.21.13'
option public_key 'xxx'
option private_key 'xxx'
option route_allowed_ips '1'
config wireguard_wg0
option description 'xxx'
option public_key 'xxx'
option private_key 'xxx'
option route_allowed_ips '1'
list allowed_ips '10.12.21.10'
config interface 'GUESTS'
option proto 'static'
option netmask '255.255.255.0'
list dns '45.90.28.75'
list dns '45.90.30.75'
option ipaddr '10.12.22.1'
config interface 'DPTOS'
option proto 'static'
option netmask '255.255.255.0'
list dns '45.90.28.75'
list dns '45.90.30.75'
option ipaddr '10.12.23.1'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option domainneeded '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option dns '1'
option mac 'xxx'
option ip '10.12.20.2'
option leasetime 'infinite'
option name 'xxx'
config host
option dns '1'
option mac 'xxx'
option leasetime 'infinite'
option name 'xxx'
option ip '10.12.20.3'
config host
option dns '1'
option ip '10.12.20.4'
option leasetime 'infinite'
option name 'xxx'
option mac 'xxx'
config host
option dns '1'
option mac 'xxx'
option leasetime 'infinite'
option name 'xxx'
option ip '10.12.20.5'
config host
option dns '1'
option leasetime 'infinite'
option mac 'xxx'
option ip '10.12.20.6'
option name 'xxx'
config host
option name 'xxx'
option dns '1'
option mac 'xxx'
option leasetime 'infinite'
option ip '10.12.20.7'
config host
option dns '1'
option leasetime 'infinite'
option mac 'xxx'
option name 'xxx'
option ip '10.12.20.8'
config host
option name 'xxx'
option dns '1'
option mac 'xxx'
option leasetime 'infinite'
option ip '10.12.20.9'
config host
option name 'xxx'
option dns '1'
option mac 'xxx'
option ip '10.12.20.10'
option leasetime 'infinite'
config host
option name 'xxx'
option dns '1'
option mac 'xxx'
option leasetime 'infinite'
option duid 'xxx'
option ip '10.12.20.11'
config host
option name 'xxx'
option dns '1'
option mac 'xxx'
option ip '10.12.20.12'
option leasetime 'infinite'
config host
option name 'xxx'
option dns '1'
option mac 'xxx'
option ip '10.12.20.13'
option leasetime 'infinite'
config host
option name 'xxx'
option dns '1'
option mac 'xxx'
option ip '10.12.20.50'
option leasetime 'infinite'
config host
option name 'xxx'
option dns '1'
option mac 'xxx'
option ip '10.12.20.51'
option leasetime 'infinite'
config dhcp 'wg0'
option interface 'wg0'
config dhcp 'GUESTS'
option interface 'GUESTS'
option start '100'
option limit '108'
option leasetime '2h'
config dhcp 'DPTOS'
option interface 'DPTOS'
option start '100'
option leasetime '12h'
option limit '108'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option dest_ip '10.12.20.50'
list proto 'tcp'
option name 'xxx'
option src_dport 'xxx'
option dest_port 'xxx'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option src_dport 'xxx'
option dest_ip '10.12.20.50'
option dest_port 'xxx'
option name 'xxx'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option dest_ip '10.12.20.51'
option name 'xxx'
list proto 'tcp'
option src_dport 'xxx'
option dest_port 'xxx'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option dest_ip '10.12.20.51'
option name 'xxx'
option src_dport 'xxx'
option dest_port 'xxx'
config zone
option name 'wg'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wg0'
config forwarding
option src 'wg'
option dest 'lan'
config forwarding
option src 'wg'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wg'
config forwarding
option src 'wan'
option dest 'wg'
config rule
list proto 'udp'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'
option name 'Allow-Wireguard'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'xxx'
option src 'wan'
option src_dport 'xxx'
option dest_ip '10.12.20.11'
option dest_port 'xxx'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'guests'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'GUESTS'
config forwarding
option src 'guests'
option dest 'wan'
config zone
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'DPTOS'
option name 'dpts'
config forwarding
option dest 'wan'
option src 'dpts'
config rule
option name 'Allow-DHCP-DNS-Guests'
option src 'guests'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-DNS-Dptos'
option dest_port '53 67 68'
option target 'ACCEPT'
option src 'dpts'
I have two IP cameras and a PC with the software to record the feeds from them, all of which have port forward rules. I also have an interface for WireGuard and different peers configured. I did this to eliminate the port forward rules, but I haven't yet.
So you basically have the foundations of this type of config already set up with your guests and dptos networks. You can replicate that 'recipe' and then, with a quick edit to the switch config, you'll be set to go... like this:
First, we'll edit the switch config to remove logical port 4 from vlan 1 and then put it in a new stanza for vlan 3 like this:
Now, we can create a new network using device eth0.3... I've called it business and given it an address of 10.12.3.1, but feel free to change these things:
config zone
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'business'
option name 'business'
config forwarding
option dest 'wan'
option src 'business'
config rule
option name 'Allow-DHCP-DNS-business'
option src 'business'
option dest_port '53 67 68'
option target 'ACCEPT'
Restart and it should be good!
The only question mark here is the mapping of logical ports to physical ports -- I'm making an assumption that logical port 4 -> physical port lan4. But this could be incorrect. You may have to test to figure out which port is which since they don't always map 1:1.
If you change the names of things, just make sure you're consistent with all the other places it shows up. And if you change the logical port that is used, be sure to do the accounting so that the ports are assigned properly.
BIG THANK YOU!!!
I'll try those configuration changes tomorrow and I'll let you know.
Just one question: Why is there a VLAN ID '1' already there? And why will the new VLAN be set to '3'? Shouldn't it be set to the existing one?
1 and 2 are usually used (lan and wan, respectively) by default; in your specific case wan appears to be its own interface (eth1), but in many cases it's on the same switch as all the lan ports (just with VID 2).
Each network must have a unique VLAN ID if it is connected to the switch as we are doing here. This ensures that the networks are treated as unique entities in the switch chip.
@slh described the typical VLAN IDs 1 and 2. Even though your device doesn't use VLAN 2, I avoided it because it is often used for the WAN, so VLAN 3 is the 'safe' choice. It can be any unique/unused ID from 1-4094 (although some, typically older, hardware only supports VLAN IDs 1-15).
It was, in fact, not mapped 1:1. It's actually logical port 1 -> physical port 4. But after changing that, the second router is now getting the IP of 10.12.3.112... NICE!
So, the VLAN interface has the eth0.3 device, but my guest interface doesn't have any device, it says unspecified. What does it mean?
What is the difference between having the wifi guest network, for example, in a different subnet (with its own interface and firewall zone), than having it in a VLAN (if that's even possible with wifi).
I created an IoT interface and firewall zone (following a tutorial). I have 2 IP cameras connected directly to the OpenWrt router. Should I assign them to the IoT subnet? Will I be able to reach them using the WireGuard VPN or with port forwarding?
Should I include Alexa devices in this IoT subnet?
I didn't ask for your wireless file, but I'm guessing that you have an SSID that is linked against the guest network. That is fine -- the wireless file has a field for "network" and that's how the wireless connects to the network interfaces.
If you're using just a single radio, it works with network alone. If you are using multiple radios and/or ethernet + wifi, you need to create a bridge device and use that in your network interface.
VLANs are actually related to ethernet only. If you are using a guest network and setting up an SSID on the same device, you don't need to use VLANs. If you want to put multiple networks on a single cable, VLANs are required.
That's up to you, but sure. And yes, you can usually access them that way (although there can be some nuance: for example, your existing redirect rules and the wg→lan forwarding currently point at the lan zone, so they would need to be updated to the new zone), provided you have the firewall configured appropriately.
Up to you... how much do you trust/dis-trust those devices?
I am using multiple radios. 5GHz has 1 SSID, 2.4 has 3. On each one, the interfaces are giving IP's to the devices. I'm also using ethernet for 4 devices (2 IP cams, 1 card reader and the second router I mentioned at the beginning).
Sorry if it was unclear...
If a single network is being used on more than one radio, it needs a bridge. So, if you create a network that is 2.4GHz only (often done for IoT), you don't need a bridge. OTOH, a network that will span both 2.4G and 5G radios will need a bridge.
I'll review your wireless file and let you know if you will want to make any changes.
No. Leave that blank unless you are connecting to a bridge or ethernet.
You'll have difficulty preventing them from dialing home... if you do block that, they won't work.
Generally speaking, the purpose of creating an IoT network is to allow your untrusted IoT devices to reach the internet but not have any access to your trusted devices. Sometimes people will also set up a non-internet IoT network for untrusted devices that do not require an internet connection at all, but that's not applicable for the Alexa devices.
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option cell_density '0'
option country 'EC'
option htmode 'VHT40'
option channel '149'
option txpower '18'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'platform/ahb/18100000.wmac'
option htmode 'HT20'
option cell_density '0'
option channel '1'
option country 'EC'
option txpower '13'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'XXX'
option ieee80211w '1'
option key 'xxx'
option macfilter 'allow'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
option encryption 'sae-mixed'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'XXX GUESTS'
option key 'xxx'
option ieee80211w '1'
option network 'GUESTS'
option isolate '1'
option encryption 'sae-mixed'
config wifi-iface 'wifinet5'
option device 'radio1'
option mode 'ap'
option ssid 'XXX'
option key 'xxx'
option ieee80211w '1'
option network 'DPTOS'
option encryption 'sae-mixed'
config wifi-iface 'wifinet6'
option device 'radio0'
option mode 'ap'
option macfilter 'allow'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
list maclist 'xx:xx:xx:xx:xx:xx'
option key 'xxx'
option network 'lan'
option ieee80211w '1'
option encryption 'sae-mixed'
option ssid 'xxx'
The 2.4GHz radio has 3 SSIDs, one of them is also in the 5GHz radio, with the same password. I personally would eliminate the 2.4 but it's needed for some old clients. I chose the channels based on what was available in the area, trying to avoid other signals in the neighborhood.
Keep in mind that some client devices don't work well with sae-mixed (WPA2/WPA3 mixed mode). In those cases, you may be better off running WPA2 only. But if it is working for you, keep it as is.