VLAN guest for ext. AP & openWRT WIFI

Joern · January 8, 2025, 4:51pm

Hello,

I have a guest network using only openWRT WIFI today.
I want to extend guest network with external TP-Link Wifi one guest network via LAN 1 by using VLAN 10.

Thinking was: use same Interface: guest + device: br-guest

in device br-guest add LAN 1 (wifi has network: guest )
in device br-guest - add VLAN 10 Tagged for LAN 1

That all coming via LAN1 for VLAN10, should only enter the guest network...

Result - only blocking myself out

Relevant config without VLAN:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option delegate '0'
	option ip6hint '1'

config device
	option name 'br-guest'
	option type 'bridge'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'heeewifi'
	option encryption 'sae'
	option key 'abcd'
	option network 'guest'

psherman · January 8, 2025, 4:58pm

You need to use bridge-VLANs.

It will look like this:

Create two bridge-vlans:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'

Edit your lan interface to use br-lan.1:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option delegate '0'
	option ip6hint '1'

Delete br-guest:

And edit the guest network to use br-lan.10:

config interface 'guest'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

Reboot and test again... you should have normal lan connectivity and your guest network should still work on wifi. Now, it will also be tagged as VLAN 10 on port lan1. You'll need the other side of the link to have the same configuration (untagged network is lan, guest is tagged on VLAN 10).

Joern · January 8, 2025, 6:25pm

Interface guest - br.lan10 was first a absent.device after reboot and so interface said
Error: Network device is not present.

After manually switching to "Software VLAN "br.lan10" (guest)" in the interface guest, now seems to work fine. Interface LAN had already proper: "Software VLAN "br.lan1" (lan)" selected and seems not to have changed config file itself...

@psherman -> Many thanks for fast support!

If someone is looking for same, here new config:

root@OpenWrt:~# cat /etc/config/dhcp 

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option port '5353'
	option noresolv '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '10'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.10.1'


root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option delegate '0'
	option ip6hint '1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '56'

config interface 'guest'
	option proto 'static'
	option device 'br-guest.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'

root@OpenWrt:~# cat /etc/config/wireless 

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'heeewifi'
	option encryption 'sae'
	option key 'abc'
	option network 'guest'

system · January 18, 2025, 6:25pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.