VLAN & INTERFACES & Acces Point setup on version 21.02

Installing and Using OpenWrt Network and Wireless Configuration
1

Changed my text and wrote a how to. I was searching about how to do it.

VLAN is actually more straight forward since the new OpenWRT version 21.02.

My goal was to set up as a Acces Point only (that was easy, but a Wizard or such should be helpful that can disable many settings), ofcourse it all worked fine out. For convenience I found a guide, see link below.

I couldn’t get my head arround for the VLAN setup. I have many VLAN’s and have to deal with several SSID's I wanted to assign to a to VLAN.
There are many examples, YoutTube (horrible presentations and explanations, perhaps i should give it a shot), that didn’t fit my use case. I didn’t need the router function in OpenWRT, for this is have PFSense and also my gateway to the internet and ofcourse my firewall.

Assumption you have network knowledge to follow this guide, i don’t explain the technology itself, only how to get it done.

The steps I have followed to get it done:

First my Hardware: TP-LINK Archer C6U > OpenWRT 21.02
I wanted to try Mediatek chipset, looks good and feels stable (using OpenWRT since 2011).

  1. Access Point setup
  2. Convert WAN as an usable interface
  3. Create/add VLAN's
  4. Change "Bridge: br lan" into "Sofware VLAN: [vlan you have created]"
  5. Create Interface's for the added VLAN's
  6. SSID's assigned to their "Ïnterface" VLAN's

Step 1 - Access Point setup
Follow the guide as written in the guide for OpenWRT 21.01
Do the steps 1 - 9 (till you read: In versions of OpenWrt older than 21.02.0)
[OpenWrt Wiki] Wireless Access Point / Dumb Access Point

Additional: I have removed ALL firewall policies and disabled SYN-flood:
|> Network |> Firewall |> [removed all polices]

Step 2 - Convert WAN as an usable interface
Just delete any WAN the interfaces:
|> Network |> Interfaces |> [delete all WAN}

Step 3 - Create/add VLAN (only submit changes when in step 4 when doing this for the first time)
|> Network |> Devices |> Configure [br-lan] |> Bridge VLAN filtering |> Enable VLAN Filtering |> [create/add your VLAN's]
VLAN will "devices"wil be automatically created

When configuring "Egress untagged" on the Physical Interface (can be only done for 1 VLAN at a time), it makes sense to tik the box of "Primary VLAN ID", if devices should communicate on the local interfaces in the same VLAN on your TP-LINK device.

Assigned my TP-Link physical WAN interface as my TRUNK interface: [Egress tagged] for the VLAN's I want them trunked.

Step 4 - Change "Bridge: br lan" into "Sofware VLAN: [vlan you have created]"
|> Network |> Interfaces |> [br-lan] Edit |> Device |> [change] "Bridge: br lan" into "Sofware VLAN: [vlan you have created]"

Make sure the IP sits in the Subnet of that VLAN you creates...

Step 5 - Create Interface's for the added VLAN's
To assign your SSID to an VLAN, a Interface is needed. Make sure the VLAN is set [Egress tagged] as described in Step 3.
|> Network |> Interfaces |> Add new interface |> Name [give it a name] |> Protocol [Unmanaged] |> Device [select your Sofware VLAN: br-lan.xx]

Now you have an interface that can be selected when creating a new SSID.

Step 6 - SSID's assigned to their "Ïnterface" VLAN's
|> Network |> Wireless |> [select your SSID/ or create one] Edit |> Network |> [select here your VLAN/your created Interface]

This worked for me.

My home network:
PFSense that is my firewall and gateway to the internet (and VPN to my home). PfSense has many virtual interfaces for the VLAN's.
Netgear switches where VLAN and TRUNK is enabled and have un-tagged interfaces.
many TP-Link devices running with OpenWRT that provided WiFi AP in my house with multiple SSID's in their own VLAN.
Using ESX hypervisor to setup VM's for home services.

2

Do you have a DSA device or a combo with both switch menu and device settings?

3

Nevermind, started to read the documentations to understand what they have done:

[OpenWrt Wiki] DSA Mini-Tutorial

And reading (its not only me who thinks someone made a mess):

The current naming OpenWrt has is incorrect and confusing. The “interfaces” under Network → Interfaces actually represent networks. The actual interfaces are called “device” which is not necessarily wrong but implies as if they only have to be physical interfaces.

When you run ip link, each entry represents an interface on the system. Some are physical, some are logical interfaces.

UCI treats “config interface” as configuring networks but “config device” as configuring interfaces.

If you head to Network → Wireless and assign a wireless interface to a network, it will literally call the networks under Network → Interfaces as “Network”.

So, in my opinion:

  • “config interface” should be renamed to “config network”

  • “config device” should be renamed to “config interface”

4

see first post

5

This was actually renamed between RC1 and RC2 if I remember right.

The interface is level 3 system. You can have a interface without a network.

Usually a hardware switch or L2 equipment is a device and not a interface. It is pretty hard to lift up a interface from the table and connect power to a interface.

6

Rewrote my 1st post and created an howto. Hope this helps other too.

7

You probably win the prize (if we had one!) for the absolute most extreme rewritten original post ever!?

You did actually go from the “the worst firmware ever” to “21.02 is the best” on a dime…

8

Got out of bed on the wrong side :zipper_mouth_face:

9

Excellent explanation of the changes and howto setup VLAN in OpenWRT 21:

10

Necroposting, but just wanted to say thanks for this!

Like you said... a lot of bad/confusing explanations/videos online. As a first time user of OpenWRT I spent probably a whole day of severe frustration trying to get it to work before coming across your post. The old vs new v21 changes also had me confused for a while until I read up on the changes.

Naming of Devices and Interfaces and seemingly odd location to hide VLAN config is not great for making it intuitive or logical set up to me, hope that gets resolved in a future update. I've seen other posts stating the same. I'm in an infrastructure team by day so these concepts aren't new to me, but working out how the moving parts to come together to get it working in OpenWRT wasn't easy.

I also use pfSense (on a SFF PC) as my main router and was setting OpenWRT up on an old access point from work, an Aerohive HiveAP121. I have set the AP to get its address from DHCP on pfSense (with a static assignment). Another gotcha for anyone else is to make sure when setting up VLANs on pfSense or the main router is to temporarily set a firewall rule for ANY protocol, from ANY source, to ANY destination on that VLAN interface to confirm it's up and running. You can then modify firewall rules later to lock down acess to/from that VLAN. I was rushing and overlooked the protocol was set to the default TCP which didn't help when troubleshooting early on, stupid mistake.

11

November 2022, looking back at the situation how to configure Interfaces and VLAN on OpenWRT..... :rage: :sob: :sob:

How they implemented it is a job really terrible done....

This must be art of an DEVELOPER00 with ZERO network knowledge and had to deliver something because of some team lead has it fit in his misfit brain...

1 Like