VLAN setup on Archer C6 v2

Hi!
I have a TP-Link Archer C6 v2 as a router + AP (no other network hardware). I'd like to set up a couple of VLANs on it:

  1. personal devices (laptops, phones etc.) - should have 5GHz wifi and internet access. Should have all physical ports except port 4.
  2. iot devices - should have 2.4GHz wifi with isolated clients and no internet access, with a couple of exceptions (e.g. smart speakers).
  3. a NAS - no wifi, only cable access via port 4.
  4. guest - 2.4GHz wifi with isolated clients, with internet access.

Some requirements concerning communication between the VLANs:

  1. VLAN1 will have a Home Assistant server on it, and ideally it should be able to discover devices in VLAN2. I would also like to be able to discover the speakers to play music on them via google cast.
  2. VLAN3 can only be accessed from VLAN1.
  3. VLAN2 devices cannot talk to each other (except for smart speakers to create speaker groups) or devices in other VLANs.

I'd appreciate any help with this setup (the first part especially since I've been bashing my head against it for God knows how long).

The main problem I have right now is that DHCP doesn't seem to be kicking in when I try connecting to the iot wifi: I can't get an IP address.
I previously tried setting up the iot interface identically to the lan interface but with .3.1 subnet, which gave me the same result.

I've tried a lot of different guides to achieve this setup, so my configs may be a bit of a mess. I'll post them below.

/etc/config/network

# Base interfaces: loopback, the LAN bridge on eth0.1, and WAN/WAN6 on eth0.2.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '___::/48'

# br-lan bridges only eth0.1 (switch VLAN 1); wifi interfaces join it through
# 'option network' in /etc/config/wireless.
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth0.1'

# Trusted network: static 192.168.1.1/24, the subnet the 'lan' DHCP pool serves.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Uplink on eth0.2 (switch VLAN 2), addressed by the upstream DHCP server.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	# NOTE(review): 'option type bridge' on an interface section is the older
	# syntax mixed with the newer 'option device'; it looks like a leftover
	# from an earlier attempt. Confirm it is not needed: the WAN uplink
	# should not be bridged with anything client-facing.
	option type 'bridge'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

# Switch VLAN table. Port 0 is tagged ('0t') in every VLAN, which is how the
# VLANs reach the CPU as eth0.1 / eth0.2 / eth0.3.
# NOTE(review): switch port numbers need not match the labels on the case.
# Confirm which physical socket is "port 4" before relying on this mapping.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 -> eth0.1 -> br-lan (personal devices) on ports 2, 3 and 5.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 5'
	option vid '1'
	option description 'personal devices'

# VLAN 2 -> eth0.2, which the network config uses for wan/wan6 (port 1).
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

# VLAN 3 -> eth0.3 on port 4.
# NOTE(review): the description says 'iot', but the plan in the post reserves
# port 4 for the NAS. As configured, whatever is plugged into port 4 joins the
# same layer-2 segment as the iot wifi clients (br-iot), which is the opposite
# of "NAS reachable only from personal devices". A separate VLAN/interface/zone
# for the NAS would be needed to meet that requirement.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4'
	option vid '3'
	option description 'iot'

# IoT network: logical interface 'iot' on bridge br-iot, which contains eth0.3.
config interface 'iot'
	# NOTE(review): proto 'none' gives this interface no IPv4 address, so the
	# 'iot' DHCP pool has no subnet to hand out leases from. That matches the
	# "can't get an IP address" symptom in the post. A routed, firewalled
	# segment needs proto 'static' with its own ipaddr/netmask (as 'lan' has),
	# on a subnet different from 192.168.1.0/24.
	option proto 'none'
	option device 'br-iot'
	# NOTE(review): redundant with the br-iot device section below; looks like
	# a leftover of the older interface-level bridge syntax. Confirm and drop.
	option type 'bridge'

# Bridge for the IoT segment. Only the wired member is listed here; the wifi
# interface is attached via 'option network iot' in /etc/config/wireless.
config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.3'
	option ipv6 '0'
	option igmp_snooping '1'

# Explicit 802.1q sub-device: VLAN id 3 on top of eth0.
config device
	option name 'eth0.3'
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option ipv6 '0'

/etc/config/wireless

# Wireless: radio0 is the 5 GHz radio, radio1 the 2.4 GHz radio. Each wifi-iface
# is one SSID and is attached to a logical network from /etc/config/network.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	# NOTE(review): no 'option country' here, while radio1 sets one; the reply
	# on this page asks for it on the 5 GHz radio as well.

config wifi-iface 'default_radio0'
	option device 'radio0'
	# NOTE(review): two networks are listed. The reply on this page states an
	# AP interface can be attached to a single device only. Independently of
	# that, 'wan' must not be attached to a client-facing SSID: it would put
	# wifi clients on the uplink side, outside the lan zone's firewalling.
	# This should read 'lan' only.
	option network 'lan wan'
	option mode 'ap'
	option ssid '___'
	option encryption 'psk2'
	option key '___'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'RU'

# IoT SSID on 2.4 GHz, attached to the 'iot' network.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid '___'
	option encryption 'psk2'
	option key '___'
	option network 'iot'
	# NOTE(review): a hidden SSID is not an access control; the network is
	# still discoverable from client probes. The PSK is the actual barrier,
	# so it should differ from the key of the personal SSID.
	option hidden '1'
	# NOTE(review): the post asks for isolated clients, but no "option isolate '1'"
	# is set on this interface. Traffic between stations on the same SSID is
	# switched by the AP and never reaches the firewall zones, so zone rules
	# alone cannot provide that isolation.

# Second 2.4 GHz SSID for the personal network.
config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid '___'
	option encryption 'psk2'
	option key '___'
	# NOTE(review): same issue as default_radio0. Attach to 'lan' only and
	# never to 'wan'.
	option network 'lan wan'

/etc/config/dhcp

# DHCP/DNS: global dnsmasq settings, one pool per interface, one static lease.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# Rebind protection stays enabled: upstream DNS answers pointing at
	# private addresses are discarded.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# Answer DNS only for hosts on directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'

# Pool for 'lan': start 100, limit 150, 12 h leases, plus DHCPv6/RA in server mode.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# No DHCP service towards the uplink.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Pool for 'iot'.
# NOTE(review): this pool can only work once the 'iot' interface has a static
# IPv4 address (it is proto 'none' in /etc/config/network) and the iot firewall
# zone, whose input policy is REJECT, lets DHCP requests (udp/67) reach the
# router. If iot clients should use the router for DNS, port 53 must be allowed
# as well.
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# Static lease for the Home Assistant host.
# NOTE(review): the firewall rule 'allow upd from iot' matches on this address.
# An IP/MAC binding is a convenience, not authentication: any lan host can
# claim the address or spoof the MAC.
config host
	option name 'home-assistant'
	list mac '____'
	option ip '192.168.1.152'

/etc/config/firewall

# Firewall baseline: default-reject policies, a trusted 'lan' zone, a
# masqueraded 'wan' zone, and lan -> wan forwarding.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted zone: hosts on 'lan' may reach the router itself (input ACCEPT).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Uplink zone: nothing unsolicited is accepted or forwarded from wan; outgoing
# traffic is NATed (masq) and MSS-clamped (mtu_fix).
config zone
	option name 'wan'
 	option input 'REJECT'
 	option output 'ACCEPT'
	option forward 'REJECT'
 	option masq '1'
 	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# Internet access for the lan zone.
config forwarding
	option src 'lan'
 	option dest 'wan'

# Rules accepting selected traffic arriving from the wan zone.
# NOTE(review): these look like the distribution's stock rule set. Confirm
# against a fresh install before trimming any of them.

# DHCP replies to the router's own WAN client (udp/68).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Router answers IPv4 ping from the uplink side; optional.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 replies to the router's own WAN6 client (udp/546).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD messages, accepted from link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), rate-limited. Once further
# zones exist, '*' covers them too.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
 	list icmp_type 'echo-request'
 	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
 	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the next two rules forward IPsec (ESP, IKE on udp/500) from wan
# into lan. If no lan host terminates IPsec, removing them reduces what the
# uplink side can reach.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	 option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# IoT zone and the custom rules/forwardings added for it.

# NOTE(review): input REJECT also rejects DHCP (udp/67) and DNS (port 53)
# requests from iot clients to the router, and no rule on this page re-allows
# them. Together with the 'iot' interface having no IPv4 address, this would
# explain why clients never get a lease. Narrow "src iot" ACCEPT rules for
# those two services are the usual complement to a REJECT input policy.
config zone
	option name 'iot'
	option input 'REJECT'
 	option output 'ACCEPT'
	option forward 'REJECT'
 	list network 'iot'

# NOTE(review): src '*' and dest '*' make this a forward rule between every pair
# of zones, wan included. 224.0.0.251 is a link-local multicast address that
# routers do not forward between subnets, so this ACCEPT presumably does not
# make cross-VLAN discovery work by itself; an mDNS reflector/proxy on the
# router is the usual approach. Scope the rule to the zones that need it.
config rule
	option name 'Allow iot-mDNS'
	list proto 'udp'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	option family 'ipv4'
	 option src '*'
	option dest '*'

# NOTE(review): this gives every iot device unrestricted internet access, which
# contradicts the stated goal ("no internet access except for a couple of
# exceptions"). Dropping this forwarding and adding per-device iot -> wan rules
# for the allowed hosts would match the requirement.
config forwarding
 	option src 'iot'
	option dest 'wan'

# lan may open connections to iot (e.g. Home Assistant polling devices); there
# is no iot -> lan forwarding, so iot cannot initiate connections towards lan.
config forwarding
	option src 'lan'
	option dest 'iot'

# NOTE(review): despite the name, this matches lan -> iot traffic from
# 192.168.1.152 (udp, source and destination port 6668). The lan -> iot
# forwarding above already permits it, so the rule appears redundant. If the
# intent was iot -> lan, src and dest are swapped.
config rule
	option name 'allow upd from iot'
	list proto 'udp'
	option src 'lan'
	option src_port '6668'
	option target 'ACCEPT'
	option dest 'iot'
	option dest_port '6668'
	list src_ip '192.168.1.152'

# NOTE(review): src '*' and dest '*' forward udp 6666 -> 6666 between all zones,
# including from wan. Restrict it to the direction actually needed (presumably
# src 'iot', dest 'lan', ideally with the Home Assistant address as dest_ip).
config rule
	option name 'allow upd 6666'
	list proto 'udp'
	option src '*'
	option src_port '6666'
	option dest '*'
	option dest_port '6666'
	option target 'ACCEPT'

This will never work, hostap uses single device only.
What do you expect from device isolation?

Set the country code on the 5GHz radio too.
No harm in having all access points on all bands.