VLAN setup with dumb AP and x86

Hi, I'm pretty lost as to how I need to set things up to make them work as desired.
I have two OpenWrt devices.
The first is the x86 main router, and the second is the dumb AP (Archer C7 v2), which also has physically connected devices (it's more physically reachable, so I'm using its LAN ports rather than the x86's ports).
I want to create 3 (additional) isolated WiFi networks:
one for guests, one for IoT with internet disabled, and one for IoT with internet enabled.
I only have 1 cable connecting the two devices, and all of the clients are connected via the dumb AP.
What configuration do I have to use to make it work as wanted?

I tried reading the wiki pages for VLANs and watching some tutorials on YouTube, but it's all very confusing, and since the use cases and physical device scenarios are different, I can't seem to make sense of what I have to configure.
I would really appreciate any help.


The first 3 videos I linked on the dumb AP wiki page will get you set up.

I just watched the first video before I posted the message, but in his setup he uses two different ports of the main router, one for untagged (internal LAN) and the second for the tagged VLANs, but I'm only using a single port.
Is it not possible?

I can't really use the first video, since he's saying that while configuring I'll need to use the port with the untagged VLAN, but I don't have such a port in use; it's all going through the AP.

The x86 router is your first step. Configuring VLANs on that should be as simple as using dotted notation. For example, using device eth0 would mean that the network is untagged on the port. Changing that to eth0.x would put the network as tagged using VLAN ID x (so eth0.6 is tagged VLAN 6).

Create your networks on the x86 system and then post the files for review. Then we can move on to the AP.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

But according to the video, I shouldn't create a tagged VLAN on the same port that the AP (which I'm connected through) is connected to.
Right now the x86 has the following /etc/config/network file:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'x:x:x::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

config interface 'lan'
	option device 'br-lan'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option proto 'static'
	list dns '192.168.1.1'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth0'
	option reqaddress 'try'
	option reqprefix 'auto'
	option auto '0'

So eth0 is WAN and eth1 is the port that the AP is currently connected to.
What should I change?

I haven't watched the video, but I don't understand why they're telling you not to add a tagged VLAN.... that's how VLANs work.

A possible explanation is that some people (and devices) don't like mixing tagged and untagged networks on the same port. The thinking is that if you're using VLANs, all networks should be tagged (nothing untagged). The 802.1q standard does allow you to have an untagged network on a trunk port, but you will find people advising not to do this.

This stanza below will set up a new network with VLAN ID 10. You'll also need to set up a DHCP server and firewall rules for this, but this is all you should need on the x86 side in the network config file.

config interface 'iot'
	option device 'eth1.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option proto 'static'

On the dumb AP, you will setup a similar thing (VLAN ID 10, tagged) on the switch port that connects to the x86 router. Then it will be added to a bridge, and the network interface will use that bridge (but it will use proto 'none' since you don't need the AP to have an address on that network). If you want to share your network config file from the C7, I can help there, too.

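As an added example (not code from the thread or from psherman), the following POSIX shell script emits the `uci` commands for one isolated network on the x86 side, covering all three files the reply mentions: the tagged `eth1.N` device with a static address, a DHCP pool, and a firewall zone that rejects input and forwarding by default, with only DHCP (and, for the internet-enabled network, DNS plus a forwarding to `wan`) punched through. Using `eth1` as the trunk towards the AP, a zone named `wan`, and the network names and addresses are assumptions for illustration; the offline network deliberately gets no DNS from the router, since a resolver that forwards upstream is itself a path out.

```shell
#!/bin/sh
# Added example, not from the thread: emit the uci commands that create one
# isolated VLAN network on the x86 router. Assumptions (illustrative): the
# trunk towards the AP is eth1, the upstream zone is 'wan', and the names
# and addresses are whatever the caller passes in.

# gen_rule <zone> <rule_name> "<protos>" <dest_port>
# An ACCEPT rule with src but no dest only allows traffic to the router itself.
gen_rule() {
  printf "uci add firewall rule\n"
  printf "uci set firewall.@rule[-1].name='%s'\n" "$2"
  printf "uci set firewall.@rule[-1].src='%s'\n" "$1"
  printf "uci set firewall.@rule[-1].dest_port='%s'\n" "$4"
  printf "uci set firewall.@rule[-1].target='ACCEPT'\n"
  for p in $3; do
    printf "uci add_list firewall.@rule[-1].proto='%s'\n" "$p"
  done
}

# gen_isolated_vlan <name> <trunk_if> <vid> <router_ip> <internet:yes|no>
gen_isolated_vlan() {
  name=$1; trunk=$2; vid=$3; ip=$4; internet=$5

  # network: tagged sub-interface on the trunk; the router owns the address
  printf "uci set network.%s=interface\n" "$name"
  printf "uci set network.%s.device='%s.%s'\n" "$name" "$trunk" "$vid"
  printf "uci set network.%s.proto='static'\n" "$name"
  printf "uci set network.%s.ipaddr='%s'\n" "$name" "$ip"
  printf "uci set network.%s.netmask='255.255.255.0'\n" "$name"

  # dhcp: a pool on that interface
  printf "uci set dhcp.%s=dhcp\n" "$name"
  printf "uci set dhcp.%s.interface='%s'\n" "$name" "$name"
  printf "uci set dhcp.%s.start='100'\n" "$name"
  printf "uci set dhcp.%s.limit='150'\n" "$name"
  printf "uci set dhcp.%s.leasetime='12h'\n" "$name"

  # firewall: zone defaults reject everything towards the router and
  # towards other zones; the only holes are the ones added below
  printf "uci add firewall zone\n"
  printf "uci set firewall.@zone[-1].name='%s'\n" "$name"
  printf "uci set firewall.@zone[-1].network='%s'\n" "$name"
  printf "uci set firewall.@zone[-1].input='REJECT'\n"
  printf "uci set firewall.@zone[-1].output='ACCEPT'\n"
  printf "uci set firewall.@zone[-1].forward='REJECT'\n"

  # every client needs DHCP from the router
  gen_rule "$name" "Allow-$name-DHCP" udp 67-68

  # only the internet-enabled network gets DNS and a path to wan; nothing
  # is ever forwarded into lan, so the trusted side stays unreachable
  if [ "$internet" = yes ]; then
    gen_rule "$name" "Allow-$name-DNS" "tcp udp" 53
    printf "uci add firewall forwarding\n"
    printf "uci set firewall.@forwarding[-1].src='%s'\n" "$name"
    printf "uci set firewall.@forwarding[-1].dest='wan'\n"
  fi
}

# The two networks from this thread; run the output on the router to apply
# it, e.g.:  sh this_script.sh | ssh root@192.168.1.1 sh
gen_isolated_vlan iot_online  eth1 10 192.168.10.1 yes
gen_isolated_vlan iot_offline eth1 11 192.168.11.1 no
printf "uci commit network; uci commit dhcp; uci commit firewall\n"
printf "/etc/init.d/network reload; /etc/init.d/dnsmasq reload; /etc/init.d/firewall reload\n"
```

Review the generated commands before piping them anywhere; the `uci add ... @section[-1]` idiom always appends a new section, so running the script twice produces duplicate zones and rules.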

Huge thanks for your help!

I added 2 VLANs and added DHCP and firewall configuration on the x86. Please correct me if I'm wrong.
/etc/config/network:

...

config interface 'iot_online'
        option device 'eth1.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option proto 'static'

config interface 'iot_offline'
        option device 'eth1.11'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        option proto 'static'

...

/etc/config/dhcp:

...

config dhcp 'iot_online'
        option interface 'iot_online'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'iot_offline'
        option interface 'iot_offline'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

...

/etc/config/firewall:

...

config rule
        option name 'Allow-iot-offline-DHCP'
        list proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'
        option src 'iot_offline'

config rule
        option name 'Allow-iot-online-DNS'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        option src 'iot_online'

config rule
        option name 'Allow-iot-online-DHCP'
        list proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'
        option src 'iot_online'

...

Now, on to the C7.
This is /etc/config/network on the Archer C7:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'x:x:x::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        option ifname 'eth0.2 eth1.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option ipv6 'auto'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

Looking at the configuration, I guess there are remnants here from when this device was the router too (two VLANs, for WAN (1) and LAN (2,3,4,5)?).
While we're at it, what should I change to make all 5 ports the same?
And on the subject, what needs to be changed to support the VLANs created on the x86?

What version of OpenWrt is running on the C7?

ubus call system board

The VLANs on the x86 machine look good, as do the dhcp and firewall rules. The only things I don't see are the zone definitions that you are using for those, as well as any zone forwarding rules.


It's an SFE/Flow-offload version from some years back, if memory serves me... (might be gwlim's builds).

{
	"kernel": "5.4.24",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
	"model": "TP-Link Archer C7 v2",
	"board_name": "tplink,archer-c7-v2",
	"release": {
		"distribution": "OpenWrt",
		"version": "SFE",
		"revision": "r12706-1fb3c003d6",
		"target": "ath79/generic",
		"description": "OpenWrt SFE r12706-1fb3c003d6"
	}
}

Forgot about the zones and forwarding rules. Is this correct?

config zone
        option name 'iot_online'
        option network 'iot_online'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

config zone
        option name 'iot_offline'
        option network 'iot_offline'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'

config forwarding
        option src 'iot_online'
        option dest 'lan'

config forwarding
        option src 'iot_offline'
        option dest 'lan'

Should I also have LAN-blocking rules like this?

config rule
        option src 'iot'
        option dest 'lan'
        option target 'DROP'
        list proto 'all'
        list dest_ip '192.168.1.0/24'
        option name 'Guest-Block LAN'

Do you want the iot networks to be able to initiate connections to your trusted lan? Usually it is the other way around. Also, the online zone should probably have forwarding to the wan zone so it can reach the internet.

As far as your AP goes, I'd recommend upgrading to the latest version of the official OpenWrt. What you are using is ancient. Do not keep settings when you do the upgrade; configure from scratch. Post the network config file when that is done.


Thanks for all of the comments! Changed to:

config forwarding
        option src 'iot_online'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iot_online'

config forwarding
        option src 'lan'
        option dest 'iot_offline'

I have Home Assistant running on my LAN, and I need two way connectivity for that only, so I'll just add a rule:

config rule
        option name 'Allow-iot-HA'
        list proto 'udp'
        list proto 'tcp'
        option dest_port '8123'
        option dest_ip '192.168.1.X'
        option target 'ACCEPT'
        option src 'iot_offline'
        # without 'dest' the rule only applies to traffic addressed to the router itself
        option dest 'lan'

This should do the trick, right?

I'll do the AP upgrade later today and post the configuration.

hi,

let me chip in a bit:

How do you need it exactly? With your forwarding rule above, any traffic initiated from lan to iot and the corresponding reply is allowed, but no traffic initiated from iot to lan is allowed.
So, do your IoT devices initiate traffic toward HA, or does HA poll your devices?

It should be verified, but I think that a few of the sensors I'm using initiate (push) updates to HA.
I'm not really sure about this, but for Tuya devices this might be the case (for example, the "local tuya" integration says it's using push and not polling for updates).

If this is the case, will the forwarding rule in combination with the traffic rule be what is needed?

If HA is not, for example, a Docker image running on your router itself but is running on a LAN host, then yes, you will need a traffic rule too to allow IoT-device-initiated traffic.

By flipping the target to DROP in the rule you can easily verify whether an IoT device works in push or pull mode.


Yes, that rule looks right. If it doesn't work, there may be some other things to investigate and/or experiment.


AP upgrade done, now running 22.03.4:

{
	"kernel": "5.10.176",
	"hostname": "AP",
	"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
	"model": "TP-Link Archer C7 v2",
	"board_name": "tplink,archer-c7-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.4",
		"revision": "r20123-38ccc47687",
		"target": "ath79/generic",
		"description": "OpenWrt 22.03.4 r20123-38ccc47687"
	}
}

here's /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'x:x:x::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5 1'
	option vid '1'

@psherman after upgrading the AP, can you say what the configuration on it should look like to enable the said VLANs?

Sorry for the delay. It should be pretty simple... although I don't know which physical port you're using to connect the dumb AP to the router and also I don't know how the logical-to-physical port mapping is setup on your device.

But let's assume that logical port 1 is your uplink... the following should work (add what you see below):

config device
	option name 'br-iotonline'
	option type 'bridge'
	list ports 'eth1.10'

config device
	option name 'br-iotoffline'
	option type 'bridge'
	list ports 'eth1.11'

config interface 'iotonline'
	option device 'br-iotonline'
	option proto 'none'

config interface 'iotoffline'
	option device 'br-iotoffline'
	option proto 'none'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 1t'
	option vid '10'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 1t'
	option vid '11'

Then, create the two SSIDs, and associate them with the respective networks.

Keep in mind that if you're not currently connected by the correct physical/logical port, those networks won't work... try the other ports in that situation, or adjust the config.

EDIT: Corrected a typo in the iotoffline network stanza.

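Added example, not code from the thread or from psherman: a small shell generator for the AP-side stanzas above, for swconfig targets like the C7. It assumes what the reply assumes: `switch0` with CPU port 0 behind `eth1`, logical port 1 as the uplink to the x86, VLAN 1 left untagged on the uplink, and the `switch_vlan` table index starting at 3 as in the reply. The CPU port and the uplink are tagged in every new VLAN and ports 2-5 are deliberately left out, so wired clients stay on VLAN 1; a VID of 1 (the existing management VLAN) or outside 2-4094 is rejected.

```shell
#!/bin/sh
# Added example, not from the thread: emit the /etc/config/network stanzas
# that carry extra tagged VLANs from the uplink port into per-network
# bridges on a swconfig AP. Assumptions (illustrative): switch 'switch0'
# with CPU port 0 attached to eth1, and the AP needs no address on the
# new networks (proto none).

# gen_ap_vlans <uplink_port> <first_free_table_index> <name:vid>...
gen_ap_vlans() {
  uplink=$1; idx=$2; shift 2
  for spec in "$@"; do
    name=${spec%%:*}; vid=${spec#*:}
    case $vid in
      ''|*[!0-9]*) echo "bad vid in '$spec'" >&2; return 1 ;;
    esac
    # VID 1 is the untagged management VLAN already in table entry 1
    if [ "$vid" -lt 2 ] || [ "$vid" -gt 4094 ]; then
      echo "vid $vid out of range (2-4094) in '$spec'" >&2; return 1
    fi
    # switch table entry: CPU port and uplink both tagged, no access ports
    printf "config switch_vlan\n"
    printf "\toption device 'switch0'\n"
    printf "\toption vlan '%s'\n" "$idx"
    printf "\toption ports '0t %st'\n" "$uplink"
    printf "\toption vid '%s'\n\n" "$vid"
    # bridge over the tagged CPU sub-interface so an SSID can be attached
    printf "config device\n"
    printf "\toption name 'br-%s'\n" "$name"
    printf "\toption type 'bridge'\n"
    printf "\tlist ports 'eth1.%s'\n\n" "$vid"
    # proto none: the AP itself needs no address on these networks
    printf "config interface '%s'\n" "$name"
    printf "\toption device 'br-%s'\n" "$name"
    printf "\toption proto 'none'\n\n"
    idx=$((idx + 1))
  done
}

# The two networks from this thread, appended to the existing config:
#   gen_ap_vlans 1 3 iotonline:10 iotoffline:11 >> /etc/config/network
gen_ap_vlans 1 3 iotonline:10 iotoffline:11
```

The `ports` string uses the switch's logical numbering; if the AP is actually cabled through a different port, pass that port number instead of 1, as the reply warns. After appending, `swconfig dev switch0 show` on the AP lists the resulting table and is the quickest way to confirm the uplink port really carries the new VIDs.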

I set up two WiFi networks, one for each iot* network.
iot-online seems to work fine now, thanks!
But iot-offline does not. In LuCI -> Network -> Interfaces, I see Error: Network device is not present.
Trying to connect to the attached WiFi network produces a "couldn't get an IP address" error.

Let's see the config files (network and wireless).
let's see the config files (network and wireless).