VLAN traffic segmentation between AP, switch and router

Hi guys,

I have four Archer C7's configured as AP's. They are all similarly configured and wired to my x86 router (through manageable switch). It works great ... no issues whatsoever. AP's also double as edge switches for stuff that is connected by cable. Guest WiFi is handled by router itself for simplicity. Guest WLAN works from security perspective, but coverage is bad as my router radio is nowhere near as good as four Archer C7's...

So I would like to configure guest WiFi SSID's on AP's instead. Currently, all my LAN/WLAN traffic between AP<->switch<->router is untagged and trusted devices (whether they are originating from WLAN or cabled LAN) go into router through br-lan.

My first question would be: can I do this while still keeping my LAN traffic untagged, or do I have to start by reconfiguring my router and tagging all LAN traffic to begin with?

Second question: is it technically possible to achieve client isolation the same way as I have now (using only one WLAN interface in router) using four different AP's?

Thank you!

I would like my guest WLAN traffic (spanning four AP's) to use VLAN5 and "live" in 192.168.5.x address space. I have now done following for test purposes (on one of AP's):

  • Created VLAN 5 in AP switch, tagged CPU and LAN1 port to it. (AP is connected to rest of network on port 1)
  • Created "guest" SSID on one of my AP's (called "test").
  • Created additional interface called "guestap", gave it static address 192.168.5.7 and tagged it to interfaces eth0.5 and wlan1 (my new SSID).

I guess I now need to make sure my smart switch will keep VLAN5 traffic separate from untagged traffic all the way to router? And then set up interface/rules on router for VLAN5?

"client isolation" is a wireless term... yes, within the AP this operates in the exact same manner....

"guest vlan5 host isolation" assuming you're distributing and aggregating VLAN5 across all AP's would come down to the L3 handling ( router )... in other words, once they hit the VLAN they are "isolated" from the other VLANs ( assuming firewall is in place ), not each other... @jeff posted something about blackholing the native vlan that you might find relevant to your setup...

Depending on the switch, it either has a "blackhole" VLAN already (Cisco, for example, uses 4095), or you can create one yourself by not assigning it to untagged or tagged for any port. If you set the PVID to that blackhole VLAN, any untagged traffic that arrives will have nowhere to go.

While enterprise-grade switches and perhaps the switch chips in these all-in-one routers can be configured to reject incoming VLANs that aren't configured and/or untagged traffic, I've never looked into the driver used by OpenWrt to confirm how the switch chip is configured relative to those features.


Thanks for the reply. So basically, I can prevent devices from talking to each other by "client isolation", but only as long as they are connected to the same AP? If I have two devices on two different AP's being transported to the router as VLAN5, they will be able to chat to each other already in my 24-p switch, correct?

Is there a way to prevent this? Perhaps I could create a specific VLAN for each AP and then aggregate them in router? That way, they will not be able to chat to each other in switch?

Maybe one way would be ebtables on the AP's and have something like:

-d ! <vlangw> -j REJECT?

I found more info in this thread: Client isolation

It seems that this might be doable by tagging each guest AP with its own VLAN, then bridging them in the router through package "kmod-br-netfilter", which adds netfilter support for bridges. And then setting
echo 1 > /sys/class/net/br-guestlan/bridge/nf_call_iptables

Sounds plausible?

I will be answering my own questions:

Good news is that you can actually mix tagged and untagged traffic. I have successfully created guest WLAN on two of my AP's, tagged them both as VLAN5, got it to go through router through my switch, to be taken care of "Guest" zone/Interface. So "guest WLAN via AP" works!
Unfortunately, my clients can ping each other if they happen to be on different AP's.

I need some guidance on how to keep clients from reaching each other while on Guest WiFi.
Should I create one VLAN for each AP and then try to do some magic in the router (like using "kmod-br-netfilter"), or is there an easier way? I would prefer a solution where a device can "roam" between AP's with the same IP number.

Thanks.
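To make the question raised above concrete (whether guest clients on two different AP's, both carried as VLAN5, meet in the 24-port switch before the router ever sees them), here is an added Python model of 802.1Q forwarding. It is not from this thread or from OpenWrt; the topology, port names and VLAN numbers are constructed, and the blackhole VLAN 4095 mirrors the Cisco example given earlier in the thread. The model floods every frame to all members of the VLAN (no MAC learning), which is the worst case for isolation, and it drops tagged frames for VLANs a port does not carry, which, as noted above, not every switch chip is guaranteed to do.

```python
# Toy model of how a managed (802.1Q) switch forwards frames, used to check
# where guest-WLAN clients on different APs can reach each other.
# Constructed example for this thread; topology and VLAN numbers are made up.
from dataclasses import dataclass, field

BLACKHOLE_VLAN = 4095  # assumption: a VLAN no port is a member of (Cisco-style)


@dataclass
class Port:
    name: str
    pvid: int                                    # VLAN given to frames arriving untagged
    untagged: set = field(default_factory=set)   # VLANs sent out of this port untagged
    tagged: set = field(default_factory=set)     # VLANs sent out of this port tagged

    def member_of(self, vlan: int) -> bool:
        return vlan in self.untagged or vlan in self.tagged


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def classify(self, ingress: str, tag):
        """VLAN an arriving frame is placed in, or None if it is dropped.
        Untagged frames get the port's PVID; tagged frames keep their tag,
        but only if the port carries that VLAN tagged (ingress filtering)."""
        port = self.ports[ingress]
        if tag is None:
            return port.pvid
        return tag if tag in port.tagged else None

    def egress_ports(self, ingress: str, tag) -> set:
        """Ports the frame is flooded to (no MAC learning: worst case)."""
        vlan = self.classify(ingress, tag)
        if vlan is None:
            return set()
        return {n for n, p in self.ports.items() if n != ingress and p.member_of(vlan)}

    def forwards(self, src: str, dst: str, tag) -> bool:
        return dst in self.egress_ports(src, tag)


def single_guest_vlan() -> Switch:
    """Both APs and the router carry VLAN 5 tagged (the setup tested in the thread)."""
    return Switch([
        Port("ap1", pvid=1, untagged={1}, tagged={5}),
        Port("ap2", pvid=1, untagged={1}, tagged={5}),
        Port("router", pvid=1, untagged={1}, tagged={5}),
    ])


def per_ap_guest_vlan() -> Switch:
    """One guest VLAN per AP; only the router port carries all of them."""
    return Switch([
        Port("ap1", pvid=1, untagged={1}, tagged={5}),
        Port("ap2", pvid=1, untagged={1}, tagged={6}),
        Port("router", pvid=1, untagged={1}, tagged={5, 6}),
    ])


def blackholed_untagged() -> Switch:
    """AP ports whose PVID is a VLAN nobody is a member of: untagged ingress dies."""
    return Switch([
        Port("ap1", pvid=BLACKHOLE_VLAN, tagged={5}),
        Port("ap2", pvid=BLACKHOLE_VLAN, tagged={5}),
        Port("router", pvid=1, untagged={1}, tagged={5}),
    ])


def guest_to_guest_via_switch(sw: Switch) -> bool:
    """Can a VLAN-5 guest frame from ap1 reach ap2 without touching the router?"""
    return sw.forwards("ap1", "ap2", 5)


if __name__ == "__main__":
    print("single VLAN 5, ap1 -> ap2 directly:", guest_to_guest_via_switch(single_guest_vlan()))  # True
    print("per-AP VLANs,  ap1 -> ap2 directly:", guest_to_guest_via_switch(per_ap_guest_vlan()))  # False
    print("per-AP VLANs,  ap1 -> router:", per_ap_guest_vlan().forwards("ap1", "router", 5))      # True
    print("blackhole PVID, untagged from ap1:", blackholed_untagged().egress_ports("ap1", None))  # set()
```

With one shared VLAN5 the switch itself floods an AP1 guest frame to the AP2 port, so no firewall rule on the router can stop two guests from pinging each other. Giving each AP its own guest VLAN removes that shortcut in the switch, but it only moves the problem: the router's bridge of eth0.5 and eth0.6 then has to refuse to forward between its own ports, which is what the bridge-netfilter and ebtables suggestions earlier in the thread address.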
