VLAN trunk and bridges with DSA

Hi,

I recently bought two Cudy WR3000S routers to replace my old Wi-Fi 5 hardware. I set them up as access points and they work great. I'm very happy with them. Since they are also my first DSA hardware, I'm not sure, however, if I set up the VLANs and bridges in the best or most efficient way. Hence, I would like some more experienced people to have a look at my configuration to see if I used the best possible approach. Thanks in advance!

My network design:
Both access points are connected to a managed switch, which in turn is connected to a router. Each connection is configured as a VLAN trunk, carrying four tagged VLANs. One of these VLANs is a management VLAN which the access points join in DHCP client mode. The other three VLANs are used for three separate wireless networks or SSIDs. The access points should just bridge each wireless network to the specific VLAN on the VLAN trunk port, but not get an IP address on these networks.

What I did:
On the access points I left the default br-lan bridge as it was and chose to use the wan interface as my VLAN trunk. The idea is, if I ever lose access to my devices over the management network or VLAN trunk port, I can connect to one of the lan ports directly and access the device.

I removed the default wan configuration and just set up four 8021q devices on the wan port: wan.10, wan.20, wan.30, wan.40.

With wan.40 I set up an interface of the type dhcp. This is the management interface. For each of the other 8021q devices, I then set up a bridge interface with the interface type none (as they should not get IPs) and added one of the 8021q devices. So, for example, I created a bridge called br-trusted and added the device wan.10 to it.

Then, in my wireless setup, each of the three SSIDs joins one of the bridge interfaces.

Two more notes:

  1. Just to be clear: My setup works as desired. All the wireless clients join the right networks and I can manage the access points just fine. The question is just whether there's a better way to achieve this on a DSA device.
  2. I disabled (or actually removed) firewall4, dnsmasq and odhcpd, as I don't need them on the access points.

Here's my network configuration:
/etc/config/network

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option peerdns '0'
	option delegate '0'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '10'
	option name 'wan.10'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '20'
	option name 'wan.20'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '30'
	option name 'wan.30'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '40'
	option name 'wan.40'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-trusted'
	list ports 'wan.10'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-internal'
	list ports 'wan.20'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'wan.30'
	option ipv6 '0'

config interface 'mgmt'
	option proto 'dhcp'
	option device 'wan.40'
	option delegate '0'

config interface 'trusted'
	option proto 'none'
	option device 'br-trusted'
	option defaultroute '0'
	option peerdns '0'
	option delegate '0'

config interface 'guest'
	option proto 'none'
	option device 'br-guest'
	option defaultroute '0'
	option peerdns '0'
	option delegate '0'

config interface 'internal'
	option proto 'none'
	option device 'br-internal'
	option defaultroute '0'
	option peerdns '0'
	option delegate '0'

(I left out some sections here that are irrelevant to the question, e.g. the loopback interface.)

And on the wireless side (just showing one wireless network or SSID as an example here):
/etc/config/wireless

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'MYSSID'
	option encryption 'sae-mixed'
	option ifname 'wifi1'
	option disassoc_low_ack '0'
	option key 'MYKEY'
	option ieee80211w '2'
	option ocv '1'
	option wpa_disable_eapol_key_retries '1'
	option sae_require_mfp '1'
	option sae_pwe '2'
	option auth_cache '1'
	option network 'trusted'

This SSID joins the bridge br-trusted. I have additional wifi-iface sections for the other two bridges br-guest and br-internal (and actually one per band, 2.4GHz and 5GHz).

Sidenote regarding the performance:
If anyone is wondering what kind of wireless throughput can be expected from this device: In close proximity (1-1.5m) of the access points I get about 920Mbit/s on the 5GHz band at 80MHz channel width. But even with the laptop on my desk, about 5m away from the AP and a wall and door in between, I still get around 700-800Mbit/s.
The CPU load in top hits a maximum of ~30% during the maximum throughput test in close proximity.
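The invariants the post relies on (each tagged VLAN device sits in exactly one bridge, only the management interface obtains an address, every SSID joins a bridge on a trunk VLAN) are easy to break silently when a section is copy-pasted. The following is an added example, not code from the post or from OpenWrt: a small checker that parses the UCI text format of /etc/config/network and /etc/config/wireless and reports violations of those invariants. The sample configuration embedded in it is a trimmed copy of the sections shown above; the function and variable names, and the assumption that the trunk port is `wan` and the management interface is called `mgmt`, are this example's own.

```python
"""Consistency checker for an OpenWrt access point on a VLAN trunk (added example).

Parses UCI text (config/option/list lines) and checks the invariants described
in the post: every 8021q device on the trunk port is bridged exactly once or is
the management VLAN; only the management interface gets an address (dhcp), the
per-SSID bridges use proto none; every wifi-iface joins an interface whose
device is one of those bridges.
"""
from collections import defaultdict
import shlex

# Constructed sample, trimmed from the post's own /etc/config/network.
NETWORK_CFG = """\
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'

config device
    option type '8021q'
    option ifname 'wan'
    option vid '10'
    option name 'wan.10'

config device
    option type '8021q'
    option ifname 'wan'
    option vid '40'
    option name 'wan.40'

config device
    option type 'bridge'
    option name 'br-trusted'
    list ports 'wan.10'

config interface 'mgmt'
    option proto 'dhcp'
    option device 'wan.40'

config interface 'trusted'
    option proto 'none'
    option device 'br-trusted'
"""

# Constructed sample, trimmed from the post's /etc/config/wireless.
WIRELESS_CFG = """\
config wifi-iface 'wifinet0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'MYSSID'
    option network 'trusted'
"""


def parse_uci(text):
    """Return a list of sections: {'type', 'name', 'options': {k: v}, 'lists': {k: [v]}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the quoted UCI values
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": defaultdict(list)}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur["lists"][parts[1]].append(parts[2] if len(parts) > 2 else "")
    return sections


def check_trunk_config(network_text, wireless_text, trunk_port="wan", mgmt_iface="mgmt"):
    """Return a list of human-readable problems; an empty list means the config is consistent."""
    net, wl, problems = parse_uci(network_text), parse_uci(wireless_text), []
    vlan_devs, bridges = {}, {}               # 8021q name -> vid, bridge name -> ports
    for s in net:
        o = s["options"]
        if s["type"] != "device":
            continue
        if o.get("type") == "8021q" and o.get("ifname") == trunk_port:
            vlan_devs[o["name"]] = o.get("vid")
        elif o.get("type") == "bridge":
            bridges[o["name"]] = list(s["lists"].get("ports", []))
    ifaces = {s["name"]: s["options"] for s in net if s["type"] == "interface"}

    dev_to_bridge, dev_to_iface = defaultdict(list), defaultdict(list)
    for br, ports in bridges.items():
        for p in ports:
            dev_to_bridge[p].append(br)
    for name, o in ifaces.items():
        dev_to_iface[o.get("device")].append(name)

    # 1. each trunk VLAN device is used exactly once: bridged, or directly by an interface
    for dev, vid in vlan_devs.items():
        brs, direct = dev_to_bridge.get(dev, []), dev_to_iface.get(dev, [])
        if len(brs) > 1:
            problems.append(f"{dev} (VLAN {vid}) is a port of several bridges: {brs}")
        if brs and direct:
            problems.append(f"{dev} (VLAN {vid}) is both bridged ({brs}) and used directly by {direct}")
        if not brs and not direct:
            problems.append(f"{dev} (VLAN {vid}) is defined but unused")

    # 2. only the management interface obtains an address on the trunk
    for name, o in ifaces.items():
        dev, proto = o.get("device"), o.get("proto")
        on_trunk = dev in vlan_devs or (dev in bridges and any(p in vlan_devs for p in bridges[dev]))
        if not on_trunk:
            continue                          # e.g. br-lan with the static fallback address
        if name == mgmt_iface:
            if proto != "dhcp":
                problems.append(f"{name} should obtain its address via dhcp, has proto {proto}")
        elif proto != "none":
            problems.append(f"{name} on trunk device {dev} has proto {proto}; expected none")

    # 3. every SSID joins an existing interface whose device is a bridge
    for s in wl:
        if s["type"] != "wifi-iface":
            continue
        netname = s["options"].get("network")
        if netname not in ifaces:
            problems.append(f"wifi-iface {s['name']} joins unknown network '{netname}'")
        elif ifaces[netname].get("device") not in bridges:
            problems.append(f"wifi-iface {s['name']} joins {netname}, whose device is not a bridge")
    return problems


if __name__ == "__main__":
    for p in check_trunk_config(NETWORK_CFG, WIRELESS_CFG) or ["OK: configuration is consistent"]:
        print(p)
```

Run it against the real files with `check_trunk_config(open("/etc/config/network").read(), open("/etc/config/wireless").read())`; the bridge/VLAN mapping is derived from the text, so the `br-lan` fallback address is left alone because none of its ports are tagged trunk devices.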