Vlan trunk over wlan

bhubert1978 · July 31, 2017, 2:26pm

hi ppl,

I came a long way from dd-wrt over openwrt now to lede

I really hope somebody can give me an anwer on my question if this is possible:

I have a firewall which handles my four vlans. now I have two archer c7v2 with lede on them. I want to create a trunked port on archer #1 with all vlans - start an ap with 2.4 and 5ghz and start a ssid per single vlan.

now the deal is to create an additional ssid which archer #2 will be client of (over wlan) - receive all trunked vlan traffic over wlan and re-broadcasts all ssid / vlans again on 2.4 and 5ghz.

I am not sure if I am allowed to put in external links but I imagine something like this would work:

https://coredump.net.au/tp-link-archer-c7-multiple-ssid-and-vlan-tagging-with-openwrt/ (mutliple vlans/ssids)
https://dev.openwrt.org/ticket/19561 (vlan trunk over wlan)

if there is anyone who could help me on that one I really really would appreciate it - I am even willing to pay some bucks to get a working configuration - I have tried hours and hours with configs out of the internet, never succeeded

thanks in advance, regards, Hubert

corrideat · August 1, 2017, 9:37am

I'm not entirely sure I follow what you want to do, or what you currently have working.

Do you have VLANs working on your primary C7? I can help you with that.

Regarding the secondary C7, you have three options:

Connect it using a wired connection. This is what I would recommend.
Tunnel Ethernet somehow (for example, using EoIP), and connect your secondary C7 to your primary C1, then use the tunnel to provide the different VLANs. This is the preferred solution if using a wired connection isn't an option and you have a lot of VLANs.
Connect your secondary C2 as a wireless client to each of your different VLANs, and then configure it as a wireless bridge for each. This is simple but doesn't scale.

bhubert1978 · August 1, 2017, 11:36am

hi corrideat

thanks for your answer, right now I don't have any vlans configured on my tplinks. that should be not that problem at all I think. The problem is that tunneling - which I really need because there is no chance to get a cable there so I need to roll out my networks over wlan...

is it possible for a tplink to act as a client bridge and access point at the same time (which most probably would be needed so that I can connect tplink2 to tplink1?)

Thanks, hubert

joe_internet · August 1, 2017, 6:53pm

Why not use a VPN or L2TPv3 tunnel (option 2 above)?

I did something similar by using pseudowire over a point-to-point wireless link between two buildings. I bridged the pseudowire on the other side and distributed my vlans to individual SSID's. If you want wired, you could bridge the wired interfaces as well on either side.

Performance might not be awesome, and you'll need to do some MTU experimentation to ensure packets aren't squashed when they enter the tunnel, but either of these options might get you in the right direction.

skids · August 1, 2017, 7:22pm

Look for material on "WDS" clientmode.

https://wiki.openwrt.org/doc/howto/clientmode

It is good you have two matching APs. Never done it, but you'd be looking at the mac80211 WDS implementation:

https://wiki.openwrt.org/doc/recipes/atheroswds

...and you'd need to set up one transparent WDS bridge for each vlan, I think, because I don't believe even the "4-address format" has a usable VLAN tag... though I could be wrong there.

corrideat · August 9, 2017, 6:41pm

I'm confused now. Isn't this thread about VLANs and WLANs? If you don't have VLANs, the setup is quite simple. If you do have VLANs, you will need some sort of tunnelling mechanism (or, alternatively, you can modify the mac80211 implementation to send VLANs over the air, which I wouldn't recommend.)

If you don't have VLANs yet, but want to add them, the switch documentation will get you started. I highly recommend you get VLANs working first, as then you can do the bridging based on your setup (unless you choose option 3, no tunnelling, in which case the setup steps remain the same.)

Yes, it is possible (see @skids's links) . However, if you do this with the same radio, you will have to use the same channel for both your clients and for bridging, which could affect performance. I haven't looked into doing this (nor know if the C7 supports it), but 802.11s might help somehow. If you must bridge wirelessly, it may be wise to get a dedicated USB radio for the client part and using the internal radios for the AP parts.

The reason performance is hurt when you use the same radio is because you essentially halve the transmission rate (you need to split the bandwidth between the stations and the main AP.) If you use the same channel (or an overlapping one), you also introduce noise to the medium, as Wi-Fi synchronisation only works between an AP and its associated stations, but not across APs.)

If you are not using 802.1X (so called WPA-Enterprise or WPA2-Enterprise), and you have VLANs, each VLAN is a different SSID, and you don't have a lot of VLANs (I'd say, no more than 2-5), option 3 in my original response requires no tunnelling and still is the simplest to set up.

Adding to @joe_internet, how I would do tunnelling would be more or less:

tplink1: Add a dedicated VLAN for bridging. Set up a tunnling protocol of your choice here.
tplink2: Connect to dedicated bridging VLAN. Configure the tunnel client. Replicate the VLAN and SSID configuration in tplink1 using the tunnel.
Enjoy your extended coverage.

I don't know what you're dealing with, and WLANs may very well be the sole option you have. However, if you have other sorts of wiring available, such as coaxial or electrical, there exist devices and protocols to use these to transmit ethernet traffic. (WiMAX can also do what you need, but it may be a case of over-engineering in this case.) What all these solutions have in common, including WLANs, is that performance is usually not great.

EDIT: About the USB radio suggestion: since the C7 has two radios, you could technically use one of the radios for connecting to tplink1 and the other one for stations. However, by doing this you forefeit using two bands for stations, which is disadvantageous (you'll most likely bridge over 2.4GHz, leaving 5GHz only for clients, which not all devices may support). I just wanted to point this out to explain my reasoning.

jeff · August 10, 2017, 5:12pm

Create multiple SSIDs, one for each VLAN that needs to be trunked to the other router.

I can confirm that this works like a charm with multiple Archer C7s and the VLANs allows me to put my IoT devices on their own "dead-end" VLANs, firewalled off from the outside world and the rest of my internal networks. With multiple SSIDs available on each of the radios, there is no need to "sacrifice" a band to backhaul.

golialive · August 11, 2017, 1:18pm

I don't get it. We already discussed it in detail.

I used gretap through any trusted IP connection. No matter if its WDS, wifi client, any VPN you like or powerlan. As long as you use gretap to tunnel through any IP connection, there's nearly no overhead to the tunnel itself ans you can easily use that gretap tunnel as vlan trunk assigning e.g. @trunk.100 for vlan 100.

See:

https://forum.openwrt.org/viewtopic.php?id=71080

I even provided you with a working example that I confirmed to be working on Virtualbox.

gist.github.com

https://gist.github.com/stephanschuler/6f1e0ef82e0fe2451b9e817a04fb432e

network AP1

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd88:568f:bf94::/48'

config interface 'wan'

This file has been truncated. show original

network AP2

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd88:568f:bf93::/48'

config interface 'wan'

This file has been truncated. show original

bhubert1978 · September 14, 2017, 11:18am

hi Stephan,

sorry for the long delay in responding and sorry to disturb you more than I should. I have now tried to apply your config on my archers but to be honest, I even was not able to install gretap - only gre package was available on lede?! (opkg install gre)...

as far as I see I have to do this configuration over Shell, which should be no Problem. Though I have a question on the configuration. where you wrote "Of course this is only for demonstration. Use wifi and wifi client instead. But wifi client isn't covered by my example." I will put the WLAN interfface instead of eth2 and on the other archer I will first connect to the ssid like "tunnel" and then apply this config with Interface "WLAN.xxx" right?

then I will add the vlans to the trunk on both sides and the trunk to the tunnel Interface right? sorry for asking I am just trying to understand the whole concept.

thanks in advance, best regards

miketedeschi · November 8, 2017, 9:50pm

Thanks for the GRE suggestion. I have gretap working over wireless, sending vlans to the 2nd access point. Everything appears to work at first, but I have a problem. Dhcp devices get ip addresses and can ping just fine, but most tcp connections fail.

I have tried playing with the mtu settings but no luck. Any ideas? This setup is so close to working perfectly....Thanks

Also, what if I wanted multiple of these satellite access points? A gre tunnel isn't scalable since its not ptmp, would openvpn tap without encryption be a good option?

Ubiquiti firmware does multiple vlans just fine over WDS, but I'm not sure how, yet.