VLANs configuration in AP mode with r7800 and pfsense firewall

Hi all,

I just finished setting up a number of vlans inside openwrt running in ap mode from a netgear r7800 in combination with a pfsense firewall and a couple of netgear switches in the middle of the two. Everything works well, or so it seems to me, but I would really appreciate it if you knowledgeable guys here could confirm that what I did is correct, since I am not totally sure.

While the vlan configuration at the pfsense and netgear switches level is quite clear to me now, it is not really the case for the openwrt part; I still have some doubts on why things are the way they are and I am not sure whether my settings are safe and optimal. This is notably the case when it comes to the Switch configuration. Here is a screenshot https://postimg.cc/4mvNVhWb and below:

My network configuration is as follows: I have about 10 vlans distributed between two physical networks/nics at the pfsense router level (out of the 5 available, plus the WAN): LAN and OPT1. Ethernet cables connect the 2 nics with two switches, and the 2 switches with the openwrt ap lan ports 1 and 2 respectively. I assigned (tagged) the vlans to lan1 or lan2 depending on whether these ports are connected to LAN/switch 1 or to OPT1/switch 2. So 20 runs from lan 1, the rest from lan 2.

As for the interfaces, they all are unmanaged except for the one through which I access the openwrt web management page, which is my fully "trusted" vlan (20). All have the "bridge interfaces" under physical settings enabled and the firewall is always unspecified. Needless to say that dnsmasq, firewall and odhcpd are disabled under system/startup.

Here are the questions I am asking myself:

1- Is this configuration globally acceptable/correct/safe?

2- Is it optimal?

3- By default, openwrt comes with vlans 1 and 2. My understanding from the openwrt documentation is that vlan 1 corresponds to lan network and vlan 2 to the wan one. Is this right? Do I still need these two in my current configuration?

4- Inspired by some post I found on the net for a similar router with openwrt as an ap, I decided to tag all my vlans under "CPU (eth0)", but my understanding is that I could also tag them under "CPU (eth1)", right? Any difference? Should I use both combined?

5- Can I get rid of the default lan interface (vlan 1)? I have disabled it for the moment.

6- What about the WAN port? Is there something I could/should be doing with it?

Thanks!

I would avoid mixing untagged and tagged frames in the same link. Use only tagged.

If you don't use them, you can delete them. Since anyway the management interface is vlan20, then they serve no purpose.

One CPU is dedicated to the lan and the other to the wan. So if you are tagging frames on the lan ports, better use the lan cpu.

Sure

It's up to you, you can use it as you please.

1 Like

Thanks a lot for this complete and quick reply, it really helps.

Just to be completely sure I understand your recommendations:

  • In order to avoid mixing tagged and untagged frames in the same link (port?) and since I do not need vlan 1, I can just delete vlan 1 and this problem is solved.

  • If I delete vlan 2 (wan), this will not have any impact on internet connection. I recall now from reading the documentation that vlan 2 deals with the firewall, and since this is running in ap mode, there is no firewall, right?

  • Since I am tagging frames in the lan cpu, which is eth1, I should move all my current tagged vlans under eth0 to eth1. When I move them, I will have to modify (rebridge) the interfaces. Will I lose access to the ap/the management portal when moving my trusted vlan 20 from eth0 to eth1?

Thanks!

Yes, that is correct.

I believe the internet for this device is from vlan20, therefore no impact. Vlan2 is just a vlan, nothing to do with the firewall.

If it works you can leave them where they are, don't bother. If you were doing it from the beginning I'd tell you to tag them on eth1.

1 Like
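Written out as a UCI config, this is the setup the replies recommend: tagged-only ports, VLANs tagged on CPU eth1, default vlan 1 and 2 removed, and an address only on the management VLAN 20. It is an added example, not the original poster's configuration or the screenshot; VLAN 30, the port-to-jack mapping and the IP addresses are assumptions.

```uci
# /etc/config/network on the R7800 (swconfig, 19.07-style syntax).
# Port numbers follow the R7800's default layout: 6 = CPU (eth1), 0 = CPU (eth0),
# 5 = WAN jack, 1-4 = LAN jacks. Which LAN jack is LuCI's "LAN 1"/"LAN 2" is
# ASSUMED below (ports 4 and 3); confirm on the Switch page or in /etc/board.json.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	# no vlan 1 / vlan 2 entries: every jack is tagged-only, and the WAN jack
	# and CPU (eth0) belong to no VLAN at all

# VLAN 20 (management): tagged on the jack wired to switch 1 and on the LAN CPU.
config switch_vlan
	option device 'switch0'
	option vlan '20'
	option ports '4t 6t'

# VLAN 30 (assumed id) comes in from switch 2 on the second jack, tagged only.
config switch_vlan
	option device 'switch0'
	option vlan '30'
	option ports '3t 6t'

# The only interface with an address, so the AP is reachable only from VLAN 20.
# 192.168.20.0/24 and the pfSense gateway address are assumed.
config interface 'mgmt'
	option type 'bridge'
	option ifname 'eth1.20'
	option proto 'static'
	option ipaddr '192.168.20.2'
	option netmask '255.255.255.0'
	option gateway '192.168.20.1'
	option dns '192.168.20.1'

# Every other VLAN is an unmanaged bridge: no IP, so the AP has no layer-3
# presence on guest/IoT networks and pfSense stays the only router and firewall.
config interface 'vlan30'
	option type 'bridge'
	option ifname 'eth1.30'
	option proto 'none'

# /etc/config/wireless: an SSID joins a VLAN by naming that bridge interface.
config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option ssid 'guest-vlan30'
	option encryption 'psk2'
	option key 'CHANGE-ME'
	option network 'vlan30'
```

On the LuCI Switch page the same thing reads as "tagged" on the one LAN jack and on CPU (eth1) for each VLAN, and "off" everywhere else, including the WAN jack and CPU (eth0).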

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.