I'm relatively new at OpenWRT and need some help. Im using the tp-link AC1750 Archer C7 v5.6 with firmware version: OpenWrt 19.07.3 r11063-85e04e9f46 / LuCI openwrt-19.07 branch git-20.136.49537-fb2f363. I have the device setup as a Wireless Access Point per this tutorial: https://openwrt.org/docs/guide-user/network/wifi/dumbap.
I made two 5GHz SSID wireless networks. I want to make each of them seperate vlans and both vlans connect to Ethernet Port 1 on the back of the router, wich will connect directly to a port on a pfsense router. The idea is that each wireless access point would get its own subnet ip address from the router and I can keep the traffic on bother wireless access points seperate from eachother.
Does this setup make sense or is there a better way to do this? Can someone point me in the right direction on how to setup the vlans and map them to the wifi networks and ports? I'm not sure what to search for so my searches arent getting me there.
Go to Network -> Switch -> Add VLAN and create the additional VLAN's you want. You would then need to configure them as "tagged" on the Ethernet Port towards the PFSense. Also would need have them tagged on the CPU.
Network -> Interface - Add new Interface. Create a new Interface with Protocol Unmanaged and on Physical Settings choose the VLAN.
In your Wireless settings for the respective SSID under "Network" choose the Interface
I have the same doubt, regarding that matter. I've got a main router that "deploys" the vlans through the network (i have more than one) and the idea is to broadcast several SSIDs according to the vlans. For instance:
One of the LAN ports on the main router acts as a "trunk": it does not pass untagged LAN traffic, but tagged traffic for the three VLANs.
The WAN port on the OpenWrt receives all three VLANs, and bridges each one with one wireless interface (notice you bridge the wireless interfaces to the WAN interfaces, not LAN). It can be a DHCP client on each network (so you can reach it from the main router, for example). And you can also separate the LAN ports, and bridge each one to a WAN interface.
In this setup the OpenWRT Device would only act as a AP not a router. You would create 3 Interfaces/VLAN's on the AP and tag them on the Trunk Port to the Main Router. Then in each Wifi SSID config you would bound it to the respective Interface/VLAN just as I explained in the post above.
The interface to the Main router can be physically WAN or LAN port of your OpenWRT device you would normally in this case not configure WAN Zone but make them all LAN.
Networks which only pass through as a wired to wireless converter should be defined as type Unmanaged bridges. Type Unmanaged (in the CLI, option proto none) means that the kernel does not hold an IP address on these networks, which makes it impossible for a hacker to access the router with a ssh etc connection. It is not necessary to have firewall zones or rules for these since they operate at layer 2.
Before trying to set up VLANs, at least temporarily set up a wifi AP on the lan network and log in via that connection. Then even with the Ethernet broken you still have access.
I tried to follow and read more about OpenWRT, but i couldn't achieve the outcome i was thinking about. Remember im configuring an access point, so im using the lan ports. First i tried like this, but i realized the untagged traffic wasent passing (where the access to the device is):
No problem when i access the vlan (on port lan3), but theres a problem on untagged traffic (on ports lan2/4).
The main router "deploys" in the same line (lan1) 1 vlan + untagged traffic. It seems OpenWRT can't "read" a port where exists the Vlan and untagged traffic togeather. Remember im configuring an access point, so im using the lan ports.
If i could, i would configure something like this on the switch (with 1 Vlan + untagged traffic), but it wont let me:
LAN1 is the "trunk"(vlan30) + untagged traffic (all in the same cable)
LAN2 is accessing the untaggged traffic
LAN3 is accessing vlan30
LAN4 is accessing the untagged traffic
I marked the CPU as untagged for the untagged traffic, and tagged on vlan30... what am i doing wrong?
Your second configuration will not work. Do not try to mix tagged and untagged packets on the same port. The CPU must be tagged in all VLANs that you want to enter the CPU. In the network physical settings, change any instances of eth0 to eth0.X with the proper VLAN number. Do not connect anything to plain eth0.
The AR934x internal switch is limited to 16 VLANs, so when setting up your own network, use VLAN numbers between 1 and 15.
If you must connect to an existing network using higher numbers, there is a way to make it work but it requires CLI configuration.
Another way around this limitation of this model would be to use the WAN port for the trunked cable. That port connects directly to the CPU as eth1, bypassing the switch. You can use eth1.X with any 802.3Q number to emit or receive tagged packets.
Mostly because the Linux kernel passes all packets that arrive to the parent interface e.g. eth0 even if they are tagged.
The standards do say that it is OK to mix tagged and untagged packets on a cable but this is something that is problematic in consumer grade equipment.
Ok, so there's absoltely no way i can receive untagged and tagged traffic on the same port? That will be difficult, as most devices i have are in the "untagged" lan... the goal here was to have that vlan30 and untagged traffic received in the same cable to "deploy" to different SSID (to wifi). Any workaround you could advise, besides configuring the "main" router to pass all "untagged" traffic to a vlan? - but that will cost a lot of money on new 802.1q 48port switches...
I have it configured like this: (draytek -> main router; openwrt -> ap; ignore vlan 1 and 2)
Thank you for all the knowledge and effort, but i found impossible to have this working like the last picture. Seems that the chip isnt able to "read" tagged+untagged traffic. It works if i hadnt got the untagged vlan (native vlan) together with the tagged one, i experimented with tagged vlans only and works like a charm... Its a pity, but well, its life!
Hi @Ramon, I have Port1 and 4 are using the same vlans because i need the untagged traffic + the vlans on different unmanaged switches (P1 connects to a switch and P4 to another) so that the end device can connect either to a vlan or to the untagged traffic, so the "trunk"+untagged will always be available to choose in the end. For instance, connecting to those unmanaged switches, i have 2 ubiquiti APs so i need to have different vlans that they can connect to. (and of course i need a lot more of APs, so this would be an excellent solution).
For your suggestion on the image, i suspect the openwrt router will broadcast those 3 vlans (1,2,3) to SSIDs with no problem, but those devices in Vlan1 (tag 10) wont be able to connect to the unmanaged devices (with no vlan tags - the point of having vlans is to separate networks)... so the openwrt would do the job fine, according to your proposed solution (assuming port1 is connected to the openwrt router) - but no connection between the untagged devices in the same LAN1 (tried it already).
I would love an hybrid solution, where i could connect a cable coming from the draytek with vlans+untagged and it would allow me to broadcast SSIDs with untagged or untagged traffic... if thats simply not possible because of the chip, ill go with the ubiquitis (i quit lol).
It depends on how the drayton is doing bridging. It looks like you can select a network for each VLAN, so chances are if you use the same, i.e. "LAN1" then they will be bridged. So the devices on the VLAN1 (id 10) from the OpenWrt will be able to connect to the devices on VLAN0 (untagged).
But will, like i said i dont know the drayton SW. It depends on how they implemented it...
