Wireless AP with multiple SSIDs

Hi everybody,
I have a question similar to the one described here: Access point, multiple SSIDs, firewall

I have a router (Fritz!Box 7530) running OpenWrt, connected via modem to the internet. I have configured several interfaces (lan, iot, guest) via bridges (don't know whether this is the correct way/needed, but seems to work somehow). Each of these interfaces provides a different subnet (192.168.1.1, 192.168.2.1, 192.168.3.1).

Here's an excerpt of my /etc/config/network of the router:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'lan2'
        list ports 'lan3'
        option mtu '1500'
        option macaddr 'xxx'
        option txqueuelen '1000'

config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'lan4'
        option mtu '1500'
        option macaddr 'xxx'
        option txqueuelen '1000'
        option mtu6 '1500'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

The main router has three SSIDs defined (currently 4, one will be deleted as soon as the setup is working). One linked to 'lan', one linked to 'guest', and one linked to 'iot'. Hope this makes sense until here :-). In theory this seems to work. However, I have an access point (GL.iNet GL-B1300) hard wired via an unmanaged switch to lan1 of the main router and wanted that AP to repeat the same three SSIDs but failed. I (think I) got it working with just one SSID linked to lan of the AP, but not all three of them, supposedly because I need some kind of VLAN magic or so?

/etc/config/network of the AP is as follows:

root@GL-B1300:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '3 4 0'

config device
        option name 'eth0'

Using snapshot version of OpenWrt on the router and 22.03 on the AP. Can somebody enlighten me pls and guide me through this? Read what I found so far but could not get it working (or didn't understand it :-)) :-(. If something else is needed, please let me know.

Thanks in advance and have a nice day.
KR

Update:
Okay, doesn't work as intended. Tried to connect to the iot WLAN (linked to the iot interface which should be in the 192.168.2.1/24 subnet) but got a 192.168.1.x IP :-(. Any suggestions for that? Thanks!

Yes, you do.

You will need to connect the router and the AP directly, because there is no guarantee how the unmanaged switch will treat the (larger) tagged frames. You could move lan2 to the LAN and plug it into the switch if you need more wired lan ports.

Here is an example configuration:

Router
config device
        option name 'br0'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br0'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br0'
        option vlan '20'
        list ports 'lan1:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br0'
        option vlan '30'
        list ports 'lan1:t'
        list ports 'lan4'

config interface 'lan'
        option device 'br0.10'
        option proto 'static'
        ...

config interface 'iot'
        option device 'br0.20'
        option proto 'static'
        ...

config interface 'guest'
        option device 'br0.30'
        option proto 'static'
        ...

lan - vlan 10, lan1 and lan2 untagged
iot - vlan 20, lan1 tagged, lan3 untagged
guest - vlan 30, lan1 tagged, lan4 untagged

Router lan1 --> AP port number 3

AP
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.10'

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth0.20'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth0.30'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config interface 'iot'
        option device 'br-iot'
        option proto 'none'

config interface 'guest'
        option device 'br-guest'
        option proto 'none'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option vid '10'
        option ports '3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '20'
        option vid '20'
        option ports '3t 0t'

config switch_vlan
        option device 'switch0'
        option vlan '30'
        option vid '30'
        option ports '3t 0t'

Port 3 - vlan 10 untagged, vlans 20 and 30 tagged
Port 4 - vlan 10 untagged

You need to find out how ports 3 and 4 correspond to the physical interfaces.

If the AP is not handling tagged and untagged frames correctly on the same physical interface, you may need to set tagging for vlan 10 as well.

Back up the configurations before you start making changes in case you get locked out and need to reset the devices.

https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial#multiple_networks_using_vlans

https://openwrt.org/docs/guide-user/network/vlan/switch_configuration#assigning_vlan_ids_on_vlan-enabled_switch_hardware
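
An added example, not part of the original post or of OpenWrt: a small Python check that parses the VLAN sections of both configurations and compares the two ends of the router-to-AP cable (router lan1, AP switch port 3), because a VLAN that is tagged on only one end never reaches the bridge it belongs to. The function names and the condensed sample strings are constructed for illustration.

```python
import re

def vlan_table(cfg, section):
    """Parse 'bridge-vlan' (DSA) or 'switch_vlan' (swconfig) sections into {vid: {port: state}}."""
    table = {}
    for block in re.split(r"(?m)^config\s+", cfg)[1:]:
        if block.split()[0] != section:
            continue
        opts = {}
        for key, val in re.findall(r"(?m)^\s*(?:option|list)\s+(\S+)\s+'([^']*)'", block):
            opts.setdefault(key, []).append(val)
        vid = int(opts.get("vid", opts["vlan"])[0])  # swconfig: 'vid' overrides the table index
        for p in " ".join(opts.get("ports", [])).split():
            # swconfig ports look like '3' or '0t'; DSA ports like 'lan1', 'lan1:t', 'lan1:u*'
            name = p.rstrip("tu*") if section == "switch_vlan" else p.split(":")[0]
            flags = p[len(name):]
            table.setdefault(vid, {})[name] = "tagged" if "t" in flags else "untagged"
    return table

def trunk_issues(side_a, port_a, side_b, port_b):
    """Compare both ends of one cable; only tagged VLAN IDs have to match by number."""
    issues, ends = [], []
    for table, port in ((side_a, port_a), (side_b, port_b)):
        tagged = {v for v, p in table.items() if p.get(port) == "tagged"}
        untagged = {v for v, p in table.items() if p.get(port) == "untagged"}
        if len(untagged) > 1:
            issues.append(f"port {port}: untagged in several VLANs {sorted(untagged)}")
        ends.append((tagged, bool(untagged)))
    for vid in sorted(ends[0][0] ^ ends[1][0]):
        issues.append(f"VLAN {vid} is tagged on one end only")
    if ends[0][1] != ends[1][1]:
        issues.append("untagged frames are handled on one end only")
    return issues

# Constructed sample input: VLAN sections condensed from the configurations in this thread.
ROUTER = ("config bridge-vlan\n option vlan '10'\n list ports 'lan1'\n list ports 'lan2'\n"
          "config bridge-vlan\n option vlan '20'\n list ports 'lan1:t'\n list ports 'lan3'\n"
          "config bridge-vlan\n option vlan '30'\n list ports 'lan1:t'\n list ports 'lan4'\n")
AP_PROPOSED = ("config switch_vlan\n option vlan '10'\n option vid '10'\n option ports '3 4 0t'\n"
               "config switch_vlan\n option vlan '20'\n option vid '20'\n option ports '3t 0t'\n"
               "config switch_vlan\n option vlan '30'\n option vid '30'\n option ports '3t 0t'\n")
AP_ORIGINAL = "config switch_vlan\n option vlan '1'\n option ports '3 4 0'\n"

if __name__ == "__main__":
    router = vlan_table(ROUTER, "bridge-vlan")
    for ap in (AP_PROPOSED, AP_ORIGINAL):
        print(trunk_issues(router, "lan1", vlan_table(ap, "switch_vlan"), "3"))
```

With the sample data, the proposed AP configuration yields no issues, while the AP's original single-VLAN switch configuration reports VLANs 20 and 30 as tagged on the router end only.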

Thanks for your response. Unfortunately I cannot move lan2 to the lan2 - I strangely need two ports for the iot bridge (this is due to some wired y shaped network cable where I have to plug in 2 connectors from the Y cable into the router and the third into some kind of home system hub). Thus I fear I have to try how the unmanaged switch deals with VLANs?

That's the Y cable just for clarification:
image

If I got you right you would (for the iot VLAN) tag lan1 and untag lan2? How about lan3 that belongs to the iot bridge? I thought there can be only one untagged port?

Strangely lan2 and lan3 are connected with the "y network cable", but lan2 is shown as unconnected. However, a standard network cable instead of the "y cable" didn't work :-(. And I can't tag lan1 with this setup :-(.

Would this be how to setup? And a VLAN30 for the guest interface?

But then I have to include 'lan' also in the iot/guest bridge, correct? Just want to avoid playing around too much and locking myself out. That's a pain (and happened sometimes in the past :-))

Thanks a lot!

This is not a standard thing for normal ethernet. Ethernet cannot be 'split' directly. This type of cable is sometimes used to carry two 10/100 connections over a single structured cable installation (when running a second is not possible) by splitting the usual 4 pair cables into 2x 2-pair. You'd need one of these (or equivalent) on each side of the cable if this is what is happening. But this would result in a maximum of 100Mbps on each 'cable' rather than 1Gbps. And that is what we see on your connection.

What is on the other side of this cable (at the far end)?

Thanks - your explanation supports what I observe. On the other side of the cable ("at the far end") there are 2 network adapters (obviously mimicking the y cable) where I can connect a standard network patch cable to and connect anything to the LAN.

image

In my case I have an AP connected - the one I want to install multiple SSIDs to. The second port connects to some kind of hub if I remember correctly :-). What I don't get though is why a standard network cable won't work (at least for one of the two network adapters) - but... okay :-).

Can you remove the adapter you found on the far end? If so, you should be able to use a normal connection (that would support up to 1Gbps).

Unfortunately not. The speed is okay with me (for the time being :-)) - I just want to configure the AP properly.

Ok... so really, you can ignore one of the connections on the Y cable... only one should be active and necessary from what I can tell.

This could become an issue (the unmanaged switch, specifically)... these are not designed to carry VLANs and the behavior of tagged networks is undefined. As a result some switches may be fine, others may not work at all (or might cause major network issues), and some can sit somewhere in the middle.
(this is already covered by @pavelgl, of course).

I think @pavelgl already explained the VLAN configuration... are you having trouble with making that work?

Yes, I'm having issues making the VLANs work (as mentioned in my post where I linked the y cable picture). @pavelgl sent me some more instructions that I'm trying at the moment (thanks for that)!

That's my switch: Zyxel 16-Port Gigabit Ethernet Unmanaged Switch GS1100-16v3. Maybe I have to invest in a managed switch? Although that Zyxel is pretty new :-(. Any suggestions for a (cheap) smart switch, >= 12 ports?

Update: Something like that should work, right? https://www.amazon.com/Zyxel-24-Gigabit-Managed-Rackmount-GS1900-24E/dp/B00GU1KSHS/ref=sr_1_1?keywords=zyxel+GS1900-24E&sr=8-1

Or even cheaper: TP-Link TL-SG116E 16-Port
https://www.amazon.com/TP-LINK-Gigabit-Ethernet-Network-TL-SG116E/dp/B07GRG63P6/ref=mp_s_a_1_2?crid=SK34V7PY2X6R&keywords=TP-Link+TL-SG116E+16-Port&qid=1680346806&sprefix=tp-link+tl-sg116e+16-port%2Caps%2C297&sr=8-2

Thanks!

The gs1900-24e is fine, if you include the used markets into your search, you may score one for just under 50 EUR/ USD.

I agree with @slh. I’ll also say, stay away from the entry level tp-link switches. They’re terrible.
