OpenWrt Forum Archive

Topic: Avoiding double-NAT when using a locked down ISP modem/router

The content of this topic has been archived on 7 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

We have Vodafone Fibre broadband, with a VF Connect VDSL/router/wifi all-in-one, currently set up to provide two SSIDs: one for "normal" usage and a separate "guest" one (which gives internet access but doesn't provide access to the wired or wireless devices on the main wifi/LAN, and doesn't allow access to the VF Connect admin/status webui).

This basic setup appears to work fine as far as it goes -- guest wifi users connect on a different subnet (192.168.5.* for guest, 192.168.1.* for main network). However, the VF Connect wifi is nowhere near strong enough to reach the whole house and garden (it's a 5-bed house, so quite big, but the bigger issue is the 2 foot thick internal solid stone walls which effectively separate the house into 3 separate "zones" which it's hard to get wifi signals to reach between).

To address this I've bought 3 Access Points (Unifi UAP-AC-LRs) -- these are ceiling mounted and PoE powered, which means I can get them where needed to provide wifi coverage. The UAP-AC-LRs support multiple SSIDs (up to 4 each) and 802.1q VLAN tagging. I've also got a VLAN-capable managed switch (an old Dell Powerconnect 2716).

What I want to know is how I can set up the Unifi APs so that they expose both the main and guest networks, while maintaining the separation between those networks that I have now.

So far the possible solutions I've come up with are:


1) Configure the VF Connect so that one of its LAN ports is associated with the 192.168.5.* VLAN, then set up the switch so that traffic from the APs on the guest SSID/VLAN is directed to that specific LAN port on the VF Connect. However, I can't find any VLAN configuration in the VF Connect webui (and it's locked down so that there is no telnet/ssh access available, AFAIK).

2) Put the VF Connect modem into PPPoE/bridge mode, then use another router as the gateway to the internet (either using the switch to separate the guest VLANs onto distinct physical cables into the gateway, or using 802.1q VLAN tagging on the gateway if it supports that). However, I have been told that the VF Connect modem doesn't support bridge/modem-only mode.

3) As for (2), but using a separate modem-only VDSL2 device, together with another router as the gateway. Does VF allow equipment other than their own to be used to access their network? Unfortunately, it appears that Vodafone are unwilling to provide their customers with their own username/password details to allow a third-party modem to be used to connect to the VF network.

4) Implement a "double NAT" solution, attaching all the "main" network devices (wired and wireless) to a second router on a different subnet (e.g. 192.168.2.*), with NAT between that and the 192.168.1.* LAN network provided by the VF connect. This has the standard double-NAT disadvantages (e.g. peer-to-peer connections for gaming etc. are more likely to fail). It also allows the guest network users to attempt to access the VF Connect admin screens (though they would still have to guess the admin password).

5) Implement a more complex routing solution using a second router, configured to bridge (most of) the 192.168.1.* subnet provided by the VF Connect router to a 192.168.1.* on the "other side" of the second router. It feels like this might be possible -- it sounds similar to the way that a gateway router would need to be configured where an ISP provides a /29 or larger IP range (with the connection being via PPPoE/external xDSL modem) and the available public routable IP addresses are assigned to hosts within the local network. All internet traffic would go via both the second router and the VF Connect. Does anyone know whether such a configuration is possible?

In addition to the VF Connect and the 3 UAP-AC-LRs, I also have a couple of other VLAN-capable routers (an Archer C5 v1, and an Archer C50 v1, both of which I believe could be flashed to run OpenWRT/LEDE/similar). I may also have one or two old DD-WRT/OpenWRT-flashed 802.11g routers kicking about somewhere -- and tbh wouldn't mind buying an additional more powerful device if necessary (e.g. to provide sufficient CPU, memory and ethernet ports to run OpenWRT/Linux/pfSense with a more complex routing configuration).

Any help gratefully appreciated!

Misha

Hey there.

I have no clue which hardware your VF Connect brings. But since you mentioned "one of its LAN ports" I assume it has at least two of them.

You could make your VF box make one LAN port expose your 192.168.1.0/24 and another LAN port expose the 192.168.5.0/24 network.
Plug both into your managed switch, which means there are two cables from your VF box to your switch.
Configure the port which connects to 192.168.1.0/24 "untagged vlan 1".
Configure the port which connects to 192.168.5.0/24 "untagged vlan 2".
Configure each port that connects to one of your APs "tagged vlans 1 and 2".
Now you can make your APs span "lan" on "vlan 1" and "guest" on "vlan 2".

This configuration doesn't require your VF box to know anything about vlans. It probably does internally, but as long as there is no documentation of the VF box telling you how to configure a vlan trunk port (of lan and guest being both "tagged"), using two wires for the distance between your VF box and the switch is the most simple thing to do.

This has nothing to do with OpenWRT.

Regards,
Stephan.

(Last edited by golialive on 23 Apr 2017, 00:05)

Thanks Stephan. Yes, the VF Connect modem/router has 4 GbE LAN ports in addition to the DSL (RJ11) port. It seems to be a Vodafone-customised version of the Huawei HHG2500 - the GbE WAN port and the two "FXS" ports shown on wikidevi for the Huawei_HHG2500 are blocked with stickers saying "this port is not in use". According to wikidevi it's a BCM63168 with a BCM4360 for 5GHz. So it should be able to split the switch so that one LAN port is for the 192.168.1.0/24 and another is for the 192.168.5.0/24, as you suggest.

Unfortunately I can't find anywhere in the VF Connect admin screen where I could configure the LAN ports.

The "IPv4" settings page allows me to set the subnet for both the main and guest networks, but doesn't provide any control over LAN ports or VLANs. There is also a "Multiple Static IP" settings page, which allows me to enter address pool subnet (start and mask) and the CPE IP address within that pool, and to optionally select "VLAN separation" and to select a VLAN id. But I don't have a static IP, so I don't think that page helps me with this problem.

I know it's not an OpenWRT problem per se -- I was hoping I could introduce an OpenWRT router somewhere in order to work around the apparent limitations of the VF Connect firmware!

(Last edited by mishad_work on 23 Apr 2017, 07:59)

Do the LAN ports carry the guest network at all?

If not, you can bridge the LAN to your network, and use a wifi client to double-NAT the guests.  Two connections from OpenWrt to the modem/router: one wired and one wireless.

mk24 wrote:

Do the LAN ports carry the guest network at all?

No, they don't seem to. What's the best way to confirm? Connect a laptop with a static 192.168.5.* IP address to each of the VF Connect's LAN ports in turn and see if it can access the internet/anything else?

Is there a chance that the VF Connect is VLAN tagging the traffic? How could I test for that, given that I won't know the VLAN id?

mk24 wrote:

If not, you can bridge the LAN to your network, and use a wifi client to double-NAT the guests.  Two connections from OpenWrt to the modem/router: one wired and one wireless.

Hmm I think that a wificlient doing double NATting could work. I'd need to put the OpenWRT wificlient within WiFi range of the VF Connect, and use ethernet to connect the OpenWRT device to the APs, but that's fine. And it would subject guests to the usual double NATting issues, but normal web browsing should work fine, which is good enough for guests.

I think I'd have to use the switch to combine the untagged main LAN traffic with tagged "guest" traffic so that the Unifi APs can serve both sets of clients.

Something like:

Internet
 |
 |
DSL
 |
 |
 | <public IP>
ModemRouter. ~~~WLAN 192.168.5.0/24~~~~ 192.168.1.5.2~ OpenWRT wificlient
 | LAN1 192.168.1.254
 | (main lan on 192.168.1.0/24)
 |
 | (untagged = VLAN 0)
ManagedSwitch

Then connected to the switch I'd have:

OpenWRT wificlient
 | (trunked VLANs 0 and 100)
 | VLAN100 = 192.168.10.1 (Double-NATted guest network)
 | VLAN0 = 192.168.1.2 (used for openwrt access from main network)
 |
 | (trunked VLANs 0 and 100)
ManagedSwitch --- (trunked VLANs 0 and 100) ------- UAP-AC-LR 
 |  |  | (all untagged = VLAN 0)
 |. |. |
 |. |. | 192.168.1.*
Wired clients on main network

And I'd set up the UAP-AC-LRs to associate the guest SSID with VLAN 100 and leave the normal SSID as untagged/VLAN 0.

Does that look right? I guess I could use separate LAN ports on the OpenWRT for the main and double-NATted-guest network connections back to the switch, rather than using trunking, which might be simpler to set up?

If I did that, would I also be able to set up restrictions in the OpenWRT config screens so that the setup pages cannot be accessed from 192.168.5.* or 192.168.10.* subnets? (So only wired clients and clients connected to the main SSID would be able to access the OpenWRT config pages.)

Also, would it be possible to set up OpenWRT to allow selective routing from 192.168.10.* to certain IP addresses in 192.168.1.0/24 eg for printing?

Thanks
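As an added example (not from anyone in the thread), the wifi-client router in the diagram above could be expressed in OpenWrt UCI configuration: the untagged management side on 192.168.1.2, the tagged VLAN 100 guest network on 192.168.10.1, a 'wwan' uplink into the VF Connect guest SSID, firewall zones that refuse admin access (LuCI/ssh) from both the 192.168.5.* and 192.168.10.* sides, and a single forward rule to a printer in the main LAN. The interface names eth0/eth0.100, the printer address 192.168.1.20 and the existence of a wifi-iface in 'sta' mode bound to 'wwan' (plus the swconfig switch_vlan entry that tags VLAN 100 on the switch-facing port) are assumptions.

```uci
# /etc/config/network (excerpt; interface names and addresses follow the diagram)
config interface 'lan'           # untagged VLAN 0 side, management access only from main LAN
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.1.2'
    option netmask '255.255.255.0'
config interface 'guest'         # tagged VLAN 100 toward switch and APs (double-NATted guests)
    option ifname 'eth0.100'
    option proto 'static'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'
config interface 'wwan'          # wifi client joining the VF Connect guest SSID (192.168.5.x)
    option proto 'dhcp'          # assumes a wifi-iface with mode 'sta' and network 'wwan'

# /etc/config/firewall (excerpt; the default 'lan' zone with input ACCEPT stays as shipped)
config zone
    option name 'guest'
    option network 'guest'
    option input 'REJECT'        # LuCI/ssh on this router unreachable from 192.168.10.*
    option output 'ACCEPT'
    option forward 'REJECT'
config zone
    option name 'wwan'
    option network 'wwan'
    option input 'REJECT'        # and unreachable from the 192.168.5.* side too
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'              # the second NAT: guest sources rewritten to the wwan address
config forwarding                # guests may only go out via the wifi uplink, never into 'lan'
    option src 'guest'
    option dest 'wwan'
config rule                      # keep DHCP and DNS working for guests despite input REJECT
    option name 'guest-dhcp-dns'
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '53 67'
    option target 'ACCEPT'
config rule                      # selective exception: only the printer, only print ports
    option name 'guest-to-printer'
    option src 'guest'
    option dest 'lan'
    option dest_ip '192.168.1.20' # assumed printer address
    option proto 'tcp'
    option dest_port '9100 631'
    option target 'ACCEPT'
```

Because there is no 'forwarding' section from 'guest' to 'lan', everything else in 192.168.1.0/24 stays unreachable from guests; the printer rule is the only hole, and it opens only the listed TCP ports.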

The discussion might have continued from here.