OpenWrt Forum Archive

Topic: VLAN trunking on OpenWRT possible ?

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I want to build a separate VLAN for WLAN guests on three OpenWrt routers in my house. All the routers (2x TL-WR1043ND v2, 1x WDR4300) are configured as switches with WLAN APs, because the main router is a hardware firewall appliance.

The physical network is addressed as 192.168.1.0/24, with 192.168.1.1 = firewall and 192.168.1.10/11/12 the OpenWrt devices.
Now I want to create a guest (W)LAN (addressed e.g. as 192.168.100.0/24) with no access to the LAN, Internet only. I don't want any new cables, so VLAN trunking should be the way to go.

I started with the OpenWrt device which is connected directly to the firewall over LAN port 4. On the appliance I created a VLAN (ID 9) on the LAN NIC (Intel 82546GB [has 802.1Q VLAN support]).

Now I am stuck and very confused; after a lot of reading it has gotten worse, so I decided to ask here for help. What do I have to do in OpenWrt if port 4 is used by both the virtual and the physical network? Which one do I tag, and how do I configure this in OpenWrt?

Thanks a lot!

How are the OpenWrt boxes connected to the firewall and to each other? Even a crude picture would help.

All of your devices support multiple tagged VLANs on a single port. I don't know if they can support both tagged and a single untagged VLAN on a port.

The "firewall" must also support VLANs. Both my Zywall USG50 and Ubiquiti EdgeRouter Lite support VLANs. Ubiquiti is also shipping the EdgeRouter X for $50, which supports VLANs.

If your "firewall" doesn't support VLANs you must replace it to do what you want.

It works best to tag both networks on the trunk cable(s).  You can configure the switches to make the other ports untagged to connect ordinary wired clients to one network or the other.

Yes, it works correctly, but only from CC on. If you want to use BB or older OpenWrt you can't mix tagged and untagged frames on one interface.

Thank you for your answers.

I tried to make an easy network diagram (sorry for Visio, though). The firewall system is a self-built Intel Atom system with one Intel 82546GB dual-port NIC (supports VLAN) for the LAN / VoIP network, and a Realtek 8168 (WAN uplink). Software is m0n0wall (supports VLAN, too).

Each OpenWrt device should provide a guest WiFi AP, separated from the "normal" network by using VLANs (changes in red in the diagram).

http://fs2.directupload.net/images/150623/temp/sjncumvk.png

I hope that helps.

Your WiFi bridge may be a problem. From what I have read, WiFi doesn't support 802.1Q tags.

Hey there.

I have no clue about WiFi and 802.1Q. IMHO that just works, unless a very specific WiFi configuration messes with packets. There's a chance WDS (or bridges in general) manipulate packets in a way that corrupts VLANs. But as long as a WiFi connection acts transparently to every Ethernet packet, VLANs shouldn't be a problem.

On mixing both tagged and untagged on the same wire: well, could somebody please give me a use case? Usually I would interconnect my WiFi-aware devices (switches) in a tagged trunk network and create untagged outlets, only one VLAN per port.

If you can live with not mixing tagged and untagged packets on the wire: that's really easy with OpenWrt.

Just have a look at the LuCI switch part. Of course setting up VLANs in plain config files or console-based UCI is easy too. But for starters, doing the first steps via LuCI and then checking what happened to the config file is OK.

Rules of thumb (mine; there are others using different configurations):

  • Only tagged or untagged, no mixes on a single port. Others might think differently, but to me that's the way to go.

  • If untagged, only one untagged VLAN per port. Outgoing is pretty easy (the switch removes the tag), but incoming traffic has no clue which tag to add. There might be ways around this, but that's magic to me. And magic is to be avoided by all means when it comes to infrastructure.

  • If tagged, as many tags as you want.

  • Keep one port connected to untagged VLAN 2 in order not to cut off your config interface.

  • Try which hardware port goes to which software port by plugging in and out a device other than your computer. That's something you can find in documentation, but since that's a way to brick devices (if you have no serial interface to reset), I'd rather just double-check it.

  • Mind the "CPU" port. That's the port a router can add its "gateway interface", or, in the case of DNS or something, its "service interface" to. Switching works perfectly fine without that. Of course you should at least keep VLAN 2 connected to the CPU, otherwise you will not be able to configure. But all other VLANs can live without the CPU connected. Even adding the CPU to a single VLAN doesn't necessarily make it "talk" with that network. You still need to create an "interface" in OpenWrt and bind it to "eth0.$vlan".

Regards,
Stephan.

Hello Stephan,

Thank you for your posting and your splendid explanation. Now that I'm back from holidays I decided to take small steps. So I tried to configure the VLANs for the OpenWrt box directly connected to the m0n0wall. I added a VLAN to the m0n0wall's eth2 device, with the tag ID 9.

The OpenWrt device is a TP-Link 1043ND v2, whose hardware and software ports are reversed; for example, hardware port 4 is port 1 in software. Currently, as there is no WAN interface, the switch config looks like this:

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option mirror_source_port '0'
        option mirror_monitor_port '0'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 3 4 5 6'

According to the device's wiki page, port 0 is the CPU, 1-5 are the 4 LAN ports + WAN, and 6 is another CPU port.
To keep things easy I'll refer to the software ports, not the hardware ports.

The m0n0wall is directly connected to port 5; this cable serves all WAN traffic. So it has to be trunked, I think: one VLAN for common LAN traffic from my network, another VLAN for guests. My first try was to add the device connected to port 2 to VLAN ID 9.

These are the steps I did:

1) Created a VLAN with ID 9 on the m0n0wall, added the interface eth2.1, and added a DHCP/DNS server for eth2.1.
2) Created a VLAN with ID 9 on OpenWrt with all ports off except port 5 tagged and port 2 untagged.
3) Modified the default VLAN 1: set port 2 to off, and port 5 to tagged.
4) Not sure about the (both?) CPU ports; tried both tagged as well as untagged in VLAN 1 and VLAN 9 in parallel.
5) Added a new OpenWrt interface, covering eth0.9 only, set to DHCP client mode.

I think this should work, but the OpenWrt box is unable to get an IP address from the m0n0wall; I can't see any incoming requests in tcpdump or the logs.

Any ideas?

(Last edited by markusm on 1 Jul 2015, 13:59)

Avoid any configuration which connects the two CPU ports together in the same VLAN.

I see two ways to go about it:

Tagged traffic on port 5 in two VLANs, one VLAN untagged to each CPU port.

option vlan '1'
option ports '5t 0'

option vlan '9'
option ports '5t 6'

Here one of the networks would be on eth0 and the other on eth1. There is limited possibility for expansion, though. You could switch either one out to wired users by adding untagged ports to that VLAN, but you couldn't have another internal network come out without using VLANs on a CPU port.


Or, tag both VLANs through to one CPU port.  The other CPU port is unused for now.

option vlan '1'
option ports '5t 6t'

option vlan '9'
option ports '5t 6t'

One network is eth0.1 and the other is eth0.9. You could connect eth1 independently to the other 4 Ethernet ports by making another VLAN that doesn't include port 5:

option vlan '2'
option ports '0 1 2 3 4'

Thank you for your answer. I tried to set up your second option, tagging both VLANs through one CPU port.

The DHCP client on eth0.9 immediately got an IP from the m0n0wall, and clients on port 2 were able to access the Internet, but not the LAN, which is exactly what I want. The rest of the network was offline immediately (no WAN access), I suppose because the m0n0wall is not configured for a VLAN with VID 1. So I reverted VLAN 1 to its original configuration (everything untagged, with the exception of port 2 = off) while leaving VLAN 9 as it is.

To my surprise, both the LAN and the VLAN are working now with the following config:

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option mirror_source_port '0'
        option mirror_monitor_port '0'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '9'
        option ports '2 5t 6t'

config interface 'vlan9'
        option proto 'dhcp'
        option ifname 'eth0.9'

Is this a valid configuration, or are there any issues?

I would suggest changing your firewall so as to not assign an IP address at all to eth2 and make your LAN interface eth2.2 and tag it with a VLAN. For security reasons it is a bad idea to have traffic flowing on the untagged VLAN on a trunk link. See VLAN hopping attacks, specifically "Q-in-Q" for details.
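The following is an added example, not code from the thread, from OpenWrt or from m0n0wall. It is a small lint for the switch_vlan config that encodes the rules of thumb from Stephan's post (one untagged VLAN per port, no mixing of tagged and untagged on one port), mk's advice not to put both CPU ports in the same VLAN, and the warning in the last reply about untagged traffic on a trunk. It assumes the TL-WR1043ND v2 software port numbering used above (CPU ports 0 and 6, trunk to the firewall on port 5) and the swconfig-era UCI syntax. The "hardened" config is a constructed variant that moves the LAN to tagged VID 2 on the trunk, as the last reply suggests; because CPU port 0 is then tagged as well, the OpenWrt LAN interface would have to bind to eth0.2 rather than eth0 (an assumption about swconfig naming, not something the thread states).

```python
"""Lint an OpenWrt switch_vlan config for the VLAN pitfalls discussed in this thread.

Rules checked (all taken from the thread, applied to software port numbers):
  - a port is untagged in at most one VLAN
  - a port is not both tagged and untagged (no mixing on one port)
  - the two CPU ports are never members of the same VLAN
  - the trunk port never carries a VLAN untagged (native VLAN on a trunk)
"""
import re

# Constructed sample: the final switch config posted in the thread (TL-WR1043ND v2,
# software numbering: 0 and 6 are CPU ports, 5 is the trunk to the m0n0wall).
FINAL_CONFIG = """
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '9'
        option ports '2 5t 6t'
"""

# Constructed variant following the last reply: the LAN moves to a tagged VLAN (vid 2)
# so port 5 carries no untagged traffic. CPU port 0 is tagged too, so on the OpenWrt
# side the LAN interface would bind to eth0.2 instead of eth0 (assumption).
HARDENED_CONFIG = """
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '2'
        option ports '0t 1 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '9'
        option ports '2 5t 6t'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_OPTION = re.compile(r"^option\s+(\S+)\s+(?:'([^']*)'|(\S+))\s*$")


def parse_uci(text):
    """Parse the UCI subset used in switch configs into a list of {option: value} dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append({"_type": m.group(1)})
            continue
        m = _OPTION.match(line)
        if m and sections:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            sections[-1][m.group(1)] = value
    return sections


def vlan_members(section):
    """Map a switch_vlan 'ports' option such as '2 5t 6t' to {port: is_tagged}."""
    members = {}
    for token in section.get("ports", "").split():
        members[int(token.rstrip("t"))] = token.endswith("t")
    return members


def lint_switch(text, cpu_ports=(0, 6), trunk_ports=(5,)):
    """Return a sorted list of findings; an empty list means the config passes."""
    vlans = {}  # vid -> {port: is_tagged}
    for sec in parse_uci(text):
        if sec["_type"] != "switch_vlan":
            continue
        # swconfig uses the vlan index as the 802.1Q VID when no explicit vid is given
        vid = int(sec.get("vid", sec["vlan"]))
        vlans[vid] = vlan_members(sec)

    findings = []
    untagged_in = {}  # port -> [vids where it is untagged]
    tagged_in = {}    # port -> [vids where it is tagged]
    for vid, members in vlans.items():
        for port, tagged in members.items():
            (tagged_in if tagged else untagged_in).setdefault(port, []).append(vid)
        cpus = sorted(p for p in members if p in cpu_ports)
        if len(cpus) > 1:
            findings.append(f"VLAN {vid}: CPU ports {cpus} are bridged through the switch")
        for trunk in trunk_ports:
            if trunk in members and not members[trunk]:
                findings.append(f"VLAN {vid}: trunk port {trunk} carries it untagged (native VLAN on a trunk)")

    for port, vids in untagged_in.items():
        if len(vids) > 1:
            findings.append(f"port {port}: untagged in more than one VLAN {sorted(vids)}")
        if port in tagged_in:
            findings.append(f"port {port}: mixes untagged {sorted(vids)} with tagged {sorted(tagged_in[port])}")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("final", FINAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {lint_switch(cfg) or ['ok']}")
```

Run against the poster's final config the lint reports exactly the two points raised in the thread: port 5 carries VLAN 1 untagged on the trunk, and port 5 mixes an untagged VLAN with a tagged one (which the earlier reply says only works from CC on). The hardened variant passes, and mk's first layout (port 5 tagged in both VLANs, one untagged CPU port each) passes as well, while a VLAN listing both CPU ports 0 and 6 is flagged.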
