Posted: Sun May 26, 2019 19:47 Post subject: R7000 tagged VLAN for Guest WiFi
Since I did not have any luck with guest WiFi on the same LAN as the private WiFi using just firewall rules, and did not get any answers on the German part of this forum, I'll try it again here:
I'm trying to set up a guest WiFi on wl0.1 of my Netgear R7000 running r37015 kongac and route its traffic to tagged VLAN3 on the same network port as my normal WiFi, which should be on VLAN1.
The R7000 is only an access point; my gateway is an OPNsense firewall which hosts a DHCP server on VLAN3, so this is not needed on the R7000. The R7000's only connected network port is the WAN port (because I cannot switch off the annoying LAN LEDs with the startup script).
What I did so far is create wl0.1 as a bridged network and set up the encryption. Then under Setup > VLANs I ticked "tagged" for the WAN port and "VLAN 3". Finally I created a new network bridge br1 under Setup > Networks, assigned an appropriate IP address and added wl0.1 and vlan3 to it.
When connected to the R7000 via SSH I can ping the firewall on its VLAN3 IP and vice versa. But if I try to connect a WiFi client to the guest WiFi it fails. Windows, for example, simply says "Connection not possible". It won't connect with a static IP configuration on the client side either, so there is no DHCP issue here. Also, if I enter an incorrect password on purpose the error message is different, so the encryption/password shouldn't be the issue either.
Does anybody know what I have to configure exactly to get this to work? I'll attach my current settings here; mind that they are in German.
Thanks in advance!
Last edited by RockNLol on Sun May 26, 2019 19:53; edited 1 time in total
I tried to redo everything and test it step by step. When I create the VAP it works fine until I reassign wl0.1 from the default br0 to br1. It then immediately stops working.
Do I have to do something with the MAC addresses?
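The bridge layout the post describes (guest VAP wl0.1 plus a tagged vlan3 in a separate br1, routing left to the OPNsense box), written out as a DD-WRT-style startup script. This is an added example and not the poster's configuration or anything from DD-WRT itself. It assumes the interface behind the R7000's WAN port is eth0, that the switch port has already been set to carry VLAN 3 tagged (the Setup > VLANs step), that ip, brctl and iptables exist on the AP, and it uses a constructed management address 192.168.3.2/24 for the guest side. It runs in dry-run mode unless APPLY=1 is set, so the plan can be reviewed off the box, and it refuses to apply a plan in which the VAP would still be left in br0, which is the step at which the post's setup broke.

```shell
#!/bin/sh
# Added example (not from the thread): build the guest bridge br1 = wl0.1 + vlan3
# on a DD-WRT access point, with a dry-run plan that is checked before applying.
#
# Assumptions, not confirmed by the thread:
#   - TRUNK_IF "eth0" is the interface behind the R7000's WAN port and the switch
#     port already carries VLAN 3 tagged (done in the GUI under Setup > VLANs).
#   - "ip", "brctl" and "iptables" are available on the AP.
#   - GUEST_IP 192.168.3.2/24 is a constructed management address on the guest VLAN.
# Without APPLY=1 nothing is executed; the commands are only printed.

GUEST_VAP="${GUEST_VAP:-wl0.1}"
GUEST_VLAN="${GUEST_VLAN:-3}"
TRUNK_IF="${TRUNK_IF:-eth0}"
GUEST_BR="${GUEST_BR:-br1}"
MAIN_BR="${MAIN_BR:-br0}"
GUEST_IP="${GUEST_IP:-192.168.3.2/24}"

# Print every command; execute it only when the plan mode is "apply".
run() {
  printf '%s\n' "$*"
  if [ "$mode" = apply ]; then "$@"; fi
}

# Build (and, in apply mode, execute) the guest bridge configuration.
guest_bridge_plan() {
  mode="${1:-dry}"
  # Tagged sub-interface for the guest VLAN on the trunk port.
  run ip link add link "$TRUNK_IF" name "vlan$GUEST_VLAN" type vlan id "$GUEST_VLAN"
  run ip link set "vlan$GUEST_VLAN" up
  # A separate bridge for the guest network; forwarding delay 0 so associated
  # clients can pass traffic immediately.
  run brctl addbr "$GUEST_BR"
  run brctl setfd "$GUEST_BR" 0
  # An interface can be a port of only one bridge: take the VAP out of br0
  # before adding it to br1.
  run brctl delif "$MAIN_BR" "$GUEST_VAP"
  run brctl addif "$GUEST_BR" "vlan$GUEST_VLAN"
  run brctl addif "$GUEST_BR" "$GUEST_VAP"
  run ip link set "$GUEST_BR" up
  run ip addr add "$GUEST_IP" dev "$GUEST_BR"
  # The AP must never route between guest and private bridges itself; the
  # OPNsense gateway does the routing on VLAN 3.
  run iptables -I FORWARD -i "$GUEST_BR" -o "$MAIN_BR" -j DROP
  run iptables -I FORWARD -i "$MAIN_BR" -o "$GUEST_BR" -j DROP
}

# Two conditions that silently break this setup: the VAP still being a member
# of br0, and vlan3 or the VAP never being attached to br1.
plan_is_sane() {
  plan="$1"
  printf '%s\n' "$plan" | grep -q "brctl delif $MAIN_BR $GUEST_VAP" || return 1
  printf '%s\n' "$plan" | grep -q "brctl addif $GUEST_BR vlan$GUEST_VLAN" || return 1
  printf '%s\n' "$plan" | grep -q "brctl addif $GUEST_BR $GUEST_VAP" || return 1
  return 0
}

# Number of commands in a plan (one per line).
plan_length() {
  printf '%s\n' "$1" | grep -c .
}

plan=$(guest_bridge_plan dry)
if plan_is_sane "$plan"; then
  printf '%s\n' "$plan"
  if [ "${APPLY:-0}" = 1 ]; then guest_bridge_plan apply >/dev/null; fi
else
  echo "refusing to apply: plan is missing a required bridge step" >&2
fi
```

Run it once without APPLY to read the plan, then with APPLY=1 on the AP (or paste the apply-mode commands into the startup script). Whether frames really leave the trunk port tagged is best confirmed on the AP with `brctl show br1` and `tcpdump -i eth0 -e vlan 3` while a guest client tries to associate; if vlan3 shows up in br1 but no tagged frames appear on eth0, the switch-side tagging is what to look at next.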
Then create a VAP, unbridge it, and put a DHCP server on wl0.1; you do not need a br1.
When you set up a VAP on a WAP you need a special firewall rule to NAT the traffic on the LAN; see my attached notes (or set a static route).
If you want to have one wired port on the guest network only, then you have to create a bridge, set the wired port on its own VLAN and attach it to the bridge, and keep the VAP bridged and attach it to br1.
Do not have the wired ports on more than one VLAN (I know you can have a trunk and tagging etc., but for this setup it seems overly complicated).