DD-WRT AP & VLANs

DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
inxsible
DD-WRT Novice


Joined: 03 Sep 2020
Posts: 23

PostPosted: Thu Sep 03, 2020 4:32    Post subject: DD-WRT AP & VLANs Reply with quote
I used DD-WRT for a long time and then I switched to using pfSense as my router and since then I have been using my Netgear WNR3500L with DD-WRT as an AP. I followed this guide to disable the routing features in DD-WRT and use it solely as an AP. I also set the WAN port as a switch port as per the guide.

I have the DD-WRT v24-sp2 (03/25/13) vpn - build 21061 firmware installed on it.

I currently use the AP for all my wireless devices. I wanted to now add some VLANs for Cameras, IOT and Guest networks. All these VLANs will also have at least 1 wireless device: 2 wireless doorbell cameras on the Camera VLAN, Roku, Chromecast & TV on the IOT VLAN and of course Guest Wifi for visiting guests.

I have already created these VLANs in my pfSense router and my Cisco 3750X managed switch.

My DD-WRT AP is connected to the switch via switch port 7
  1. Does my port 7 on the Cisco switch have to be a trunk port -- in order to transfer traffic from all VLANs to the AP?
  2. Or can I keep the VLANs on physically separate ports by connecting AP ports 1-4 to 4 different switch ports?
  3. Does DD-WRT only support 15 VLANs, as I only see 15 rows on the Setup--> VLANs page?
  4. How would I set up VLAN10 (Camera), VLAN11 (IOT) & VLAN15 (Guest) on DD-WRT such that the VLANs cannot talk to each other but they can communicate with some servers on my main LAN? See below requirements for VLANs
  5. Should I create a separate wireless SSID for every VLAN? Or can the same SSID differentiate between traffic from the various VLANs?
  6. How would it know to assign the correct IP address to the devices based on which VLAN they should belong to, when they connect to the AP?


Camera VLAN should only be able to save videos to NVR on main LAN and no access to any other network including the internet.
IOT VLAN should be able to access my media server on the main LAN and access the internet for Netflix etc.
Guest network should not be able to access any other network/VLAN except the internet.

Thanks in advance for your help.

Edit: I found this article -- https://wiki.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_(Separate_Networks_With_Internet) -- which explains the creation of the VLANs but it doesn't explain the other questions that I have.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8416

PostPosted: Thu Sep 03, 2020 7:08    Post subject: Reply with quote
Understand that dealing w/ vlans (and vlan tagging) can get complicated, depending on just how complex a scenario you intend to create. And vlans are hardware specific, which makes compatibility between different hardware sometimes an issue. So rather than get too deep into the specifics, let me answer your questions w/ the understanding that I'm providing a high level, conceptual view rather than offering specific details.

Quote:
Does my port 7 on the Cisco switch have to be a trunk port -- in order to transfer traffic from all VLANs to the AP?


Doesn't matter which port you use as the trunk port on either side, you just have to make sure that whichever port you use, you tag the port w/ all the vlan tags (IDs). That's what makes it a trunk port.

Quote:
Or can I keep the VLANs on physically separate ports by connecting AP ports 1-4 to 4 different switch ports?


I think what you meant to ask is if you can assign each vlan to its own port. Yes, but the point of using vlan tagging is to avoid this. Otherwise, you end up running multiple ethernet cables between the AP and the upstream switch. But yes, it can be done. And if vlan tagging doesn't work for some reason (e.g., hardware incompatibility), that may be your only option.

Quote:
How would I set up VLAN10 (Camera), VLAN11 (IOT) & VLAN15 (Guest) on DD-WRT such that the VLANs cannot talk to each other but they can communicate with some servers on my main LAN? See below requirements for VLANs


Remember, the underlying assumption here when the dd-wrt router is only acting as an AP, is that the upstream router and its switch are managing access between these vlans, NOT the AP! IOW, that's the responsibility of pfSense. All the AP is doing is ensuring separation from the point of the AP until it gets to pfSense. And that separation can be achieved in two ways; using vlan tagging, or associating each vlan w/ its own port and running multiple ethernet cables to the pfSense router, which also has the same vlans associated w/ their own ports (again, not usually desirable, but will work).

Quote:
should I create a separate wireless SSID for every VLAN? Or can the same SSID differentiate between traffic from the various VLANs?


Wireless is a completely separate issue. Remember, vlans are *only* about wired connections and ports. If you also want wireless to be associated w/ these vlans, then you need to create a bridge for each vlan (br1, br2, br3, etc.), create a virtual wireless adapter for each vlan, and assign each vlan and its associated wireless network adapter (SSID) to its respective bridge.

Quote:
How would it know to assign the correct IP address to the devices based on which VLAN they should belong to, when they connect to the AP?


Because each bridge and its assigned pair of vlan and wireless adapters is configured w/ its own IP network, DHCP server, firewall, DNS servers, etc. But NOT by dd-wrt; by pfSense!

Again, because the dd-wrt router is only acting as an AP, its only responsibility is to act as a "highway" that gets different "classes" of users (differentiated by their respective bridges) up to the pfSense. That's achieved either via vlan tagging, or running multiple ethernet cables between the switches. Your choice.

But again, I can't stress this enough; it's *pfSense* that's responsible for providing services like DHCP, a firewall, DNS servers, etc. The AP in this configuration is a relatively dumb device that's *only* providing separation for the purposes of reaching pfSense in an orderly and predictable fashion.
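The bridge-per-VLAN layout described in the answer above, written out as an added DD-WRT (Broadcom) startup-script example. It is not part of any post in this thread and not DD-WRT's own documentation. The switch-port numbers (trunk behind the WAN jack on port 0, CPU on port 8), the `et0` hardware name, the `wl0.1`-`wl0.3` virtual wireless interface names and the `br1`-`br3` bridge names are assumptions for this layout and must be checked against what the unit already reports for `nvram get vlan1ports` and `nvram get vlan2ports`, because port numbering differs between Broadcom models and builds. By default the script only prints the commands it would run; set `APPLY=1` to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): one bridge per VLAN on a DD-WRT AP.
# Port numbers, "et0" and the wl0.x VIF names are ASSUMPTIONS for this layout;
# compare with `nvram get vlan1ports` / `nvram get vlan2ports` on the unit first.

TRUNK_PORT="${TRUNK_PORT:-0}"   # assumed: switch port behind the WAN jack (trunk to the Cisco)
CPU_PORT="${CPU_PORT:-8}"       # assumed: internal CPU port on this SoC
APPLY="${APPLY:-0}"             # 0 = print the commands only, 1 = execute them

# id  bridge  wireless VIF  purpose   (constructed to match the question)
VLAN_TABLE="10 br1 wl0.1 camera
11 br2 wl0.2 iot
15 br3 wl0.3 guest"

# Commands for one VLAN: tag it on the trunk and CPU ports, give it its own
# bridge, and put the VLAN interface plus that SSID's virtual adapter in the
# bridge. No IP address is assigned on purpose: the AP only forwards frames,
# while pfSense owns DHCP, DNS and the firewall rules for each VLAN.
vlan_cmds() {
    id=$1; br=$2; vif=$3
    printf 'nvram set vlan%sports="%st %st"\n' "$id" "$TRUNK_PORT" "$CPU_PORT"
    printf 'nvram set vlan%shwname=et0\n' "$id"
    printf 'brctl addbr %s\n' "$br"
    printf 'brctl addif %s vlan%s\n' "$br" "$id"
    printf 'brctl addif %s %s\n' "$br" "$vif"
    printf 'ifconfig vlan%s up\n' "$id"
    printf 'ifconfig %s up\n' "$br"
}

# Number of VLANs in the table (the Setup -> VLANs page shows 15 rows).
vlan_count() {
    printf '%s\n' "$VLAN_TABLE" | grep -c .
}

# Full command list for every VLAN in the table, then the nvram commit.
all_cmds() {
    printf '%s\n' "$VLAN_TABLE" | while read -r id br vif _purpose; do
        vlan_cmds "$id" "$br" "$vif"
    done
    echo 'nvram commit'
}

if [ "$APPLY" = 1 ]; then
    all_cmds | sh
else
    all_cmds
fi
```

After applying, `brctl show` should list `br0` (management LAN and its SSID) plus one bridge per VLAN, each containing exactly one `vlanNN` interface and one `wl0.x` interface; a VLAN interface that ends up in `br0`, or a bridge that received an IP address, means the separation the answer describes is not in place. On the Cisco side the matching port must carry VLANs 10, 11 and 15 tagged, and the management VLAN as the native/untagged VLAN so the AP itself stays reachable.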
inxsible
DD-WRT Novice


Joined: 03 Sep 2020
Posts: 23

PostPosted: Thu Sep 03, 2020 15:04    Post subject: Reply with quote
@eibgrad Thank you for your detailed response.

eibgrad wrote:
Doesn't matter which port you use as the trunk port on either side, you just have to make sure that whichever port you use, you tag the port w/ all the vlan tags (IDs). That's what makes it a trunk port.
I was going to make the port 7 as trunk in the switch. Currently, port 7 from switch connects to WAN port of the AP.
eibgrad wrote:
I think what you meant to ask is if you can assign each vlan to its own port. Yes, but the point of using vlan tagging is to avoid this. Otherwise, you end up running multiple ethernet cables between the AP and the upstream switch. But yes, it can be done. And if vlan tagging doesn't work for some reason (e.g., hardware incompatibility), that may be your only option.
Yes, that is what I meant -- assign each vlan to its own port. Is there any advantage to either way other than less cables for the trunk method?
eibgrad wrote:
IOW, that's the responsibility of pfSense.
Yes, I understand that. I want the AP to simply forward on the VLAN packets as is and not do any type of routing/management. IOW, a dumb appliance that simply "knows" about the vlans.
eibgrad wrote:
If you also want wireless to be associated w/ these vlans,...
Yes I do. The whole point of the AP knowing about the vlans is so I can use the wireless capabilities and attach multiple devices across different VLANs using the same AP -- but still keep them on separate networks.
eibgrad wrote:
...then you need to create a bridge for each vlan (br1, br2, br3, etc.), create a virtual wireless adapter for each vlan, and assign each vlan and its associated wireless network adapter (SSID) to its respective bridge.
I will need to read up on this in a bit more detail as to how to create the said VLANs and also the associated bridge. Would you be able to point me to some articles that explain how to do this on DD-WRT?
eibgrad wrote:
That's achieved either via vlan tagging, or running multiple ethernet cables between the switches. Your choice.
Any pros and cons of either choice -- other than having more cables connected for individual vlans on each port?
eibgrad wrote:
But again, I can't stress this enough; it's *pfSense* that's responsible for providing services like DHCP, a firewall, DNS servers, etc.
Yes, I have already set up the VLANs on the pfSense router, assigned them to interfaces and enabled the DHCP on each interface. I have also created the firewall rules based on what I want that particular network to be able to do. I also have created the same VLANs on the Cisco 3750X switch.

I am at a point where I want to know how to make the AP aware of those VLANs and be able to allow devices across all 3 of those networks to connect to the WiFi AP and work seamlessly.

Thank you again.
All times are GMT