[SOLVED] DD-WRT dumb AP with tagged VLANs and multiple SSIDs

hasselmuf
DD-WRT Novice


Joined: 30 Jun 2017
Posts: 7

Posted: Fri Apr 28, 2023 12:06    Post subject: [SOLVED] DD-WRT dumb AP with tagged VLANs and multiple SSIDs
I would like to configure my home network as follows:

DD-WRT router as dumb AP with multiple SSID-s and 802.1q tagged VLANs.
OpenWrt router as main router managing everything (routing, firewall, zones, guests, etc).

How to configure DD-WRT to act as dumb AP with multiple SSID-s and 802.1q tagged VLANs?

So far I've configured on OpenWrt: interfaces, dhcp and firewall

On DD-WRT tried:
    VLAN3 on port 1
    Created SSID by adding Virtual Interface wl0.2
    Created bridge br1 and assigned vlan3 and wl0.2 to it


Problem is if I connect to newly created SSID it does not get DHCP. Also in Setup -> Networking under br1 Configuration there is "IP Address" field but IP addresses should be managed on OpenWrt.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Fri Apr 28, 2023 12:29
What router and what build are you using?
Vlans have seen a big update recently.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
hasselmuf
DD-WRT Novice


Joined: 30 Jun 2017
Posts: 7

Posted: Fri Apr 28, 2023 12:33
I'm using Netgear R7000P with DD-WRT v3.0-r49212 std on it
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Fri Apr 28, 2023 13:11
In that case just upgrade to latest build 52369:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=334411

Downloads: https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2023/04-20-2023-r52369/

Basic setup for a dumb AP (WAP):

Quote:
A secondary router connected wired LAN<>LAN on the same subnet as the primary router.
Setup:
• On Basic Setup page:
o WAN disabled
o DHCP server Disabled (=off and NOT set as Forwarder!)
o Local IP address in subnet of primary router but outside DHCP scope, make sure the used IP address is unique on your network you cannot have duplicates.
o Gateway and Local DNS pointing to primary router
Example:
If your primary router is 192.168.1.1 then set the Local IP address of the WAP to 192.168.1.2 (make sure that is not used).
The Gateway and Local DNS are set to point to the primary router e.g.: 192.168.1.1

• Keep DNSMasq enabled (both on Basic Setup page and Services page)

• On Setup > Advanced Routing, keep Operating mode in the default Gateway (the wiki says Router mode but do not do that, either it does not matter (this case) or break things)

• On Security > Firewall keep the SPI Firewall enabled, although you do not want a firewall it will be automatically disabled as there is no WAN so no need to change this setting from default.

• Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre and there are some routers where the WAN port is not added to br0 so the WAN port could be non-functional on some routers).

Note: For Broadcom routers for best throughput enable CTF on Basic Setup Page

If you have unbridged interfaces on the WAP (Virtual Access Point (VAP), bridge etc.), you have to add the following rule to the firewall in order to get internet access.
In the web-interface of the router (the WAP): Administration > Commands save Firewall:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


As you want everything done by the main router you do not need the POSTROUTING rule but it does not hurt

Basically you are doing the right thing, create a VAP, create a bridge br1 and add VLAN3 on the switch page, as port 1 is your trunk port enable VLAN1 and VLAN3 on port 1 which you can do if you tag that port.
Tag the CPU port for everything.
Assign the VAP and VLAN3 to br1

Your trunk port, port 1, now carries both VLAN 1 and VLAN 3; your OpenWrt router has to handle that.

Post screenshots of switch config tab and Networking tab

hasselmuf
DD-WRT Novice


Joined: 30 Jun 2017
Posts: 7

Posted: Fri Apr 28, 2023 14:24
Screenshots below. I had to change to vlan2 (did update OpenWrt configuration also) because vlan3 did not appear in the assign to bridge list.
Are my settings correct?
There is no DHCP, internet, or access to local network right now.



egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Fri Apr 28, 2023 15:16
The VAP wl0.1 should be left at its default bridged.

Because it is bridged to br1

Do not use vlan2 but use vlan1 and vlan3.

Note on the other side, the openwrt router, you have to use the same vlans.

As you have multiple vlans on the same port you have to tag the ports, both cpu port and port1.

You give br1 an ip address that is OK but make sure it is in the openwrt dhcp subnet of vlan3.

Reboot the router after you changed the settings.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Fri Apr 28, 2023 15:22
Quote:
Are my settings correct?


No they are not.
If you tag the ports properly then VLAN3 also appears in the list.
hasselmuf
DD-WRT Novice


Joined: 30 Jun 2017
Posts: 7

Posted: Fri Apr 28, 2023 20:22
I got guest network running according to your instructions.

Although main wifi (wl0) does not have internet or local network access. Neither can I access 192.168.1.2 (DD-WRT router) from OpenWrt's wired network.

Quote:
The VAP wl0.1 should be left at its default bridged.
Because it is bridged to br1

My main wifi is wl0 and wl1 (2.4 and 5 GHz respectively) - looks like I can not assign them to a bridge and they're not shown in the bridging table as well.

I am not sure whether it's DD-WRT or OpenWrt misconfiguration.



Btw I had to set br1 Net Isolation disabled because it somehow limited my main (OpenWrt wired) local network access between devices.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Fri Apr 28, 2023 21:05
Delete the vlan tagging that is already being done on the switch config tab. See the example of @ho1Aetoo

Everything else looks ok.
eth1=wl0, eth2=wl1 :)

If you disabled the wan according to the instructions I have sent then the firewall is disabled and Net isolation should not do anything.
But in your case the net isolation is done by the vlan at layer 2.
So you should be good.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Sat Apr 29, 2023 6:26
@hasselmuf

You are still configuring nonsense.
Otherwise VLAN0 and VLAN4 would not be in the bridging table and VLAN2 (the WAN port) should not be bridged either.

See again exactly what I have posted for settings

and as sir egc has already pointed out the "vlan tagging" is completely wrong
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sat Apr 29, 2023 7:51
The bridged vlan2 could be because this is a WAP (WAN disabled) and vlan2 is then assigned to br0?

I think that there are routers with a 4 port switch and separate WAN port and in that case you cannot just set the WAN port to VLAN1

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Sat Apr 29, 2023 8:08
Yes, then you have to set VLAN2 to unbridged.
Or you can disable VLAN2 completely and add the WAN port to the LAN. (but no one has asked for this here)

should work as shown in the screenshot...

egc wrote:
I think that there are routers with a 4 port switch and separate WAN port and in that case you cannot just set the WAN port to VLAN1


Don't know which routers these should be, as far as I know the R7000P has 6 used switch ports (1x CPU, 1x WAN, 4xLAN).
hasselmuf
DD-WRT Novice


Joined: 30 Jun 2017
Posts: 7

Posted: Sat Apr 29, 2023 13:02
Quote:
Delete the vlan tagging that is already being done on the switch config tab.

Done

Quote:
If you disabled the wan according to the instructions I have sent then the firewall is disabled and Net isolation should not do anything.

WAN disabled according to dumb AP configuration instructions

Quote:
Otherwise VLAN0 and VLAN4 would not be in the bridging table and VLAN2 (the WAN port) should not be bridged either.
See again exactly what I have posted for settings and as sir egc has already pointed out the "vlan tagging" is completely wrong

Removed all vlan2 ticks from vlan conf. table and added WAN to vlan1 as on ho1Aetoo's last screenshot. Port1 connected by cable to OpenWrt eth2.

I got it all working now. I had to create device eth2.1 (vlan tag 1) and add it to br-lan on OpenWrt to grant access to AP wl0 connected devices to the lan and wan.

Thank you egc and ho1Aetoo a lot!
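
Added example (not part of the original thread or any poster's configuration): a shell check for the DD-WRT AP that compares `brctl show` against the bridge layout this thread arrives at, and flags stray members such as the bridged vlan2 pointed out earlier, which would join ports that are meant to stay separated. The sample tables are constructed, and the VAP name wl0.1 and the member lists are assumptions to adjust for your router.

```shell
#!/bin/sh
# Added example, not from the thread. Sample tables are constructed; the
# expected layout (br0 = vlan1+eth1+eth2, br1 = vlan3+wl0.1) is an assumption.

SAMPLE_OK='bridge name  bridge id          STP enabled  interfaces
br0          8000.aabbccddee01  no           vlan1
                                             eth1
                                             eth2
br1          8000.aabbccddee02  no           vlan3
                                             wl0.1'

SAMPLE_BAD='bridge name  bridge id          STP enabled  interfaces
br0          8000.aabbccddee01  no           vlan1
                                             eth1
                                             eth2
                                             vlan2
br1          8000.aabbccddee02  no           wl0.1'

# Turn `brctl show` text on stdin into "bridge iface" pairs, one per line.
bridge_members() {
    awk '
        NR == 1 && $1 == "bridge" { next }    # header row
        NF >= 3 { br = $1 }                   # row that starts a new bridge
        NF >= 4 { print br, $4; next }        # ...and carries its first member
        NF == 1 && br != "" { print br, $1 }  # continuation row: one more member
    '
}

# audit_bridges "<brctl show text>" "bridge:if1,if2" ...
# Prints one line per deviation and returns 1 if there is any.
audit_bridges() {
    table=$(printf '%s\n' "$1" | bridge_members); shift
    rc=0
    for spec in "$@"; do
        br=${spec%%:*}
        want=$(printf '%s\n' "${spec#*:}" | tr ',' '\n' | sort)
        have=$(printf '%s\n' "$table" | awk -v b="$br" '$1 == b { print $2 }' | sort)
        for i in $want; do
            printf '%s\n' "$have" | grep -qxF -- "$i" || { echo "MISSING $i in $br"; rc=1; }
        done
        for i in $have; do
            printf '%s\n' "$want" | grep -qxF -- "$i" || { echo "UNEXPECTED $i in $br"; rc=1; }
        done
    done
    return $rc
}

# On the AP itself: audit_bridges "$(brctl show)" br0:vlan1,eth1,eth2 br1:vlan3,wl0.1
audit_bridges "$SAMPLE_BAD" br0:vlan1,eth1,eth2 br1:vlan3,wl0.1 || true
```

Run it after every change on the switch config or Networking tab and after the reboot; an empty result with exit status 0 means both bridges contain exactly the listed interfaces.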
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sat Apr 29, 2023 14:28
Great to hear it is working.

Indeed you also have to tag the other side (openwrt) for both vlans :)

You can mark the thread as solved on OpenWRT yourself.

Will do this also on this side.
