Posted: Fri Apr 28, 2023 12:06 Post subject: [SOLVED] DD-WRT dumb AP with tagged VLANs and multiple SSIDs
I would like to configure my home network as follows:
DD-WRT router as dumb AP with multiple SSIDs and 802.1q tagged VLANs.
OpenWrt router as main router managing everything (routing, firewall, zones, guests, etc).
How to configure DD-WRT to act as dumb AP with multiple SSIDs and 802.1q tagged VLANs?
VLAN3 on port 1
Created SSID by adding Virtual Interface wl0.2
Created bridge br1 and assigned vlan3 and wl0.2 to it
Problem is if I connect to the newly created SSID it does not get DHCP. Also in Setup -> Networking under br1 Configuration there is an "IP Address" field, but IP addresses should be managed on OpenWrt.
A secondary router connected wired LAN<>LAN on the same subnet as the primary router.
Setup:
• On Basic Setup page:
o WAN disabled
o DHCP server Disabled (=off and NOT set as Forwarder!)
o Local IP address in the subnet of the primary router but outside the DHCP scope; make sure the IP address used is unique on your network, you cannot have duplicates.
o Gateway and Local DNS pointing to primary router
Example:
If your primary router is 192.168.1.1 then set the Local IP address of the WAP to 192.168.1.2 (make sure that is not used).
The Gateway and Local DNS are set to point to the primary router e.g.: 192.168.1.1
• Keep DNSMasq enabled (both on Basic Setup page and Services page)
• On Setup > Advanced Routing, keep the Operating mode at the default Gateway (the wiki says Router mode but do not do that; either it does not matter (this case) or it breaks things)
• On Security > Firewall keep the SPI Firewall enabled, although you do not want a firewall it will be automatically disabled as there is no WAN so no need to change this setting from default.
• Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre and there are some routers where the WAN port is not added to br0 so the WAN port could be non-functional on some routers).
Note: For Broadcom routers, for best throughput enable CTF on the Basic Setup page
If you have unbridged interfaces on the WAP (Virtual Access Point (VAP), bridge etc.), you have to add the following rule to the firewall in order to get internet access.
In the web-interface of the router (the WAP): Administration > Commands save Firewall:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
As you want everything done by the main router you do not need the POSTROUTING rule, but it does not hurt.
Basically you are doing the right thing: create a VAP, create a bridge br1 and add VLAN3 on the switch page; as port 1 is your trunk port, enable VLAN1 and VLAN3 on port 1, which you can do if you tag that port.
Tag the CPU port for everything.
Assign the VAP and VLAN3 to br1
Your trunk port, port 1, now carries both VLAN 1 and VLAN 3; your OpenWrt router has to handle that.
Screenshots below. I had to change to vlan2 (did update OpenWrt configuration also) because vlan3 did not appear in the assign to bridge list.
Are my settings correct?
There is no DHCP, internet, or access to local network right now.
I got guest network running according to your instructions.
Although main wifi (wl0) does not have internet or local network access. Neither can I access 192.168.1.2 (DD-WRT router) from OpenWrt's wired network.
Quote:
The VAP wl0.1 should be left at its default bridged.
Because it is bridged to br1
My main wifi is wl0 and wl1 (2.4 and 5 GHz respectively) - looks like I can not assign them to a bridge and they're not shown in the bridging table as well.
I am not sure whether it's DD-WRT or OpenWrt misconfiguration.
Btw I had to set br1 Net Isolation disabled because it somehow limited my main (OpenWrt wired) local network access between devices.
You are still configuring nonsense.
Otherwise VLAN0 and VLAN4 would not be in the bridging table and VLAN2 (the WAN port) should not be bridged either.
See again exactly what I have posted for settings
and as sir egc has already pointed out the "vlan tagging" is completely wrong
Yes, then you have to set VLAN2 to unbridged.
Or you can disable VLAN2 completely and add the WAN port to the LAN. (but no one has asked for this here)
should work as shown in the screenshot...
egc wrote:
I think that there are routers with a 4 port switch and separate WAN port and in that case you cannot just set the WAN port to VLAN1
Don't know which routers these should be, as far as I know the R7000P has 6 used switch ports (1x CPU, 1x WAN, 4xLAN).
Delete the vlan tagging that is already being done on the switch config tab.
Done
Quote:
If you disabled the WAN according to the instructions I have sent then the firewall is disabled and Net isolation should not do anything.
WAN disabled according to dumb AP configuration instructions
Quote:
Otherwise VLAN0 and VLAN4 would not be in the bridging table and VLAN2 (the WAN port) should not be bridged either.
See again exactly what I have posted for settings and as sir egc has already pointed out the "vlan tagging" is completely wrong
Removed all vlan2 ticks from vlan conf. table and added WAN to vlan1 as on ho1Aetoo's last screenshot. Port1 connected by cable to OpenWrt eth2.
I got it all working now. I had to create device eth2.1 (vlan tag 1) and add it to br-lan on OpenWrt to grant access to AP wl0 connected devices to the lan and wan.
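For reference, the OpenWrt side of the final setup as an added, constructed example (not configuration posted by anyone in this thread): eth2 is the OpenWrt port cabled to DD-WRT port 1, VLAN 1 (tagged) joins br-lan as eth2.1 exactly as described above, and the guest VLAN 2 gets its own bridge, subnet (assumed 192.168.2.0/24), DHCP pool and firewall zone on the main router, so the AP never hands out addresses.

```uci
# /etc/config/network on the OpenWrt main router. eth2 is cabled to DD-WRT
# port 1; both VLANs arrive tagged because DD-WRT tags VLAN 1 and 2 there.
config device
	option name 'eth2.1'
	option type '8021q'
	option ifname 'eth2'
	option vid '1'
config device
	option name 'eth2.2'
	option type '8021q'
	option ifname 'eth2'
	option vid '2'
# Add eth2.1 to the existing br-lan device section (keep its other ports):
#   list ports 'eth2.1'
# Guest VLAN: own bridge, own subnet (assumed 192.168.2.0/24), DHCP only here.
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth2.2'
config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: hand out guest leases from the main router
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall: guests reach the internet, not the LAN, and may only
# talk to the router itself for DHCP and DNS.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
config forwarding
	option src 'guest'
	option dest 'wan'
config rule
	option name 'Guest-DHCP-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
```

After applying, a device on the AP's guest SSID should lease from 192.168.2.0/24 and be unable to reach 192.168.1.0/24, while devices on wl0/wl1 land in the LAN as before.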