extend a guest wifi on second access point with OpenWrt using VLANs 

Hey Mirek, many thanks ! Glad you found what you were looking for finally ;-)

Awesome - let us know how things go !

Brilliant, many thanks for your nice feedback!

Hi, I am glad you could use it - thanks for the feedback.

Hi, many thanks for the feedback. I will put it on the list ;-)

Many thanks again - glad that it helped!

Hi Gabriel - no, I am not a guru at all :-) Just some guy from Germany who loves to share his learnings ;-) And - I don't have to read anyone's minds - it's totally sufficient to read the comments under my videos ;-)

@@OneMarcFifty help! Would you mind sharing (here, or somewhere else) the content of the two /etc/config/network files in the router and access point? On some devices (namely those with IPQxxxx SoC) the only way to set tagged and untagged is with SSH, as there are bugs with DSA and VLANs. It should be viable to connect with only one cable, but I have to be super scrupolous the way I do it. Hope I'm not bothering you too much.

Awesome - many thanks for your feedback !

Awesome - many thanks for the feedback!

Many thanks for the feedback ;-) Yes, DSA / Bridge VLAN filtering etc. will be covered in one of the next videos (planning it before end of december actually)

@@OneMarcFifty Looking forward to it.

if possible mention also a mix of system: I have all version 21.02 but one uses switch and the oter uses DSA! (one is a netgrear and the other is a Linksys WRT1900AC v1). thanks

Awesome feedback- many thanks!

@@OneMarcFifty OpenWRT guidance with the voice of a soothing, reassuring eastern European therapist. This channel has it all.

Hi Morten, many thanks for the feedback ;-)

Awesome, many thanks for sharing, let me know how things go!

Awesome - glad you like them ;-)

Hi Igor, thank you very much - glad you liked them ;-)

Hi, great suggestion many thanks - I'll have a look into that

Hi Andrew, this is awesome feed-back, many thanks ! The OpenWrt 21 video is in the making - should come out in December.

Thank you very much ;-)

Awesome - looking forward to it ;-)

Many thanks Henning, this is great feedback (again) and I am glad that you can use it!

@@OneMarcFifty What is the desired solution to make communication work between IoT devices and the services (mqtt, homegear, nextcloud, postres, webdav,.. ) running on my single machine server? Since the IoT devices are in another subnet now, they can't reach some services (MQTT & Homegear) anymore. Should I drill holes into the firewall, so an IoT device can send a message to MQTT? Should I spend the server an additional (virtual) Interface, that is able to communicate with devices in VLAN 3? Do I have to change my server to a virtual environment like XCP-NG? Please give me a hint 1. best solution 2. good solution 3. worth solution

I am running mqtt with mosquitto on the router.

@@OneMarcFifty Ok, mosquitto may be ok. But for homegear there is no OpenWrt package. And homegear is using MQTT to control heating devices (MAX!) via an LAN based 866MHz radio gateway on one side and stores log informations in the postgresql database on the other side. So I will need both networks for homeautomation. Remote access to all devices in my lan is done via OpenVPN only. I plan to replace it by wireguard. But I definitely don't want a internet based cloud solution.

But can‘t you send messages to mqtt on the iot side (172.xxx) and subscribe to the mqtt server on the lan side (192.xxx), i.e. use the mqtt server as a kind of gateway? The 866 Mhz should work independently of the ip network

Haha - yeah ;-) I thought the same before I discovered VLANs, Proxies, VPN, LTE, SQM and policy based routing ;-)

Thank you

Thanks a lot for the feedback and sharing! That's interesting - I have however seen different behavior with different hardware w/r to encrytpion algorithms. Never had issues with the iphone though. What IOS version is it on ?

Awesome, glad you got it working - yes, the way VLANs are handled has changed in OpenErt 21 or rather in Linux Kernel 5 - we are now talking about Distributed Switch Architecture /DSA - I'll see if I can make a video on that.

Peter B, thank you so much for your suggestion, you saved me a great deal of time and frustration. I'm sharing the steps I took, as it may help out someone else. To get things working with OpenWrt 21.x I performed the same procedure on both my router (Linksys WRT3200ACM) and my access point (D-LInk DIR-2660) as follows: The first step is to setup the guest vlan: - On the top menu, navigate to "Network"/"Interfaces" and click the "Devices" tab. - Click the "Add device configuration..." button. - Change "Device Type" to "VLAN (802.1q)". - Enter "VLAN ID" (in my case 10) - Select "Base device". In my case I wanted to use ethernet port 1, so I chose lan1 on my router, it may differ on yours. - The "Device Name" will auto populate to be "Base device"."VLAN ID". So in my case lan1.10 - Click "Save" and then click "Save & Apply". - For the lan and iot vlans, repeat the same steps with a different "VLAN ID" for each. The next step is to setup a guest bridge and link the guest vlan to it: - On the top menu, navigate to "Network"/"Interfaces" and click the "Devices" tab. - Click the "Add device configuration..." button. - Enter "Device name" (say "br-guest"). - For "Bridge ports" select the "VLAN ID" you created for your guest vlan above (lan1.10 in my case) - Click "Save" and then click "Save & Apply". - For the iot bridge, repeat the same steps selecting the iot "VLAN ID" in the "Bridge ports" step and a different "Device name". - The lan bridge previously existed by default, so you just have to start with the "Bridge ports" step and select the lan "VLAN ID". In addition, I deselected the "lan1" port in the "Bridge ports" step, as I did not want untagged traffic on this ethernet port. The final step is to link the guest bridge to the guest interface. - On the top menu, navigate to "Network"/"Interfaces" and stay on the "Interfaces" tab. - Click "Edit" for the guest interface. - Change "Device" to the guest bridge name you created earlier (br-guest in my case). - Click "Save" and then click "Save & Apply". - Do the same for the iot interface using the iot bridge name. - The lan interface should already be linked to br-lan by default, so no need to change anything there. One final reboot and I was able to successfully connect the two devices with an ethernet cable on the lan1 port. I hope that helps someone else.

@@Andrew-by5yo Hey can you help me out?

Hey, you're welcome - let me know how it goes ;-)

Thank you

I am working on it - it should come out in December ! Next episode Xiaomi 4A, then OpenWrt 21 / DSA etc.

No - there is nothing special about the wan port - you can use it like any other port - you could even give them other names like "Fritz" or "Hans" - it doesn't matter.

Oh - fair point! Actually, if you wanted to get around this then you would presumably have to do a couple of things. Of course you need one interface with an IP address in order to access luci, but you could set all other interfaces to "unmanaged". If you wanted to secure this further, then you could spawn up a separate out of band (OOB) Management VLAN and disable IPV4 forwarding on the access point in order to prevent rogue access by people who change their default gateway to the AP's address.

@@OneMarcFifty Hi Marc Like everyone else I've got to say your video explanations are brilliant. I'm just getting into networking with OpenWrt and there's no way I could do it without your input. Regards the DHCP client vs unmanaged interface, I'm not sure if it's because I've done anything else wrong, but when I had all of my VLANs (LAN, Guest and IoT) on the AP set as DHCP client, the main router kept failing and it appeared to be something to do with it constantly updating the lease to the AP. I've changed it now so that Guest and IoT are both unmanaged, and the issue seems to have disappeared which is great. Thanks and keep up the good work.

Hi Michal, you would first set up the 4 zones LAN1, LAN2, WAN1, WAN2 and then setup zone forwarding LAN1->WAN1 and LAN2 ->WAN2

Oh yea. While fiddling with it, DO NOT let it put both your hardware VLAN interfaces into it's default br-lan. This literally bridges the VLANs, so all traffic from each goes out both and hardware switches and STP will put ports into blocked state. Not that easy to recover from.

have you figured out how to do this in openwrt 21? i stuck

@@alwanosuarez9022 Did you get the original router working with the 3 networks/firewall?

Next video will show this on OpenWrt 21 - before the end of this year

Hi NiLo - I have no experience with it so far, but I still have the idea to make a video on real Wi-Fi mesh with 802.11s or the like - I might actually dig into it as it seams to be quite easy (as you say, if you have more than one or two it really eases configuration). Many thanks for the hint!

Hi Heiko. Many thanks for your comment. You could set up firewall rules based on IP addresses - that's perfectly possible. Alternatively based on MAC addresses which is a bit better security-wise. You would however set up rules for each known client. Furthermore, using DHCP will be a challenge as clients would not have an IP address at the moment that they request an address. Also, if a guest changed his/her IP address manually then they would get access to everything..... VLANs is really the way to go here .... UNLESS your clients would connect via Wi-Fi only - then you would only have firewall zones and allow WAN access to the zone. In a nutshell, set up a guest and LAN interface and bridge the LAN/Guest Wifi to them.

Hmmm... I haven't experienced that really. But I would need to trace it - presumably has to do with "deauth on low Ack" setting as well ? Might be safer to disable that...

Hi Rich, you could use this line. You would not need an additional cable.

Hi, many thanks for your feedback - yes, you could use any port really. It doesn't matter. I just had to pick one.

Hi Paul, the next video will cover that - people keep asking about OpenWrt 21 update ;-)

Hi Peter, is your x86 router an OpenWrt Router or a Linux machine ? Maybe - because this discussion can get longer - it would be best to hop on the discord server for discussion discord.com/invite/DXnfBUG

Thank you for your suggestion, it saved me a great deal of timefrustration. I'm sharing the steps I took, as it may help out someone else. To get things working with OpenWrt 21.x I performed the same procedure on both my router (Linksys WRT3200ACM) and my access point (D-LInk DIR-2660) as follows: The first step is to setup the guest vlan: - On the top menu, navigate to "Network"/"Interfaces" and click the "Devices" tab. - Click the "Add device configuration..." button. - Change "Device Type" to "VLAN (802.1q)". - Enter "VLAN ID" (in my case 10) - Select "Base device". In my case I wanted to use ethernet port 1, so I chose lan1 on my router, it may differ on yours. - The "Device Name" will auto populate to be "Base device"."VLAN ID". So in my case lan1.10 - Click "Save" and then click "Save & Apply". - For the lan and iot vlans, repeat the same steps with a different "VLAN ID" for each. The next step is to setup a guest bridge and link the guest vlan to it: - On the top menu, navigate to "Network"/"Interfaces" and click the "Devices" tab. - Click the "Add device configuration..." button. - Enter "Device name" (say "br-guest"). - For "Bridge ports" select the "VLAN ID" you created for your guest vlan above (lan1.10 in my case) - Click "Save" and then click "Save & Apply". - For the iot bridge, repeat the same steps selecting the iot "VLAN ID" in the "Bridge ports" step and a different "Device name". - The lan bridge previously existed by default, so you just have to start with the "Bridge ports" step and select the lan "VLAN ID". In addition, I deselected the "lan1" port in the "Bridge ports" step, as I did not want untagged traffic on this ethernet port. The final step is to link the guest bridge to the guest interface. - On the top menu, navigate to "Network"/"Interfaces" and stay on the "Interfaces" tab. - Click "Edit" for the guest interface. - Change "Device" to the guest bridge name you created earlier (br-guest in my case). - Click "Save" and then click "Save & Apply". - Do the same for the iot interface using the iot bridge name. - The lan interface should already be linked to br-lan by default, so no need to change anything there. One final reboot and I was able to successfully connect the two devices with an ethernet cable on the lan1 port. I hope that helps.

Hi John, you would just have to bridge an available Ethernet port to any of the devices (IOT, Guest etc.) on the access point and then plug the device into that port. The port would need to be untagged ("Port VLAN")

I have connected eth1 to an HP2530 managed switch and setup VLAN there

@@bambaclart4592 Hi, your Pi doesn't have a switch. You might be able to use Distributed Switch Architecture (DSA) with OpenWRT 21 (Kernel 5.4) though.

Thanks for the fast reply! I am using the CM4 with the “IOT router” io board from dfrobot, I’ve seen people on RU-vid using the single Ethernet port on a normal pi with vlans so I thought it would work

@@OneMarcFifty also, I will have a look into your recommendation, I just managed to upgrade my kernel today, thanks

You can use vlans by defining eth0.xxx devices (xxx being the id of your vlan). Just the switch page is not there.

Yes, the distributed switch architecture DSA has different interfaces. I might pick that subject up in a future video

Hi Peter, yes you could have the AP route locally. The reason why I configured it centrally was that I did not want to repeat firewall rules on every single device.

That's new in OpenWrt 21 - video to follow in December 2021!

Two update videos will come very soon. One about OpenWrt 21 and the DSA (Distributed Switch architecture) and possibly another one about devices without switch at all (e.g. Raspberry Pi or VM) - what type of device do you have ?

@@OneMarcFifty Im running it on an dell sff pc with an intel 4 port gigabit pcie card, therefore each port is an interface itself. I’ve skimmed around a bit and think there might be something to putting a . in the interface number creates a VL on that interface, for example: ETH0.2 would be VL 2 on ETH0, I really haven’t had the time to really dive into this yet though.

Oh I see - that‘s a scenario I would have to look at.

There is a way of achieving this with relayd openwrt.org/docs/guide-user/network/wifi/relay_configuration but I could never get this to work - I'd rather go for 802.11s mesh in this case...

Yes - if the CPU can handle it. The total bandwidth of the one wire will be the hard limit. But also CPU of the device is a limiting factor.

Hi Ruud, on a trunk port (i.e. a port with tagged VLANs e.g. 3,4,99) you can and should set the PVID to something else, e.g. 55. On a VLAN untagged port you need to set PVID=VLAN ID

@@OneMarcFifty thank you for the clarification

You don’t necessarily need a 2nd router. The solution is made so that you can extend the coverage of the Wifi. The port is not needed. It’s just to show how VLAN tagging works.

@@OneMarcFifty I currently use 192.168.2.x for my LAN. Considering my IOT devices are both wired and wireless, is it OK to convert them use 192.168.3.x and will that require 2 VLANS?

Hi again, yes - in Cisco terms Tagging is called Trunking - and the promoted use case is to link a router/switch to another one. Unmanaged switches do not necessarily drop tagged packets. The ones I have tested just forward them.

OpenWrt 21 uses distributed switch architecture (DSA) - video to follow soon ;-)

@@OneMarcFifty Thanks Marc - DSA. Following your video still works, it's not hard to extrapolate. But the real reason I am replying again is to tell you sir, you have the best tutorial's on all of youtube, in fact all of the Internet for that matter. Another thumb's UP!!!

Video is in the making - it will come this month.

Hi Dan, it's in the making. I am currently cutting the next episode which is about the Xiaomi Mi 4A Gigabit Edition. The following episode will be about OpenWrt 21 VLANs and DSA / Bridge VLAN filtering. If nothing goes wron then it should be published this year.

Hi Cattivello, please see the latest video - that should clear things up ;-)

@@OneMarcFifty it appear that the Netgear Nighthawk X4S R7800 that I am use, runs version 21.02.1 but is not DSA router enabled. From forum, still has Switch and therefore not DSA. If it happen you can spare a video for how to manage VLANs on 21.02.x but still switched, would be great. Thanks

@@OneMarcFifty Can you provide the URL here :S

Yes. If your main router can do VLANs then it should not be a problem

Hi Ariovaldo, that question has come up a couple of times already - I might do that in the foreseeable future.

Hi Andrea, I will have to thoroughly investigate on the first point - and I will do so in the lights of migrating my Archer C7's to Version V21 - so please be patient on this one - w/r to your second question - If you set up same SSIDs and passwords, then roaming will work - it might not be fast but should work. You might need to change the power settings and positioning of the APs (actually avoid overlaps of the served Wifi zones) for this to work better. If the other hardware can do 802.11r (which most non-open software doesn't expose) then it would presumably not give you fast roaming capabilities unless you could read out the mobility domain from the 1st router.

I guess it is working with a static address as well

So - when you say you can't change it - is that because the menu option doesn't show or does it not apply the changes ? for the later try reconnecting to the new address within 90 seconds in order to commit or alternatively use uci set network.lan.proto='dhcp' && uci commit && reboot from the commandline (ssh)

@@OneMarcFifty well that is pretty embarrassing. This time it worked right out of the box. One thing I changed is... I had already set a static address for my "dumb" AP on my "controllling" router.

The reply will not be routed by the access point as it has no ip routes other than the main router. That’s basically the trick. Adding one AP with two VLANs is as if you added two APs - the routing will be perfectly symmetrical as the AP only acts on layer2

@@OneMarcFifty ok I think I finally understand what "bridging WiFI and Ethernet" means and now everything makes perfect sense - with AP's Wi-FI and Ethernet ports bridged, IoT device talks directly to the main router as they are essentially both connected to the same L2 switch 😅Thank you!

Either set the protocol of the guest interface to „unmanaged“ - it then does not get an IP address at all - or bind the relevant processes such as dropbear and uhttpd to a specific ip so that they don’t listen on all interfaces

I believe i figure it out. Is under devices lan configuration. There you can set VLANs I have not yet put it live but the all tagging and untagging is ready. Will soon test live. I also run a VPN client to commercial provider. I hope it will not break things. Tip: if you enable software and hardware offload, you loose the ability to work out iptable that are set (in my case) from the VPNbypass service . Hance, dont turn that on if you need iptables.

Thanksss

Many thanks for sharing ;-)

Thanks Geoff, just need to be aware that this opens port 80 from the WAN zone - if you are clear of the implications, then go for it ;-) In a test environment this is definitely an easy way to get around 192.168.1.1 setup and limitations ;-)

@@OneMarcFifty Thanks for your reply. I agree port 80 isn't ideal, but as it's the bridged IP of the container, known only to the local to the machine it's running on, it's fairly safe. It's a bit like running it with Host-Only Networking in Virtualbox, but it's much lighter on resources than a full VM. If I find a better more secure way I'll let you know.

Hi Cheney - things have changed in OpenWrt 21 - I am currently working on a follow up video.

@@OneMarcFifty Good to hear, Looking forward to it, Tks.

Yes, absolutely. There is no guarantee that it works with all switches, but the ones I have tested worked well. Let us know how it goes.

Check this video ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-qeuZqRqH-ug.html

You'd add an interface just like any other and just use PPPOE as the protocol.

@@OneMarcFifty so you wouldn't edit WAN?

Bro i was looking for this

It will come this month !

Presumably the config in OpenWrt 21 is wrong - next video will cover DSA and Bridge VLAN filtering!

@@OneMarcFifty interested

It will always end on the same VLAN and firewall, regardless which AP you connect to

I’m here - and so are you. That’s all that counts ;-)

Many thanks for the feedback! I am adding the .guest so that the different interfaces have different.names, i.e. I can ping them separately with different names.

@@OneMarcFifty Thanks that makes sense, I found it didn't work for me with using a period (.) so I used hyphen. I also discovered a bug with my homehub5a, I'm using for a dumb AP with openwrt flashed on it and seems it cannot handle multiple 5ghz networks, as soon as I add more than one it errors and disables the adaptor, I'm going to look into this more but for now have my LAN WiFi on 5 and 2.4ghz with fast roaming and vlans for LAN, IOT and GUEST working beautify- seems the homehub5a is happy with multiple 2.4ghz so for now my faster WiFi is only for LAN :-) which is not necessarily a bad thing. My tplink Archer C7 v5 running openwrt has no problems handling multiple 5ghz networks. I've also had ISP issues recently and configured mwan3 on the tplink, I have a 4g mifi unit which I couldn't (yet) get to work on USB so it's connected via wireless to it (I named it WWAN) the mwan3 is configured for failover to both WAN and WWAN it pings google and if that fails for a defined number of attempts it knows my ISP is down it and swaps to the 4g mifi, as soon as the ISP is back up it switches back. Your videos are a great help and OpenWrt is so configurable with some help I don't need to buy mesh as a monthly cost nor 4g backup, and can upcycle my old routers (Homehub5a) which I have another to flash now :-) I like the tplink it was cheap and flashable to openwrt through the stock firmware upload page I can see me wanting to buy another in future

@@damianthomson6402 Many many thanks for your comprehensive feedback! I do love the Archer C7 too - it was - or rather is - a great device ;-)

@@OneMarcFifty I've now fixed my issue on the 5ghz, system log showed an error on one of the WiFi logs so I deleted my older wireless networks and started again - solved the issue, I checked and both the homehub5a and TpLink Archer c7 were using the same Qualcomm software / driver - slight variant on chipset but made me think ok must be a corrupt config. The TP Link Archer C7 can still be picked up at cheap price in the U.K., I am wondering what's a good new device to go for perhaps you've covered in another video ?

Actually, currently I am looking into the D-Link DIR-2660 - looks quite promising - but still waiting for OpenWrt 21 here to see if hte switch part shows up correctly ;-)

Hi Luiz, I am sure there is a way, but I just don't know if and how ASUS maps it out to ports (VLAN etc.) - and I don't have any ASUS device here to test - sorry ;-(

Thanks for your kind feedback! In this scenario the traffic should not go to the router unless it's broadcast packets as the local switch has the MAC address of both devices. OpenWrt has an Option to isolate clients on the Wifi though.

@@OneMarcFifty thank you

I'd be curious to hear what you base that observation (lag) on. Have you seen this using Software VLAN or driver/ hardware level VLAN ? Also - you can't assume that everyone has the possibility to put in as many wires as they like plus just buy more expensive hardware. I do entirely agree that putting in more cables and juicy hardware increases the performance - still you need to encounter a performance bottleneck before you try to fix it. The targeted audience is most likely not people who run network parties with 10+ people over wifi ;-)

@@OneMarcFifty My base are routers people by on "7-eleven", they are not fit for the task, the processos is too weak for that. In today world people call over more than 10 people that you share the wifi with. Using a regular router already causes the bandwidth to drop (you can test yourself, no need to believe me), using this complex configuration, makes things worse. You can do this with true routers and switches, however, is really a bad idea to do the same with a "7-eleven" router.

@@coisasnatv OK but then the issue is rather with Wi-Fi performance on weak CPUs than with trunking being a bad option. In my experience, trunking/tagging uses roughly 1% of CPU. On offloading configurations there is no CPU impact at all. If you have issues with the number of people on one Wi-fi then there are multiple solutions, such as adding more APs or use powerful hardware with MU/MIMO.

@@OneMarcFifty Again, trunking is a bad option when you use a cheap hardware with 10+ clients *with intense tasks.* For a regular use it might not cause any impact at all, however, if people start to share files or stream videos (uploading or downloading) you'll see the performance of your network drop drastically, a few disconnections, etc.

Presumably the easiest would be to either put home assistant into the IOT and allow firewall rules for web access etc. Alternatively give the home assistant device two network interfaces, one in LAN, one in IOT

You got it working?

Sure-I‘ll try ;-) first off, how do you determine ‚lost packets‘? Also, did you put the wifis on different channels, i.e. one channel on the router, another one on the access point? They do have different bssids right? What hardware?

@@OneMarcFifty Thanks , and sorry for my English.So, openwrt has wan eth1( wan usb to lan adapter) and eth0(lan) and 2 vlans home eth0.30(10.0.30.1) and iot eth0.20(192.168.0.1) , lan port eth0 is conected to managed switch port 1 vlan 1 untagged , vlan 20 port 2,3,4 untagged and port 1 tagged, vlan 30 port 6,7,8 untagged port 1 tagged.In this situation if i connect a pc in port 2,3 or 4 i receive ip from dhcp 192.168.0.x , if i connect in 6,7,or 8 i receive ip from dhcp 10.0.30.x.Internet is ok on both networks and with the help of firewall zones i can stop iot devices to acces home devices.My problem is that i need that separation on wirelless, so i have an ap that can manage 4 ssid's with vlan tagging.If i set port 5 from switch tagged on both vlans (20,30) and untagged on vlan 1 ,on ap ssid 1 named "home' vlan 30 and ssid named 'iot' vlan 20, devices connected to wirelless receives coresponding ip adress and can ping devices from same vlan without loss of packets , but if i ping to internet i have lots of "request time out".

@@IoanMariusRedean Why do you set VLAN 1 to untagged in your config ? It looks like you only need VLAN 20 and 30. The VLAN1 untagged solution is really for people who have an unmanaged switch. You have a managed switch, hence I would NOT set vlan 1 to untagged. All you want really is bridge either to home or to IOT, so VLAN 20 or 30. Routeing and firewall will be done on the router. So - on the access point you only bridge ethx.30 to home Wifi and ethx.20 to iot wifi, then on the switch part VLAN 20 and 30 tagged, nothing else, all others to off or do you have more stuff going on on other VLANs ?

@@OneMarcFifty Thanks again for your answer.Belive me that i am struggling with this for more than 2 weeks.So on ap i set ssid 'Iot' to vlan 20 and ssid "home" to vlan 30.On the switch vlan 1(default) zero members, on vlan 20 port 1 (from router) tagged and port 2(from ap) tagged(vlan 20 -> port 1,2 tagged) .in this moment if i connect to ssid iot i receive the coresponding ip (192.168.0.xxx) and ping to the internet is flawless.The problem comes now.If i set port 1 and 2 tagged on vlan 30(vlan 30-> port 1,2 tagged) , i receive coresponding ip on both ssid's ,but ping to the internet has lots of 'request time out' no matter what ssid i selet.My concern is that something is wrong on the router, or i need to do some setting.

@@IoanMariusRedean First step to troubleshoot this would be to eliminate the switch, i.e. connect the two routers with a cable. If problem persists, then switch is not the problem. Second step would be to check arp cache on the second AP (arp -a) and look for irregularities with/without Wifi. Then try traceroute -n to e.g. 8.8.8.8 to see where the route gets confused. Maybe you still got routing congifured somewhere on the AP ?

Hi, many thanks for the feedback - there's newer videos on OpenWrt 21 on my channel https:/ru-vid.com

Hi, the reason is that I only have one wire going from the Router to the Access Point (AP) but I want to connect three LANs (Guest, IOT, LAN). The chosen way to do this is to tag each one of these as a VLAN over one wire. I could of course let one of those be untagged (e.g. the LAN). Just a design choice really.

First off - many thanks for your comment and feedback. I am glad you got it working with the help of the video. With regards to your question, you could in fact run a watchdog script that scans for the other SSID and then switch Wifi on / off. However - I would not really advise doing so - it might be helpful to have two APs if one goes down etc... what is the main reason why you would want to disable the Guest Wifi at all ?

Hey, I am really sorry but I don't own a Xiaomi 4A... sorry.

Hi, yes it's all OpenWrt here ;-)

I wouldn’t bother - I mean - you could set up two different IP ranges and give your well-known devices an IP address in a “trusted” IP range (i.e. have two interfaces on the same wire and then have two DHCP ranges, one primary/authoritative with static leases and the LAN range and one with untrusted range dynamically for everyone else). The two SSIDs would hence connect you to the same network, but give you a different IP range. A guest could however give themselves an IP in that range manually. It’s definitely better to separate in OSI layer 2.

@@OneMarcFifty 1. client can communicate to router/other-clients over layer 2 if blocked by layer 3 (IP) when using this method ? 2. Isn't is true for devices on same subnet/zone, How to block communication over layer 2 ? 3. How to IP-MAC bind ie only give x IP to y mac Address or have some captive portal to authenticate the client ?

I am afraid that I can't tell you - I don't know - I mean, VLAN is VLAN - it is defined in IEEE 802.1Q ("Dot1q") - if Ubiquity follows that standard then it should. Unfortunately I don't have any Ubiquity hardware here to check or test...

Yes. No Problem. I have replaced an EdgeRouterX with a NanoPi R2S running OpenWrt, because I needed much more CPU power to support Wirguard with more than 200Mbit. All acesspoints are working as before :)

@@henning7801 So how do you set openWRT VLANs on Unifi AP?

@@user-zr7kz4vs7c On OpenWrt setting VLAN id's depends on the device. On the R2S the id's had to be set in the interfaces section. On i.e. a Archer C7 or WDR4900 it has to be set in the switch section. You can use LuCi, UCI or editing config files directly to configure. On Ubiquiti devices it has to be set in the configuration software. Just use the correspondig id's. Did not have Ubiquity devices/software @home. So I can't have a look. But it's pretty the same thing ....

@@henning7801🙏🏻 thanks for your help

I'll think it over ;-)

@@OneMarcFifty Judging by the fast answer, I might check that situation before you. And I am a (THE) lazy person... I tried that set-up a month ago, and lost the will (to live and try), when the Wi-Fi didn't untag. The ethernet VLANs worked just fine.

Hi, what exactly do you mean by "browsing" - wht software / protocol are you using to do this ?

Hi Marek, Version 22.03 can do VLAN filtering on bridges, but you don't have to. You can still create bridges with interface VLANs. However it is true that the representation of DSA (Distributed Switch Architecture) changes how the VLANs are mapped to the interfaces. The basic idea however of mapping VLANs to SSIDs remains the same. Many thanks for your feedback !

It depends on your hardware. Certain hardware retains the switch in later (and current) versions. Although these devices also have options for vlan stuff on the bridge which really shouldn't also need there and make it really confusing at first.