Extend a guest Wi-Fi to a second access point with OpenWrt using VLANs

Captions
This is the second episode of a short series that deals with segmentation of our network. In the first episode we defined the firewall and the Wi-Fi networks for our internal LAN, our guest Wi-Fi and our IoT devices. In this episode we will extend the three Wi-Fi networks to a second access point by using VLANs. Stay tuned.

(intro)

Let's quickly recap what we have on our main router by logging in to the web interface (which is called LuCI) of our first OpenWrt router. If we click on Network, then Firewall, we can see the four firewall zones: our internal LAN, the Guest and IoT networks, and the WAN, which is basically the internet. Under Network - Wireless we can see the wireless networks again, one for LAN, one for Guest and one for IoT. Under Network - Interfaces we have the corresponding interfaces.

What we want to achieve in this episode is a second access point with the same Wi-Fi networks, so LAN, Guest and IoT. But we do not want to set up all the firewall settings twice; we want to keep using the main router as the firewall. IP addresses should be handed out by the primary router to all devices, regardless of whether they connect to the Wi-Fi on the primary router or on the access point. Also, if we want to use fast roaming, the second access point should be transparent from a layer 3 perspective. It should sit in the right subnet and not act as a router but as a so-called "dumb" access point.

OK, we will hook up the second access point to the first one with Ethernet cabling. Hence we need to add Ethernet interfaces to each of those firewall zones. Now, unfortunately I only have one Ethernet interface in this router, so how am I going to achieve this? My first attempt, before I knew how to use VLANs, was to do this with routing. Knowing that my firewall zones and my different Wi-Fis have different IP address ranges, I tried to use firewall traffic rules to only allow traffic from one specific IP address range to a certain interface or zone. But this concept has two big flaws. First, everybody could give themselves an IP address out of a certain range and hence move from one zone to the other just by changing their own IP address. Second, how am I going to do DHCP? At the moment when I request an IP address from the router, I of course only have a MAC address. Now, I could certainly configure fixed IP addresses for given MAC addresses, in other words give IP addresses out of the LAN or IoT zone to the well-known MAC addresses of the LAN or IoT devices and give a guest address to everything else. But this also has a big flaw: it would mean that a device with a certain MAC address would always be, for example, in the IoT zone, regardless of whether it is connected to the IoT, LAN or Guest Wi-Fi. So there would be no point in having different SSIDs really. The problem needs to be solved one layer deeper, on the MAC or Ethernet layer. Let's first solve this with three separate Ethernet cables.

First, I need some more Ethernet interfaces. I only have one physical interface, but in Linux you can split a physical interface such as eth0 into many virtual interfaces. These will be called eth0.1, eth0.2 and so on. We will effectively create VLANs. In OpenWrt LuCI the VLANs are created under Network, then Switch. For this you want to make sure that the checkbox that says "Enable VLAN functionality" is checked. Now here we can see that I already have two VLANs. VLAN 1 is the LAN and VLAN 2 is the WAN. I need two more of those, one for IoT and one for Guest. So let's do this. I need to click on "Add VLAN" twice. That adds VLAN 3 and VLAN 4. Behind the scenes that actually creates the virtual interfaces eth0.3 and eth0.4.

Now let's make sure that each of those newly created Ethernet interfaces gets a port on my router's switch. This can be done by assigning the VLAN to the corresponding switch port. A port can be untagged on only one VLAN, so for now each port is served by exactly one interface. I set the LAN1 port to be served by eth0.1, which is VLAN 1, which is my LAN. Assigning a port to an interface is done by setting it to untagged. In Cisco vocabulary this would be an access port. Let's do that with the 3 VLANs. The CPU port needs to be set to tagged on all VLANs. That's by design: the CPU port is the switch port that leads to eth0 inside the router, and the tag is what makes a frame show up on eth0.1, eth0.3 and so on rather than on plain eth0. Make sure that you don't assign your WAN here, which in my case is VLAN 2; that should only be assigned to the WAN port.

Cool, so now I have 4 Ethernet adapters and each of them has its very own connector at the back of my router. Next I want to bridge each one of those with the corresponding Wi-Fi. I will later do the same thing on the second access point. But let's first bridge the Ethernet and Wi-Fi interfaces on the main router. We go to Network, then Interfaces, and we go through all three interfaces and bridge the Wi-Fi and the Ethernet: LAN with eth0.1, IoT with eth0.3, and Guest with eth0.4. Save and apply.

Once we have done the same thing on the second access point we could then connect the two devices like this: three Ethernet cables, or three different LANs, one for each Wi-Fi or firewall zone. One cable for the LAN that bridges our LAN Wi-Fi and our LAN Ethernet on both sides. Same thing for IoT and Guest: the Guest Wi-Fi with the Guest Ethernet, the LAN Wi-Fi with the LAN Ethernet and the IoT Wi-Fi with the IoT Ethernet on both sides.

If a device logs into the guest network on the access point, it will then be bridged over Ethernet to the guest interface on the router, receive an IP address from the guest range and automatically be in the right firewall zone. Same for LAN and IoT.

Now, one thing is very annoying here, and that is the fact that we need three cables. But I only want to use one single Ethernet cable between the router and the access point. What we need to do is use a trick, and that trick is called tagging. In Cisco terminology this is called trunking. Think of the tag as a little Post-it note that Linux sticks on each frame (technically a 4-byte 802.1Q header that carries the VLAN ID). Hence each frame is clearly marked, or tagged, for a specific LAN, or rather VLAN. A device that is not VLAN-aware does not know what to do with it and will typically discard the frame. A VLAN-aware device such as our access point can read the tag, remove it and dispatch the frame to the corresponding interface. So rather than using 3 cables, each of them carrying untagged traffic, we use one single cable and tell the other side which virtual cable, or VLAN, each frame belongs to by tagging it. So let's go to our Switch configuration and assign one port to all three VLANs, but this time tagged. In the next step we will do the same on the access point on the other side and connect the two using the tagged ports. When a frame comes in on the access point, let's say on the guest Wi-Fi, it will be delivered to the untagged Guest VLAN port on that side, but it will also be tagged and transferred over the cable to the router, where the tag is read and removed and the frame is dispatched to the right interface.

So having a tagged port is as good as having many untagged ports. We have just put three cables into one by using tags, very much like addressing on layer three but one layer below.

Awesome, now let's set up our access point the same way but without firewall and routing, just bridging. In other words, it will be a dumb access point. In essence what I did here is that I created the same interfaces on this side but set the interfaces' protocols to DHCP client. Also I disabled DNS and firewall. If you want a detailed walkthrough then please watch my video on fast roaming.

So on our access point we have the Wi-Fi interfaces, which are bridged to the Ethernet interfaces, which are in turn mapped tagged to one port on the switch. This is the port where we connect the cable between the two routers. If you wonder how to configure the Wi-Fis, please check my video on fast roaming as well.

Now let's go and test this. I want to quickly switch off the Wi-Fi on my main router in order to make sure that I only connect to the second AP here. First let me connect to the LAN Wi-Fi. I check the IP address: it's in the LAN range. I can surf the internet, and I can connect to the router. Then I connect to the Guest Wi-Fi and check the address: it's in the guest range. I can surf the internet, but I can't connect to the router. Next let me connect to the IoT Wi-Fi. Here we go: address in the IoT range. I cannot browse the internet; I can, however, access the router. Awesome, all working as expected.

So, are we done? Not quite. There is one remaining problem with the concept. Let's assume the following: the two OpenWrt systems are most probably not connected directly with a cable but rather over a switch, and all your other network devices are connected to that switch as well. Now, the connection from the router and the AP to the switch is tagged. That means that if you use a managed switch, then you need to set the ports where the OpenWrt devices are connected to tagged on VLANs 1, 3 and 4, and set all other ports of your switch to untagged on the VLAN that you want to serve there. Most probably the majority of us have an unmanaged switch. And that means that all of a sudden your router has become invisible on the Ethernet network, because it only sends tagged frames. Now, here again we may use a trick, and that does not necessarily work with all hardware. Remember that we can only set one VLAN to untagged on a port? In fact, OpenWrt allows you to mix tagged and untagged on the same port. So what we do is set VLAN 1 to untagged and the other VLANs to tagged on that port. This way we can still transfer all 3 VLANs over one cable; the only difference is that everything that is not tagged will be interpreted as VLAN 1. On a managed switch that would be the PVID of that port.

One caveat with this shortcut: an unmanaged switch does not filter tags, so the tagged Guest and IoT frames are flooded to every port on it, and any VLAN-aware device plugged into that switch can join VLAN 3 or 4 simply by tagging its own frames. The segmentation is then only as strong as physical control over that switch. A managed switch lets you restrict VLANs 3 and 4 to the two ports that lead to the OpenWrt devices.

That's it. Save and apply on both sides and we are done.

Perfect, we have successfully segmented our network into three firewall zones. We have three Wi-Fi SSIDs for Guests, for the LAN and for our IoT devices with adapted policies. We have added a second access point and mapped the Wi-Fi connections over one single cable using VLANs. Guys, that concludes today's episode. If you are having trouble with this then let me know in the comments or join my Discord server where I am available for text, voice and video chat: voice and video every Sunday at 9 AM and 6 PM Berlin time. You may also contact me on Reddit or on Facebook. Until then, many thanks for watching, liking and subscribing. Stay safe, stay healthy, bye for now.
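As an added example (not code from the video, and not OpenWrt's own code), here is a small Python model of the switch table the video builds. It parses the swconfig-style `config switch_vlan` stanzas that LuCI writes to /etc/config/network under Network - Switch, checks the rules stated in the video (one untagged VLAN per port, CPU port tagged on every VLAN, WAN VLAN only on the CPU and WAN ports) and simulates how a VLAN-aware switch classifies an incoming frame and where it sends it, including the final trunk port that is untagged on VLAN 1 and tagged on VLANs 3 and 4. It also shows, for contrast, what an unmanaged switch does with the same frames. The port numbering (0 = CPU, 1 to 3 = LAN ports, 4 = trunk to the access point, 5 = WAN) and the sample config are constructed for this example; real devices number their ports differently.

```python
"""Added example: model of the swconfig VLAN table from the video.

Parses `config switch_vlan` stanzas as LuCI writes them to /etc/config/network,
checks the rules the video states, and simulates 802.1Q ingress/egress on a
VLAN-aware switch versus an unmanaged one. Not code from the video or OpenWrt.
"""
import re

# Constructed sample config. Port numbering is an ASSUMPTION for this example:
# 0 = CPU, 1..3 = LAN ports, 4 = trunk to the access point, 5 = WAN.
# Real devices differ; check Network > Switch or `swconfig dev switch0 show`.
ROUTER_SWITCH_CONFIG = """
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 1 4'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 5'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '0t 2 4t'

config switch_vlan
    option device 'switch0'
    option vlan '4'
    option ports '0t 3 4t'
"""

CPU_PORT, WAN_PORT, WAN_VLAN = 0, 5, 2


def parse_switch_vlans(text):
    """Return {vid: {port: tagged}} from the `config switch_vlan` stanzas.
    In the `ports` option a trailing 't' marks a tagged member (e.g. '0t')."""
    vlans = {}
    for stanza in re.split(r"\n(?=config )", text.strip()):
        if not stanza.startswith("config switch_vlan"):
            continue
        vid = int(re.search(r"option vlan '(\d+)'", stanza).group(1))
        ports = re.search(r"option ports '([^']*)'", stanza).group(1).split()
        vlans[vid] = {int(p.rstrip("t")): p.endswith("t") for p in ports}
    return vlans


def pvid(vlans, port):
    """The VLAN a port is untagged on: untagged frames arriving there join it."""
    untagged = [vid for vid, members in vlans.items() if members.get(port) is False]
    return untagged[0] if len(untagged) == 1 else None


def check(vlans, cpu_port=CPU_PORT, wan_port=WAN_PORT, wan_vlan=WAN_VLAN):
    """Consistency checks; returns a list of problems (empty = table is sane)."""
    problems = []
    ports = {p for members in vlans.values() for p in members}
    for port in sorted(ports):
        untagged = sorted(v for v, m in vlans.items() if m.get(port) is False)
        if len(untagged) > 1:  # one PVID per port; tagged VLANs may be mixed in
            problems.append(f"port {port} untagged on VLANs {untagged}, allowed: one")
    for vid, members in sorted(vlans.items()):
        if members.get(cpu_port) is not True:
            problems.append(f"VLAN {vid}: CPU port {cpu_port} must be tagged")
    leak = sorted(set(vlans.get(wan_vlan, {})) - {cpu_port, wan_port})
    if leak:
        problems.append(f"WAN VLAN {wan_vlan} also reaches LAN-side ports {leak}")
    return problems


def forward(vlans, in_port, vid=None):
    """VLAN-aware switch. Untagged frames are classified into the ingress
    port's PVID; tagged frames are accepted only if the port is a member of
    that VLAN. The frame is then flooded to the other members of the VLAN
    (no MAC learning). Returns {egress_port: leaves_tagged}, or None if dropped."""
    if vid is None:
        vid = pvid(vlans, in_port)
        if vid is None:
            return None
    members = vlans.get(vid, {})
    if in_port not in members:
        return None
    return {p: tagged for p, tagged in members.items() if p != in_port}


def forward_unmanaged(all_ports, in_port, vid=None):
    """Unmanaged switch: no VLAN filtering, the tag is just payload, so a tagged
    guest/IoT frame reaches every port and keeps its tag."""
    return {p: vid is not None for p in all_ports if p != in_port}


if __name__ == "__main__":
    table = parse_switch_vlans(ROUTER_SWITCH_CONFIG)
    print("problems:", check(table) or "none")
    print("guest frame from AP on trunk (tag 4):", forward(table, 4, 4))
    print("untagged frame on trunk -> PVID", pvid(table, 4), forward(table, 4))
    print("LAN host on port 1 tagging itself into IoT:", forward(table, 1, 3))
    print("same frame through an unmanaged switch:", forward_unmanaged(range(6), 1, 3))
```

Running it shows the two points of the video in one place: a guest frame arriving tagged 4 on the trunk goes to the CPU (tagged, so it surfaces on eth0.4) and leaves the Guest port untagged, while an untagged frame on the same trunk is classified as VLAN 1 because that is the port's PVID. It also shows why the unmanaged-switch shortcut is weaker: the VLAN-aware switch drops a frame that a LAN host tags with VID 3, but an unmanaged switch forwards it to every port, trunk included. If you change the sample so that VLAN 3 is also untagged on port 4, `check` reports the double-PVID mistake that LuCI would otherwise let you save.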
Info
Channel: OneMarcFifty
Views: 16,944
Keywords: extend guest wi-fi, guest wifi, guest wi-fi, guest wifi second access point, second access point, access point OpenWrt, OpenWrt VLAN, guest wifi VLAN, multiple SSIDs, multiple Access points, OpenWrt, tagged VLAN, untagged VLAN, home network, openwrt tutorial, openwrt guest lan, openwrt guest wifi, openwrt guest network, multiple access points vlan, access point, how to
Id: 4t_S2oWsBpE
Length: 13min 55sec (835 seconds)
Published: Mon Mar 01 2021