This is the second episode of a short series that deals with segmentation of our network. In the first episode we defined the firewall and the Wi-Fi networks for our internal LAN, our guest Wi-Fi and our IoT devices. In this episode we will extend the three Wi-Fi networks to a second access point by using VLANs. Stay tuned.

(intro)

Let's quickly recap what we have on our main router by logging in to the web interface (which is called LuCI) of our first OpenWrt router. If we click on Network, then Firewall, we can see the four firewall zones for our internal LAN, the Guest and IoT networks, as well as the WAN, which is basically the internet. Under Network, then Wireless, we can see the wireless networks again, one for LAN, one for Guest and one for IoT. Under Network, then Interfaces, we have the corresponding interfaces.

What we want to achieve in this episode is a second access point with the same Wi-Fi networks, so LAN, Guest and IoT. But we do not want to set up the whole firewall configuration twice; rather, we want to use the main router as the firewall. IP addresses should be handed out by the primary router to all devices, regardless of whether they connect to the Wi-Fi on the primary router or on the access point. Also, if we want to use fast roaming, then the second access point should be transparent from a layer 3 perspective: it should be in the right subnet and not act as a router, but rather be a so-called "dumb" access point.

OK, we will hook up the second access point to the first one with Ethernet cabling. Hence, we need to add Ethernet interfaces to each of those firewall zones. Now, unfortunately I only have one Ethernet interface in this router, so how am I going to achieve this?

My first attempt to do this, before I knew how to use VLANs, was to do it with routing. Knowing that my firewall zones and my different Wi-Fi networks have different IP address ranges, I tried to use firewall traffic rules to only allow traffic from one specific IP address range to a certain interface or zone. But this concept has two big flaws. First, everybody could give themselves an IP address out of a certain range and hence move from one zone to the other just by changing their very own IP address. Second, how am I going to do DHCP? At the moment when I request an IP address from the router, I of course only have a MAC address. Now, I could certainly configure fixed IP addresses for given MAC addresses, in other words give IP addresses out of the LAN or IoT zone to the well-known MAC addresses of the LAN or IoT devices and give a guest address to everything else. But this also has a big flaw: it would mean that a device with a certain MAC address would always be, for example, in the IoT zone, regardless of whether it is connected to the IoT, LAN or Guest Wi-Fi. So there is no point in having different SSIDs really. The problem needs to be solved one layer deeper, on the MAC or Ethernet layer.

Let's first solve this with three separate Ethernet cables. First, I need some more Ethernet interfaces. I only have one physical interface, but in Linux you can kind of split a physical interface such as eth0 into many virtual interfaces. These will be called eth0.1, eth0.2 and so on.
We will effectively create VLANs. In OpenWrt LuCI the VLANs are created under Network, then Switch. For this you want to make sure that the check box that says "Enable VLAN functionality" is checked. Now here we can see that I already have two VLANs. VLAN 1 is the LAN and VLAN 2 is the WAN. I need two more of those, one for IoT and one for Guest. So let's do this. I need to click on "Add VLAN" twice. That adds VLAN 3 and VLAN 4. Behind the scenes that actually creates the virtual interfaces eth0.3 and eth0.4.

Now let's just make sure that each of those newly created Ethernet interfaces gets a port on my router's switch. This can be done by assigning the VLAN to the corresponding switch port. I can only assign one interface to any single given port, so one port can only be served by one interface. I set the LAN1 port to be served by eth0.1, which is VLAN 1, which is my LAN. Assigning a port to an interface is done by setting it to untagged. In Cisco vocabulary this would be a source port. Let's do that with the three VLANs. The CPU needs to be set to tagged on all VLANs. That's just by design. Make sure that you don't assign your WAN here, which in my case is VLAN 2; that should only be assigned to the WAN port. Cool, so now I have four Ethernet adapters and each of them has its very own connection at the back of my router.

Next I want to bridge each single one of those with the corresponding Wi-Fi. I will later do the same thing on the second access point. But let's first bridge the Ethernet and Wi-Fi interfaces on the main router. We go to Network, then Interfaces, and we go through all three interfaces and bridge the Wi-Fi and the Ethernet: LAN with eth0.1, IoT with eth0.3, and Guest with eth0.4. Save and apply. Once we do the same thing on the second access point we could then connect the two devices like this: three Ethernet cables, or three different LANs, one for each Wi-Fi or firewall zone. One cable for the LAN that will bridge our LAN Wi-Fi and our LAN Ethernet on both sides. Same thing for IoT and Guest. So Guest Wi-Fi with the Guest Ethernet, the LAN Wi-Fi with the LAN Ethernet and the IoT Wi-Fi with the IoT Ethernet on both sides. If a device logs into the Guest network on the access point, it will then be bridged over Ethernet to the Guest interface on the router, receive an IP address from the Guest range and automatically be in the right firewall zone. Same for LAN and IoT.

Now, one thing is very annoying here, and that is the fact that we need three cables. But I only want to use one single Ethernet cable between the router and the access point. What we need to do is use a trick, and that trick is called tagging. In Cisco terminology this is called trunking. Think of tagging like a little Post-it that Linux puts on each of the data packets. Hence each packet would be clearly marked or tagged for a specific LAN, or rather VLAN. A normal network device would not know what to do with it; it would discard the packet. A VLAN-aware device such as our access point can read the tag, remove it and dispatch the packet to the corresponding interface. So rather than using three cables, each of them being untagged, we use one single cable and tell the other side which virtual cable or VLAN the packet belongs to by tagging it. So let's go to our Switch configuration and assign a port to all three VLANs, but this time tagged. In the next step we will do this on the access point on the other side and connect the two using the tagged ports. When a packet comes in here on the access point, let's say on the Guest Wi-Fi, it will then be delivered to the untagged Guest VLAN port on that side, but it will also be tagged and transferred over the cable to the router, where the tag will be read and removed and then the packet will be dispatched to the right interface. So having a tagged port is as good as having many untagged ports. We have just put three cables into one by using tags. Very much like IP routing on layer three, but one layer below.

Awesome, now let's set up our access point the same way, but without firewall and routing, just bridging. In other words, it will be a dumb access point. In essence what I did here is that I created the same interfaces on this side, but I set the interfaces' protocols to DHCP client. Also I disabled DNS and firewall. If you want a detailed walk-through then please watch my video on fast roaming. So on our access point we have the Wi-Fi interfaces, which are bridged to the Ethernet interfaces, which are then mapped tagged to one port on the switch. This is the port where we connect the cable between the two routers. If you wonder how to configure the Wi-Fi networks, please check my video on fast roaming as well.

Now let's go and test this. I want to quickly switch off the Wi-Fi on my main router in order to make sure that I only connect to the second AP here. First let me connect to the LAN Wi-Fi. I check the IP address. It's in the LAN range. I can surf the internet. And I can connect to the router. Then connect to the Guest Wi-Fi and check the address. It's in the Guest range. I can surf the internet. But I can't connect to the router. Next let me connect to the IoT Wi-Fi. Here we go. Address in the IoT range. I cannot browse the internet. I can however access the router. Awesome, all working as expected.

So, are we done? Not quite. We have one little cosmetic flaw in the concept. Let's assume the following:
The two OpenWrt systems are most probably not connected directly with a cable, but rather over a switch, and all your other network devices are connected to that switch as well. Now, the connection from the router and the AP to the switch is tagged. That means that if you use a managed switch, you need to set the ports that the OpenWrt devices are on to tagged on VLANs 1, 3 and 4, and also set all other ports of your switch to untagged on the VLANs that you want to serve. Most probably the majority of us have an unmanaged switch, and that means that all of a sudden your router has become invisible on the Ethernet network because it only sends tagged packets.
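As an added example that is not from the video, here is what the switch and bridge setup described so far looks like as an /etc/config/network fragment on a swconfig-based OpenWrt, with the fully tagged uplink (the setting that makes the router invisible behind an unmanaged switch) beside the mixed tagged/untagged variant the next step uses to fix it. The port layout, the LAN2/LAN3 assignments and the address range are assumptions; only eth0.1, eth0.3, eth0.4 and VLANs 1 to 4 come from the episode.

```uci
# Constructed /etc/config/network fragment for the main router (not the
# video's own file). Assumes a swconfig-based OpenWrt (19.07-style syntax)
# and a port layout where 0 is the CPU (eth0), 1-3 are LAN jacks and 4 is
# the uplink to the access point; read your real layout from Network > Switch.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 = LAN (eth0.1). The fully tagged uplink would be '0t 1 4t': the
# router then only ever sends tagged frames on port 4, so untagged devices
# behind an unmanaged switch cannot reach it. The mixed setting below makes
# port 4 untagged in VLAN 1 (swconfig uses that VLAN as the port's PVID, so
# untagged frames land in the LAN) while IoT and Guest stay tagged on port 4.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 4'

# VLAN 2 (WAN) keeps only the CPU and the WAN jack; it must not include port 4.

# VLAN 3 = IoT (eth0.3): untagged on LAN2 (assumed port 2), tagged on the uplink.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2 4t'

# VLAN 4 = Guest (eth0.4): untagged on LAN3 (assumed port 3), tagged on the uplink.
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 3 4t'

# One bridge per zone on the router; the SSID joins it through
# "option network 'guest'" in /etc/config/wireless. Address is a sample value.
config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.4'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

# The same bridge on the dumb access point: DHCP client instead of a static
# address, so the router stays the only DHCP server and the AP is transparent
# at layer 3. Its switch section mirrors the router's port 4 settings, and
# dnsmasq and the firewall are disabled on the AP.
config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.4'
	option proto 'dhcp'
```

The LAN and IoT bridges follow the same pattern with eth0.1 and eth0.3; only the Guest one is shown to stay short.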
Now here again we may use a trick, and that does not necessarily work with all hardware. Remember that we can only set one VLAN to untagged on an interface? In fact, OpenWrt allows you to mix tagged and untagged. So what we do is set VLAN 1 to untagged and the other VLANs to tagged. This way we can still transfer all three VLANs over one cable; the only difference is that everything that is not tagged will be interpreted as VLAN 1. On a managed switch that would be the PVID of that port. That's it. Save and apply on both sides and we are done.

Perfect, we have successfully segmented our network into three firewall zones. We have three Wi-Fi SSIDs, for guests, for the LAN and for our IoT devices, with adapted policies. We have added a second access point and mapped the Wi-Fi connections over one single cable using VLANs.

Guys, that concludes today's episode. If you are having trouble with this then let me know in the comments or join my Discord server, where I am available for text, voice and video chat. Voice and video every Sunday at 9 AM and 6 PM Berlin time. You may also contact me on Reddit or on Facebook. Until then, many thanks for watching, liking and subscribing. Stay safe, stay healthy, bye for now.