Hello, I'm trying to set up an OpenWRT (dumb) access point on Opnsense, and then assign the different SSIDs to different interfaces on Opnsense (like 2 SSIDs for my LAN, 2 SSIDs for my family's LAN2, and an SSID for a Guest network), and I am completely lost; searching has been no help or has just added to my confusion. I'm a bit new to networking, and this is something I have never done before. I'm coming from OpenWRT on an embedded consumer router, so I'm just reusing that device. So I've never dealt with an external access point being added to a firewall before.
I'll try to be as detailed and clear with my setup and my goals as possible. I would appreciate help. Thank you!
My setup is as follows:
Opnsense Firewall (10.0.10.1 - LAN)
OpenWRT (Dumb) Access Point
LAN interface on OpenWRT set to 10.0.10.2. Gateway and DNS point to the Opnsense firewall, 10.0.10.1
I used this to configure OpenWRT: https://openwrt.org/docs/guide-user/network/wifi/dumbap
I have a handful of ports on my Opnsense router.
I have a family network (LAN2) and my network (LAN). For Ethernet, both are on unmanaged switches (all my family devices are on one unmanaged switch, which goes into one interface on Opnsense, ix1, labeled "LAN2").
My network is the same, but goes to ix2; Labeled "LAN".
WAN on ix0
The firewall rules are set up so LAN and LAN2 are isolated, except for a few ports to cross over (DNS/DHCP to the firewall, media server ports, etc.)
Both these have working internet and seem to be configured properly at this point.
My next step, and the reason I am posting here, is plugging in and setting up my OpenWRT access point, which I am completely lost and confused about.
First my goals with the access point/network:
I want to have 5 SSIDs, 2 will be assigned to LAN (and be isolated from LAN2)
Another 2 will be assigned to LAN2 (isolated from LAN).
And 1 as a Guest Network (isolated from LAN and LAN2. NOTE as shown above, there is no ethernet interface for Guest. Only for LAN/LAN2/WAN. Guest network will ONLY be wireless and will need to be separated virtually).
See question 1 for how the Access Point will plug in (the interface and label).
Now onto my questions, in order:
1. How exactly do I plug in the access point? I want it directly into the back of the router, not into my unmanaged switch on LAN.
Part of my setup notes: in Opnsense, if I am plugging in the access point, it will be on interface ix3, labeled WLAN. I'm not sure if this is how it should be done though, which is my question.
The reason I am confused here is that I can't figure out how to use the IP for OpenWRT of 10.0.10.2 to reach 10.0.10.1 while being plugged into a different interface (ix3). If 10.0.10.x is the net for LAN, would it need to be merged somehow to be a part of ix2?
Furthermore, what do I put as the "IPv4 Static IP" in the interface configuration for the access point in Opnsense? Not sure; I'm very confused, because as stated in the setup, the OpenWRT is set to 10.0.10.2 and points to the gateway. Do I even have to give
2. After question 1 is solved, my following question is how exactly I go about isolating the networks. Because these aren't 3 different physical access points that would plug in and be added to LAN, LAN2, and Guest, how exactly do I do this virtually?
I already have all 5 wireless SSIDs made on OpenWRT. There is only one interface on OpenWRT, labeled LAN, and that is the one at 10.0.10.2 that points to 10.0.10.1.
So now I just don't understand how I'm supposed to point these SSIDs to LAN, LAN2, and where I would even make the "Guest" because again there's no physical interface for Guest on Opnsense.
These access point SSIDs don't need separate firewall rules (besides Guest), they will just follow whatever LAN and LAN2 has set already because as I've said I want to merge 2 to LAN, 2 to LAN2, and I have 1 stray one for "Guest".
I would highly appreciate the help. I am newer to all this, and I've been messing with it for the past two days and cannot figure it out. I've tried searching for a guide, but they are either too simple for my setup or just confusing to me. I'm not seeing anything in the Opnsense docs explaining how to add an access point and/or link the SSIDs to the different interfaces. I'm really just completely lost, and really need to finish setting up this network as I have no wireless at the time being.
Thank you very much. If you have any questions about my setup, or need more information please let me know.
IMO you need VLANs and a managed switch to achieve what you need.
So eg:
- LAN on ix2 on OPNsense (configured as direct interface on physical NIC, and so will be treated as native/untagged, ie effectively VLAN 1)
- VLAN 10 (eg) for LAN2 on ix1
- VLAN 20 (eg) for Guest on ix1
- no direct interface on ix1
- ix1 and ix2 connected to managed switch ports. Switch port that ix1 connects to configured for VLAN 10 and 20, and switch port that ix2 connects to configured for VLAN 1
- third switch port connected to AP, and configured to be a trunk port (ie so that it accepts traffic for all VLAN tags)
- SSIDs configured on AP to match VLAN tags as required
- configured fw rules on OPNsense to manage traffic between LAN, LAN2 and Guest as required
Why do you need 2 SSIDs for each of LAN and LAN2? Are these just for separate 2.4 GHz and 5 GHz frequencies, but same subnet?
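To make the AP side of that plan concrete, here is an added example (not from this thread, and not the OpenWRT project's own code) written as a script of uci commands for a DSA-based OpenWRT dumb AP. It assumes a current OpenWRT (21.02 or newer, where bridge VLAN filtering replaces the old swconfig "switch" page), that the AP's uplink port toward the trunk switch port is called lan1, that radio0 is the 2.4 GHz radio and radio1 the 5 GHz radio, and it uses constructed SSID names and placeholder passphrases; the script name in the usage comment is hypothetical. The VLAN numbers and addresses follow the reply above: VLAN 1 untagged for LAN with the AP managed at 10.0.10.2 and gateway 10.0.10.1, VLAN 10 for LAN2 and VLAN 20 for Guest. The security-relevant detail is that only the LAN interface gets an IP address; LAN2 and Guest are bridged at layer 2 with proto none, so the AP's web UI and SSH are not reachable from those networks, and the Guest SSID has client isolation on.

```shell
#!/bin/sh
# Added example: OpenWRT "dumb AP" as a VLAN-aware bridge with one SSID per VLAN.
# Assumptions (not stated in the thread): DSA-based OpenWRT (21.02 or newer),
# uplink port toward the trunk switch port is 'lan1', radio0 is 2.4 GHz and
# radio1 is 5 GHz. The default anonymous 'config device' for br-lan is expected
# to be removed first, because this script defines br-lan itself.
# VLAN plan from the thread: VLAN 1 untagged = LAN (10.0.10.0/24, gateway
# 10.0.10.1, AP management at 10.0.10.2), VLAN 10 = LAN2, VLAN 20 = Guest.
set -eu

UPLINK="${UPLINK:-lan1}"
LAN_KEY="${LAN_KEY:-CHANGE-ME-LAN}"       # placeholder passphrases, not real ones
LAN2_KEY="${LAN2_KEY:-CHANGE-ME-LAN2}"
GUEST_KEY="${GUEST_KEY:-CHANGE-ME-GUEST}"

# Run uci when it exists (on the AP); otherwise print the command so the
# resulting configuration can be reviewed on a workstation before applying it.
uci_cmd() {
    if command -v uci >/dev/null 2>&1; then
        uci "$@"
    else
        printf 'uci %s\n' "$*"
    fi
}

configure_trunk_bridge() {
    # br-lan carries the uplink port with VLAN filtering enabled
    uci_cmd set network.br_lan=device
    uci_cmd set network.br_lan.name=br-lan
    uci_cmd set network.br_lan.type=bridge
    uci_cmd set network.br_lan.vlan_filtering=1
    uci_cmd add_list "network.br_lan.ports=${UPLINK}"

    # VLAN 1 arrives untagged on the uplink and is its PVID ('u*')
    uci_cmd set network.vlan1=bridge-vlan
    uci_cmd set network.vlan1.device=br-lan
    uci_cmd set network.vlan1.vlan=1
    uci_cmd add_list "network.vlan1.ports=${UPLINK}:u*"

    # VLANs 10 and 20 arrive tagged ('t') on the same uplink
    for v in 10 20; do
        uci_cmd set "network.vlan${v}=bridge-vlan"
        uci_cmd set "network.vlan${v}.device=br-lan"
        uci_cmd set "network.vlan${v}.vlan=${v}"
        uci_cmd add_list "network.vlan${v}.ports=${UPLINK}:t"
    done

    # Only the LAN interface gets an address: this is where the AP is managed.
    uci_cmd set network.lan.device=br-lan.1
    uci_cmd set network.lan.proto=static
    uci_cmd set network.lan.ipaddr=10.0.10.2
    uci_cmd set network.lan.netmask=255.255.255.0
    uci_cmd set network.lan.gateway=10.0.10.1
    uci_cmd add_list network.lan.dns=10.0.10.1

    # LAN2 and Guest are bridged at layer 2 only (proto none, no IP on the AP),
    # so the AP's web UI and SSH are not reachable from those networks.
    uci_cmd set network.lan2=interface
    uci_cmd set network.lan2.device=br-lan.10
    uci_cmd set network.lan2.proto=none
    uci_cmd set network.guest=interface
    uci_cmd set network.guest.device=br-lan.20
    uci_cmd set network.guest.proto=none
}

# bind_ssid <section> <radio> <network> <ssid> <passphrase> [isolate]
# Attaches one SSID to one logical network, which selects its VLAN.
bind_ssid() {
    sec=$1; radio=$2; net=$3; ssid=$4; key=$5; isolate=${6:-0}
    uci_cmd set "wireless.${sec}=wifi-iface"
    uci_cmd set "wireless.${sec}.device=${radio}"
    uci_cmd set "wireless.${sec}.mode=ap"
    uci_cmd set "wireless.${sec}.network=${net}"
    uci_cmd set "wireless.${sec}.ssid=${ssid}"
    uci_cmd set "wireless.${sec}.encryption=psk2"     # WPA2-PSK
    uci_cmd set "wireless.${sec}.key=${key}"
    uci_cmd set "wireless.${sec}.isolate=${isolate}"  # 1 = clients cannot talk to each other
}

configure_ap() {
    configure_trunk_bridge
    bind_ssid lan_2g   radio0 lan   Home-2G   "$LAN_KEY"
    bind_ssid lan_5g   radio1 lan   Home-5G   "$LAN_KEY"
    bind_ssid lan2_2g  radio0 lan2  Family-2G "$LAN2_KEY"
    bind_ssid lan2_5g  radio1 lan2  Family-5G "$LAN2_KEY"
    bind_ssid guest_2g radio0 guest Guest     "$GUEST_KEY" 1
    uci_cmd commit network
    uci_cmd commit wireless
}

# Usage on the AP: sh dumbap-vlans.sh apply   (without "apply" nothing is changed)
if [ "${1:-}" = "apply" ]; then
    configure_ap
fi
```

Run it without arguments on a workstation (where uci is absent) to print the full list of uci commands for review; on the AP, pass apply and then restart the network and wifi. The OPNsense side of the same plan is the reply's list: the firewall's LAN2 and Guest interfaces are VLAN 10 and VLAN 20 children of the parent NIC, the switch port toward the AP is a trunk carrying VLAN 1 untagged plus 10 and 20 tagged, and the firewall rules between LAN, LAN2 and Guest are what actually enforce isolation.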
Thank you for your reply!
Now I don't entirely think I need a managed switch at this point in time; that seems like it would over-complicate things. I already have separate unmanaged switches for each interface (Private/LAN, Family/LAN2) and those handle the devices. As for the tagging, I think I can utilize OpenWRT's switch and VLANs. See below.
Quote: "Why do you need 2 SSIDs for each of LAN and LAN2? Are these just for separate 2.4 GHz and 5 GHz frequencies, but same subnet?"
Also, yes, the 2 SSIDs are for 2.4/5 GHz frequencies in the same subnet. The separation is nice because I can set up devices that don't really need the 5 GHz to just use 2.4 GHz.
I was talking with someone, and your post seems to be similar to what they suggested, but I think theirs works more around my setup, utilizing OpenWRT's switch/VLANs. Also, I wouldn't need to swap over all my Opnsense interfaces to VLANs, because it'd be a PITA and they're all already set up.
They suggested the following, if I understood them correctly. Opinions?
Essentially they suggested using the managed switch in OpenWRT, and making 3 VLANs on OpenWRT.
So they said, to create a VLAN for LAN (Private), LAN2 (Family), LAN3 (Guest). Then under the switch settings for OpenWRT, I would set it up like this: https://i.imgur.com/AqWkhTA.png
Then under interfaces on OpenWRT, I would point 1 to the gateway IP of LAN on Opnsense (10.0.10.1), another to LAN2 (10.0.10.1), and a third for Guest (10.0.30.10, which would be added on Opnsense as a VLAN? I'm not sure; he didn't state that).
Would that work?
It makes sense to me. Or am I missing something?
The only thing I am still confused about is how exactly to plug the AP into Opnsense, because again it would be plugging into a new interface. I wanted the AP accessible via 10.0.10.2 (where the Opnsense firewall is 10.0.10.1).
The issue is I don't know how to merge ix3 (for the access point) and ix2 (for my LAN) to make sure they're under that same 10.0.10.x subnet.
I had tried bridging ix3 and ix2 in Opnsense and it had broken the WebGUI, but maybe I was on the right track? Idk. Maybe I don't even need to bridge it, and instead just set ix3 to have "none" under Static IPv4 on Opnsense, and because on OpenWRT I pointed it to 10.0.10.2, it will be under that? But won't that mean it's also under 10.0.20.2 and 10.0.30.2, because I have those virtual interfaces set up, pointing over too? I'd ideally like to not have OpenWRT management accessible from the LAN2 and Guest networks, but maybe that's just a matter of a simple firewall rule?
Thank you.