Newbie here.
I am running OPNsense Version 25.1-amd64 connected to a Cable Modem and 3 Netgear R7000 running DD-WRT v3.0-r59468 std (02/02/25). I have successfully implemented a Wireguard/ProtonVPN connection. I followed the instructions to setup a Guest Network (https://docs.opnsense.org/manual/how-tos/guestnet.html). I was able to create and implement VLAN (tagged #3) on the R7000 serving a Guest WiFi which works as expected (i.e., OPNsense DHCP assigns an IP in the Guest Network which is separate from LAN).
However, I also want to connect to WiFi like I did prior to the Guest WiFi was implemented. I only have 1 ethernet cable connected to a single physical Port running from the OPNsense to each R7000. Whenever I tag the VLAN (#3) and assign it to that physical port, I lose the ability to connect the Trusted WiFi (untagged VLAN #1) to the LAN and getting an IP within my LAN.
Can I have both a tagged VLAN (#3) and an untagged VLAN (#1) running over a single physical port?
Thoughts?
Thanks in advance.
You can on OPNsense. Some will tell you that this is a horrible thing to do, and the sky will fall if you even think about it, though ;)
Whether or not you can do it on DD-WRT, I don't know....
What if I create another tagged VLAN (#4) for Trusted WiFi. Can I specify in OPNsense that Tagged #4 use the same IP range as my LAN, just a different subnet?
You'd have to bridge the VLAN to your LAN.
Speaking of bridging ... you say that you have three of these APs, and a physical connection from OPNsense to each of them? If those are all on the same LAN, you'd have to be bridging those three ports? Or are they three separate WiFi LANs or something? You can't bridge the untagged VLAN and also have tagged VLANs on the same NIC device....
I'm a newbie and I'm starting to get confused.
My original set-up was OPNsesne connected to 3 R7000's running in dumb AP mode. The OPNsense provided the DHCP to each on my LAN (everything has the same IP range). It's works fine. I just want to create a Guest WiFi that is separate is all I am trying to do.
You need to change your present LAN to a tagged VLAN interface, too.
Assuming your OPNsense interfaces are e.g. em1 for WAN, em0 for wired LAN and em2, em3, and em4 running to your APs, you need to:
- create VLAN 2 for your LAN on each of em2, em3, em4, e.g. vlan0202, vlan0302, vlan0402 - parent em2, em3, em4, respectively, tag 2
- create VLAN 3 for your guests on each em2, em3, em4, e.g. vlan0203, vlan0303, vlan0403 - parent em2, em3, em4, respectively, tag 3
- create a bridge interface with em0, vlan0202, vlan0302, vlan0402 as members
- assign LAN to that bridge interface
- create another bridge with vlan0203, vlan0303, vlan0403 as members
- assign GuestWifi to that bridge interface
- configure all your APs to run the SSID for your trusted network as tagged VLAN 2
- configure all your APs to run the SSID for your guest network as tagged VLAN 3
That's quite a task and not trivial not to lock yourself out. Way easier and better in terms of performance: get a small managed switch.
HTH,
Patrick
Here are my interfaces...
I edited my post to match your interfaces.
"Assuming your OPNsense interfaces are e.g. em1 for WAN, em0 for wired LAN and em2, em3, and em4 running to your APs, you need to:"
em2, em3, and em4 are empty ports on the OPNsense. I run em0 to a TP-Link 24 port Gigabit Switch (TL-SG1024S) that then runs individual wires to each AP. I use each AP for both wired and wireless connections. Each AP is running DD-WRT with br0 connecting eth0 and eth1 and vlan1, which is not tagged.
Then you need to set up LAN and GuestWifi tagged on OPNsense without a bridge interface, configure VLANs 2 and 3 on the port connecting your switch to OPNsense by using the management interface of the switch, similarly configure VLANs 2 and 3 on the ports connecting the APs, and map the SSIDs to the VLANs.
Unfortunately, it is an unmanaged switch. I will look for a managed switch.
"Then you need to set up LAN and GuestWifi tagged on OPNsense without a bridge interface, configure VLANs 2 and 3 on the port connecting your switch to OPNsense by using the management interface of the switch, similarly configure VLANs 2 and 3 on the ports connecting the APs, and map the SSIDs to the VLANs."
In the above set-up, what setting do I use in R7000 DD-WRT? Right now, it's set as Router (which I believe is bridge mode).
I don't know WRT. "Router" sounds like the opposite of what you want. You need "bridge" or "AP" mode.
Quote from: Patrick M. Hausen on February 12, 2025, 07:42:30 PMThen you need to set up LAN and GuestWifi tagged on OPNsense without a bridge interface, configure VLANs 2 and 3 on the port connecting your switch to OPNsense by using the management interface of the switch, similarly configure VLANs 2 and 3 on the ports connecting the APs, and map the SSIDs to the VLANs.
I now have a managed switch. I want to try to tackle this. Can you point me to any relevant resources to accomplish what you wrote above? I have a Netgear GS308E switch.
Thanks in advance.
I cannot get OPNsense to provide IP address to VLAN3.
Here is the current setup.
[OPNsense 25.1-amd64] LAN em4 <---> port 1 [Netgear GS308 Switch] port 7 <---> port 4 [Netgear R7000 Access Point running DD-WRT]
On the Netgear GS308 Switch,
VLAN3 is Tagged on Port 1 and Tagged on Port 7
VLAN1 is Untagged on Port 1 and Tagged on Port 7
On the R7000 Access Point running DD-WRT,
VLAN3 is Tagged on Port 4
VLAN1 is Tagged on Port 4
OPNSense Interface Assignments
(https://i.postimg.cc/gxJ8GJm3/Interface-Assignments.jpg) (https://postimg.cc/gxJ8GJm3)
VLAN3 Interface
(https://i.postimg.cc/67svNh3G/VLAN3-Interface.jpg) (https://postimg.cc/67svNh3G)
VLAN3 DHCP Enabled
(https://i.postimg.cc/tsnxfcXj/VLAN3-DHCP.jpg) (https://postimg.cc/tsnxfcXj)
Netgear GS308 VLAN1 Settings
(https://i.postimg.cc/wRLFcB71/GS308-VLAN1.jpg) (https://postimg.cc/wRLFcB71)
Netgear GS308 VLAN3 Settings
(https://i.postimg.cc/TLZCDbY8/GS308-VLAN3.jpg) (https://postimg.cc/TLZCDbY8)
R7000 VLAN settings
(https://i.postimg.cc/t7xrHB29/R7000-VLANs.jpg) (https://postimg.cc/t7xrHB29)
I just switched the virtual wireless interface from 2.4GHz to 5.0 GHz and everything works!