Assistance setting up both a Guest WiFi and a Trusted WiFi

Started by mlenje, February 12, 2025, 06:05:08 PM

Newbie here.

I am running OPNsense Version 25.1-amd64 connected to a Cable Modem and 3 Netgear R7000 running DD-WRT v3.0-r59468 std (02/02/25).  I have successfully implemented a Wireguard/ProtonVPN connection.  I followed the instructions to set up a Guest Network (https://docs.opnsense.org/manual/how-tos/guestnet.html).  I was able to create and implement a VLAN (tagged #3) on the R7000 serving a Guest WiFi which works as expected (i.e., OPNsense DHCP assigns an IP in the Guest Network which is separate from LAN).

However, I also want to connect to WiFi like I did before the Guest WiFi was implemented.  I only have 1 ethernet cable connected to a single physical port running from the OPNsense to each R7000.  Whenever I tag the VLAN (#3) and assign it to that physical port, I lose the ability to connect the Trusted WiFi (untagged VLAN #1) to the LAN and get an IP within my LAN.

Can I have both a tagged VLAN (#3) and an untagged VLAN (#1) running over a single physical port?

Thoughts?

Thanks in advance.

You can on OPNsense. Some will tell you that this is a horrible thing to do, and the sky will fall if you even think about it, though ;)

Whether or not you can do it on DD-WRT, I don't know....

What if I create another tagged VLAN (#4) for Trusted WiFi?  Can I specify in OPNsense that Tagged #4 use the same IP range as my LAN, just a different subnet?

You'd have to bridge the VLAN to your LAN.

Speaking of bridging ... you say that you have three of these APs, and a physical connection from OPNsense to each of them? If those are all on the same LAN, you'd have to be bridging those three ports? Or are they three separate WiFi LANs or something? You can't bridge the untagged VLAN and also have tagged VLANs on the same NIC device....

I'm a newbie and I'm starting to get confused.

My original set-up was OPNsense connected to 3 R7000's running in dumb AP mode. The OPNsense provided the DHCP to each on my LAN (everything has the same IP range).  It works fine.  Creating a Guest WiFi that is separate is all I am trying to do.

February 12, 2025, 06:58:51 PM #5 Last Edit: February 12, 2025, 07:14:27 PM by Patrick M. Hausen
You need to change your present LAN to a tagged VLAN interface, too.

Assuming your OPNsense interfaces are e.g. em1 for WAN, em0 for wired LAN and em2, em3, and em4 running to your APs, you need to:

- create VLAN 2 for your LAN on each of em2, em3, em4, e.g. vlan0202, vlan0302, vlan0402 - parent em2, em3, em4, respectively, tag 2
- create VLAN 3 for your guests on each em2, em3, em4, e.g. vlan0203, vlan0303, vlan0403 - parent em2, em3, em4, respectively, tag 3
- create a bridge interface with em0, vlan0202, vlan0302, vlan0402 as members
- assign LAN to that bridge interface
- create another bridge with vlan0203, vlan0303, vlan0403 as members
- assign GuestWifi to that bridge interface

- configure all your APs to run the SSID for your trusted network as tagged VLAN 2
- configure all your APs to run the SSID for your guest network as tagged VLAN 3

That's quite a task and not trivial not to lock yourself out. Way easier and better in terms of performance: get a small managed switch.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
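
A consistency check for the bridge/VLAN plan listed in the post above, as an added example that is not part of the thread or of OPNsense: the device names come from the post, while `check_plan` and the two dictionaries are hypothetical. It also applies the constraint from the earlier reply that a NIC cannot be bridged untagged while carrying tagged VLANs.

```python
from collections import Counter

# Constructed plan mirroring the interface names used in the post above.
VLANS = {  # VLAN device -> (parent NIC, 802.1Q tag)
    "vlan0202": ("em2", 2), "vlan0302": ("em3", 2), "vlan0402": ("em4", 2),
    "vlan0203": ("em2", 3), "vlan0303": ("em3", 3), "vlan0403": ("em4", 3),
}
BRIDGES = {  # assigned interface -> bridge members
    "LAN": ["em0", "vlan0202", "vlan0302", "vlan0402"],
    "GuestWifi": ["vlan0203", "vlan0303", "vlan0403"],
}

def check_plan(vlans, bridges):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    parents = {parent for parent, _ in vlans.values()}
    # A device in two bridges would join the trusted and guest segments.
    counts = Counter(m for members in bridges.values() for m in members)
    for dev, n in sorted(counts.items()):
        if n > 1:
            problems.append(f"{dev} is a member of {n} bridges")
    tags_by_bridge = {}
    for name, members in bridges.items():
        tags = set()
        for m in members:
            if m in vlans:
                tags.add(vlans[m][1])
            elif m in parents:
                # Constraint stated earlier in the thread: no untagged
                # bridging on a NIC that also carries tagged VLANs.
                problems.append(f"{name}: {m} is bridged untagged but also carries tagged VLANs")
        if len(tags) > 1:
            problems.append(f"{name}: mixes VLAN tags {sorted(tags)}")
        tags_by_bridge[name] = tags
    # The same tag in two bridges makes the SSID-to-VLAN mapping ambiguous.
    names = sorted(tags_by_bridge)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = tags_by_bridge[a] & tags_by_bridge[b]
            if shared:
                problems.append(f"{a} and {b} share VLAN tags {sorted(shared)}")
    return problems

if __name__ == "__main__":
    print(check_plan(VLANS, BRIDGES) or "plan is consistent")
```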


I edited my post to match your interfaces.

"Assuming your OPNsense interfaces are e.g. em1 for WAN, em0 for wired LAN and em2, em3, and em4 running to your APs, you need to:"

em2, em3, and em4 are empty ports on the OPNsense.  I run em0 to a TP-Link 24 port Gigabit Switch (TL-SG1024S) that then runs individual wires to each AP.  I use each AP for both wired and wireless connections.  Each AP is running DD-WRT with br0 connecting eth0 and eth1 and vlan1, which is not tagged.

Then you need to set up LAN and GuestWifi tagged on OPNsense without a bridge interface, configure VLANs 2 and 3 on the port connecting your switch to OPNsense by using the management interface of the switch, similarly configure VLANs 2 and 3 on the ports connecting the APs, and map the SSIDs to the VLANs.

Unfortunately, it is an unmanaged switch.  I will look for a managed switch.

"Then you need to set up LAN and GuestWifi tagged on OPNsense without a bridge interface, configure VLANs 2 and 3 on the port connecting your switch to OPNsense by using the management interface of the switch, similarly configure VLANs 2 and 3 on the ports connecting the APs, and map the SSIDs to the VLANs."

In the above set-up, what setting do I use in R7000 DD-WRT?  Right now, it's set as Router (which I believe is bridge mode).

I don't know WRT. "Router" sounds like the opposite of what you want. You need "bridge" or "AP" mode.