Help with kea switch over with access point

Started by Fkhan6601, February 23, 2025, 08:51:14 AM

Hi, all.

I am switching over to Kea DHCP from ISC v4. I have a router set up as an access point connected to the LAN interface. I have all devices connected to the AP.

Currently, I am using just the LAN interface with static addresses for all devices defined in the LAN section of ISC DHCP v4. I am looking to segregate the network to have fine control over devices, like local devices not connecting to WAN, or only certain ports accessible on my server from specific VLANs, but I seem to have an issue.

I set my access point in a VLAN, but I think this may have been the issue since the AP is currently in LAN and everything works with ISC. When I switch to Kea, the AP, though DHCP is on OPNsense, is not able to provide an IP to WiFi devices. I had placed the APs and the switches in a VLAN that has a rule to allow out to any. This did not seem to work.

Since OPNsense is deployed as a Proxmox VM, if I mess it up to the point where I can't reach the UI or SSH port, I have to connect via a separate LAN to access Proxmox and go through the console, with SSH turned on, or restore from a VM backup. Both are tedious.

Can someone please advise on how they would set up the following:
OPNsense Kea DHCP
AP on LAN
All devices connect to LAN
All devices connected to the AP have a static address in a VLAN via the specified subnet/static IP in Kea DHCP

I don't need firewall rules for the specific devices, just for the DHCP request to make it from device to AP to OPNsense. Have the rest covered.

Note: not interested in not using the AP. I just want to connect to the AP and use VLANs for all devices. I can't do a bunch of trial and error since it takes a long time.

Thanks in advance.
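The layout the question asks for, expressed in Kea's own DHCPv4 configuration format as an added example (not from this thread and not OPNsense's generated file): one subnet4 entry per VLAN interface, each carrying MAC-based reservations, plus a consistency check that flags a reservation placed in the wrong VLAN's subnet before the config is loaded. Interface names, prefixes and MAC addresses are constructed.

```python
import ipaddress
import json

# Constructed Kea DHCPv4 fragment (assumed layout, not OPNsense's generated
# file): one subnet4 entry per VLAN interface, each with MAC reservations.
# Interface names, prefixes and MACs are made up; the second reservation is
# deliberately placed in the wrong VLAN's subnet to exercise the check.
KEA_DHCP4 = json.loads("""
{
  "Dhcp4": {
    "interfaces-config": {"interfaces": ["vlan0.10", "vlan0.20"]},
    "subnet4": [
      {"subnet": "10.0.10.0/24", "interface": "vlan0.10",
       "pools": [{"pool": "10.0.10.100 - 10.0.10.199"}],
       "reservations": [
         {"hw-address": "aa:bb:cc:00:00:01", "ip-address": "10.0.10.5"}]},
      {"subnet": "10.0.20.0/24", "interface": "vlan0.20",
       "pools": [{"pool": "10.0.20.100 - 10.0.20.199"}],
       "reservations": [
         {"hw-address": "aa:bb:cc:00:00:02", "ip-address": "10.0.10.6"}]}
    ]
  }
}
""")


def check_subnets(cfg):
    """Return problems found: subnet bound to an interface Kea does not listen
    on, pool or reservation outside its subnet, one MAC reserved in two subnets."""
    dhcp4 = cfg["Dhcp4"]
    listening = set(dhcp4["interfaces-config"]["interfaces"])
    problems, seen_macs = [], {}
    for sub in dhcp4["subnet4"]:
        net = ipaddress.ip_network(sub["subnet"])
        iface = sub.get("interface")
        if iface not in listening:
            problems.append(f"{net}: interface {iface!r} not in interfaces-config")
        for pool in sub.get("pools", []):
            lo, hi = (ipaddress.ip_address(p.strip()) for p in pool["pool"].split("-"))
            if lo not in net or hi not in net:
                problems.append(f"{net}: pool {pool['pool']} is not inside the subnet")
        for res in sub.get("reservations", []):
            mac = res["hw-address"].lower()
            addr = ipaddress.ip_address(res["ip-address"])
            if addr not in net:
                problems.append(f"{mac}: reserved {addr} lies outside {net}")
            if mac in seen_macs and seen_macs[mac] != net:
                problems.append(f"{mac}: reserved in both {seen_macs[mac]} and {net}")
            seen_macs.setdefault(mac, net)
    return problems
```

A reservation that passes this check still only takes effect if the client's DHCP request arrives on the matching VLAN interface, which is why the tagging has to happen at layer 2 on the AP or switch.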

It's not clear that you have appropriate HW to make this work.
Is your AP VLAN aware? This typically manifests itself by exposing one SSID per VLAN (the tagging happens in the AP on the basis of the SSID used, all traffic on the Ethernet port of the AP is tagged accordingly).

I have an Asus RT-16000 that supports VLANs and trunking, but I think it is only in router mode and not AP mode. I think I know the answer, but is it somehow possible to use it in router mode and still have devices appear in OPNsense? I'm pretty sure in router mode it will not work that way, but I'm willing to try RADIUS, but I have IoT devices that might be an issue. I'm not sure if OPNsense supports MAC-based bypass for RADIUS or some other way to support IoT devices that might not have RADIUS support.

On the OPNsense hardware, I have plenty of headroom with 27 GB of RAM, 7 cores/14 hyperthreads and a 500 GB drive.

I wanted to add that I have 2 managed switches that I use for VLAN trunking to support two networks going through existing Cat5e run through the house, and a second Asus RT-11000 that I use as an extender/mesh.

I don't think my routers support open source router firmware due to incompatible chips. I do like and need the WiFi 6E.

I also wanted to add information. I have my work laptops on a VLAN and they are assigned the correct IP in OPNsense. I have most devices running on LAN, but my work Mac and Windows laptops both use the VLAN instead.

So OPN - Asus-RT-16000 - devices?

If the Asus is in router mode, all OPN is going to see is NATted traffic originating from the Asus. No individual device, no VLAN.
Nothing comes up directly from this model number. I'm not spending time guessing.

Quote from: EricPerl on February 23, 2025, 08:33:19 PM
It's not clear that you have appropriate HW to make this work.
Is your AP VLAN aware? This typically manifests itself by exposing one SSID per VLAN (the tagging happens in the AP on the basis of the SSID used, all traffic on the Ethernet port of the AP is tagged accordingly).


https://rog.asus.com/networking/rog-rapture-gt-axe16000-model/

It is VLAN aware, but only in router mode. In AP mode, Asus routers turn off NAT, firewall, DHCP, etc.

I am currently using a VLAN for my work laptops with the same setup and it does appear in the correct VLAN with the correct IP for the device. It does not create a new VLAN-based SSID, though. It uses the same SSID, but traffic is routed to the VLAN and in the same subnet as my work VLAN. The rules for Zenarmor also don't apply since that VLAN is excluded.

Quote from: EricPerl on February 24, 2025, 08:48:39 PM
So OPN - Asus-RT-16000 - devices?

If the Asus is in router mode, all OPN is going to see is NATted traffic originating from the Asus. No individual device, no VLAN.
Nothing comes up directly from this model number. I'm not spending time guessing.
https://rog.asus.com/networking/rog-rapture-gt-axe16000-model/

I was naming it off the top of my head since most Asus routers are called RT-*. The ROG routers are called GT-*.

I looked this up on the Asus router dedicated forums and it does support VLAN, VLAN trunking, etc. The caveat is that Asus routers in AP mode turn off all NAT, firewall, etc., and rely on the WAN connection. I am pretty sure it passes the VLAN tag, but it does not add the VLAN tag. I have computers on a VLAN currently and they have the correct IP, so it seems to work. It is also possible to use Linux network tools, like ip, in a script since it is basically running Linux. Technically, the support can be created with persistent scripts that are supported (different router model, but same open source firmware base called Merlin):
https://www.snbforums.com/threads/rt-ac68u-guest-wifi-via-vlan-in-ap-mode.72244/

The above is not used by me, but if that is needed, I can script it. To me, it seemed to be working without it, but I guess it is not isolated at the AP.

Quote from: EricPerl on February 24, 2025, 08:48:39 PM
So OPN - Asus-RT-16000 - devices?

If the Asus is in router mode, all OPN is going to see is NATted traffic originating from the Asus. No individual device, no VLAN.
Nothing comes up directly from this model number. I'm not spending time guessing.

The router also supports 6 guest WiFi networks that can be isolated. If I set them and have devices defined as static routes in each VLAN subnet, like I do now, it would isolate them at the AP and then send them to the LAN port where OPNsense can tag them. Since I know OPNsense can assign the VLAN tag and set the IP based on MAC filtering, that should work, correct?

Quote from: Fkhan6601 on February 25, 2025, 08:30:29 AM
it would isolate them at the ap and then send them to the lan port where opnsense can tag them.

The AP needs to tag them. VLANs need to cover all your layer 2 infrastructure. Think of them as separate interfaces on the OPNsense side and separate switches/APs in the rest of the network. They are virtual LANs.

You cannot tag frames based on IP address. Two different layers.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Whatever you're doing on the Asus with regards to VLAN is going to be lost as soon as traffic crosses over to its WAN port (in router mode), on top of being NATted.

You want to do all the VLAN management on the OPN side, DHCP too.
All you need to do in the Asus is WLAN & VLAN_ID association (tagging on the basis of WLAN, similar to tagging based on access ports on a managed switch).

February 25, 2025, 07:06:30 PM #11 Last Edit: February 25, 2025, 07:26:40 PM by OPNenthu
I don't know if it's any different with recent Asus routers, but at least on my old RT-N66U I required 3rd party firmware in order to do this WLAN & VLAN ID association.  Asus did not provide VLAN configuration options in the stock AsusWRT firmware for that generation of routers.  If they do now then that is a positive development, but in case not then you'll have to investigate which (if any) 3rd party firmware options you have for the AXE-16000.

Note that Asus have taken active measures in recent years to prevent users from being able to modify their device firmware.  Also, flashing carries a risk of bricking the device.

The basic steps I followed:

1. Set a static DHCP reservation by MAC address for the Asus in OPNsense (either Kea or ISC, doesn't matter).  This is so that you can access the Asus on an IP address of your choosing after you flash it, otherwise it will try to take 192.168.1.1 and may cause conflicts.

2. Flash FreshTomato (not available for AXE-16000).  You will need to connect a PC/laptop directly to the Asus via one of its LAN ports to do this or you will be disconnected mid-process.  Do not go over your network/switch when flashing.

3. Set up a trunk port on the switch for the new access point.  It at least needs the default/native VLAN (usually VID 1) to be untagged.  You can add additional VLANs (tagged) up to however many bridges your Asus has internally.  This is usually tied to the number of LAN ports.  4 ports == 4 VLANs, including the native untagged one.

4. Connect the Asus to the trunk port and boot it.  Bring up the management UI on whatever address you configured e.g. http://192.168.1.2

5. Go through your firmware's settings.  You'll want to:

- Enable Access Point mode, which will disable routing, NAT, etc.  This may also disable the WAN port on some models.  You won't be using it anymore.
- Disable the built-in DHCP server on the Asus, in case the AP mode setting didn't do that.  OPNsense will handle this.
- Disable any IGMP proxy, STP, etc.  Your switch will handle these.
- Set the Gateway, NTP, and DNS IPs to the OPNsense IP.  These are not given out to clients, they are for your AP itself.
- Configure bridge interface br0 with VLAN ID 1, or whatever your untagged VLAN ID is.  Mark this as 'default'.  Assign this bridge an IP address on the VLAN.
- Configure bridge interface br1 with another VLAN ID if you need it.  Mark this one as 'tagged'.  Repeat for however many VLANs/bridges you want to set up.
- Configure a wireless SSID for each of the bridges/VLANs you added.

In the end it looks something like this:

[Two attachments (screenshots of the resulting setup) are not available in this copy of the thread.]

You don't need to assign any SSID to the Management VLAN if you don't want to (just leave it off) and you can optionally break out some of your SSIDs into separate 2.4 and 5 GHz bands as I've done for my IoT network.  I have some legacy devices which only support 2.4 GHz.

Hope this is helpful as a rough guide, though there may be errors in my setup.  I won't be offended if the networking gurus here point out any flaws.

Quote from: Patrick M. Hausen on February 25, 2025, 08:56:16 AM
Quote from: Fkhan6601 on February 25, 2025, 08:30:29 AM
it would isolate them at the ap and then send them to the lan port where opnsense can tag them.

The AP needs to tag them. VLANs need to cover all your layer 2 infrastructure. Think of them as separate interfaces on the OPNsense side and separate switches/APs in the rest of the network. They are virtual LANs.

You cannot tag frames based on IP address. Two different layers.

HTH,
Patrick

Thanks for the explanation. I'm going to see if this is possible with the current Merlin 3rd party firmware I use. I know it's possible with scripts run on the router, but it would be nice to not use them as I disable those scripts for security purposes.

Quote from: OPNenthu on February 25, 2025, 07:06:30 PM
I don't know if it's any different with recent Asus routers, but at least on my old RT-N66U I required 3rd party firmware in order to do this WLAN & VLAN ID association.  Asus did not provide VLAN configuration options in the stock AsusWRT firmware for that generation of routers.  If they do now then that is a positive development, but in case not then you'll have to investigate which (if any) 3rd party firmware options you have for the AXE-16000.

Note that Asus have taken active measures in recent years to prevent users from being able to modify their device firmware.  Also, flashing carries a risk of bricking the device.

The basic steps I followed:

1. Set a static DHCP reservation by MAC address for the Asus in OPNsense (either Kea or ISC, doesn't matter).  This is so that you can access the Asus on an IP address of your choosing after you flash it, otherwise it will try to take 192.168.1.1 and may cause conflicts.

2. Flash FreshTomato (not available for AXE-16000).  You will need to connect a PC/laptop directly to the Asus via one of its LAN ports to do this or you will be disconnected mid-process.  Do not go over your network/switch when flashing.

3. Set up a trunk port on the switch for the new access point.  It at least needs the default/native VLAN (usually VID 1) to be untagged.  You can add additional VLANs (tagged) up to however many bridges your Asus has internally.  This is usually tied to the number of LAN ports.  4 ports == 4 VLANs, including the native untagged one.

4. Connect the Asus to the trunk port and boot it.  Bring up the management UI on whatever address you configured e.g. http://192.168.1.2

5. Go through your firmware's settings.  You'll want to:

- Enable Access Point mode, which will disable routing, NAT, etc.  This may also disable the WAN port on some models.  You won't be using it anymore.
- Disable the built-in DHCP server on the Asus, in case the AP mode setting didn't do that.  OPNsense will handle this.
- Disable any IGMP proxy, STP, etc.  Your switch will handle these.
- Set the Gateway, NTP, and DNS IPs to the OPNsense IP.  These are not given out to clients, they are for your AP itself.
- Configure bridge interface br0 with VLAN ID 1, or whatever your untagged VLAN ID is.  Mark this as 'default'.  Assign this bridge an IP address on the VLAN.
- Configure bridge interface br1 with another VLAN ID if you need it.  Mark this one as 'tagged'.  Repeat for however many VLANs/bridges you want to set up.
- Configure a wireless SSID for each of the bridges/VLANs you added.

In the end it looks something like this:

[Two attachments (screenshots of the resulting setup) are not available in this copy of the thread.]

You don't need to assign any SSID to the Management VLAN if you don't want to (just leave it off) and you can optionally break out some of your SSIDs into separate 2.4 and 5 GHz bands as I've done for my IoT network.  I have some legacy devices which only support 2.4 GHz.

Hope this is helpful as a rough guide, though there may be errors in my setup.  I won't be offended if the networking gurus here point out any flaws.

Based on the options I have on Merlin firmware, I don't think VLAN tagging is possible for AP mode and it is only offered in router mode. There is a way to use scripts to do exactly what you are saying, but I'd rather avoid scripts because that could introduce more security issues. I'm not sure which open source firmware supports my routers, but I really like the range and speed they offer. I can get 500mbs everywhere in the house with 6E for better reliability in my congested area. Thanks for your detailed response. I'll see if the 3 major 3rd party firmwares support my router. They were pretty expensive, so I don't want to retire them.