Guest/IoT WiFi with VLANs (multple APs)

Time to revisit the Guest WiFi setup.
I'm planning an additional AP for guests and IoT devices.

So let's see if we can get VLANs setup...

 config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6'

This is confusing: ports 5 and 6 are setup as part of VLAN2 - but aren't used/connected ?
(could be an internal connection for the wifi - but let's go boldly etc.)

add a VLAN3 under switch config
note: I have the CPUport AND port2 tagged. in both VLAN1 and the new VLAN3.
I will be connecting my additional AP on port2. (/etc/config/network)

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 2t'

then define a new interface 'guest'


attach it to eth0.3 with STATIC IP  (/etc/config/network)

config interface 'guest'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '10.0.3.1'
        option netmask '255.255.255.0'

and a new wifi attached to 'guest' (/etc/config/wireless)

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'guest'
        option network 'guest'
        option encryption 'psk2'
        option key '<secret>'

add DHCP for the guest interace (/etc/config/dhcp)

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

!note: I had a dhcp/dns fail when doing this all via LUCI, hence the conf files.

almost there, add a firewall zone, and a allow forwarding to WAN.(/etc/config/firewall)
config zone
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'guest'
        option network 'guest'

 config forwarding
        option dest 'wan'
        option src 'guest'

finally, give them access to dnsmasq for dhcp and dns (/etc/config/firewall)

restart all the services and that's it.

Comments

Post a Comment

Popular posts from this blog

Traffic accounting

Got this from here: http://www.catonmat.net/blog/traffic-accounting-with-iptables/ All i'm interested in is my monthly bandwidth consumption, not the individual devices, there are plenty of forum threads/tools to do that. But why bring in additional tools when iptables has it all? iptables -N TRAFFIC_ACCT iptables -I FORWARD -j TRAFFIC_ACCT iptables -A TRAFFIC_ACCT and to just get the number: iptables -L TRAFFIC_ACCT -v | sed -n 3p | cut -d' ' -f2 to reset the counters /usr/sbin/iptables -L TRAFFIC_ACCT -Z the cron job to reset at the begining of the month, and a daily telegram msg 1 0 1 * * /usr/sbin/iptables -L TRAFFIC_ACCT -Z  0 8 * * * /usr/bin/curl -s -X POST https://api.telegram.org/<BOTID>/sendMessage -d chat_id=<CHATID> -d text="$(/usr/sbin/iptables -L TRAFFIC_ACCT -v | /bin/sed -n 3p | /usr/bin/cut -d' ' -f3)" >/dev/null 2>&1 (you'll need to opkg install ca-bundle for the https to work)
Read more

QoS with SQM (and something about bufferbloat)

another feature that came with stock zyxel fw is their 'optimized' (the one with the 400mbps nag) QoS packages. As far as i can tell the standard SQM package should come pretty close. install uci-app-sqm a Network>SQM QoS menu item will appear check enable, double check your interface name is really your wan port(eth1), and set your down/up speeds to what you measured with e.g. dslreports . under linklayer adaptation set to Ethernet (for VDSL) with 8 bytes overhead. i reran the test, and it seems my up/down throughput dropped about 10%,  but my bufferbloat report went from D to B.... whatever that means in reality I'll have to find out :)
Read more

Ath10k alternative driver firmware - CC15.05.1 wireless unstable

I'm still experiencing trouble with the 5Ghz, maybe even WRT in general, up to the point I'm considering going back to the original Zyzel AA release. One last effort to see if this helps: I'm currently running an alternative driver firmware for the  QCA988X get it from github i'm running the last of the 4 series 10.2.4.48 (not sure if running the 5 series is possible, something for later) rename the file to firmware-4.bin and replace the one that's already there in /lib/firmware/ath10k/QCA988X/hw2.0 There's probably a way to force WRT to reload the driver, but hey I rebooted. First look seems fine, let's see if it's more stable. -- update -- leaving channel selection on 'auto' didn't work - 5G did not come up. (no mesgs as to why) manually selecting a channel did seem to work, at least when also selecting a 20Mhz bandwidth, 40Mhz seemed to work but I had some devices not connecting properly. -- update2 -- 5G was mostly s...
Read more