Setting up a guest network on OpenWRT: Bridging VLANs

Motivation

In my home network, I use a separate VLAN for guest access, i.e. devices that are allowed to connect to the internet but should not have access to local devices. Of course, the guest network should be available via a separate WiFi SSID as well. However, configuring this took me quite a while in LuCi and the reForis interface on my new Turris Omnia NG routers. While I am quite familiar with Linux networking on the command line, OpenWRT configuration is quite new to me. And although most configurations translate well from plain Linux networking to OpenWRT, there are some trivialities I still need to wrap my head around.

Setup

  • A Zyxel XGS1250-12 provides fiber uplink to turris-1.
  • turris-1 has fiber uplink on eth4 and an ethernet downlink to turris-2 on eth1.
  • turris-2 has ethernet uplink to turris-1 on eth1 as well.
  • On both Turris devices, all wired interfaces eth1 to eth5 are bridged as br-lan.
  • Both Turris devices broadcast the regular and the guest SSID.

Major takeaways

Here are three major takeaways that confused me the most during this configuration:

Don’t do DHCP on bridge members!

I don’t even know whether this is a peculiarity of the OpenWRT configuration, or whether it would have happened to me in plain Linux networking as well and just never did because I set things up differently. But what took me the longest to find out is that VLAN packets are not forwarded to the other interfaces of a bridge if a DHCP client runs directly on the upstream member of the bridge. That is, if the VLAN interface eth0.250 is part of a bridge and also has a DHCP client configured on it, it silently absorbs packets destined for other members of the bridge. That includes WiFi interfaces as well as ethernet interfaces. As my two Turris Omnia NG are chained behind one another, it also means that no DHCP replies reach the second Turris if the first one has a DHCP client on the bridge member. The same happens if the VLAN interface is itself created on a bridge, e.g. br-lan.250 instead of eth0.250.

Therefore, it is important to configure DHCP clients only on the bridge interface, not on one of its members. All members need to remain unconfigured for this setup to work. I spent a considerable amount of time figuring that out, although it sounds so simple.

Mind VLAN filtering on bridges!

Another thing that held me up for quite a while was “VLAN filtering”. OpenWRT supports “VLAN filtering” on bridge devices (the third tab in the device configuration in LuCi). Apparently, this allows you to define which VLANs are passed to which ports of a bridge, and it was enabled (by default?) on my OpenWRT Zyxel fiber uplink switch. I only found this by accident while trying to fix my configuration issues in LuCi. That meant I either had to disable VLAN filtering on the bridge, or allow the tagged guest VLAN to pass through on the required ports.

Ignore the reForis guest network configuration

While it is most certainly possible to achieve this with the existing Turris guest network configuration, I decided it would be easier to ditch that for now and understand how to get this to work in plain OpenWRT first. Maybe I will re-integrate the configuration with the existing Turris guest network in the future. But for now, I wanted to avoid existing firewall setups and reForis assistants interfering with my configuration.

tl;dr: Resulting Configuration

Long story short, here’s the how-to:

On both Turris devices:

  1. create an 802.1Q VLAN device on top of the LAN bridge device: br-lan.250 (screenshot: LuCi configuration of the br-lan.250 device)
  2. create a bridge device br-guest for the guest network and add br-lan.250 as a member (screenshot: LuCi configuration of the br-guest device)
  3. create a network interface guest using DHCP on the br-guest bridge device (screenshot: LuCi configuration of the guest interface)
  4. in the LuCi WiFi settings, configure the guest SSID(s) to use guest as their network (screenshot: LuCi WiFi SSID configuration)

The resulting device list (screenshot: LuCi device list).

And the resulting interface list (screenshot: LuCi interface list).
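The four LuCi steps above as `uci` commands, plus a check for the first takeaway (no DHCP client on a bridge member); this is an added example, not the post's own configuration. The UCI section names, radio0, the SSID, key and encryption are assumptions, and no firewall zone is set, since the post leaves the firewall untouched.

```shell
# Emits the UCI equivalent of the four LuCi steps above; apply on each Turris with
# guest_uci_batch 250 | uci batch && uci commit && /etc/init.d/network restart
# Section names, radio0, SSID, key and encryption are assumptions; adjust them.
guest_uci_batch() {
    vid="${1:-250}"
    # Step 1: 802.1Q VLAN device on top of the existing LAN bridge
    printf '%s\n' \
        "set network.guest_vlan=device" \
        "set network.guest_vlan.type='8021q'" \
        "set network.guest_vlan.ifname='br-lan'" \
        "set network.guest_vlan.vid='$vid'" \
        "set network.guest_vlan.name='br-lan.$vid'"
    # Step 2: guest bridge whose only wired member is that VLAN device
    printf '%s\n' \
        "set network.guest_bridge=device" \
        "set network.guest_bridge.type='bridge'" \
        "set network.guest_bridge.name='br-guest'" \
        "add_list network.guest_bridge.ports='br-lan.$vid'"
    # Step 3: DHCP client on the bridge itself, never on the member br-lan.$vid
    printf '%s\n' \
        "set network.guest=interface" \
        "set network.guest.device='br-guest'" \
        "set network.guest.proto='dhcp'"
    # Step 4: guest SSID bound to the guest interface, with client isolation
    printf '%s\n' \
        "set wireless.guest_ap=wifi-iface" \
        "set wireless.guest_ap.device='radio0'" \
        "set wireless.guest_ap.mode='ap'" \
        "set wireless.guest_ap.network='guest'" \
        "set wireless.guest_ap.ssid='guest'" \
        "set wireless.guest_ap.encryption='psk2'" \
        "set wireless.guest_ap.key='CHANGE-ME'" \
        "set wireless.guest_ap.isolate='1'"
}
# Reads `uci show network` on stdin; exits 1, naming the offender, if any DHCP
# interface sits directly on a bridge member instead of on the bridge.
dhcp_on_bridge_member() {
    awk -F= -v q="'" '
        /\.ports=/  { v = $2; gsub(q, "", v); n = split(v, p, " ")
                      for (i = 1; i <= n; i++) member[p[i]] = 1 }
        /\.device=/ { split($1, k, "."); v = $2; gsub(q, "", v); dev[k[2]] = v }
        /\.proto=.dhcp./ { split($1, k, "."); dhcp[k[2]] = 1 }
        END { for (s in dhcp) if (dev[s] in member) { bad = 1
                  print "interface " s ": DHCP client on bridge member " dev[s] }
              exit bad }'
}
# Constructed `uci show network` excerpt reproducing the mistake from the post.
SAMPLE_BAD="network.guest_bridge.ports='br-lan.250'
network.guest.device='br-lan.250'
network.guest.proto='dhcp'"
```

After applying the batch, `uci show network | dhcp_on_bridge_member` on each Turris confirms that the DHCP client ended up on br-guest and not on br-lan.250.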