Hi,
I need some help getting my guest WiFi to work. I have a Buffalo router running DD-WRT connected to my RB750GL which is handling the Internet connection and routing. The Buffalo router acts as an AP and switch only.
I set up two SSIDs on the Buffalo, one for the private network and one for guests. Now I want to separate the guest WiFi from the rest using a tagged VLAN (802.1q).
Unfortunately there is a lot of information on the net regarding trunking and VLAN and it got me totally confused. I don’t get it to work.
The Buffalo is connected to ether5. I created a bridge ‘bridge-trunk’ and a VLAN ‘vlan-guest’. I assigned the VLAN to the bridge. But as soon as I assign ether5 to the bridge as well, I lose connection to the Buffalo router (ping).
What do I need to do so that ether5 accepts tagged (from/to the guest WiFi) and untagged (from/to the private network) packets and handles them accordingly?
Thanks!
Kind regards,
iBlueDragon
If your LAN ports are configured as master/slave to each other, then use the master port instead of ether5 in these instructions:
Create guest bridge
Create VLAN interface on ether5 with the vlan-id you’ve chosen for the guest VLAN to use
Put IP/DHCP/Firewall rules on the guest bridge interface.
In Ports tab of the bridge configuration, add the guest VLAN interface to the guest bridge.
If you need this VLAN on any other physical ports, and your switch ports are not master/slave with each other, then create additional VLAN interfaces on the other interfaces, and add them to the bridge ports.
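The steps above written out as RouterOS (v6 syntax) commands, as an added example that is not part of the original reply. VLAN ID 10 and the LAN master port name ether2-master-local are taken from later posts in this thread; the 192.168.10.0/24 guest subnet, the pool range and the object names are assumptions.

```routeros
# Added example, not from the thread. Assumed values: guest subnet
# 192.168.10.0/24, names bridge-guest / vlan-guest / pool-guest / dhcp-guest.
# If ether5 is a slave port, put the VLAN on its master port instead.

# 1. Guest bridge
/interface bridge add name=bridge-guest

# 2. Tagged VLAN sub-interface on the port facing the AP
/interface vlan add name=vlan-guest vlan-id=10 interface=ether5

# 3. Attach the VLAN sub-interface to the guest bridge
/interface bridge port add bridge=bridge-guest interface=vlan-guest

# 4. Addressing and DHCP live on the bridge, not on the VLAN interface
/ip address add address=192.168.10.1/24 interface=bridge-guest
/ip pool add name=pool-guest ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add name=dhcp-guest interface=bridge-guest \
    address-pool=pool-guest disabled=no
# dns-server points at the router, which needs allow-remote-requests=yes
/ip dhcp-server network add address=192.168.10.0/24 \
    gateway=192.168.10.1 dns-server=192.168.10.1

# 5. Firewall. The VLAN only separates layer 2; the router still routes
#    between its connected subnets until a forward rule stops it.
/ip firewall filter
add chain=forward in-interface=bridge-guest \
    out-interface=ether2-master-local action=drop \
    comment="guest: no access to private LAN"
add chain=input in-interface=bridge-guest protocol=udp \
    dst-port=53,67 action=accept comment="guest: DNS and DHCP"
add chain=input in-interface=bridge-guest protocol=tcp \
    dst-port=53 action=accept comment="guest: DNS over TCP"
add chain=input in-interface=bridge-guest action=drop \
    comment="guest: no router management"

# New rules are appended to the end of each chain. Check with
# "/ip firewall filter print" that no earlier rule accepts new
# connections from bridge-guest before these drops are reached.
```

From a guest client, a ping to a private LAN host and a connection attempt to the router's WinBox or web interface should both fail, while Internet access keeps working.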
Thanks, ZeroByte! I didn’t know that having a master/slave setup makes a difference.
After wasting a lot of time with my Buffalo WZR-HP-AG300H on DD-WRT and OpenWRT without getting it to work, I finally got some progress today with an old Linksys WRT54G2 running DD-WRT.
Following a tutorial I found I set up the VLAN tagging for VLANs 0, 1 (only 0 did not work as well) and 10 on port 1 under Setup/VLAN (not VLAN tagging under Setup/Networking) and a bridge bridging VLAN 10 and my guest Wifi.
Now I have the following situation:
If I connect the Linksys (port 1) to the Mikrotik I can connect to my guest WiFi, get a correct IP address and access the internet! But I lose connection to the Linksys via the private LAN, so also the private WiFi (also set up on the Linksys) does not work anymore. Using port 2 (not tagged) brings back the private LAN but of course does not separate the guest WiFi anymore.
What am I missing? Do I need to add another VLAN to the Mikrotik to handle the private LAN packets from/to the Linksys properly? Or must there still be something wrong on the Linksys?
Another question: I saw that in Winbox under ‘Switch’ VLAN mode is disabled. Is that correct?
Kind regards,
iBlueDragon
Somehow I missed your update to this thread - sorry about that…
Basically, I assumed that private LAN was not tagged and that guest lan was tagged.
If private LAN is also tagged, then you’ll need to make another bridge for private LAN, and put vlan sub-interfaces on the physical ports (e.g. ether5) and connect those vlan sub-interfaces to the private LAN bridge.
I would suggest the private vlan be untagged, because this lets you use the switch chip for your LAN more easily.
vlan mode = disabled means to just pass everything through as tagged/untagged without altering anything or blocking anything.
Thanks again, ZeroByte!
Yes, I wanted to have the private LAN untagged, but it seems the old Linksys cannot do that. The respective Wiki page on dd-wrt.com says, it’s only possible on some models to have an untagged default VLAN with dd-wrt (but don’t know how up to date it is).
Anyways, yesterday I figured it out myself and got more progress the way you described it. I configured the Linksys to also tag the private WLAN (VLAN 1) and set up the Mikrotik the way you mentioned. Now I get an IP address from the correct range on both WLANs and can connect to the internet.
Only one problem left: The private WiFi can connect to the internet but not to other network resources in the private LAN (and I cannot connect to the Linksys config interface via LAN, only via WiFi). So, how do I bridge VLAN 1 to the untagged rest on the Mikrotik? Do I just need to add ether2-master-local to the bridge? (It was too late yesterday evening to keep trying…) Or is it still a problem on the Linksys?
Kind regards,
iBlueDragon