openWRT on two GL.Inet MT6000s
Note: Pictures forthcoming
This tutorial reviews the unique manner in which I was able to get public and private interfaces/subnets/vlans set up on two GL.Inet MT6000s. One device is used as the router and has WiFi setup for emergencies, an openvpn server for external access, and public and private lan interfaces/subnets/vlans. The other device is in AP-only mode and only has the public and private lan interfaces/subnets/vlans. I'll call the first device the router and the second device the AP. The AP is centrally located in the house and has a cat6 that is fed to it from across the house where the primary wiring distribution is. The router has incoming DOCSIS cable internet from an Arris SB33 at 1200 Gbps and feeds into a 2.5Gbps WAN port on the router. The router then feeds a cat6 cable out of its 2.5Gbps LAN port into a 2.5Gbps switch, and from there to all remaining hardwired servers, devices, including into the AP device's 2.5Gbps LAN port. Fun ASCII drawing below.
Only the router has a dhcp server. The AP is just a radio and serves two different public SSIDs and two different private SSIDs. Each is attached to the matching VLAN as entered on the AP. Alright, so now that I've provided the overview, let's review how to do this step by step. It might help others as its different than the way I'm used to doing this (1) and it will help me document and remember what I did so I can replicate in production for Haack's Networking clients (2). The first step is to create VLAN filtering on the default br-lan device.
To get here, go to Interfaces > Devices > Bridge VLAN filtering. Enable the option and add as many VLANs as you desire. In my case, I want the ports tagged as I have above but you will likely need a different arrangement so make sure to alter or adjust these instructions for your use case.
NOTE: You must not Save and Apply the settings above.
Instead, you need to go to Interfaces > Interfaces > lan Edit > Device. Change the device from the default br-lan to the Software VLAN called br-lan.1 that you just created.
Once you've attached the lan interface to the newly created Software VLAN br-lan.1, you can safely Save and Apply the changes and your router will remain reachable. After this, you need to create a public interface, firewall zone, and two separate radios/SSIDs for each frequency that are attached to the public interface (not private). To do this, go to Interfaces > Interfaces > Add new interface. Enter something like pub for the name, switch the protocol to static address, and for device, you would select the other Software VLAN you created in the step above, or something like br-lan.192. The last three digits would be whatever you chose for the VLAN ID in the VLAN filtering step above. Once you complete these steps, your main Interfaces page and the public break down tab should look like the assets below.
As you can see on the Interface overview page, the lan is connected to br-lan.1 and the VLAN is connected to br-lan.192 (for example). These are the two Software VLANs we created off the primary bridge device above. In short, we forked the physical hardware bridge into two separate VLANs and separated subnets. After creating the public interface on the router, make sure to also create an appropriate firewall zone. Yours might look something similar to this:
My router has an openvpn server as well, but that's not the focus of this tutorial. If you are interested in that, you can look over my openvpn server on openWRT wiki notes. For now, what's important to note is that you need to click on the pub zone, click Edit, then under “Allow forward to destination zones” make sure to specify the wan zone or your public interface won't be able to route out. More than likely, you will want to set input/output to accept, while forwards are typically set to reject. Once your firewall zone is setup for the newly added public interface on your router, you can now optionally setup backup SSIDs on the router. That is, in this design, we intend for the AP device (only) to handle WiFi and we will be setting that up soon. But/and, if the AP fails some point in the future, it's still a good idea to have public/private WiFi functioning on the router in case you need to fix or pull the AP out of production. Otherwise, the router SSIDs/radios remain disabled. Here's what the router SSIDs look like from the overview page, and also within each radio.
As you can see above, each frequency has both a public and private SSID setup.
Under the private radio/SSID, you can see that it is attached to the lan interface/subnet/VLAN.
As you can see here, the public SSID is attached to the pub interface/subnet/VLAN.
The most important thing to note in the assets above is that the private SSID is attached to the lan network, while the public SSID is attached to the pub network. This is essential so that the router's dhcp server will provide devices connected on each interface different address schemes, for example, 10.0.0.X on the private subnet and 192.168.1.X on the public subnet. The VLAN IDs usually are named after the chosen subnets in some fashion, but that's optional of course. If you did not remember to establish differing subnets above for the lan and pub interfaces, do so now. Also, make sure that the dhcp tab under Interfaces > Interfaces > lan/pub Edit > DHCP Server is enabled and set up (on the router only). Once that's done and once you've tested the radios and vlan/subnets for both private and public networks (on the router) and confirmed they work … you can finally disable the radios and set up the AP. The AP device should be connected to the other device through its 2.5Gbps LAN port. The AP interfaces are set up identically except for two primary differences:
You do not set up dhcp on either lan or pub interfaces on the AP
Remove the WAN and WAN6 interfaces as this device is in AP-only mode
Other than these key differences, you repeat the same steps as indicated above:
Create the two VLAN IDs under VLAN filtering option on br-lan (on the AP) in Interfaces > Devices > br-lan Configure; make sure not to apply changes
Change the Device in Interfaces > Interfaces > lan Edit to use br-lan.1 instead of br-lan
After this you save and apply the changes, create your public interface, add the associated firewall zone to the public interface and attach the public interface to br-lan.192 (for example), or what would be the other Software VLAN you created for the public network. Here are example assets of those configurations:
The first thing you should notice is that there are no WAN or WAN6 interfaces present since this is the AP. Each interface on the AP is attached is to the same / matching name Software VLANs as were created on the router. Just like the router, those Software VLANs were created on the AP under Interfaces > Devices > br-lan Configure > Add VLAN Filtering; see the steps above for how to do this.
If you click Edit on the lan interface and look under the DHCP Server tab, make sure that Ignore interface is selected. The reason this information is populated is because the lan interface comes with DHCP Server enabled by default on the AP; one must disable it by selecting the box above.
When you create a new interfaces, as you will do on the AP for the public network, openWRT does not automatically create a DHCP Server and so there will be no information populated under the tab. This is what you want, as you don't want the AP doing DHCP, only the router.
The AP's firewall setup is also simpler because there's notably no vpn server on the AP. Otherwise, the zone settings are identical to the router. The last step on the AP is configuring the private and public SSIDs/radios, and attaching them to the lan and pub interfaces. This will also look very similar to the router.
Just as with the router, the SSIDs marked “priv” in the picture above are attached to the lan Network under Edit, while the SSIDs marked pub in the picture above are attached to the pub Network under Edit. Once all of this setup, make sure to reboot both devices. Attempt connecting to both the private and public SSIDs/subnets/VLANs, make sure that you get assigned addresses on each network, can route out, and so on. If you can't, install tcpdump on the router and AP and begin problem solving. You can also use tools like ip link on your workstations to monitor dhcp solicitations and behavior. The workstations in this home and home office now all regularly get 800 - 1200 down, while most WiFi clients can reach 500-800 regularly now. As noted earlier, I keep WiFi off on the router, only using it if/when I need to take the AP down. Everything is just purring!
Thanks, oemb1905
Happy Hacking
— oemb1905 2024/09/28 21:24