Previously, when trying to set up multiple WLANs in different subnets/VLANs on my OpenWrt dummy WAP, I had just used multiple cables running from the WAP to the switch. But I really wasn’t happy with this. The questions that were eating at me: 1) What if I wanted to have more than 4 WLANs running on the WAP? (Probably not going to need that many without first upgrading to better and multiple WAPs, but the question remains.) 2) What if I need more ports on my switch?

It wouldn’t have bothered me too much, except I knew I could get it done with one cable. I punted the project down the road, though, because the answers to those questions were that I only need 3 WiFi networks and that I currently have plenty of ports on my switch.

But these are the kinds of things that keep me up at night. So I dug around and theorycrafted and tried to wrap my head around how tagged and untagged traffic works, and how I would set that up for my config specifically. Eventually I figured it out.

The gist

A recap of my config:

  • OPNsense router/firewall with one WAN port and one LAN port that is trunked with VLANs to…
  • Cisco 16-port switch with the same VLANs
  • OpenWrt dummy WAP (firewall and all routing neutered, it’s just a radio) with 3 cables running to the switch, each switch port carrying its associated VLAN untagged

What I figured out was this: simply treat the OpenWrt as another switch in a switch stack. Set up the VLANs, set up VLAN interfaces, and assign an IP to those VLANs. Make sure there’s a trunk port between the WAP and the switch, and make sure ALL traffic is tagged over this trunk.

The config

Prerequisite

Reset the WAP because you are (I am) a dunce who didn’t leave a management VLAN in place to have configuration access before setting all traffic as tagged.

(This just meant I got another practice run at setting up a dummy WAP from scratch - spaced repetition amirite?)

Connect to the newly wiped WAP

  • Set static IP on your machine to 192.168.1.X
  • Navigate to 192.168.1.1 in your browser
  • Set a password

Neuter unnecessary functionality

  • Network > Firewall
    • Set Input, Output, and Forward all to Accept
    • Remove all zone forwardings
  • Network > DHCP and DNS
    • Delete button

Set up VLANs

  • Network > Switch
    • Delete VLAN 1 (LAN)
    • Delete VLAN 2 (WAN)
    • Add VLAN 99
      • Description MGMT
      • Tagged on eth1 and lan1
      • Untagged on lan2 (this is important!)
      • Off on all others
    • Add VLAN 10
      • Description USER
      • Tagged on eth1 and lan1
      • Off on all others
    • Add VLAN 40
      • Description IOT
      • Tagged on eth1 and lan1
      • Off on all others
    • Add VLAN 90
      • Description GUEST
      • Tagged on eth1 and lan1
      • Off on all others

Once you save this configuration, you’ll need to 1) change your static IP to be in the same subnet as the untagged VLAN 99, 2) move your cable to lan2, and 3) access the web GUI via its new management IP.

Add IPs to VLANs

  • Network > Interfaces
    • Remove lan, wan, and wan6 interfaces
  • Network > Interfaces > Devices
    • Add a bridge for VLAN 99, name br-mgmt
    • Do the same for VLANs 10, 40, and 90
    • Remove br-lan and br-wan bridges
  • Network > Interfaces
    • Add a static address for each bridge
      • IPv4 address: 10.0.XX.254 (XX = VLAN id)
      • IPv4 netmask: 255.255.255.0
      • IPv4 gateway: 10.0.XX.1
      • IPv4 broadcast: 10.0.XX.255

Add WAPs for each VLAN

  • Network > Wireless (delete + replace or repurpose the existing disabled APs)
    • For each VLAN interface (except MGMT)
      • ESSID: whatever your heart desires
      • Network: associated VLAN interface
      • Wireless security: WPA2-PSK, set a password
      • For good measure, you can also tick isolate clients in the Advanced Settings tab

Connect it to the switch

Connect port lan1 on the WAP to the associated port on your switch. You should set this switchport to be in general mode: untagged VLAN 99 and PVID 99, tagged VLANs 10, 40, and 90.

Lock down the HTTP GUI

SSH into the WAP via its management interface (10.0.99.254). Edit /etc/config/uhttpd - replace 0.0.0.0 with 10.0.99.254 in both places (port 80 and port 443).

Lock down SSH access

ssh-copy-id root@10.0.99.254

  • System > Administration > SSH Access tab
    • Select the mgmt interface as the listen interface
    • Disallow password authentication
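A post-lockdown check for the two steps above (web GUI and SSH), added here as an example and not part of the original post: it parses UCI-style uhttpd and dropbear configs and fails if either still listens outside the management address. Only the 10.0.99.254 address is taken from the post; the config text is constructed for the demo, and the "before" file deliberately keeps the [::] IPv6 wildcard lines that a stock uhttpd config carries alongside the two 0.0.0.0 ones, since replacing only those two leaves the GUI reachable over IPv6.

```shell
#!/bin/sh
# Added example, not from the original post: verify the WAP's management
# plane after the uhttpd and dropbear lockdown. Only the mgmt address
# 10.0.99.254 comes from the post; the config text below is constructed.
MGMT_IP=10.0.99.254

# Return 0 if every listen_http/listen_https entry in a uhttpd config is
# bound to $MGMT_IP; otherwise print the stray addresses and return 1.
# Wildcards (0.0.0.0 and the IPv6 [::]) are caught the same way.
check_uhttpd() {
    stray=$(sed -n "s/^[[:space:]]*list listen_https\{0,1\} '\([^']*\)'.*/\1/p" "$1" \
            | grep -v "^$MGMT_IP:" || true)
    [ -z "$stray" ] || { printf 'uhttpd still listens on: %s\n' "$stray"; return 1; }
}

# Return 0 if dropbear is pinned to the mgmt interface with password
# authentication switched off (key auth only), 1 otherwise.
check_dropbear() {
    grep -q "option Interface 'mgmt'" "$1" && grep -q "option PasswordAuth 'off'" "$1"
}

# Constructed sample configs: uhttpd with only the two 0.0.0.0 lines edited,
# the fully locked-down uhttpd, and dropbear after the SSH Access changes.
BEFORE=$(mktemp); AFTER=$(mktemp); DROPBEAR=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER" "$DROPBEAR"' EXIT
cat >"$BEFORE" <<'EOF'
config uhttpd 'main'
    list listen_http '10.0.99.254:80'
    list listen_http '[::]:80'
    list listen_https '10.0.99.254:443'
    list listen_https '[::]:443'
EOF
cat >"$AFTER" <<'EOF'
config uhttpd 'main'
    list listen_http '10.0.99.254:80'
    list listen_https '10.0.99.254:443'
EOF
cat >"$DROPBEAR" <<'EOF'
config dropbear
    option Interface 'mgmt'
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
EOF

check_uhttpd "$BEFORE" || echo "before: GUI still reachable on every IPv6 address"
check_uhttpd "$AFTER" && echo "after: GUI bound to $MGMT_IP only"
check_dropbear "$DROPBEAR" && echo "dropbear: mgmt interface only, key auth only"
```

On the router itself, point the two functions at /etc/config/uhttpd and /etc/config/dropbear instead of the sample files.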

Some notes

It might be advisable to do this configuration in stages, all the while leaving a default VLAN (+ untagged port, as well as the bridge and static address) so that you always have access if you’re like me and inevitably fuck shit up.

In my actual config, I added one VLAN (99) and tested that I had a connection on a separate port over the static IP that I had just created, to sanity check my configuration. (So that I didn’t have to reset a FOURTH time.)

Another thing that I just now figured out (writing this the day after) - I had the switchport as a trunk port, and so VLAN 99 could either be tagged or native. I haven’t set the native VLAN to anything; it’s unused. I couldn’t access it via its 99 (MGMT) address. I figured out what general mode was for - it allows tagged and untagged traffic on the same port. I can now access it via its 10.0.99.254 address!

I also figured out the web GUI lockdown and SSH lockdown the day after, and added them to the configuration.

So now I can only access the web GUI and SSH via the MGMT address, which takes care of another thing that’s been bothering me for quite a while.

EOF