Guest network on one ethernet port using vlan

I have TP-Link TL-WDR3600 v1. I was using another AC router as access point and built-in radio for guest network. It seems that the guest radio is dying now.

I am thinking of creating a vlan on one of the open switch ports and connecting another cheap router (that I already own) as an access point. Is it possible? if yes, can somebody please guide me?

I found this article on the openwrt site. Is this relevant?

https://wiki.openwrt.org/doc/recipes/guest-wlan

Yes, it is possible; I have done exactly that using a similar router (WDR4300). You just need to configure the switch to segregate one of the ethernet ports (you are already segregating the WAN port from the LAN ports), and configure a network on that interface. If you post your network, dhcp, and firewall files here, I can point the changes; it is a five minute job.

2 Likes

Thanks @eduperez

Here are the files.

BTW The problem went away after I rebooted the router once and when I rebooted the cable modem second time. I can understand the rebooting of router did something to the network hardware but not rebooting the modem. It had nothing to do with the network config inside the router. All this time, LAN has been working fine. Using external access point will certainly help me to debug.

Network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf6:5df9:2a1a::/48'
	
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option broadcast '1'
	option peerdns '0'
	option dns '208.67.222.222 208.67.220.220'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '2620:0:ccc::2 2620:0:ccd::2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option dns '208.67.220.220 208.67.222.222'
	option type 'bridge'

DHCP

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf6:5df9:2a1a::/48'
	
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option broadcast '1'
	option peerdns '0'
	option dns '208.67.222.222 208.67.220.220'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option dns '2620:0:ccc::2 2620:0:ccd::2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option dns '208.67.220.220 208.67.222.222'
	option type 'bridge'

Firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'guest'
	option network 'guest'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'
	option family 'ipv4'

config rule
	option target 'ACCEPT'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'
	option proto 'udp'

config rule
	option dest 'wan'
	option name 'Block iPad'
	option src '*'
	option src_mac 'B8:C7:5D:EA:25:49'
	option target 'DROP'
	option weekdays 'Sun Mon Tue Wed Thu'
	option start_time '22:36:00'
	option stop_time '23:59:00'
	option enabled '0'

You posted your "network" file twice, instead of you "dhcp" file.

@eduperez, Sorry, here is the DHCP file.

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option limit '20'
	option ra_management '1'
	option start '10'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
	option leasetime '12h'
	option interface 'guest'
	option limit '10'
	option force '1'
	option start '11'

You do not indicate if your other device can run LEDE or not, but I used this link to configure a LEDE (Dumb) AP that has it's own self contained Guest LAN. This means the AP has a DHCP server for the guest LAN (only) on it and firewall rules that, as best I can tell (test) do not allow access to the LAN or the web GUIs for either device. No VLANs required.
https://blog.doenselmann.com/gaeste-wlan-auf-openwrt-access-point/
Unless you speak German you will need to translate this page.

First, separate the LAN1 port out of the LAN network; change:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

to

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2 0t'

Now, configure the guest network on that interface; change:

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option dns '208.67.220.220 208.67.222.222'
	option type 'bridge'

to

config interface 'guest'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

You should now be able to plug a computer into port LAN1, get an IP address in the 192.168.2.x range, and connect to the internet (both dhcp and firewall files seem ok).

Thanks @eduparez

The config worked. But it stopped my wifi. Although that is the end goal, I wanted to keep both running at the same time for testing. BTW After I reverted back to the original configuration, wifi radio on the tp-link router started working again. Anyway, now I know how to do it if and when it fails.

There is no reason why you cannot have wifi running; in fact, you just need to add back the option type 'bridge' line to the config interface 'guest' section, but I cannot be sure unless you show us your wireless config file.

I am so close to having this work on an Archer C7 v2 (running LEDE) though my setup is a little different.

I want to use Apple Airports as the APs. They will work for the main wifi network and the guest network. The Airports tag all of the guest network traffic with VLAN 1003. So I need one port on the router that will accept traffic from both networks and the guest traffic needs to be firewalled from the rest of the LAN. I have this working on a smart switch where the ports that the wireless traffic passes through are untagged for VLAN 1 and tagged for VLAN 1003.

Article here: https://www.thegeekpub.com/5191/use-airport-extreme-guest-network-bridge-mode/

I believe I have LAN1 port out of the network. Not sure that I have the interface setup correctly or the VLANs setup properly. I made an attempt to create a new interface called GuestAP but I couldn't get that working.

Network

 
                                                                                                                                                                                                                                                                 
config interface 'loopback'                                                                                                    
        option ifname 'lo'                                                                                                     
        option proto 'static'                                                                                                  
        option ipaddr '127.0.0.1'                                                                                              
        option netmask '255.0.0.0'                                                                                             
                                                                                                                               
config globals 'globals'                                                                                                       
        option ula_prefix 'fdfc:e39f:a38c::/48'                                                                                
                                                                                                                               
config interface 'lan'                                                                                                         
        option ifname 'eth1'                                                                                                   
        option force_link '1'                                                                                                  
        option type 'bridge'                                                                                                   
        option proto 'static'                                                                                                  
        option netmask '255.255.255.0'                                                                                         
        option ip6assign '60'                                                                                                  
        option mtu '1500'                                                                                                      
        option dns '208.67.222.222 208.67.220.220'                                                                             
        option ipaddr '10.0.1.1'                                                                                               
                                                                                                                               
config interface 'wan'                                                                                                         
        option ifname 'eth0'                                                                                                   
        option _orig_ifname 'eth0'                                                                                             
        option _orig_bridge 'false'                                                                                            
        option proto 'dhcp'                                                                                                    
                                                                                                                               
config interface 'wan6'                                                                                                        
        option ifname '@wan'                                                                                                   
        option proto 'dhcpv6'                                                                                                  
                                                                                                                               
config switch                                                                                                                  
        option name 'switch0'                                                                                                  
        option reset '1'                                                                                                       
        option enable_vlan '1'                                                                                                 
                                                                                                                               
config switch_vlan                                                                                                             
        option device 'switch0'                                                                                                
        option vlan '1'                                                                                                        
        option ports '0 3 4 5'                                                                                                 
                                                                                                                               
config switch_vlan                                                                                                             
        option device 'switch0'                                                                                                
        option vlan '1003'                                                                                                     
        option ports '2t 0'                                                                                                    
                                                                                                                               
config switch_vlan                                                                                                             
        option device 'switch0'                                                                                                
        option vlan '2'                                                                                                        
        option ports '1 6'                                                                                                     
                                                                                                                               
config interface 'guest'                                                                                                       
        option _orig_ifname 'wlan1-1'                                                                                          
        option _orig_bridge 'false'                                                                                            
        option proto 'static'                                                                                                  
        option ipaddr '192.168.3.1'                                                                                            
        option netmask '255.255.255.0'                                                                                         
        option type 'bridge'                                                                                                   
                                                                                                                               
config interface 'modem'                                                                                                       
        option proto 'static'                                                                                                  
        option ifname 'eth0'                                                                                                   
        option ipaddr '192.168.100.2'                                                                                          
        option gateway '192.168.100.1'                                                                                         
        option netmask '255.255.255.0'                                                                                         
                                                                                                                               
config interface 'guestAP'                                                                                                     
        option proto 'static'                                                                                                  
        option ipaddr '192.168.4.1'                                                                                            
        option netmask '255.255.255.0'                                                                                         
        option type 'bridge'                                                                                                   
        option dns '208.67.222.222'                                                                                            
        option _orig_ifname 'eth0.1003'                                                                                        
        option _orig_bridge 'true'                                                                                             
        option ifname 'eth0.1003'       
               

DHCP

 

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option cachesize '500'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
        option interface 'guest'
        option start '20'
        option limit '230'
        option leasetime '2h'

config dhcp 'guestAP'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'guestAP'

Firewall


config defaults                        
        option syn_flood '1'           
        option input 'ACCEPT'           
        option output 'ACCEPT'          
        option forward 'REJECT'         
                                        
config zone                             
        option name 'lan'                       
        option input 'ACCEPT'                   
        option output 'ACCEPT'                  
        option forward 'ACCEPT'                 
        option mtu_fix '1'                      
        option network 'lan'                
                                               
config zone                                     
        option name 'wan'                       
        option input 'REJECT'                   
        option output 'ACCEPT'                  
        option forward 'REJECT'                 
        option masq '1'                         
        option mtu_fix '1'                      
        option network 'wan wan6'               
                                                
config forwarding                               
        option src 'lan'                        
        option dest 'wan'                       
                                                
config rule                                     
        option name 'Allow-DHCP-Renew'          
        option src 'wan'                        
        option proto 'udp'                      
        option dest_port '68'                   
        option target 'ACCEPT'                  
        option family 'ipv4'                    
                                                
config rule                                     
        option name 'Allow-Ping'                
        option src 'wan'                        
        option proto 'icmp'                     
        option icmp_type 'echo-request'         
        option family 'ipv4'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-IGMP'                
        option src 'wan'                        
        option proto 'igmp'                     
        option family 'ipv4'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-DHCPv6'              
        option src 'wan'                        
        option proto 'udp'                      
        option src_ip 'fc00::/6'                
        option dest_ip 'fc00::/6'               
        option dest_port '546'                  
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-MLD'                 
        option src 'wan'                        
        option proto 'icmp'                     
        option src_ip 'fe80::/10'               
        list icmp_type '130/0'                  
        list icmp_type '131/0'                  
        list icmp_type '132/0'                  
        list icmp_type '143/0'                  
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                               
config rule                            
        option name 'Allow-ICMPv6-Input'
        option src 'wan'                
        option proto 'icmp'             
        list icmp_type 'echo-request'   
        list icmp_type 'echo-reply'     
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        list icmp_type 'router-solicitation'    
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'   
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config rule                                     
        option name 'Allow-ICMPv6-Forward'      
        option src 'wan'                        
        option dest '*'                         
        option proto 'icmp'                     
        list icmp_type 'echo-request'           
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'          
        list icmp_type 'bad-header'             
        list icmp_type 'unknown-header-type'    
        option limit '1000/sec'                 
        option family 'ipv6'                    
        option target 'ACCEPT'                  
                                                
config include                                  
        option path '/etc/firewall.user'        
                                                
config rule                                     
        option src 'wan'                        
        option dest 'lan'                       
        option proto 'esp'                      
        option target 'ACCEPT'                  
                                                
config rule                                     
        option src 'wan'                        
        option dest 'lan'                       
        option dest_port '500'                  
        option proto 'udp'                      
        option target 'ACCEPT'                  
                                                
config zone                                     
        option name 'guest'                     
        option forward 'REJECT'                 
        option output 'ACCEPT'                  
        option input 'REJECT'                   
        option mtu_fix '1'                      
        option network 'guest LAN1 guestAP'     
                                                
config forwarding                               
        option dest 'wan'                       
        option src 'guest'                      
                                                
config rule                                     
        option target 'ACCEPT'                  
        option src 'guest'                      
        option name 'GuestDNS'                  
        option proto 'all'                      
        option dest_port '53'                   
                                                
config rule                                     
        option enabled '1'                      
        option target 'ACCEPT'                  
        option src 'guest'                      
        option name 'GuestDHCP'                 
        option proto 'udp'                      
        option dest_port '67-68'                
                                                
config include 'miniupnpd'                      
        option type 'script'                    
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'                                
        option reload '1'                                  




In general, mixing tagged and untagged on the same interface does not work. Perhaps it works for your device, but I would try to change the setup around that limitation, and see if that works.

Ah ha. So if all traffic runs through the switch, I should have two lines between the switch and the router:

  1. general traffic (untagged)
  2. VLAN 1003 (tagged)

At that point I would plug in the VLAN 1003 line to LAN1 on the router and the general traffic line can go into any of the other three LAN ports on the router.

This thread may also be helpful: Separate subnet on physical port #4

@roryking - what was working and what was having issues?

I disagree with @eduperez WRT the mixing of tagged and untagged networks on the same interface -- also known as creating a trunk. I have successfully done this with LEDE and other routers/OS's. It should work properly and reliably provided that the switch is VLAN aware (on the C7, the switch is indeed VLAN capable). Sometimes there can be issues that have more to do with the interface to the CPU than the assignment to the ports. The CPU interface must be tagged in most cases so that it can keep track of the associated VLANs.

What is working: LAN 2, 3, and 4 are working as expected for untagged traffic. The router hands out IP addresses correctly and clients can see each other on the network. LAN 1 is separate from them from what I can tell.

What is not working: the C7 is not passing through any of the VLAN 1003 traffic on either LAN 1 or LAN 4. It is also not handing out IP addresses on LAN 1.

The current router is an Apple Airport Extreme that handles mixed tagged and untagged over the same interface. It does occur to me that maybe I'm overthinking this: if I can mix tagged and untagged on the same interface then I can simplify things. I don't plan to rate limit the guest network so maybe I don't need a dedicated router port for it.

Obviously there are problems with the DHCP and firewall rules. Maybe I need to tag the CPU as well? I think that would be port 0?

@roryking -

Let's back up a few steps and determine what it is that you want to achieve. At the high level, describe your ideal network config. For example, a trusted LAN + guest network (guest has internet access, but no LAN access).

How are things connected (physical connections). For example Modem > LEDE C7 > Airport.

Do you need both wired and wireless access for guests, or only wireless?

Are there any special requirements for your network beyond the segregation of LAN and guest clients?

FWIW, the Airport products are reasonable routers if you don't have any advanced requirements (they handle normal routing, port forwarding, wired/wireless LAN, and guest wireless quite well). LEDE obviously offers a lot more in terms of custom config options and hardware selections, but keep in mind that you might be making more complexity by adding the LEDE router in the first place.

My hope is that the LEDE router will be faster and more capable of handling things like buffer bloat and IPv6 than the Airport can. I know it adds some complexity but it definitely feels snappier when the C7 is inline. Also: I think that the Airports may be EOL for Apple soon so I want to plan ahead.

Network plan:
Modem > LEDE C7 > L2 Switch > Airports (2 total)

I need the LEDE router to handle the VLAN 1003 traffic that it will receive over the LAN. The VLAN 1003 traffic will be from the guest wifi network and needs to be kept separate from the main network traffic for security. The Airports automatically add the 1003 tag to the guest wifi traffic.

Guests only need wireless access. Wireless will be provided by the Airports with ethernet backhaul to the switch.

No other special segregation.

The L2 Switch is currently sending the VLAN 1003 traffic to the router so I've gotten that far. (Current working router is an Airport; switch is a Dell 5424.)

1 Like

This is pretty straight forward on the LEDE side. I used a Linksys E3000 to mock this up, so the config files presented here may not be drop-in ready, but should give you the templates for what you need to do. Ask questions if anything is unclear.

I'd recommend that you directly connect one of your Airport devices to the trunk port on the LEDE router so that you can verify proper functionality of the VLANs without having to troubleshoot potential issues involving the switch. Once that is confirmed working, connect the trunk to the switch and the airport(s) to the switch as well.

I've also uploaded a screenshot of the LuCI switch page so you can see how the VLANs on the switch ports map out (at least for the E3000).

What you'll see below is a configuration with the following characteristics:

  1. main LAN on 192.168.1.0/24 with normal access to the router
  2. guest LAN on VLAN1003 at 192.168.2.0/24
  3. Guest LAN has firewall rules allowing DHCP and DNS requests to the router but forbidding any other access to the router or the main LAN.
  4. Both LANs can access the internet normally.
  5. main LAN on ports 1, 2, 4 (all untagged).
  6. Guest LAN on ports 3 (untagged) and 4 (tagged)

I did not explicitly test to see if the main LAN has access to the guest LAN, but the guest network should be unable to access the main LAN.

Network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd93:c9ee:e277::/48'

config interface 'wan'
	option ifname 'eth0.1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.1'
	option proto 'dhcpv6'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 3 4 8t'

config switch_vlan
	option device 'switch0'
	option ports '1t 2 8t'
	option vlan '1003'

config interface 'Guest'
	option proto 'static'
	option ifname 'eth0.1003'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
DHCP
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'Guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Guest'
Firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Guest'
	option input 'REJECT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Allow-GuestDHCP'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Allow-GuestDNS'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'guest'

06 PM

A few followup thoughts:

  • Remember that what I have done is a template for the conceptual frameworks you'll be implementing. I think that the firewall and DHCP files should be okay to drop in, but the specific details for the network config are not the same between the E3000 and the C7. This means that things like the CPU port and the numbering of the physical ports vs logical assignments will not be the same. Use my file as guidance, but not verbatim (it could mess up your config causing major headaches).

  • I am assuming that your Airport devices will serve both the main LAN and the Guest wifi networks. Make sure your Airports are configured as bridge devices (i.e. DHCP server and NAT turned off -- it is one of the preset configs you can select). IIRC, your LEDE trunk port (i.e. the one carrying both the LAN (untagged) and Guest (tagged) networks on a single port) will connect to the physical port usually used for the WAN on the Airport.

Thanks for that. It will take me some time to test out; I'll let you know when I make some progress (or get completely stuck).