Tutorial Adding custom SSID and specific VLAN (for IOT for example)

[HELLO_wORLD]

Hello,

I will describe here my experience regarding the creation of an additional SSID (on top of the main and guest ones) on a R7800 in AP mode, with @Voxel's firmware, and having it in its own VLAN.

So I have my main router (no wifi) under OpenWrt.
The router is connected with ethernet to the port WAN of the R7800 that is in AP mode.
The R7800 has the latest Voxel's firmware (V1.0.2.106SF at the time), with an ssh access set up, an external drive connected through USB.

The R7800 is able to handle up to 16 simultaneous SSIDs (see here under valid interface combinations), but the Netgear GUI only allows 4 (2&5 GHz main + 2&5 GHz guest).

The goal was to isolate the IOT devices that are using wifi from the LAN and the WAN, by putting them on a specific VLAN. This means:

• an ethernet subinterface with the right VLAN tag needs to be created to send VLAN tagged frames to the router (that of course is setup on its side to read such tagged frames),
• a new WLAN SSID has to be created,
• Both the ethernet VLAN sub interface and the new WLAN interface have to be on their own bridge, isolated from the main one.

Creating the VLAN tagged ethernet subinterface

First, it is important to understand that the R7800 ethernet ports are connected through an internal hardware switch.
The switch can be configured using swconfig, and by default is setup this way:

PORT	0	1	2	3	4	5	6
NAME	CPU (linked to kernel)	LAN	LAN	LAN	LAN	WAN	? (linked to kernel)
VLAN 1	not member	untagged	untagged	untagged	untagged	not member	untagged
VLAN 2	untagged	not member	not member	not member	not member	untagged	not member

That means that the physical LAN ports and the one WAN port of the R7800 are on the same internal switch, but are isolated using internal VLANS.
Port 0 (CPU) is connected to the WAN port, and is seen as ethwan from the OS/kernel.
Ports 6 is connected to the LAN ports, and is seen as ethlan from the OS/kernel.

On the OS side, in AP mode, ethwan and ethlan are bridged together and with the standard WLAN wifi devices (ath.) under the bridge br0.

To be able to send tagged VLAN frames from the R7800 OS, the internal switch needs to be setup to forward these frames.
The internal switch only accepts VLAN id from 0 to 127, so I picked in the example VLAN id 10.

Now, we setup the internal switch:
swconfig dev switch0 vlan 10 set ports "0t 5t"
swconfig dev switch0 set apply

Now, the switch looks like this:

PORT	0	1	2	3	4	5	6
NAME	CPU (linked to kernel)	LAN	LAN	LAN	LAN	WAN	? (linked to kernel)
VLAN 1	not member	untagged	untagged	untagged	untagged	not member	untagged
VLAN 2	untagged	not member	not member	not member	not member	untagged	not member
VLAN 10	tagged	not member	not member	not member	not member	tagged	not member

Now, any frame with the VLAN id tag 10 that enters from the OS will be forwarded to the WAN port and leave the switch with its tag (and the other way as well).

On the OS side, we need to create a subinterface for ethwan with VLAN id 10:
ip link add link ethwan name ethwan.10 type vlan id 10

Now, we create the dedicated bridge and add the new subinterface:
brctl addbr briot
brctl stp briot on
brctl addif briot ethwan.10

We need to give it an IP and a subnet, then bring all of this up:
ip addr add 192.168.2.2/24 dev briot
ip link set ethwan.10 up
ip link set briot up

Here I picked the subnet 192.168.2.0/24 for the IOT devices.
The router and gateway has the address 192.168.2.1 on its VLAN10 interface.
The R7800 AP has the address 192.168.2.2.
It is up to the router to deal with DHCP requests if so, and up to the router to deal with any routing/firewall between LAN and IOT zones, as well as IOT and WAN zones if needed.
The router settings are not mentioned here are they are dependent on the router and specific to one's setup.


Creating the additional WLAN wifi SSID

This part is tricky, as we need to deal with all the dni/netgear custom scripts. The device and OS are fully capable of dealing with additional SSID, but it was not taken into account when dni developed their scripts.
The idea is to insert the additional SSID configuration into /etc/config/wireless before it is used, but this file is generated by /sbin/update-wifi and some dni awk script (/etc/wifi_config_comp.awk), so changing /etc/config/wireless would not be enough.

Here is the code needing to be inserted to /etc/config/wireless:

config wifi-iface 'wlg_iot'
        option device 'wifi1'
        option network 'lan'
        option bridge 'briot'
        option mode 'ap'
        option ssid 'my_iot_ssid'
        option encryption 'psk2'
        option key 'my_password'
        option hidden '1'
        option rts '2347'
        option frag '2346'
        option wmm '1'
        option countryie '0'
        option short_preamble '1'
        option bintval '300'
        option dtim_period '2'
        option doth '0'

In this example the SSID is my_iot_ssid, with the password my_password and is hidden.

To insert it at the right time, and be sure the interfaces and bridge are set up, the best way I found to do this is by modifying the script /sbin/update-wifi that is called by /sbin/wlan, and also the awk script. The next post on this thread is explaining that part.

Once /sbin/update-wifi and /etc/wifi_config_comp.awk are modified accordingly, all you need to to is
sh -c "wlan down; wlan up"
Please note that this command will interrupt the Wifi for a few seconds.
Also, it should stay after reboots. Only a firmware upgrade would reset these files, but with the automount script on a USB drive, you could automate the two files to be modified after an upgrade.

Now, any device connecting to the SSID my_iot_ssid will be in the VLAN 10 and forwarded to the router under that VLAN, separated from the other SSID and LAN devices.


Again, I use my R7800 as an AP, but this could be adapted for router mode. There would be no need to deal with the internal switch config or the ethwan.10 subinterface; briot would only have the new wlan interface, unless you plan to use one or several of the ethernet ports to have IOT devices.

 

[HELLO_wORLD]

I found a way to have this working better and automatically with reboots.
I confirm also that this way, having the guest wifi enabled is not mandatory.

inserting this to /sbin/update-wifi near the end:

…
uci commit wireless
sync

######## BOLEMO ADDED ------>
swconfig dev switch0 vlan 10 show | grep -q 'ports: 0t 5t $' || swconfig dev switch0 vlan 10 set ports "0t 5t"
swconfig dev switch0 set apply
ip l sh ethwan.iot >/dev/null 2>&1 || ip l a link ethwan name ethwan.iot type vlan id 10
brctl show briot >/dev/null 2>&1 || brctl addbr briot
brctl stp briot on
brctl show briot | grep -qF 'ethwan.iot' || brctl addif briot ethwan.iot
ip a add 192.168.2.2/24 dev briot
ip l set ethwan.iot up
ip l set briot up
cat <<'EOF' >>/etc/config/wireless
config wifi-iface 'wlg_iot'
        option device 'wifi1'
        option network 'lan'
        option bridge 'briot'
        option mode 'ap'
        option ssid 'my_ssid'
        option encryption 'psk2'
        option key 'my_password'
        option hidden '1'
        option rts '2347'
        option frag '2346'
        option wmm '1'
        option countryie '0'
        option short_preamble '1'
        option bintval '300'
        option dtim_period '2'
        option doth '0'
EOF
sync
######## <------ BOLEMO ADDED

generate_lbd "lbd"
uci commit lbd
sync

Also, the file /etc/wifi_config_comp.awk needs to be slightly changed as It produces an error otherwise:

root@R7800:~$ diff /etc/wifi_config_comp.awk.orig /etc/wifi_config_comp.awk
178c178
<                 system("uci set wireless."i".module_reload=1")
---
>                 system("uci set wireless.'qcawifi'.module_reload=1")
180c180
<                 system("uci set wireless."i".module_reload=0")
---
>                 system("uci set wireless.'qcawifi'.module_reload=0")
214c214
<     system("uci commit")
---
>     system("uci commit wireless")

For people not familiar with diff, this means that a line starting with < need to be replaced by the following one with > (lines that need to be changed: 178, 180 and 214)

 

[alexnev]

Great thing! Do you know if same will work for Orbi RBR50?

 

[HELLO_wORLD]

Great thing! Do you know if same will work for Orbi RBR50?

I suppose in theory it would work, the Wifi chip is QCA9984.
After, I don't know about the hardware switch in Orbis, so you would need to check (swconfig) and experiment.

 

[alexnev]

I suppose in theory it would work, the Wifi chip is QCA9984.
After, I don't know about the hardware switch in Orbis, so you would need to check (swconfig) and experiment.

Thank you for the response! Would you mind to take a look if I pm you copy of swconfig? Not very deep knowledge here on my end unfortunately. I’m very happy with my current rbr50 with voxel setup, only thing I was missing were isolated network for IoT. I was thinking to upgrade to rbr80 “pro” units - I even bought couple of them to be used in AP mode with my new Mikrotik router. But if old Orbi potentially capable - that’ll be very good. A lot of units of older system are available here for cheap. And many users are fine with ac wireless speeds

 

[alexnev]

Switch0 reported to be AR8327 and AR8337

 

[alexnev]

Looks like same setup:

config interface '0'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ieee1905managed '1'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '1'
        option mode 'dscp'
        option status 'enable'

config switch_ext

 

[HELLO_wORLD]

Looks like same setup:

config interface '0'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ieee1905managed '1'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'

config switch_ext
        option device 'switch0'
        option name 'QosPtMode'
        option port_id '1'
        option mode 'dscp'
        option status 'enable'

config switch_ext

Good, seems you have something like that:

PORT	0	1	2	3	4	5
NAME	CPU (linked to kernel)	WAN	LAN	LAN	LAN	?
VLAN 1	tagged	not member	untagged	untagged	untagged	untagged
VLAN 2	tagged	untagged	not member	not member	not member	not member

So you definitely could try

You would have to adjust with the right switch ports (looks like WAN is port 1 in your case, instead of 5 on R7800).

swconfig dev switch0 show could give you more info to confirm the setup.

 

[alexnev]

I readjusted things and about to try

 

[alexnev]

@HELLO_wORLD you are genius! Just tried and it is freaking working!
Now with 129$ Mikrotik router i can do great setup with my existing orbis!

The only thing i have to keep all modded files in overlay folder on USB stick - orbis use RAM and its gets erased every reboot

 

[kamoj]

I found a way to have this working better and automatically with reboots.
...

Thank you @HELLO_wORLD, an amazing functionality increase!

I have a question:
Can this simplified way be used with the router in Router mode? If so - how?

 

[HELLO_wORLD]

Thank you @HELLO_wORLD, an amazing functionality increase!

I have a question:
Can this simplified way be used with the router in Router mode? If so - how?

I am sure it can.
Look what I wrote at the end of the first post.
The simplified way described in post #2 would need to be stripped of what is not necessary in router mode.
Then the routing rules and firewall would have to be setup to do what you want (for example prevent IoT to reach internet but be visible to LAN or only specific devices in LAN, etc…)

Remember there is two elements here :
– adding extra SSID
– creating VLANs

In AP, you have to deal with the internal switch to isolate the traffic on the AP itself and to send it on its own VLAN to the router via ethernet that then deals with it.

 

[kamoj]

I am sure it can.
Look what I wrote at the end of the first post.
The simplified way described in post #2 would need to be stripped of what is not necessary in router mode.
Then the routing rules and firewall would have to be setup to do what you want (for example prevent IoT to reach internet but be visible to LAN or only specific devices in LAN, etc…)

Remember there is two elements here :
– adding extra SSID
– creating VLANs

In AP, you have to deal with the internal switch to isolate the traffic on the AP itself and to send it on its own VLAN to the router via ethernet that then deals with it.

Thank you for the fast reply!
I was just hoping there was an easy way to add an SSID with just same functionality/limitations as a guest wifi.

 

[HELLO_wORLD]

Thank you for the fast reply!
I was just hoping there was an easy way to add an SSID with just same functionality/limitations as a guest wifi.

Well, it can be quite easy indeed.

Just enable the guest wifi and observe how it is set up by netgear (check interfaces/bridges, routes, rules, vlans and firewall, internal switch is likely not involved at all).
Then just reproduce it by adapting my code in post #2.

 

[alexnev]

Hi all, changes made to the unit of course are local - only active on the device it applied to. Any wisdom how to force main unit to pass it to the connected satellites? This is of course orbi specific so maybe @Voxel will know?