Hello,
I have the original TO configuration with 2 VLANs bridged together (https://doc.turris.cz/doc/en/howto/vlan_settings_omnia): on LAN0-LAN3 (VLAN 1) devices, a switch etc. are connected, and on LAN4 (VLAN 2) a wifi access point is connected.
My idea was to create a 3rd VLAN (VLAN 3), so on LAN4 there will be VLAN 2 and VLAN 3. VLAN 3 will then be restricted by the firewall (it will be a kind of guest wifi); VLAN 1 and VLAN 2 will work like now, devices in VLAN 1 will be able to communicate with devices in VLAN 2 and vice versa.
If I understand correctly they must be tagged, so the config will be something like:
Can you paste the matrix from LuCI? This is hard to navigate.
You must also put the CPU port into VLAN 3 if you’re planning to use bridging/firewall. VLANs are a Layer 2 feature; you also need to have an interface on your VLAN.
Yes, that’s what you would do, but I think you meant “eth2.3” under “lan-2”.
May I ask why you have eth0 and eth2.2 bridged via software rather than the switch hardware? Unless you’re doing some firewalling between them, that just puts load on the CPU unnecessarily.
If there are any other better options I will be glad. My goal is to have two VLANs on eth2 (the LAN4 port) so I can configure a guest network with limited access to the internal network on the WiFi AP connected to it.
I don’t understand your configuration. There is no reason to bridge like that between port 4 and port 6. You’re also not sending your frames to the CPU.
Are the frames coming into your Port 4 and Port 6 really tagged? Why are you not letting them into the CPU? If you have “untrusted” devices on your port 4, then you can just turn that port off for VLAN 1 and choose untagged in the higher VLAN. Then you pick the tagged option on the same VLAN for the CPU port because you’re creating a virtual and tagged eth device in the router OS.
The processor of the router Turris Omnia (SoC, Armada 385) has 3 network interfaces. In the system they are eth0, eth1 and eth2. Interface eth1 is connected directly to WAN on the back side of the router, the interfaces eth0 and eth2 are connected to the switch-chip, specifically to ports 5 and 6, and their assignment to the connectors LAN0 – LAN4 can be configured.
The router is by default configured so that the LAN4 connector is assigned to the eth2 interface. The rest of the connectors (LAN0 – LAN3) are connected via the interface eth0.
LAN0-LAN3 are local trusted devices.
A wifi access point is connected on LAN4, currently with one wifi network - trusted. My plan is to add a second wifi for untrusted devices (my AP is able to do it, I just need another VLAN there).
So my idea was not to change the original setup, just to add another VLAN to LAN4.
It’s honestly up to you to describe the problem in a clear way so that someone trying to help you can understand it.
The proposed VLAN configuration looks good in this case. Would this change to your lan-2 from the original config work? Can you ping this router interface from a client on your guest wifi?
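The setup the thread arrives at (VLAN 2 and VLAN 3 both tagged to the CPU on port 6 so that eth2.2 and eth2.3 exist, VLAN 3 also tagged toward the AP on LAN4, and lan-2 on eth2.3 in its own firewall zone) written out as /etc/config/network and /etc/config/firewall fragments. This is an added example, not the poster's configuration or the Turris documentation: the port numbers (4 = LAN4, 5 = eth0, 6 = eth2) come from the thread, while the addresses, the `guest` zone name, the default `wan` zone and VLAN 2 being untagged toward the AP are assumptions that have to match what the AP expects.

```uci
# /etc/config/network (fragment). Switch ports: 0-3 = LAN0-LAN3, 4 = LAN4,
# 5 = CPU eth0, 6 = CPU eth2 (from the thread); a 't' suffix means tagged.
# VLAN 1: trusted wired ports, untagged to the CPU on eth0.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'
# VLAN 2: trusted wifi, untagged toward the AP, tagged to the CPU -> eth2.2.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'
# VLAN 3: guest wifi, tagged on LAN4 and on the CPU port -> eth2.3.
# Port 4 is not in VLAN 1, so guest frames never enter the trusted wired VLAN.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '4t 6t'
# Trusted LAN: eth0 and eth2.2 bridged, as in the original setup (assumed subnet).
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth2.2'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
# Guest network: its own interface on the VLAN 3 sub-device (assumed subnet).
config interface 'lan-2'
        option ifname 'eth2.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

# /etc/config/firewall (fragment): guests may reach WAN only; the router
# accepts only DHCP and DNS from them; there is no forwarding guest -> lan.
config zone
        option name 'guest'
        option network 'lan-2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
config forwarding
        option src 'guest'
        option dest 'wan'
config rule
        option name 'Guest-DHCP-DNS'
        option src 'guest'
        option dest_port '53 67'
        option proto 'tcp udp'
        option target 'ACCEPT'
```

With `input 'REJECT'` on the guest zone, the ping test suggested above will fail by design unless ICMP is also accepted; a guest client getting a DHCP lease from 192.168.3.1 and resolving names through it is the equivalent check, and a failed ping to a host in 192.168.1.0/24 confirms the isolation.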