Multiple Access Points With 802.1Q using OpenWRT(part2)

Welcome back!

In the last part, part 1, we configured our OpenWRT device, got it to emit two(2) Access Point SSIDs (insecureWiFi & secureWiFi), created two(2) VLANs to separate traffic frames, and created a trunk to our PoweConnect switch! Wow!
For this part, part 2, we will be creating another VLAN Trunk from our Dell PowerConnect switch to our Linux router, designing and configuring some Firewall rules.

Now, back to our topology….


Creating the 802.1Q Trunk Link

  1. Installing and Configuring VLANs on Linux

    I am using a home based Linux router, running Ubuntu 12.04 server. Here is where I run my IPTABLES and firwall rules. Look back at our topology diagram. Do you see the Trunk between the Dell PowerConnect switch and the IPTABLES firewall? Great, we need to prepare each side of the Trunk link. Let’s start with the Linux IPTABLES side.

    NOTICE: eth1 is the physical interface of the Trunk link.

    Load the 802.1Q module

    Have the module automatically load on startup by adding “8021q” at the end of the /etc/modules file:

  2. Adding VLANs to our eth0 interface

    The next step will add the VLAN tags to the eth1 interface, so we must specify 100 and 110. Once we add the first VLAN tag the interface will be converted into a Trunk interface.

    You should see two(2) new interfaces called eth1.100 and eth1.110. Seem familar? It’s because back when we did it under OpenWRT, it was linux too!

  3. Adding IPs to each VLAN interface

    I am picking the first host address in each subnet, remember our subnets are and

    Let’s also add these address to the /etc/network/interfaces config, so they will remain permanant.
    In your /etc/network/interfaces add:

    NOTICE: vlan_raw_device, denotes the physical interface to bind/attach itself to.

  4. Creating Trunk Link on PowerConenct

    We did this in part 1, so quickly create a Trunk link on port g21. g21 is connected to eth1 on our Linux router.


    We now have to give both networks Internet access, but deny the insecure network( to our secure network ( Assume for this tutorial that on our Linux Router, the eth0 interface is a public interface.

    On the Linux Router…

  1. Allow Secure to Insecure Network

  2. Deny Insecure to Secure Network

  3. Masquerade Internet bound traffic

    NOTICE: This will allow full Internet access for both networks. You may want to filter your Insecure network to only HTTP and HTTPS.

Verifying It All Works

  1. Set OpenWRT IPs

    Log back onto the OpenWRT Web Configuration page. Browse to the Insecure Interface and make sure it has an IP address set on the network, next do the same thing for the Secure Interface. For my example OpenWRT has an IP address of on the Secure network and on the Insecure network.

  2. Try to Ping each IP

    Try to ping each IP and from an end user device on the Secure network. My laptop has an IP of I get a 100% echo response from both OpenWRT IPs. This will verify that our new Trunk and our routing is working, since the Linux router needs to route from to networks.

  3. Connecting Wirelessly

    Go ahead and set a static IP address or use OpenWRTs DHCP feature, to assign an insecure network IP. Such as Try to ping a computer on the Secure network. Does it reply? If so, recheck your IPTABLES. Else, try to ping an outside website or Google at Do a traceroute. Does it receive a response? Awesome!

Congrats!!! You have two working Access Points using one Wireless Router!!

See part 1, part 2

There are 4 comments left Go To Comment

  1. Pingback: Multiple Access Points With 802.1Q using OpenWRT(part1) | thejimmahknows /

  2. Dwayne /

    Nice clear instructions, thanks. I’m running OpenWrt 14.07 Barrier Breaker on an Huawei HG556a. I had no idea OpenWrt could make my device support two SSIDs.

  3. frank /

    Explain very clearly. Thanks again!
    Using a router with openwrt B.B without wifi, and linking ubiquiti picostation (openwrt C.C) with dual ssid. How could I do?
    Frank (italy)

    1. thejimmahknows / Post Author

      If I understand correctly, assuming you are trying to segregate each SSID traffic, you could just trunk (tag VLANs) from the Openwrt router you have to the Ubiquiti. You then would use the Openwrt router to route between VLANs. Hope that helps!

Leave a Reply