3 OpenWrts on Network Configuration Question

I've got 3 OpenWRT routers as follows:

1.) Edge Router acting as (ISP Gateway, 5 VLANs, DHCP & Firewall)
2.) WiFI AP device on VLAN3
3.) WiFI AP device on VLAN4

Curious if there is a short direct answer to this question. I want 2.) WiFI device on VLAN3 to fetch its DHCPs from 1.) Edge Router device. The same for 3.) WiFI AP device corresponding VLAN4. Is there a quick and dirty way to do this? Also, don't want either WiFI AP device firewalling / Double NATING.

Yes. You want your ap devices configured as a dumb ap. That will basically just bridge wired and wireless.


Correct @psherman in basic bridge mode. However, available sysupgrade images install luci, iptables firewall, etc... Any way to easily rip it all out? I don't see any specific settings in Luci to config bridge mode either.

There's not a specific push-button setting to configure bridge mode, but there's a pretty simple dumb ap howto


Thank you @dlakelan for providing a link to the dumb AP guide... I probably should have done that.

@troysio - there is no reason to remove the functionality, just disable certain things (like the DHCP server) and the routing layer (NAT, firewall, etc.) will just simply not be used by nature (since you'll be essentially LAN only, nothing going through the routing subsystem).

Found that, there are actually two of them. One with Luci example and one without: https://openwrt.org/docs/guide-user/network/wifi/bridgedap. Thanks for the heads up, I should have searched a bit more as opposed to asking publicly answered questions. My apologies.

I'm using RBM33G boards; however, I'm fumbling through its 3 ports setup for bridging. One is a WAN port, the other 2 LAN. Would rather just bridge all three ports (WAN port is supposed to support PoE, however it's MT's special Latvia PoE I'm discovering).

On the LuCI switch configuration page (Network -> Switch), in the WAN port column, set VLAN 2 to off and VLAN 1 to untagged, just like the two LAN ports.

Thanks for the tip @mpa! ...I'm wondering if bridging is the way to go now because currently there are 5 SSIDs, each of which is on its own VLAN.

Are the APs and the router connected with (wired) ethernet?
You can use VLAN tags to carry multiple VLANs on a single physical ethernet link.

On your router, each VLAN needs a network interface, DHCP and firewall (you might already have this).
Also on your router, add the VLANs in the switch config, and set the downlink ports to the APs to carry all of the VLANs as tagged, with the exception of VLAN 2, which is the router's WAN VLAN.

On your access points, set up the same switch configuration with multiple tagged VLANs on the WAN port, which is connected to the router. Again, each VLAN needs an interface set up as bridge. The wireless networks can then be assigned to these interfaces. This is basically the dumb AP config replicated 5 times.

How the APs' LAN ports are set up is up to you, let us know if you want any suggestions.

Excellent @mpa ! thanks for the additional direction. Yes, each AP is wired and has the same VLANs config as the gateway router. Both router and APs same config as follows:

Just so I'm clear, you're saying on the APs I need to change all the VLAN WAN ports from off to tagged? Then turn off the firewall, dnsmasq and the DHCP servers on each VLAN? Then the gateway router will handle the WiFI DHCP requests?

Currently the main aggregate Ethernet switch's ports are already configured to default a specific VLAN ID for corresponding untagged traffic, and are configured to accept all tagged VLAN ID traffic. Sounds like I'm there, I'll know tonight when I head down to building and plug each AP in.

Change these values, DHCP off...

Yes, assuming each AP's WAN port is used to connect the AP to the router.

Be careful when combining tagged and untagged VLANs on a port, not all devices support this.
As an alternative, you can create a dedicated management port by setting VLAN 1 to untagged, and all other VLANs to off. On ports used to link network infrastructure devices, set all VLANs to tagged, excluding VLAN 2, but including VLAN 1. However, if you are sure that your devices support this tagged/untagged combination, you can keep it.

In any case, the ports on both ends of a link need an identical VLAN configuration (compare the port columns).

Yes, since each VLAN is bridged all the way from the AP's WiFi to the router's CPU.

Could this be a typo in the VID?

And some require an explicit reboot...which should result in the untagged VLAN in any instance.
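
A check for the advice above that both ends of a link need an identical VLAN configuration, as an added example that is not part of the original thread: it parses swconfig-style `switch_vlan` sections from `/etc/config/network` and reports every VLAN whose tagging differs between the two link ports. The sample configs, the port numbers and the mismatched VID are constructed assumptions.

```python
import re

# Constructed sample /etc/config/network fragments; port numbers are assumptions.
ROUTER = """
config switch_vlan
    option vlan '1'
    option ports '1 4t 6t'
config switch_vlan
    option vlan '2'
    option ports '0 6t'
config switch_vlan
    option vlan '3'
    option ports '4t 6t'
config switch_vlan
    option vlan '4'
    option ports '4t 6t'
"""
AP = """
config switch_vlan
    option vlan '1'
    option ports '0t 1 6t'
config switch_vlan
    option vlan '3'
    option ports '0t 6t'
config switch_vlan
    option vlan '4'
    option vid '40'
    option ports '0t 6t'
"""

def parse_switch_vlans(text):
    """Return {vid: {port: 'tagged'|'untagged'}} for each switch_vlan section."""
    vlans = {}
    for body in re.findall(r"^config switch_vlan\b(.*?)(?=^config |\Z)", text, flags=re.M | re.S):
        opts = dict(re.findall(r"^\s*option\s+(\w+)\s+'([^']*)'", body, flags=re.M))
        vid = int(opts.get("vid") or opts["vlan"])  # VID defaults to the table index
        vlans[vid] = {int(p.rstrip("t")): "tagged" if p.endswith("t") else "untagged"
                      for p in opts.get("ports", "").split()}
    return vlans

def compare_link(cfg_a, port_a, cfg_b, port_b):
    """List (vid, mode_on_a, mode_on_b) for every VLAN that differs across the link."""
    a = {v: m[port_a] for v, m in parse_switch_vlans(cfg_a).items() if port_a in m}
    b = {v: m[port_b] for v, m in parse_switch_vlans(cfg_b).items() if port_b in m}
    return [(v, a.get(v, "off"), b.get(v, "off")) for v in sorted(set(a) | set(b))
            if a.get(v, "off") != b.get(v, "off")]

print(compare_link(ROUTER, 4, AP, 0))  # router downlink port 4 vs AP uplink port 0
```

An empty list means the two port columns match; any entry is a VLAN that is tagged, untagged or off on one side only.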