A simple wifi bridge between lan and wifi interfaces [UBNT nanostation AC loco]

hello all,
i got a UBNT Nanostation loco AC to connect a neighbor to my wifi, then i learned that these devices use airmax, so openwrt was a one-way road.
managed to flash it, but i have problems configuring.
i dont want routing, dhcp, firewalls, nothing. Just to bridge wifi interface with ethernet, connect wifi to my home router and setup a static ip.
can someone point me to a guide, i searched a lot, found complicated setups, but not this simple thing.
he will connect (via wireless) to my home router, gw is 192.168.1.1, device must have 192.168.1.26
i managed to make the wireless connection but i messed up with interfaces and ip addresses.
my firmware version is OpenWrt 24.10.0 r28427-6df0e3d02a / LuCI openwrt-24.10 branch 25.014.55016~7046a1c

my second issue is that after any reboot, all settings are dissapeared..

Try this guide:

There is a bug in v24 that prevents OpenWrt from writing anything to flash (including new firmware) on many ubnt models. You will need to TFTP recover to stock then install 23.03.5.

A true bridge is only possible if the AP is in WDS mode. To obtain Internet from a neighbor's wifi that does not support WDS, set up a routed client. Routed client is also advisable when you are the provider and setting this up for your neighbor as you can firewall them from reaching your LAN.

I think that @mk24 and I might have different interpretations of the network topology.

As I read it, I came to the conclusion that you will be connecting this AP to the upstream router via ethernet, and then your neighbor will be using the wifi provided by this device. Is that the intended use case?

Also, these devices are designed as point-to-point radios intended to be used as a pair to make a "wireless wire." While the underlying radios are actually the same as those that would be found in normal wifi APs, they work (using the vendor firmware) using a different method to connect two points wirelessly and are not general APs for connections to phones/tablets/computers/etc. In that capacity, they work really well, so if you're using a pair of these, you might consider staying with the vendor firmware.

On the other hand, if your intent is that this will be used as a wifi AP for 'normal' devices to connect, then using OpenWrt certainly makes sense.

All that said, if you can elaborate/clarify a bit about the specific scenario for this device, that would help us ensure we are giving you the right advice.

this is what i want to do...

Screenshot 2025-05-31 at 8.02.02 PM536×414 18.1 KB

Obviously there is only one nanostation there (not a pair), but am I reading it correctly that the the wireless is link between the ISP device and the nano station. So the upstream connection is wireless, and the downstream is wired?

If that's the case, then @mk24 's interpretation was the correct one, as was his advice.

Does the downstream network need to be one and the same as the upstream (in other words, sharing resources on the network)? Or is this really just providing an internet connection to the downstream, and not attempting to share other devices?

So you're going to install the Nanostation at the neighbor's house, and it will connect to a stock ISP router/gateway at your house?

In that case you definitely need routed client.

• Start from a default configuration.
• If the ISP router uses 192.168.1.X, change the Nanostation's LAN to something else such as 192.168.2.1.
• In the GUI go to the wireless page and click Scan on the 5 GHz radio. Find your ISP router in the list and click Join This Network.
• Set the country code on both radios to your actual country.
• Optionally enable an AP on the 2 GHz radio, on the lan network. This will allow users near the Nanostation to have low-performance wifi. If the neighbors already have a wireless router or AP you should use that instead.

This will set up a basic routed client. You may want to add a firewall rule to reject access to your ISP router's LAN so the neighbors cannot access things in your LAN.

so, i did it this way, but clients "behind" nanostation cannot ping 192.168.1.1

Screenshot 2025-05-31 at 9.18.24 PM968×445 38.5 KB

Screenshot 2025-05-31 at 9.18.47 PM958×519 58.3 KB

Screenshot 2025-05-31 at 9.19.16 PM890×920 73.5 KB

Do they have internet access? If so, that would imply that the general configuration is working

Do they need to be able to ping the upstream router? (this is not a requirement, and if you implemented a firewall blocking the 192.168.1.0/24 network from the 192.168.31.0/24 subnet, that is expected and desired behavior).

no, they do not have access..
i suppose i have to add wwan (phy-sta0) interface to lan (br-lan).
can this be done via www interface ?

No, do not do this.

Let's take a look at your configs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "Atheros AR9342 rev 2",
	"model": "Ubiquiti Nanostation AC loco (WA)",
	"board_name": "ubnt,nanostation-ac-loco",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "ath79/generic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddd:19bc:e4c6::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.31.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'

config interface 'wwan'
	option proto 'dhcp'
	option device 'phy0-sta0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option band '5g'
	option channel '56'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '5g'
	option channel 'auto'
	option htmode 'HT40'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'Onetwelve_5G'
	option encryption 'psk2'
	option key 'Onetwelve2022'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Remove the device line from below:

Delete the ignore line:

Restart the device and test again.

i cannot restart, since its losing the conf.

i used these commands.

root@OpenWrt:~# /etc/init.d/network reload
root@OpenWrt:~# wifi reload

root@OpenWrt:~# ifconfig 
br-lan    Link encap:Ethernet  HWaddr B4:FB:E4:A5:F9:D4  
          inet addr:192.168.31.1  Bcast:192.168.31.255  Mask:255.255.255.0
          inet6 addr: fe80::b6fb:e4ff:fea5:f9d4/64 Scope:Link
          inet6 addr: fddd:19bc:e4c6::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17407 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14739 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1744819 (1.6 MiB)  TX bytes:5988590 (5.7 MiB)

eth0      Link encap:Ethernet  HWaddr B4:FB:E4:A5:F9:D4  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:187999 errors:0 dropped:2055 overruns:0 frame:0
          TX packets:170620 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:16993221 (16.2 MiB)  TX bytes:24067745 (22.9 MiB)
          Interrupt:4 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:21012 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21012 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1600408 (1.5 MiB)  TX bytes:1600408 (1.5 MiB)

phy0-sta0 Link encap:Ethernet  HWaddr B4:FB:E4:A4:F9:D4  
          inet6 addr: fe80::b6fb:e4ff:fea4:f9d4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10484 errors:0 dropped:28 overruns:0 frame:0
          TX packets:196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1286229 (1.2 MiB)  TX bytes:18336 (17.9 KiB)

This will be an untenable situation.

I'd recommend fixing this first so that you can safely restart the device without losing the configs.

can i downgrade it with openwrt-23.05.5-ath79-generic-ubnt_nanostation-ac-loco-squashfs-sysupgrade from www interface ?

No, you need to use tftp.

The problem is that there is a bug in some versions of OpenWrt (apparently also 24.10.0 and maybe also 24.10.1) that prevents the system from successfully writing to the flash storage. To get around this, you cannot be using OpenWrt as the method to flash firmware -- that's where the tftp process comes in.

a little help with this ?
started tftp server, uploaded the image, what do i have to do at openwrt ?
tftp server is 192.168.31.125 file is openwrt-23.05.5.bin