Access point on port 5 (vlan2) of main router setup

latest stable openwrt.
BT HH5a. (VDSL wireless etc router)

What seems to be the default vlan config as no changes made is:
ports 1-4 (yellow) and two wireless devices bridged and on vlan 1, DHCP gives out 192.168.1.x

port 5 (red) on vlan 2, no DHCP it seems as plugging something in does not issue address

Is it possible to put one of those simple repeater* devices (or other old wireless router) that has on it one ethernet port to connect to [main] router - set in access point mode and using a different ip address scheme eg. 192.168.2.x - on the port 5 and let it have access to the internet ?

*in access point mode it doesn't seem to issue nameservers ... so it may not be possible but there is another old netgear wireless router to be used if better.

The use case: to have this separate wireless ap for a guest wireless network (using different addressing) with internet access via main router only, but isolated from everything else on the main router.

As will be obvious, this is from me as a networking newbie and upfront, I am sorry for any incorrect terms used etc and frustrated at my lack of knowledge in having to come here so soon. I have read and read, but what I think is needed is for some kind person to explain what to set up or check is set up (devices, vlan, interfaces, firewall using luci or uci or direct editing of config) to achieve the use case and then I can go away to do it and understand it as I do it ... i.e. to provide a setup suggestion and component parts to work with. If there is a better way, please advise too.

Regards and thank you. I'm dubious the above is well written or clear enough ... but here goes :slight_smile:
Habs

This would be expected as that port is typically an upstream (WAN) connection -- DHCP client by default -- and not part of your LAN.

I assume this device is running OpenWrt? If so, please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network

thank you.

Since I posted I have 'achieved' some success in getting a setup working.

The AP is configured to 192.168.10.254 with 'gateway' set to 192.168.10.1 and DHCP dishing out 192.168.10.100 - ..200 addresses netmask 255.255.255.0.

The port 5 on the HH5a (red - wan) in the LuCI 'switch' details is shown as 'untagged' on vlan 2 (linked to device eth0.2 it seems) and 'off' on vlan 1.

I jumped in and created an interface 'GLAN' linked to the eth0.2 device with static address of 192.168.10.1 (the address set as gateway on AP). Additionally created GLAN firewall zone with settings accept and 'forwarding' to the WAN zone (internet on the HH5 using device dsl0.101 ..another vlan listed as it seems which is to the ISP over PPPoE etc) ... essentially it is just same as for the main LAN zone settings.

Then, connected a CAT5 lead from the AP single eth port to the Port 5 (red) on the HH5A and all seemed to work.

From the main LAN it is possible to ping the 192.168.10.1 (port 5 red) but nothing else inside that vlan 2.

From any client connected to the AP (in VLAN2) it is possible to get to the internet but nothing on the main LAN.

It seems to work ... but I have a lot to learn (inc. if it is secure!) and to think about. It seems fine for now, but will study it a bit more.

When I've digested I will come back and post the config requested for a critique. If there is something glaringly 'wrong' with the above (it's a jumble of words and a diag would be better, I guess) then let me know ... otherwise, I will be back (gulp).

Thank you again

A diagram of your network as well as a description of the actual intent/end-goals will be useful to supplement your config files. Also, the capabilities of your AP are relevant, too -- i.e. is it VLAN aware (which depends on the hardware and the firmware that is installed) -- so providing info about that device would be good.

The relevant files on your HH5a are shown below (wireless is only relevant if the HH5a is also going to be handling multiple networks on wifi):

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

In general, the red WAN port on the bthub5 is 'just another port on the switch' - it can be configured any way you want (the default is for it to be off, in favour of the integrated xDSL modem taking the WAN capacity). Check https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=266 for a verbose walkthrough for your device.

Other than that, and after you've read the guide above, please follow psherman's advice of both outlining your desired outcome (diagram of the desired network topology) and your current configurations, as I have to admit that it isn't quite clear to me what you're trying to accomplish exactly (and the details matter).

network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'xxxx'

config dsl 'dsl'
        option ds_snr_offset '0'
        option tone 'av'
        option xfer_mode 'ptm'
        option annex 'b'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option ipv6 '0'

config device
        option name 'eth0.1'
        option macaddr 'xxxxxx'
        option ipv6 '0'

config device
        option name 'dsl0'
        option macaddr 'xxxxxx'
        option mtu '1480'
        option ipv6 '0'

config device
        option name 'dsl0.101'
        option type '8021q'
        option ifname 'dsl0'
        option vid '101'
        option ipv6 '0'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'
        option device 'br-lan'

config interface 'wan'
        option proto 'pppoe'
        option password 'xxxxxxx'
        option username 'xxxxxxx'
        option mtu '1480'
        option ipv6 '0'
        option delegate '0'
        option peerdns '0'
        list dns 'xxx'
        list dns 'xxx'
        option device 'dsl0.101'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'pppoe-wan'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'GLAN'
        option proto 'static'
        option device 'eth0.2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns 'xxxx'
        list dns 'xxxx'

config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option ipv6 '0'
        option mtu '1480'

firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'
        option synflood_protect '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'glan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'GLAN'
        option family 'ipv4'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option family 'ipv4'
        list network 'wan'

config forwarding
        option src 'glan'
        option dest 'wan'

dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option domain 'xxxxxxxx'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option local 'xxxxxxxxx'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

'concept' diag

The wireless AP does not vlan by the way, but it seems not to matter ... at least to my ignorant eye.

The AP is on vlan 2 on the switch (again apologies for any incorrect terms used) which is unaltered from its default install state

It seems to work ... but is it 'right' (security wise etc).

Thank you ... anything I need to clarify please let me know. I hope this is enough to highlight anything in error.

Habs

PS: could not upload small image directly (no permissions ?) so I have linked it
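On the "is it 'right' (security wise)" question above, here is an added example (not part of the thread and not from any poster) that audits the posted 'glan' zone against a constructed hardened variant. The function names, the REJECT policies and the two rules are assumptions following common OpenWrt guest-network practice, and the rules assume the router itself serves DNS and DHCP to guests.

```python
import re
# Guest zone as posted on this page (policy=ACCEPT) and a constructed hardened
# variant (policy=REJECT plus rules), assuming the router serves guests DNS/DHCP.
ZONE = """
config zone
        option name 'glan'
        option input '{policy}'
        option forward '{policy}'
        list network 'GLAN'
config forwarding
        option src 'glan'
        option dest 'wan'
"""
RULE = """
config rule
        option src 'glan'
        option proto '{proto}'
        option dest_port '{port}'
        option target 'ACCEPT'
"""
POSTED = ZONE.format(policy="ACCEPT")
HARDENED = (ZONE.format(policy="REJECT") + RULE.format(proto="tcp udp", port=53)
            + RULE.format(proto="udp", port=67))

def parse_uci(text):  # -> [(section_type, {option: last value})], enough for this audit
    sections = []
    pat = r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?"
    for kind, key, val in re.findall(pat, text, re.M):
        if kind == "config":
            sections.append((key, {}))
        elif sections:
            sections[-1][1][key] = val
    return sections

def audit_guest(text, zone="glan", trusted="lan"):
    """Return findings for the guest zone; an empty list means none."""
    secs = parse_uci(text)
    z = next(o for t, o in secs if t == "zone" and o.get("name") == zone)
    out = [f"{k} ACCEPT: {why}" for k, why in (
        ("input", "guests can reach every service on the router"),
        ("forward", "forwarding inside the zone is unrestricted")) if z.get(k) == "ACCEPT"]
    if any(t == "forwarding" and (o.get("src"), o.get("dest")) == (zone, trusted)
           for t, o in secs):
        out.append(f"forwarding {zone} -> {trusted}: guests can reach the main LAN")
    ports = {o.get("dest_port") for t, o in secs if t == "rule"
             and o.get("src") == zone and "dest" not in o and o.get("target") == "ACCEPT"}
    out += [f"no rule admits {svc} (port {p}) from guests" for p, svc in
            (("53", "DNS"), ("67", "DHCP")) if z.get("input") != "ACCEPT" and p not in ports]
    return out
```

`audit_guest(POSTED)` reports the two ACCEPT policies; there is no glan-to-lan forwarding in the posted config, so the LAN isolation observed in the thread comes from the default forward REJECT, while the router's own services stay reachable from the guest side.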

Following up - the above is 'working' but not as it should - issues with DNS etc and the fact that the cheap AP being used has limited configurability (if that is a word). Therefore I am closing this so to speak and going to reconsider and read further a bit more - I need to learn some. Cheers to everyone who reads this.
