Additional Dumb Access Point

Hello everyone,

I want to create an AP similar to https://openwrt.org/docs/guide-user/network/wifi/dumbap. The guide itself works fine for me. However, I cannot use the lan network because I need it for another network.

To be more specific, I want to create a dumb AP for the gateway router (192.168.178.0/24), which is connected on the wan port. Furthermore, I want the lan network (10.0.0.0/16) to remain in its current state. So my approach was to duplicate the lan network as much as possible and name it kurti. The only difference, to my knowledge, is that its device is an empty bridge, since all ports except wan are part of the lan network.

However, with the kurti network, the dumb AP does not work: not even layer 2 traffic is able to pass from clients to the main gateway and vice versa. Does anybody have a clue what could be wrong? I suspect it is related to some firewall settings.

Thank you in advance!

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdad:0ee6:24d4::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.0.0'
	option ip6assign '64'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option type 'bridge'

config interface 'ISOWLAN'
	option proto 'static'
	option ipaddr '10.1.0.1'
	option netmask '255.255.255.0'
	option device 'wlan0-1'

config device
	option name 'eth0'
	option ip6segmentrouting '1'

config device
	option name 'br-kurti'
	option type 'bridge'
	option bridge_empty '1'

config interface 'kurti'
	option proto 'static'
	option ipaddr '192.168.178.111'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'
	list dns '192.168.178.1'
	option device 'br-kurti'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '2g'
	option country 'AT'
	option cell_density '0'
	option htmode 'HT40'
	option channel '3'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Internal AP'
	option encryption 'sae-mixed'
	option key 'Anotherkey#555'
	option hidden '1'
	option network 'lan ISOWLAN'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Internal AP'
	option encryption 'sae-mixed'
	option key 'Anotherkey#555'
	option hidden '1'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option encryption 'sae-mixed'
	option key 'Somekey#777'
	option network 'kurti'
	option ssid 'Dumb AP'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'kurti'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'kurti'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'kurti'
	option dest 'wan'
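
Added example, not part of any post in this thread: a small Python check run over a trimmed excerpt of the configuration posted above. It shows that the 'Dumb AP' SSID is attached to br-kurti, a bridge with no member ports, so its clients share no layer-2 segment with the wan port. The function names are hypothetical, and the parser handles only the config/option/list lines used here.

```python
import re

# Trimmed excerpt of the configuration posted above (indentation as spaces).
POSTED = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
config device
    option name 'br-kurti'
    option type 'bridge'
    option bridge_empty '1'
config interface 'lan'
    option device 'br-lan'
config interface 'kurti'
    option device 'br-kurti'
config wifi-iface 'default_radio1'
    option network 'lan'
    option ssid 'Internal AP'
config wifi-iface 'wifinet3'
    option network 'kurti'
    option ssid 'Dumb AP'
"""

def parse_uci(text):
    """Minimal UCI parser: one dict per section; 'list' lines collect into lists."""
    sections = []
    for line in text.splitlines():
        words = [q or w for q, w in re.findall(r"'([^']*)'|(\S+)", line)]
        if len(words) >= 2 and words[0] == "config":
            sections.append({".type": words[1], ".name": (words + [None])[2]})
        elif len(words) == 3 and words[0] == "option" and sections:
            sections[-1][words[1]] = words[2]
        elif len(words) == 3 and words[0] == "list" and sections:
            sections[-1].setdefault(words[1], []).append(words[2])
    return sections

def ssids_without_wired_path(sections):
    """(ssid, bridge) pairs whose network is attached to a bridge with no ports."""
    empty = {s["name"] for s in sections if s[".type"] == "device" and "name" in s
             and s.get("type") == "bridge" and not s.get("ports")}
    net_dev = {s[".name"]: s.get("device") for s in sections if s[".type"] == "interface"}
    return [(s.get("ssid"), net_dev[net])
            for s in sections if s[".type"] == "wifi-iface"
            for net in s.get("network", "").split() if net_dev.get(net) in empty]

if __name__ == "__main__":
    for ssid, bridge in ssids_without_wired_path(parse_uci(POSTED)):
        print(f"SSID {ssid!r} joins {bridge}, which has no wired ports")
```

The check only reports the layer-2 gap in the posted layout; it does not prescribe which port or zone layout to use instead.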

Since what you want to achieve is not a dumbAP, it is wrong to use it as a template.
Better make a drawing/explanation of what you want to achieve and we can help you to implement it from a factory default state.

Thank you for your reply!

This is the topology I want to achieve. I hope it helps to understand my goals.

R0 has a DHCP server for 192.168.178.0/24 (blue) and R1 has a DHCP server for 10.0.0.1/16 (green). All hardware in the red area is part of the OpenWRT device, whereas R0 is not under my control.

I still named one AP "dumb AP" to be consistent with my posted configuration. I thought that a dumb AP is just a term for an AP where the OpenWRT device does not alter any traffic from an ethernet port.

You might look into setting up a guest wifi on a dumb AP.
The Guest wifi is the 10.0.0.0 subnet:

Of course, first set up the Dumb AP:

This actually looks quite similar to my approach with the difference being the guest network and lan network swapped in my case. I will try this out though. Thank you!

Exactly :+1:

Ok, after some time following both guides, I was able to at least make it work with IPv6 (global unicast addresses generated out of the router advertisements from R0). Although not optimal, I think it is sufficient at least for now, and I will figure out the IPv4 part eventually.

Thank you very much!

About IPv4 guest wifi on a dumb AP, make sure you enable MASQUERADING on the LAN interface:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap#firewall_-_part_1

I will try. However, I do not think this will work out for me since I want the DHCP4 server from my main router R0 and not addresses from a NAT.

It was indeed what I was missing out. Works completely as intended now. Thank you very much!
