Create separate wifi access points for each interface

I am using WireGuard on my OpenWrt router (related thread: Openwrt as a wifi repeater and wireguard setup).

Is it possible to make isolated wifi networks with WireGuard?

  1. A plain WAN-backed wifi access point (by default OpenWrt creates this; it provides internet through the lan interface)
  2. An access point connecting through the WireGuard interface (I need to create one more access point that provides internet through the WireGuard interface)

My interfaces

I tried pointing the wifi access point at the wan/wwan interface, but it does not work.

cheers
nitin

Likely your internet provider gives you one IP address only.

One ip is given by the ISP and the other by vpn

But not a 2nd IP for the wifi client.

I followed the guide as mentioned by @Linux-DADDY

AP1(Jimmy Neutron) is pointed to network wf_wireguard
AP2(Goddard) is pointed to network wf_home
and my original AP(Nitin) is pointed to network lan

AP1 connects successfully to VPN

The issues are:

  1. AP2 does not connect to the internet; I get an IP address successfully, but have no access to the LuCI router configuration panel
  2. AP does not connect to the internet; I get an IP address successfully, and I am able to access the LuCI router configuration panel
  3. When the PC is connected via LAN, it does not connect to the internet; I do not get an IP address

Please post your config files directly into the forum... this helps improve the process of troubleshooting the issues:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

--ubus call system board--

/etc/config$ ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "Nitin",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "TP-Link Archer C50 v4",
	"board_name": "tplink,archer-c50-v4",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

--cat /etc/config/network--

# /etc/config/network as posted in the thread; '#' lines are review notes.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd4:6727:00d4::/48'

# br-lan carries only the eth0.1 VLAN (switch VLAN 1 below); the 'Nitin' AP
# in /etc/config/wireless also attaches to the 'lan' network.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.141.42'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Wired wan port (eth0.2 / switch VLAN 2). NOTE(review): MAC addresses were
# left unredacted in the post although the thread asked for them to be redacted.
config device
	option name 'eth0.2'
	option macaddr '1c:3b:f3:21:7e:25'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '2 4 6t'

# Wireless uplink; the 'wifinet1' sta interface in /etc/config/wireless binds
# to this network. peerdns '0' discards the resolvers offered by the upstream
# AP in favour of the two static entries listed here.
config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# The wf_* interfaces carry no 'device' option; presumably they are attached
# to wifi APs through the wifi-iface 'network' option. Only wf_home and
# wf_wireguard are referenced from the posted /etc/config/wireless.
config interface 'wf_home'
        option proto 'static'
        option ipaddr '10.0.3.1'
        option netmask '255.255.255.0'

config interface 'wf_wireguard'
        option proto 'static'
        option ipaddr '10.0.5.1'
        option netmask '255.255.255.0'

# WireGuard client interface. The private key is redacted in the post; the
# peer endpoint hostname below was not.
config interface 'wireguard_jp'
	option proto 'wireguard'
	option private_key '<private key>'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list addresses '10.2.0.2/32'

# Peer with allowed_ips 0.0.0.0/0 and route_allowed_ips '1', i.e. routes for
# the allowed IPs are installed automatically. NOTE(review): presumably that
# puts a default route via the tunnel into the main table, competing with the
# wan default route used by 'lan' — TODO confirm; the policy rule below only
# diverts wf_wireguard traffic to table 102.
config wireguard_wireguard_jp
	option description 'nitin'
	option public_key '<public key>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'wg.nitinsawant.com'
	option endpoint_port '51820'
	option persistent_keepalive '21'
	option route_allowed_ips '1'

# NOTE(review): this route's 'source' (10.2.0.1/24) does not match the tunnel
# address configured above (10.2.0.2/32); the next route, with source
# 10.2.0.2, does. This entry looks like a leftover.
config route
        option interface 'wireguard_jp'
        option target '0.0.0.0/0'
        option table '102'
        option source '10.2.0.1/24'

# Default route for table 102, sourced from the tunnel address.
config route
        option interface 'wireguard_jp'
        option target '0.0.0.0/0'
        option table '102'
        option source '10.2.0.2'

# Policy rule: traffic entering from wf_wireguard is looked up in table 102,
# i.e. sent through the tunnel default route above instead of the main table.
config rule
        option in 'wf_wireguard'
        option lookup '102'

# Not referenced by any wifi-iface in the posted wireless config; the poster
# later reports removing it.
config interface 'wf_free'
        option proto 'static'
        option ipaddr '10.0.7.1'
        option netmask '255.255.255.0'

--cat /etc/config/wireless--

# /etc/config/wireless as posted in the thread; '#' lines are review notes.
# NOTE(review): 'macaddr' and 'bssid' values were left in the post although the
# thread asked for MAC addresses to be redacted; the keys are redacted.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option channel '11'
	option band '2g'
	option htmode 'HT20'
	option country 'IN'
	option cell_density '0'

# Original AP ('Nitin') on the trusted 'lan' network.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Nitin'
	option encryption 'psk-mixed'
	option macaddr 'f4:1a:9c:dc:53:24'
	option key '<pwd>'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

# 5 GHz radio used as a client (sta) towards the upstream 'RH-5.8G' network,
# pinned to one BSSID; this provides the 'wwan' uplink.
config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'sta'
	option network 'wwan'
	option ssid 'RH-5.8G'
	option bssid '44:95:3B:9E:70:81'
	option encryption 'psk2'
	option key '<pwd>'

# AP1 ('Jimmy Neutron'): attached to wf_wireguard, whose traffic is policy-
# routed into the tunnel (see /etc/config/network). 'psk-mixed' presumably
# accepts WPA1 as well as WPA2 clients, unlike the 'psk2' sta profile above.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Jimmy Neutron'
	option encryption 'psk-mixed'	
	option macaddr 'f4:1a:9c:dc:53:25'
	option key '<pwd>'
	option network 'wf_wireguard'

# AP2 ('Goddard'): attached to wf_home, which the firewall forwards to wan.
config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Goddard'
	option encryption 'psk-mixed'
	option macaddr 'f4:1a:9c:dc:53:26'
	option key '<pwd>'
	option network 'wf_home'

--cat /etc/config/dhcp--

# /etc/config/dhcp as posted in the thread; '#' lines are review notes.
# dnsmasq ignores the system resolv.conf (noresolv '1') and forwards to two
# local listeners, 127.0.0.1#5053 and 127.0.0.1#5054; the doh_* options
# suggest these are local DNS-over-HTTPS proxies — TODO confirm.
# The 'server' entries with no target ('/mask.icloud.com/' etc.) presumably
# make dnsmasq answer those names locally (NXDOMAIN) instead of forwarding,
# which would block Apple's Private Relay discovery and the Firefox DoH
# canary domain — confirm that this is intended.
# rebind_protection and localservice are both enabled.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	list server '127.0.0.1#5054'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '127.0.0.1#5054'
	list doh_backup_server '/mask.icloud.com/'
	list doh_backup_server '/mask-h2.icloud.com/'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '127.0.0.1#5053'
	list doh_server '127.0.0.1#5053'

# Pool for the trusted 'lan' network; also serves DHCPv6 and RAs.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# No DHCP server on the uplink.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# IPv4-only pools for the wf_* networks (no dhcpv6/ra options, unlike 'lan').
config dhcp 'wf_home'
	option interface 'wf_home'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wf_wireguard'
	option interface 'wf_wireguard'
	option start '100'
	option limit '150'
	option leasetime '12h'

# Pool for wf_free, although no wifi-iface in the posted wireless config uses
# that network.
config dhcp 'wf_free'
	option interface 'wf_free'
	option start '100'
	option limit '150'
	option leasetime '12h'

--cat /etc/config/firewall--

# /etc/config/firewall as posted in the thread; '#' lines are review notes.
# Both the older 'syn_flood' and the newer 'synflood_protect' options are set.
# Software and hardware flow offloading are enabled; a reply in the thread
# suggests testing first with both offloads disabled.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

# Trusted zone: input ACCEPT, so the router's own services (LuCI, ssh) are
# reachable from 'lan' — consistent with the report that the 'Nitin' AP can
# open LuCI.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Upstream zone: wired wan/wan6 and the wireless 'wwan' uplink share one
# masquerading zone.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

# Guest-style zones: input REJECT, so only the explicit DNS/DHCP rules further
# down reach the router itself. This matches the report that clients on the
# 'Goddard' AP (wf_home) get a lease but cannot open LuCI.
config zone
        option name 'wf_free'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wf_free'

config zone
        option name 'wf_home'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wf_home'

config zone
        option name 'wf_wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wf_wireguard'

# Tunnel zone: masq '1' NATs traffic leaving through wireguard_jp.
config zone
        option name 'wg_jp'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wireguard_jp'
        option masq '1'
        option mtu_fix '1'

# The only forwarding out of 'lan' is to wan; lan has no path into the tunnel.
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt wan input rules follow. Note that the two IPsec rules
# (Allow-IPSec-ESP, Allow-ISAKMP) forward ESP and UDP/500 from wan into lan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# wf_home may reach the router for DNS (port 53; no proto given, so presumably
# both tcp and udp) and DHCP (udp/67) only; everything else is forwarded to wan.
config rule
        option name 'WF_Home DNS'
        option src 'wf_home'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'WF_Home DHCP'
        list proto 'udp'
        option src 'wf_home'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'wf_home'
        option dest 'wan'

# wf_wg: same DNS/DHCP exceptions, but its only forwarding is into the wg_jp
# zone. There is no wf_wg -> wan forwarding, so when the tunnel is down these
# clients presumably lose Internet access rather than falling back to wan.
config rule
        option name 'WF_WireGuard DNS'
        option src 'wf_wg'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'WF_WireGuard DHCP'
        list proto 'udp'
        option src 'wf_wg'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'wf_wg'
        option dest 'wg_jp'

# wf_free: DNS/DHCP exceptions but no forwarding rule at all, so this zone can
# reach the router's DNS/DHCP and nothing else.
config rule
        option name 'WF_FREE DNS'
        option src 'wf_free'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'WF_FREE DHCP'
        list proto 'udp'
        option src 'wf_free'
        option dest_port '67'
        option target 'ACCEPT'

Forwarding rules do look to be in the right places.
Try first without firewall flow offloading, then add it back and compare speed vs latency.
Also, it will not hurt to update to 23.05.5.


I'm a total newbie to firewalls;
it would help me if you post the config.

thanks in advance

Go back and find the 2 boxes you ticked in LuCI/Network/Firewall.


First of all, you don't have to name the APs as I did there. WF stands for Wireless Freedom.
I can see you have some issues.

This should be /24.

Remove this.


Thanks a ton @Linux-DADDY , @brada4
I applied the settings as mentioned, and both APs have internet now.

After things were stable I removed the wf_free and wf_home interfaces and the firewall rules related to them, as they were not used anywhere.

cheers
nitin


@Linux-DADDY , @brada4

The only remaining issue is that the LAN is not working.

How is it not working? Wifi connected to br-lan allegedly works, so the physical ports should too.


Yes, you should. You don't need to copy everything as I did there. If I get time I will probably update that old config file of mine and make a tutorial on it.

