Hello,
I am using OpenWRT on 2 Nighthawk 500 (OpenWRT #1 and #2) and 1 Net-link CPE210-220 (OpenWRT #3).
OpenWRT #1 and #2 are wired using RJ45 to my ISP router. OpenWRT #3 is wirelessly connected (WDS) to OpenWRT #1.
+------------------------+
|ISP Router |
|192.168.2.254 |
|DHCP Server LAN1 +------------------+
|WIFI Access Point LAN1 | |
| | |
| | |
+------------+-----------+ |
| |
| |
| |
+------------+-----------+ +------------+-----------+
|OpenWRT Router #1 | |OpenWRT Router #2 |
|192.168.2.1 | |192.168.2.2 |
|WIFI Access point LAN1 | |WIFI Access point LAN1 |
| | | |
|DHCP Server LAN2 | | |
|WIFI Access Point LAN2 | |WIFI Access Point LAN2 |
+------------------------+ +------------------------+
+-------------------------+
| OpenWRT DummyAP |
| 192.168.2.3 |
| |
| |
| |
| WIFI Access Point LAN2 |
+-------------------------+
My goals are the following:
- Let my ISP router act as the DHCP server for LAN1 (192.168.2.0/24). It also acts as the WiFi access point for this same LAN1.
- OpenWRT #1 acts as RJ45 switch for LAN1
- OpenWRT #1 and #2 act as WiFi AP for LAN1 (same SSID and password as ISP router)
- A second LAN2 (192.168.1.0/24) for my IoT devices. I want LAN2 to have internet access but no visibility into LAN1, while devices on LAN1 must still be able to see and reach LAN2.
- OpenWRT #1, #2 and #3 act as WiFi AP for LAN2 (same SSID and password for the 3 of them).
So far:
Goal #1 is obviously OK
Goal #2 is OK
Goal #3 "looks" OK. But how can I check that traffic actually follows the path Computer > OpenWRT #1/#2 > ISP Router?
Goal #4 is almost there: LAN2 works and cannot see LAN1. My concern is how to get access from LAN1 to LAN2.
Goal #5 is my main issue. A few minutes after enabling the AP for LAN2 on OpenWRT #2, I lose all my devices (no more IP addresses assigned). It looks like the DHCP server on OpenWRT #1 breaks as soon as I start the radio on OpenWRT #2.
Any help would be welcome, as I have tried for several days/weeks to solve these issues, without any luck until now.
Here are the configs for OpenWRT #1 and #2
OpenWRT-#1 [192.168.2.1]
/etc/config/network
# Router #1 network config: loopback, the LAN1 bridge (192.168.2.1/24), wan/wan6 on eth0.2,
# the switch VLAN layout, and the LAN2/IoT bridge (192.168.1.1/24).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# NOTE(review): the opening quote of this value is missing as posted (probably lost while
# redacting the prefix); the file on the router needs balanced quotes.
option ula_prefix xxxx:043d:3dbc::/48'
# LAN1 bridge; its only wired member is eth1.1.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
# This router's LAN1 address; the default gateway is the ISP router (192.168.2.254).
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.2.254'
# wan/wan6 are DHCP/DHCPv6 clients on eth0.2.
# NOTE(review): the post says this router is cabled to the ISP router as part of LAN1; which
# physical port carries that link is not visible here - confirm whether wan is used at all.
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1: switch ports 1-4 untagged, port 6 tagged.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
# VLAN 2: switch port 5 untagged, port 0 tagged.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
# LAN2 (IoT) bridge. It lists no wired ports; bridge_empty '1' creates it anyway, so its
# members are whatever wireless interfaces are bound to network 'RollDom76133'.
config device
option type 'bridge'
option name 'br-RollDom76133'
option bridge_empty '1'
# Router address on LAN2 (192.168.1.1/24) with public resolvers configured on the interface.
config interface 'RollDom76133'
option proto 'static'
option device 'br-RollDom76133'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '8.8.4.4'
# NOTE(review): 192.168.2.254 is outside 192.168.1.0/24 and is already the gateway of 'lan';
# a second default gateway on this interface is probably unnecessary - confirm and drop.
option gateway '192.168.2.254'
/etc/config/firewall
# Router #1 firewall: default-deny input/forward, zones 'lan', 'wan' and the IoT zone
# 'RollDom7613', followed by the per-zone rules. Section order is kept exactly as posted.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# LAN1 zone. masq '1' source-NATs traffic that leaves through this zone; presumably this is
# why LAN2 clients reach the internet via 192.168.2.254 without a static route on the ISP
# router. It also means LAN1 hosts would see LAN2-originated traffic as coming from 192.168.2.1.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# The following wan-sourced rules admit DHCP renewals, ping, IGMP, DHCPv6, MLD and ICMPv6.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules forward IPsec (ESP, UDP/500) from wan into lan; they are
# only needed if an IPsec endpoint sits behind this router - otherwise consider removing them.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# IoT zone for network 'RollDom76133'. The zone name is 'RollDom7613' (one character shorter
# than the network name), and every rule below must reference the zone name.
# input 'REJECT' keeps IoT clients off the router's own services except what is allowed below.
config zone
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'RollDom76133'
option name 'RollDom7613'
# NOTE(review): three forwarding sections with a 'dest' but no 'src'. They look like leftovers
# from editing; how the firewall treats a forwarding without a source is not evident from this
# file - remove them or complete them deliberately.
config forwarding
option dest 'lan'
config forwarding
option dest 'lan'
config forwarding
option dest 'lan'
# Accepts forwarding from the IoT zone into 'lan'. The internet path runs through LAN1
# (gateway 192.168.2.254), so this is what gives LAN2 internet access - and it would also
# expose LAN1 hosts if the 'Roll_Block' rule below were removed or disabled.
# NOTE(review): there is no forwarding with src 'lan' and dest 'RollDom7613', so traffic
# initiated from LAN1 towards LAN2 is not forwarded by this router; LAN1 hosts would also
# need a route to 192.168.1.0/24 via 192.168.2.1 - confirm against the ISP router's settings.
config forwarding
option src 'RollDom7613'
option dest 'lan'
# Lets IoT clients reach the router's DHCP service (UDP 67-68).
config rule
option name 'Roll_DHCP'
list proto 'udp'
option src 'RollDom7613'
option dest_port '67-68'
option target 'ACCEPT'
# Lets IoT clients reach the router's DNS service on port 53 (no proto is specified).
config rule
option name 'Roll_DNS'
option src 'RollDom7613'
option dest_port '53'
option target 'ACCEPT'
# Rejects traffic from the IoT zone to 192.168.2.0/24. This rule is the only thing that
# separates LAN2 from LAN1, because the forwarding above accepts everything else.
# NOTE(review): dest_ip is an IPv4 prefix, so this does not match IPv6; if IPv6 is active on
# LAN1, check that IoT-to-lan IPv6 is not forwarded (e.g. limit the forwarding to IPv4).
config rule
option name 'Roll_Block'
option src 'RollDom7613'
option dest 'lan'
list dest_ip '192.168.2.0/24'
option target 'REJECT'
list proto 'all'
/etc/config/wireless
# Router #1 wireless: radio0 (5 GHz) serves the LAN1 SSID, radio1 (2.4 GHz, channel 1)
# serves the LAN2/IoT SSID with WDS enabled.
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel 'auto'
option band '5g'
option htmode 'VHT40'
option cell_density '0'
option country 'FR'
# LAN1 access point, bridged into network 'lan'; 'sae-mixed' accepts both WPA3-SAE and
# WPA2-PSK clients.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Freebox-3E2237'
option encryption 'sae-mixed'
# NOTE(review): the key is redacted and the closing quote was pasted as a typographic quote;
# the file on the router needs plain, balanced quotes.
option key 'key’
option disassoc_low_ack '0'
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'FR'
# LAN2/IoT access point, bridged into network 'RollDom76133'. wds '1' enables WDS on this AP;
# per the post, OpenWRT #3 connects to this router over WDS.
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'RollDom76133'
option encryption 'sae-mixed'
# NOTE(review): redacted key pasted with typographic quotes; use plain quotes in the real file.
option key ‘key’
option network 'RollDom76133'
option wds '1'
option disassoc_low_ack '0'
OpenWRT-#2 [192.168.2.2]
/etc/config/network
# Router #2 network config: loopback, the LAN1 bridge (192.168.2.2/24), wan/wan6 on eth0.2,
# the switch VLAN layout, and a local LAN2/IoT bridge (192.168.1.2/24).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:7b16::/48'
# LAN1 bridge with eth0.2 and eth1.1 as members.
# NOTE(review): eth0.2 is also the device of 'wan' and 'wan6' below, so the same device is
# both a bridge port and a DHCP client interface. If the intent is to use that port as a LAN1
# port, the wan/wan6 interfaces probably need to be removed or disabled - confirm.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.2'
list ports 'eth1.1'
# This router's LAN1 address; the default gateway is the ISP router (192.168.2.254).
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.2'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.2.254'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1: switch ports 1-4 untagged, port 6 tagged.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
# VLAN 2: switch port 5 untagged, port 0 tagged.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
# Local LAN2 (IoT) bridge. It lists no wired ports, so its members are whatever wireless
# interfaces are bound to network 'RollDom76133' on this router.
# NOTE(review): nothing in this file connects this bridge to router #1's LAN2 bridge at
# layer 2. If so, clients that associate to the LAN2 SSID on this router cannot reach the
# DHCP server on 192.168.1.1, which would match the "no more IP address" symptom in the post.
# LAN2 would need to be carried between the routers (a tagged VLAN on the wired path, if the
# path supports it, or a WDS link) - verify.
config device
option type 'bridge'
option name 'RollDom76133'
option bridge_empty '1'
# Address on LAN2 with router #1 (192.168.1.1) as gateway; that gateway is only reachable if
# the two LAN2 bridges are actually connected.
config interface 'RollDom76133'
option proto 'static'
option device 'RollDom76133'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
/etc/config/firewall
# Router #2 firewall: default-deny input/forward, zones 'lan', 'wan' and the IoT zone
# 'RollDom7613', followed by the per-zone rules. Section order is kept exactly as posted.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# LAN1 zone; masq '1' source-NATs traffic that leaves through this zone.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# The following wan-sourced rules admit DHCP renewals, ping, IGMP, DHCPv6, MLD and ICMPv6.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules forward IPsec (ESP, UDP/500) from wan into lan; they are
# only needed if an IPsec endpoint sits behind this router - otherwise consider removing them.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# IoT zone for network 'RollDom76133'; input 'REJECT' keeps IoT clients off this router's
# own services except what the rules below allow.
config zone
option name 'RollDom7613'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'RollDom76133'
# Lets IoT clients reach this router on port 53 (no proto is specified).
config rule
option name 'Allow-DNS-Roll'
option src 'RollDom7613'
option dest_port '53'
option target 'ACCEPT'
# NOTE(review): '68-68' matches only UDP port 68, whereas router #1's 'Roll_DHCP' rule uses
# 67-68. DHCP servers listen on port 67, so this rule would not admit client requests if this
# router is ever meant to answer DHCP on LAN2 - confirm the intent.
config rule
option name 'Allow-DHCP-Roll'
list proto 'udp'
option src 'RollDom7613'
option dest_port '68-68'
option target 'ACCEPT'
# Accepts forwarding from the IoT zone into 'lan'; only the 'Block_RollDom' rule below keeps
# that traffic away from 192.168.2.0/24.
# NOTE(review): if this router is meant to be a plain access point for LAN2 (clients routed
# by 192.168.1.1), it may not need to route between the IoT zone and 'lan' at all - verify.
config forwarding
option src 'RollDom7613'
option dest 'lan'
# Rejects traffic from the IoT zone to 192.168.2.0/24.
# NOTE(review): dest_ip is an IPv4 prefix, so this does not match IPv6; if IPv6 is active on
# LAN1, check that IoT-to-lan IPv6 is not forwarded.
config rule
option name 'Block_RollDom'
list proto 'all'
option src 'RollDom7613'
option dest 'lan'
list dest_ip '192.168.2.0/24'
option target 'REJECT'
/etc/config/wireless
# Router #2 wireless: radio0 (5 GHz) serves the LAN1 SSID, radio1 (2.4 GHz, channel 1)
# serves the LAN2/IoT SSID.
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel 'auto'
option band '5g'
option htmode 'VHT40'
option cell_density '0'
option country 'FR'
# LAN1 access point, bridged into network 'lan'; 'sae-mixed' accepts both WPA3-SAE and
# WPA2-PSK clients.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Freebox-3E2237'
option encryption 'sae-mixed'
option key 'key'
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'FR'
# LAN2/IoT access point with the same SSID as router #1, bound to this router's local
# 'RollDom76133' network. Unlike router #1's LAN2 AP, no 'wds' option is set here.
# NOTE(review): clients roaming to this AP land on this router's LAN2 bridge; whether that
# bridge reaches the DHCP server on router #1 depends on the network config - verify.
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'RollDom76133'
option encryption 'sae-mixed'
# NOTE(review): the closing quote of the redacted key is missing as posted; the file on the
# router needs balanced quotes.
option key 'key
option network 'RollDom76133'