Dumb Access Point has no internet

Hi, Hoping someone can help, I am going crazy trying to setup a Dumb Access Point with OpenWRT..I am a compete newb to openwrt so I’m sure it’s something I’m doing wrong, I just don’t know what.

My setup is I have a Linkysys WRT3200acm that I installed OpenWRT on, which is my main internet router and it is working perfectly providing internet on wifi, VPNs, etc.

I have run an ethernet cable to a Linksys WRT32x in another room, that I also installed OpenWRT on, I want this to be the Dumb Access Point, and I followed the instructions here exactly as written: Here

My main router is on IP 192.168.1.1, and I set the AP to 192.168.1.2, I have attached a screenshot of the setup on the WRT32x, I was only allowed to upload one screenshot, but I have also disabled dnsmasq, firewall,opchd, etc in Startup.

Ever since I changed the settings on the AP, I cannot access Luci at 192.168.1.2, apart from only if I go into wifi settings on my Mac, and change settings to manual IP instead of DHCP, and then enter an IP in the range, then I can access it perfectly. The wifi network from the AP is working but has no internet, and the AP itself has no internet and anything connected via ethernet doesn't receive internet. I have tried a ping under diagnostics and it comes back with bad address so I believe the AP itself doesn’t have internet.

The ethernet cable is working well (i.e. I can attach it to my computer to the AP and connect perfectly and I have connected the ethernet to numbered LAN ports on both the routers as instructed (not WAN port on the AP).

I have watched tutorials, and read as many posts online as I could about dumb access points on openwrt but I just can’t tell what it is that I have done wrong in this setup, or why the AP can’t get internet if anyone can help, thanks!

Screen Shot 2021-02-27 at 11.45.05 AM1358×1317 100 KB

At the first glance that looks quite correct, especially as you say that you have connect the cable properly as LAN port - LAN port.

Can you show the /etc/config/network in the wrt32x (the AP) ?

What are the contents of the following four files?

• /etc/config/network
• /etc/config/dhcp
• /etc/config/firewall
• /etc/config/wireless - NOTE: make sure to redact your WiFi key/password before pasting this.

Thanks for your replies, here is the network config:

config interface ‘loopback’
	option ifname ‘lo’
	option proto ‘static’
	option ipaddr ‘127.0.0.1’
	option netmask ‘255.0.0.0’

config globals ‘globals’
	option ula_prefix ‘fd0a:b426:4e56::/48’

config interface ‘lan’
	option type ‘bridge’
	option ifname ‘eth0.1’
	option proto ‘static’
	option ipaddr ‘192.168.1.1’
	option netmask ‘255.255.255.0’
	option ip6assign ’60’

config interface ‘wan’
	option ifname ‘eth1.2’
	option proto ‘static’
	option netmask ‘255.255.255.0’
	list dns ‘213.154.124.1’
	option ipaddr ’86.125.34.160’
	option gateway ’86.125.34.1’

config interface ‘wan6’
	option ifname ‘eth1.2’
	option proto ‘dhcpv6’

config switch
	option name ‘switch0’
	option reset ‘1’
	option enable_vlan ‘1’

config switch_vlan
	option device ‘switch0’
	option vlan ‘1’
	option ports ‘0 1 2 3 5t’

config switch_vlan
	option device ‘switch0’
	option vlan ‘2’
	option ports ‘4 6t’

config interface ‘tun0’
	option ifname ‘tun0’
	option proto ‘none’
	option auto ‘0’

etc/config/dhcp:

config dnsmasq
	option domainneeded ‘1’
	option boguspriv ‘1’
	option filterwin2k ‘0’
	option localise_queries ‘1’
	option rebind_protection ‘1’
	option rebind_localhost ‘1’
	option local ‘/lan/‘
	option domain ‘lan’
	option expandhosts ‘1’
	option nonegcache ‘0’
	option authoritative ‘1’
	option readethers ‘1’
	option leasefile ‘/tmp/dhcp.leases’
	option resolvfile ‘/tmp/resolv.conf.auto’
	option nonwildcard ‘1’
	option localservice ‘1’

config dhcp ‘lan’
	option interface ‘lan’
	option start ‘100’
	option limit ‘150’
	option leasetime ‘12h’
	option dhcpv6 ‘server’
	option ra ‘server’
	option ra_management ‘1’

config dhcp ‘wan’
	option interface ‘wan’
	option ignore ‘1’

config odhcpd ‘odhcpd’
	option maindhcp ‘0’
	option leasefile ‘/tmp/hosts/odhcpd’
	option leasetrigger ‘/usr/sbin/odhcpd-update’
	option loglevel ‘4’

/etc/config/firewall:

config defaults
	option input ‘ACCEPT’
	option output ‘ACCEPT’
	option forward ‘REJECT’
	option synflood_protect ‘1’

config zone
	option name ‘lan’
	option input ‘ACCEPT’
	option output ‘ACCEPT’
	option forward ‘ACCEPT’
	option network ‘lan’

config zone
	option name ‘wan’
	option input ‘REJECT’
	option output ‘ACCEPT’
	option forward ‘REJECT’
	option masq ‘1’
	option mtu_fix ‘1’
	option network ‘tun0 wan wan6’

config forwarding
	option src ‘lan’
	option dest ‘wan’

config rule
	option name ‘Allow-DHCP-Renew’
	option src ‘wan’
	option proto ‘udp’
	option dest_port ’68’
	option target ‘ACCEPT’
	option family ‘ipv4’

config rule
	option name ‘Allow-Ping’
	option src ‘wan’
	option proto ‘icmp’
	option icmp_type ‘echo-request’
	option family ‘ipv4’
	option target ‘ACCEPT’

config rule
	option name ‘Allow-IGMP’
	option src ‘wan’
	option proto ‘igmp’
	option family ‘ipv4’
	option target ‘ACCEPT’

config rule
	option name ‘Allow-DHCPv6’
	option src ‘wan’
	option proto ‘udp’
	option src_ip ‘fc00::/6’
	option dest_ip ‘fc00::/6’
	option dest_port ‘546’
	option family ‘ipv6’
	option target ‘ACCEPT’

config rule
	option name ‘Allow-MLD’
	option src ‘wan’
	option proto ‘icmp’
	option src_ip ‘fe80::/10’
	list icmp_type ‘130/0’
	list icmp_type ‘131/0’
	list icmp_type ‘132/0’
	list icmp_type ‘143/0’
	option family ‘ipv6’
	option target ‘ACCEPT’

config rule
	option name ‘Allow-ICMPv6-Input’
	option src ‘wan’
	option proto ‘icmp’
	list icmp_type ‘echo-request’
	list icmp_type ‘echo-reply’
	list icmp_type ‘destination-unreachable’
	list icmp_type ‘packet-too-big’
	list icmp_type ‘time-exceeded’
	list icmp_type ‘bad-header’
	list icmp_type ‘unknown-header-type’
	list icmp_type ‘router-solicitation’
	list icmp_type ‘neighbour-solicitation’
	list icmp_type ‘router-advertisement’
	list icmp_type ‘neighbour-advertisement’
	option limit ‘1000/sec’
	option family ‘ipv6’
	option target ‘ACCEPT’

config rule
	option name ‘Allow-ICMPv6-Forward’
	option src ‘wan’
	option dest ‘*’
	option proto ‘icmp’
	list icmp_type ‘echo-request’
	list icmp_type ‘echo-reply’
	list icmp_type ‘destination-unreachable’
	list icmp_type ‘packet-too-big’
	list icmp_type ‘time-exceeded’
	list icmp_type ‘bad-header’
	list icmp_type ‘unknown-header-type’
	option limit ‘1000/sec’
	option family ‘ipv6’
	option target ‘ACCEPT’

config rule
	option name ‘Allow-IPSec-ESP’
	option src ‘wan’
	option dest ‘lan’
	option proto ‘esp’
	option target ‘ACCEPT’

config rule
	option name ‘Allow-ISAKMP’
	option src ‘wan’
	option dest ‘lan’
	option dest_port ‘500’
	option proto ‘udp’
	option target ‘ACCEPT’

config include
	option path ‘/etc/firewall.user’

/etc/config/wireless:

config wifi-device ‘radio0’
	option type ‘mac80211’
	option channel ’36’
	option hwmode ‘11a’
	option path ‘soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0’
	option htmode ‘VHT80’
	option country ‘RO’

config wifi-iface ‘default_radio0’
	option device ‘radio0’
	option network ‘lan’
	option mode ‘ap’
	option ssid ‘Wifi DT Bedroom 5G’
	option key ‘*********’
	option encryption ‘psk2’

config wifi-device ‘radio1’
	option type ‘mac80211’
	option channel ’11’
	option hwmode ‘11g’
	option path ‘soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0’
	option htmode ‘HT20’
	option country ‘RO’

config wifi-iface ‘default_radio1’
	option device ‘radio1’
	option network ‘lan’
	option mode ‘ap’
	option ssid ‘Wifi DT Bedroom 2G’
	option key ‘********’
	option encryption ‘psk2’

config wifi-device ‘radio2’
	option type ‘mac80211’
	option channel ’36’
	option hwmode ‘11a’
	option path ‘platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1’
	option htmode ‘VHT80’
	option country ‘RO’
	option disabled ‘1’

Apologies, I think I sent the files for the main router not the AP, I will correct that now...sorry still learning SSH and Terminal!

No worries. However, no need to edit those posts; the files for the main router may also be useful.

/etc/config/network Access Point:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd18:c1e1:1d8d::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option ifname 'eth0 eth0.1 eth1 eth1.2 wlan'
	list dns '192.168.1.1'
	option broadcast '192.168.1.255'
	option ipaddr '192.168.1.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

/etc/config/firewall Access Point:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

/etc/config/dhcp Access Point:

config dnsmasq
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option authoritative '1'
	option domainneeded '1'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/wireless Access Point:

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'RO'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:c3:74:da'
	option key ‘********’
	option ssid 'WiFi DT Living Room 5G'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'RO'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr '62:38:e0:c3:74:d9'
	option key ‘********’
	option ssid 'WiFi DT Living Room 2G'
	option encryption 'psk2'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

Ok I have now uploaded the 4 files for both devices, thanks for your help!

That row looks strange.

I have successfully run a Buffalo WZR-HP-G300NH as a dumb access point in the past, and I am currently running (as I type this) a GL.iNet GL-MT300N as a dumb AP.

In a nutshell:

• Configure the dumb AP's LAN interface with an IP address in the same subnet as the main router's LAN interface
• Disable the DHCP server on the dumb AP, so it doesn't conflict with the DHCP server on the main router
• Connect the dumb AP's LAN interface (not the WAN interface) to the LAN side of the main router

From your description and your config files, it seems that you've done all of the above.

I don't have a WRT32x for comparison, but the item spotted by @hnyman also caught my eye: the interface definition for the "lan" interface. Without knowing the requirements of the WRT32x, I can't categorically state whether that line is correct or incorrect, but it's unlike what I'm accustomed to seeing.

If it helps, here's my own dumb AP's configuration, which you may use as a reference:

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option delegate '0'
        option ipaddr '192.168.66.66'
        option netmask '255.255.255.0'
        option gateway '192.168.66.1'
        option broadcast '192.168.66.255'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'e4:95:6e:40:72:32'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'e4:95:6e:40:72:33'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

/etc/config/firewall: - note: the dumb AP isn't routing traffic, so I don't require it to do any firewalling itself; the firewall configuration is basically empty

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option drop_invalid '1'

config include
        option path '/etc/firewall.user'

/etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/10180000.wmac'
        option channel 'auto'
        option country 'GB'
        option legacy_rates '0'
        option htmode 'HT40'
        option disabled '0'

config wifi-iface 'wifinet0'
        option network 'lan'
        option ssid 'WAP'
        option device 'radio0'
        option mode 'ap'
        option key '**********'
        option wpa_disable_eapol_key_retries '1'
        option encryption 'psk2+ccmp'
        option disabled '0'

Thank you so much for your help, I was locked out for 24 hours as I'm a new member...

I have changed my firewall document to mirror the contents of yours, as it seemed like mine had way more settings than it needed for being an AP...

I'm wondering with the interface line that doesn't look correct to you and @hnyman, what I might I be doing wrong there and how would I work out how to correct that?

Would that issue be enough to cause the AP not to receive internet from my main router, and to lock me out from the AP unless I use manual IP access on my computer?

It's important to keep in mind the purpose of the firewall when deciding whether or not to strip out the configuration. The firewall's job is to control layer 3 (IP) traffic as it crosses the router between different subnets. A dumb AP doesn't route layer 3 traffic; it merely extends the existing subnet to any connected WiFi clients (it's a layer 2 bridge). Therefore a firewall isn't needed for this purpose. If your AP was itself providing routing services between two subnets then you might wish to use a firewall.

To act as a dumb AP, the router has to bridge the wireless and LAN interfaces so that they're in the same broadcast domain. The default out-of-the-box configuration of OpenWRT does this anyway.

Unless I miss my guess, your configuration puts both the LAN (VLAN 1) and WAN (VLAN 2) VLANs onto the same interface. That would be... challenging to make work, to say the least.

Essentially, for a dumb AP, you don't need the WAN interface at all. Everything goes through the LAN side.

In addition, your LAN interface definition includes a device called "wlan", but I can't see "wlan" defined anywhere in your configurations. Your wireless configuration assigns the 2G and 5G networks to the "lan" interface already.

I would suggest changing the "ifname" definition for "lan" to just "eth0.1" and see how you get on.

Potentially. If the router doesn't know which way to send traffic, it can cause some interesting problems to solve.

You are mashing everything together on the ifname line: lan, wan, vlans, wlan. Why?

That is not the default line for your router, I guess
Just try with the default ifname line for your router (for a normal routing config).

With "dumb AP" you just forget about wan, but otherwise the lan & wlan config can stay pretty much intact.

You can later try e.g. including the unutilized wan port into the bridge, but just start simple.

E.g. on my own dumb AP the ifname line is just the simple original 'eth0.1' (matching the normal default for my device):

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        option ip6ifaceid '::2'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

I have a gut feeling that you are trying to over-configure something there. Dumb AP is pretty much just about assigning a fixed IP, providing DNS server and gateway addresses correctly, and disabling DHCP/DNS & firewall.

Ok I changed to Eth0.1 as suggested, and rebooted, and still no internet connection, the ping still shows bad address.

I followed the instructions exactly as shown on the openwrt tutorial, but I wasn't sure about the settings for that line so I think that is where things have gotten confused...if eth0.1 wasn't correct (or perhaps that is correct and something else is the issue?), what should I try next?

I really appreciate your help, I feel like I'm doing something stupid here that is causing this issue!