Dumb AP has no access to internet

I am in the process of revamping my setup and adding another AP to close some white spots. My network consists of three zones (lan, guest & iot).

I followed the Dumb AP Guide and it seems to work for all clients. Since there is only one Ethernet cable, I use VLANs. Lan and guest clients can reach the internet, and iot clients can get DNS and DHCP from the main router.

However, it seems like I messed up somewhere, because the AP is not able to connect to the internet. I can use the LuCI Diagnostics tools and resolve URLs, but I cannot ping hosts or IPs outside my network.

Config from main router:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdda::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.10.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '...'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2t 3'
	option vid '1'
	option description 'lan'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'
	option description 'wan'

config interface 'guest'
	option proto 'static'
	option ipaddr '10.30.0.1'
	option netmask '255.255.255.0'
	option device 'br-guest'

config interface 'iot'
	option proto 'static'
	option ipaddr '10.20.0.1'
	option netmask '255.255.255.0'
	option device 'br-iot'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.30'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.20'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '20'
	option ports '0t 2t'
	option description 'iot'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 2t 4 5'
	option vid '30'
	option description 'guest'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'olymp'
	option encryption 'psk2'
	option key '...'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'olymp'
	option encryption 'psk2'
	option key '...'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'tartaros'
	option encryption 'psk2'
	option isolate '1'
	option key '...'
	option network 'guest'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'tartaros'
	option encryption 'psk2'
	option isolate '1'
	option key '...'
	option network 'guest'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'elysium'
	option encryption 'psk2'
	option key '...'
	option network 'iot'

Config from AP:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf5::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.10.0.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.10.0.1'
	list dns '10.10.0.1'

config device
	option name 'eth0.2'
	option macaddr '...'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option auto '0'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4 5t'
	option vid '1'
	option description 'lan'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t'
	option vid '2'
	option description 'wan'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '20'
	option ports '0t 5t'
	option description 'iot'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 5t'
	option vid '30'
	option description 'guest'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	list ports 'eth0.30'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '10.30.0.2'
	option netmask '255.255.255.0'
	option gateway '10.30.0.1'
	list dns '10.30.0.1'
	option ip6assign '60'

config device
	option type 'bridge'
	option name 'br-iot'
	option bridge_empty '1'
	list ports 'eth0.20'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '10.20.0.2'
	option netmask '255.255.255.0'
	list dns '10.20.0.1'
	option gateway '10.20.0.1'
	option ip6assign '60'

/etc/config/wireless (identical to main)

What am I missing? Any help would be very much appreciated!
Also, is it OK to delete the WAN device/VLAN from the dumb AP?

Yea, you have a few gateways listed. Fix that. You need 1.

Change your guest and iot networks to unmanaged...

They'll look like this, instead:

config interface 'guest'
	option proto 'none'
	option device 'br-guest'

Thank you, that did the trick!

However I do not understand why I would configure Lan differently from the other networks? Would you ELI5 why Lan must be managed or give me some source I can start looking for the answer? Logic tells me that every network needs a gateway and since the main router is either 10.10.0.1, 10.20.0.1 or 10.30.0.1 respectively I would expect to have to set it accordingly.

A dumb AP only needs an address in the network that is used to manage it -- i.e. a trusted lan or a dedicated management network. The rest are just bridged through... an unmanaged interface + bridge connects wifi with the VLAN in question transparently.

In the case of guest and IoT networks, it's also preferred not to have an address on those networks because they are untrusted and there is no need for those client devices (guest/IoT devices) to be able to reach the dumb AP in the first place. Without an address on an untrusted network, it simply serves as a fully transparent bridge with no ability for the untrusted devices to connect to the management/admin interfaces.

Does that help?

P.S. Technically, an address on the main lan isn't even required for it to be a totally transparent dumb AP. However, from a practical perspective, you wouldn't be able to connect to the AP to configure it if it didn't have an address.

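The two points from the replies above (only one default gateway on the AP, and no AP address on the guest/IoT networks) can be checked mechanically. This is an added example, not part of the original thread: the function name `audit_dumb_ap`, the finding labels and the two sample configs (constructed from the interfaces posted in the question) are assumptions, and it inspects only static `ipaddr`/`gateway` options in the file, not runtime state.

```shell
# Added example: audit a dumb AP UCI network config for the issues in this thread.
# Usage on the AP: audit_dumb_ap <management-interface> < /etc/config/network
audit_dumb_ap() {
    awk -v mgmt="$1" -v q="'" '
    function unq(s) { gsub(q, "", s); return s }   # strip UCI single quotes
    function report() {                            # called when a section ends
        if (name != "" && name != "loopback") {
            if (gw != "") { ngw++; gws = gws " " name "=" gw }
            if (name != mgmt && ip != "") print "ADDRESS_ON_NON_MGMT " name " " ip
        }
        name = ""; ip = ""; gw = ""
    }
    $1 == "config" { report(); if ($2 == "interface") name = unq($3); next }
    name != "" && $1 == "option" && $2 == "ipaddr"  { ip = unq($3) }
    name != "" && $1 == "option" && $2 == "gateway" { gw = unq($3) }
    END { report(); if (ngw > 1) print "MULTIPLE_GATEWAYS" gws }
    '
}
# Constructed sample: the AP interfaces as posted in the question (abridged).
ap_config_before() {
    cat <<'EOF'
config interface 'lan'
	option proto 'static'
	option ipaddr '10.10.0.2'
	option gateway '10.10.0.1'
config interface 'guest'
	option proto 'static'
	option ipaddr '10.30.0.2'
	option gateway '10.30.0.1'
config interface 'iot'
	option proto 'static'
	option ipaddr '10.20.0.2'
	option gateway '10.20.0.1'
EOF
}
# Constructed sample: the same interfaces after the fix given in the reply.
ap_config_after() {
    cat <<'EOF'
config interface 'lan'
	option proto 'static'
	option ipaddr '10.10.0.2'
	option gateway '10.10.0.1'
config interface 'guest'
	option proto 'none'
config interface 'iot'
	option proto 'none'
EOF
}
ap_config_before | audit_dumb_ap lan   # three findings
ap_config_after  | audit_dumb_ap lan   # no output: config is clean
```

An empty result means the AP has a routable address and default route only on the management network, so guest and IoT clients have no AP address to reach LuCI or SSH on.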

Thank you so much for the explanation, this makes way more sense for me now!
