Extend Wi-Fi on Same Subnet: Works in Official Firmware But Not in OpenWrt?

Is it possible to use OpenWrt on a wireless extender and keep the device on the same subnet as the main network?

I have a Netgear EX3700 and I was running OpenWrt on it for about a month but I couldn't figure out how to set it up so that the interfaces on both networks were using the same subnet. I had to set it up like this:

WiFi network: 192.168.1.0/24
Extender network: 192.168.2.0/24

I followed several guides to attempt to bridge the networks together but I wasn't successful and ended up losing connection to the device, so I reinstalled the official firmware. The official firmware sets both networks up on the same subnet like this:

Wi-Fi network: 192.168.1.0/24
Extender network: 192.168.1.0/24

All the devices on both networks were able to communicate with each other since they were all on the same subnet.

I know that the difficulty is that Linux won't let you bridge Wi-Fi networks, but I'm curious how the official firmware is able to do it? Does anybody know of a working procedure to extend a wireless network and have both networks be on the same subnet?

802.11 is not a directly "bridge-able" protocol for any system. Though there is a standard for WDS packet format, there is no standard for use of the WDS "4ADDR" headers. WDS, as a result, tends to only be interoperable if both/all devices are running the same OS or a close variant thereof.

Solutions such as Layer 2 GRE tunnels for point-to-point links, or batman-adv for mesh (three or more stations) tend to be the most robust, when you have control over all the end points.

"relayd" is an IPv4 "hack" that sort of works. It or something similar is likely what is used by most, if not all OEM "repeater" functionality.

I'm guessing that the OEM made it "even more of a hack" by hiding the subnet conflict behind some fancy source-based routing.


Yeah, I tried relayd and I couldn't get it to work right. The issue I was having was my upnp server wasn't showing up because it was on the other side of the network. The broadcast messages weren't getting relayed over to the extender and its WiFi network.

I thought about trying this guide on Debian's wiki that uses ebtables, but it kind of looks like a pain in the a$$ because you have to set up rules for each device so that it can spoof the MAC addresses to make it look like the devices are all on the same network.

https://wiki.debian.org/BridgeNetworkConnections#Bridging_with_a_wireless_NIC

In effect, that is what relayd tries to do. For the network to look contiguous, one would need to ensure that all L2 and L3 broadcast packets are forwarded across the bridge, as well as targeted L2 and L3 traffic. This seems to require both proxy ARP, some fancy routing rules, as well as explicitly handling the broadcast packets (as they are generally not routed off the link on which they are generated).

Do you have administrative control of the "upstream" router? If so, can it be configured for a L2 GRE tunnel (recent OpenWrt can do this)?

I'm sure the EdgeRouter would be capable of the GRE tunnel. It's the device that is connected directly to my AT&T FIOS ethernet port in the wall block. (I have my AT&T supplied router connected directly to the EdgeRouter on port eth2, and the EdgeRouter has a proxy on it that forwards the authentication packets between the AT&T router and the FIOS port. Then the AT&T router is out of the loop and does no routing; it functions only to authenticate the FIOS connection and after that acts only as a wireless AP in my setup.) The EdgeRouter is running Debian.

I have control over all of the devices that are involved, except for some of the wireless clients of other people in the house, but I can easily get those devices' IP addresses/MAC addresses by looking at my EdgeRouter's DHCP server's leases and static assignments.

My setup looks like this:


   (Netgear EX3700 Wi-Fi Extender*2*)
               ::::
(AT&T Router/Wi-Fi AP)    (D-Link Wi-Fi AP*3*)
                |                          |                   
                |  [eth2]                  |                             
FIOS---[eth0](EdgeRouter*1*)[eth1]---(1Gb switch)
                                      |   |   |
                                    (2 Laptop PCs + 1 Desktop PC)

*1* : 192.168.1.1 (Router/Gateway/DNS server/DHCP server)

*2* : 192.168.1.3 (official FW) / 192.168.2.3 (OpenWRT)

*3* : 192.168.1.2 (D-Link DAP-2360 Wi-Fi AP)

|    : Ethernet link
:::: : Wireless link

My apologies for what is going to be a sketchy answer, as we're without power here in California right now. Going from memory:

  • Create a new (virtual) AP on the upstream wireless device, "GRE_SSID" or whatever

    • Static IP, /2 netmask is enough -- I use "Class B" private addresses for this (so they're "obvious" in tcpdump or the like), 172.16.0.1/2, for example
    • Disable DHCP on the device
    • Set the MTU "big" to allow for GRE encapsulation. As I recall 32 additional bytes is enough for IPv4 GRE. But check this!
  • Create a new STA (client) on the repeater, associated with GRE_SSID

    • Static IP in same subnet, 172.16.0.2/2, for example
    • Set the MTU "big" to allow for GRE encapsulation.
  • Disable DHCP and other "unneeded" services on the repeater

  • Install the gretap package on both routers

  • Create a GRE tunnel between 172.16.0.1 and 172.16.0.2

    • There was some funkiness in the config, as I recall, needing to specify both the local and remote IP addresses
    • Be careful with interface names, as there is a 15-character limit and OpenWrt "helpfully" adds gre4t- to whatever you specify in UCI.
  • Bridge the GRE interface with the (existing) bridge for "LAN" (or whichever you want to bridge) on both routers

    • If you want to bridge multiple subnets, you can use VLAN notation, such as gre4t-guest.101 (15 characters, phew!) with an "arbitrary" VLAN for each, consistent on both ends of the tunnel (as it doesn't go through the switch)
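To make the MTU step above concrete ("Set the MTU big to allow for GRE encapsulation ... But check this!"), here is an added example that is not code from the thread, from OpenWrt or from iproute2. It builds a gretap packet by hand: an inner Ethernet frame (a constructed broadcast ARP request, the kind of traffic relayd was failing to carry) wrapped in a GRE header with the Transparent Ethernet Bridging protocol type, inside an outer IPv4 header. The overhead it computes is what the carrier link (the GRE_SSID station interface) must add on top of the bridged segment's MTU. The MAC and IP addresses are constructed sample values.

```python
"""Hand-built gretap (Ethernet over GRE over IPv4) encapsulation and MTU math.

Added example for this thread; not OpenWrt, iproute2 or any vendor code.
Header sizes follow RFC 2784 (GRE) and RFC 791 (IPv4); all addresses below
are constructed for illustration.
"""
import socket
import struct

ETH_HDR_LEN = 14        # dst MAC + src MAC + EtherType (the inner frame's header)
VLAN_TAG_LEN = 4        # extra 802.1Q tag when a gre4t-xxx.10 style sub-interface is bridged
GRE_HDR_LEN = 4         # flags/version + protocol type, no checksum/key/sequence
GRE_KEY_LEN = 4         # optional GRE key field ("key" in iproute2)
IPV4_HDR_LEN = 20       # outer IPv4 header without options
GRE_PROTO_TEB = 0x6558  # Transparent Ethernet Bridging: GRE payload is an Ethernet frame
IPPROTO_GRE = 47


def gretap_overhead(vlan_tagged: bool = False, keyed: bool = False) -> int:
    """Bytes added on top of the inner Ethernet payload by gretap over IPv4."""
    return (ETH_HDR_LEN + (VLAN_TAG_LEN if vlan_tagged else 0)
            + GRE_HDR_LEN + (GRE_KEY_LEN if keyed else 0) + IPV4_HDR_LEN)


def required_carrier_mtu(inner_mtu: int = 1500, **opts) -> int:
    """Smallest MTU the carrier link needs so a full-size inner frame is not fragmented."""
    return inner_mtu + gretap_overhead(**opts)


def max_inner_mtu(carrier_mtu: int = 1500, **opts) -> int:
    """Largest MTU the bridged segment can keep if the carrier MTU cannot be raised."""
    return carrier_mtu - gretap_overhead(**opts)


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_eth_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a raw Ethernet II frame from textual MACs."""
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    src = bytes.fromhex(src_mac.replace(":", ""))
    return dst + src + struct.pack("!H", ethertype) + payload


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed broadcast ARP "who-has" frame: L2 broadcast that a L2 tunnel must carry."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      smac, socket.inet_aton(sender_ip),
                      b"\x00" * 6, socket.inet_aton(target_ip))
    return build_eth_frame("ff:ff:ff:ff:ff:ff", sender_mac, 0x0806, arp)


def encapsulate(inner_frame: bytes, outer_src: str, outer_dst: str, ident: int = 1) -> bytes:
    """Wrap an Ethernet frame as gretap would: outer IPv4 (proto 47) + GRE + frame."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_TEB)   # no C/K/S flags, version 0
    total_len = IPV4_HDR_LEN + len(gre) + len(inner_frame)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, 64,
                      IPPROTO_GRE, 0, socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner_frame


def decapsulate(packet: bytes):
    """Validate the outer headers and return (outer_src, outer_dst, inner_frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < IPV4_HDR_LEN:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not an Ethernet frame (not gretap)")
    # Optional fields: C (0x8000) checksum+reserved, K (0x2000) key, S (0x1000) sequence
    gre_len = GRE_HDR_LEN + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    return src, dst, packet[ihl + gre_len:total_len]


if __name__ == "__main__":
    arp = build_arp_request("02:00:00:00:00:01", "192.168.1.3", "192.168.1.1")
    pkt = encapsulate(arp, "172.16.0.3", "172.16.0.1")   # repeater -> upstream, constructed
    print("gretap overhead:", gretap_overhead(), "bytes; carrier MTU for 1500:", required_carrier_mtu())
    print("decapsulated OK:", decapsulate(pkt)[2] == arp)
```

With no VLAN tag and no key the overhead is 38 bytes, which is why a gretap interface created on a 1500-byte carrier defaults to an MTU of 1462; the thread's "32 bytes" recollection undercounts by the inner Ethernet header plus two, so either raise the carrier MTU to at least 1538 (where the wireless driver allows it) or lower the bridged segment's MTU.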

Hmm. In the last step, I don't know if I'll be able to create a bridge on one of the Wireless APs upstream because they are on stock firmware. Can I create the bridge on the EdgeRouter instead? It only has ethernet ports but it's upstream and on the same subnet as the Wireless APs.


I would be connecting the wireless extender to a wireless network of either the D-Link AP or the AT&T Router/AP, but gretap would actually be running on the EdgeRouter. I think I get the general idea. Is gretap similar to openvpn? I seem to remember reading something about bridging with openvpn on the wiki?

My lack of clarity, I think!

I was calling things in my head

AT&T FIOS (transparent) <--> OpenWrt "upstream" <--> OpenWrt "repeater"
                                    |----- GRE tunnel ------|

Similar to a "tap" OpenVPN connection, but without the CPU overhead of encryption. For many people (myself included), WPA2 encryption is "enough" to bridge WPA2-encrypted wireless segments.

See the dated (2016), but still interesting https://justus.berlin/2016/02/performance-of-tunneling-methods-in-openwrt/

Thanks for the link. Looks like there's not much overhead at all with a GRE tunnel according to that site. I'll definitely give it a try when I get OpenWrt put back on my wireless extender.


Network A = 192.168.1.0/24

192.168.1.1: EdgeRouter: directly connected to internet. It has three gigabit ethernet ports:

eth0 -> AT&T FIOS ONT port (Internet)

eth1 -> 5-port Gigabit switch

eth2 -> AT&T Router(192.168.1.254): authorizes EdgeRouter with AT&T FIOS through a proxy script then functions only as Wireless AP)

EdgeRouter supports gretap tunnels. It's running Debian Linux and I have root SSH access.

It is running DHCP and DNS servers and leasing IPs in the 192.168.1.0/24 subnet. Internet is supplied to wired and wireless clients through masquerading. It's the "default gateway" for Network A.
192.168.1.2: D-Link DAP-2360 Wireless AP. It runs a stripped down version of Linux with busybox providing most of its functionality. I have root SSH access to this device. I believe it supports gretap tunnels as well.

The wireless extender on Network B connects wirelessly to this device in 'sta' mode and gets internet access through it.

Network B = 192.168.2.0/24

192.168.2.3: Netgear EX3700 Wireless Extender running OpenWrt. Currently has DHCP server on and leases IPs in the 192.168.2.0/24 subnet. Internet is currently supplied to wireless clients through masquerading. It's the 'default gateway' for Network B.

@jeff I tried setting this up earlier today and I couldn't get my head around the basic concepts involved.

I'd like to set the wireless extender in Network B to only be a wireless client to a WAP on Network A and disable DHCP and DNS servers and IP forwarding on the extender. Then I'd like to bridge the wireless client connection to the 2.4 and 5 GHz networks on the extender.

Network A LAN
^
^ (A.eth0:192.168.1.2)
WAP on Network A: br0 --> A.gretap0
^ (A.wlan0:192.168.1.2)
^
STA(2.4GHz): (B.wifi1:192.168.1.3)
^
WiFi Extender: br0 --> B.gretap0
v
v---AP(2.4GHz): B.wifi1-1(no ip)
v
v (B.br-lan: wifi1-1, wifi0)
v (B.br-lan:192.168.2.3)
v---AP(5GHz): B.wifi0(no ip) /

I think I understand the first part. I think first you create a bridge on both devices, create a gretap on both devices and then add the gretap interface on each device to the bridge on that device.

Device on Network A: br0 -> gretap0

Device on Network B: br0 -> gretap0

And add a different IP address(in a different subnet than the original networks) to each gretap0 device, but reference each other's IP addresses as 'remote' when the devices are created.

The part I'm having trouble figuring out is which interfaces are added to the bridges on each device other than the gretap interfaces.
(Device 1->br0: eth0, gretap0) ??
(Device 2->br-lan: wifi1-1, wifi0, gretap0) ??

I'm a bit lost in the interface names, but maybe this will help some. Based on my understanding/guesses, these are probably close to the bridges you need

EdgeRouter bridges over:

  • eth1 -- your "LAN"
  • wlan0 -- your "public" wireless (or whatever it is, not the wlan that the GRE tunnel rides over)
  • gre0.100 -- a convenient VLAN

Extender bridges over:

  • eth1 -- your "LAN"
  • wlan1-1 -- your "public" wireless (or whatever it is, not the wlan that the GRE tunnel rides over)
  • gre4t-xxxx.100 -- the same, convenient VLAN

One way to think of it is that you bridge each of the devices as you would as "stand-alone" devices, then use the GRE tunnel as a "wire" between the two bridges.

Yeah, the EdgeRouter one I'm not sure about. Everything that goes over the ethernet and wireless gets routed to eth2 if the packet was destined for the EdgeRouter. My extender network actually connects wirelessly to the D-Link Wireless AP and then it's ethernet from there to the EdgeRouter.

I tried to set up the gretap on the D-Link AP but the busybox "ip" command it has only supports gre and not gretap. Apparently gre is level 3 and gretap is level 2. I'm trying to set up a gretap link with a spare server I've got running on my network. I'm afraid to try it on the EdgeRouter because if I screw up then everybody's internet in the whole house goes out.

I'm not sure why I'm getting this message:

optiplex:~$ sudo ip link add gretap0 type gretap local 192.168.1.51 remote 192.168.2.3 dev eth0
ip: RTNETLINK answers: File exists

I rebooted the server and checked the interfaces. It's only got lo and eth0.

I guess that makes sense actually. I'd have to have at least two interfaces to make it work on that computer.

Looking at the EdgeRouter, as far as I know, it does not have wireless. That leaves me a little confused on where "wlan0" comes in, but it seems it's on the end of an Ethernet cable connected to the switch, connected to the EdgeRouter's eth0.

Ugh, need to think through this as the interface you want to use for the GRE tunnel is on the D-Link DAP-2360(which, as I recall it not being supported, isn't running OpenWrt) and the D-Link doesn't support GRE L2 tunnels.

Yep, wise idea right now not to go forward yet!

I'm thinking so far:

  • Two VLANs, one for your existing LAN, one for access to the GRE tunnel
  • Some clever subnetting or routing rules that somehow let the EdgeRouter manage tunnel portal, but route it over the second SSID by way of the "other" VLAN

I don't think it's going to be too bad, just takes some thought to get it right.

lol. Wish I had read your message about ten minutes ago. I wrote a script to execute all the commands so that I could run it with nohup and it would still finish if I got disconnected. The site I was reading said to remove the interface ip and add a different one. I should've looked at that more carefully. Everything went down as soon as I executed the script.

I almost had it fixed, though, because I added another ip on the same subnet as a backup so that I could still ssh back in. So I started going backwards through the script and reversing each command and I ended up typing "ip link set br0 down." lol. Couldn't get back into it after that.

It's alright, though. I just did a power cycle on it and the AT&T router and the internet came back up.

I thought about trying VLANs but I don't know much about them. I was reading an article about virtual interfaces on red hat's web site and I saw this illustration of virtual LANs.
Seeing that made me think that having one physical port might not work, but I don't know.

By the way, that ASCII art diagram I drew that had wlan0 on it was meant to be the D-Link access point. You're right that the EdgeRouter doesn't have WiFi.

I'm actually using a virtual interface on the EdgeRouter already. When I set it up to take the place of the AT&T router, I created eth0.0 and that's the interface that has DHCP set to get an external IP from AT&T. I don't remember exactly why I had to do it like that. It was in an article that I read that walked me through the process.

That's the script that proxies the packets from the AT&T Router on eth2 and the ONT on eth0. The router they gave me was awful. It would randomly reset itself and the internet would go down for five minutes every 30 minutes or so.

Now all it does is send some authentication packets at the start of the connection and the EdgeRouter takes over all the routing from there.

Quick check -- when you say "switch" is that the one in the EdgeRouter, or a stand-alone device?

Stand-alone switch.

It would be nice if I could cross compile iproute2 for the D-Link AP, but that would require glibc. I don't think that would fit in its flash memory.

I started a thread about that device a few weeks ago. I was trying to build an OpenWrt image for it since it has the same hardware in it as some other devices.


Not so bad.

I'm going to pick two VLAN numbers that should be small enough not to complicate config with switch drivers that are limited to 16 VLANs, and high enough to avoid "common" reserved VLANs in OpenWrt and consumer-grade, managed switches:

  • VLAN 10 -- "LAN"
  • VLAN 11 -- GRE tunnel participants

VLAN 10, conceptually, needs to handle the 192.168.1.0/24 subnet, including:

  • EdgeRouter Ethernet "LAN" ports
  • Switch “LAN” ports
  • DIR "LAN" Ethernet ports
  • DIR "LANSSID" wireless
  • EX3700 "LAN" Ethernet ports
  • EX3700 "LANSSID" wireless

If all of the above are logically bridged together, you've got your "LAN" on the right SSIDs and available untagged where you need it.

Now, to make a "wire" between the EX3700 and the "LAN" bridge...

VLAN 11, needs to handle the GRE tunnel traffic. I'll pick from the Class B Private Address Space for clarity, 172.16.0.0/30 (four hosts)

  • EdgeRouter Ethernet port
  • DIR Ethernet port
  • DIR "GRESSID"

If you follow these line-by-line, you will probably lose connectivity at many points. Create a management VLAN first, or work though a plan on how to make the changes without locking yourself out!

Let’s get it “wired up” first

On the EdgeRouter

  • Configure the LAN bridge or interface to involve eth1.10 (instead of just eth1)
  • Configure eth1.11 for 172.16.0.1/30
  • On the in-built switch, configure the “trunk” port to be
    • VLAN 10 tagged
    • VLAN 11 tagged
    • PVID 4095 (blackhole)
    • Reject untagged and unconfigured VLANs (if possible)
  • On the in-built switch, configure the “LAN” ports to be
    • VLAN 10 untagged
    • PVID 10
    • Reject unconfigured VLANs (if possible)

On the switch

  • Configure VLAN 10 and VLAN 11
  • Configure the EdgeRouter’s port to be
    • VLAN 10 tagged
    • VLAN 11 tagged
    • PVID 4095 (blackhole)
    • Reject untagged and unconfigured VLANs (if possible)
  • Configure the DIR’s port to be
    • VLAN 10 tagged
    • VLAN 11 tagged
    • PVID 4095 (blackhole)
    • Reject untagged and unconfigured VLANs (if possible)
  • Configure the “LAN” ports to be
    • VLAN 10 untagged
    • PVID 10
    • Reject unconfigured VLANs (if possible)

On the DIR

  • Configure the LAN/LANSSID bridge to involve eth0.10
  • Create GRESSID as an AP, with a “sufficiently large” MTU, bridging over eth0.11
    • For now, set its IP to 172.16.0.2/30, confirming that the MTU (ip link) is still sufficiently large for GRE traffic
  • Configure its built-in switch for VLAN 10 and VLAN 11
  • Configure the DIR’s switch port that connects to the central switch to be
    • VLAN 10 tagged
    • VLAN 11 tagged
    • PVID 4095 (blackhole)
    • Reject untagged and unconfigured VLANs (if possible)

Cabling

  • Run an Ethernet cable from the EdgeRouter’s “trunk” port to the central switch’s “EdgeRouter” port
  • Run an Ethernet cable from the DIR’s “trunk” port to the central switch’s “DIR” port

You now should be able to ping:

  • 172.16.0.1 <==> 172.16.0.2
  • 192.168.1.1 <==> 192.168.1.2

Set up the wireless link

On the EX3700

  • Set up a new interface as a client of the DIR’s GRESSID with the static/fixed address of 172.16.0.3/30 and a sufficiently large MTU
  • Set its LAN bridge for 192.168.1.3/32 (which already includes LANSSID)

You now should be able to ping among 172.16.0.1, 172.16.0.2, and 172.16.0.3

Set up the GRE tunnel

Now that you can ping 172.16.0.3 from 172.16.0.1, you can configure the GRE L2 tunnel portals on the EdgeRouter and the EX3700.

The DIR is “invisible” in the setup.

  • On the EdgeRouter, add gre0.10 to the “LAN” bridge
  • On the EX3700, add gre4t-xxx.10 to the “LAN” bridge

I think that should do it!

Finishing touches would be to make sure there is no forwarding permitted between the LAN and the GRE subnets. You may need firewall rules at each of the three routers.

You can remove 172.16.0.2 from the DIR once you’re confident everything is up and running.

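The port settings in the plan above (tagged and untagged membership, PVID, the "blackhole" PVID 4095, rejecting untagged and unconfigured VLANs) are easier to reason about with a small model of how an 802.1Q switch classifies and floods a frame. The following is an added example written for this thread, not code from the thread, from OpenWrt or from any switch vendor; the port names are constructed to match the central switch in the plan, and "reject untagged/unconfigured" is modelled as a plain drop at ingress.

```python
"""Toy 802.1Q switch: ingress classification (PVID, membership) and egress flooding.

Added example; not code from the thread, OpenWrt or any switch firmware.
Port names and VLAN numbers mirror the plan's central switch and are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BLACKHOLE_PVID = 4095   # plan's "PVID 4095 (blackhole)": untagged ingress goes nowhere


@dataclass
class Port:
    name: str
    tagged: Set[int] = field(default_factory=set)     # VLANs sent out with an 802.1Q tag
    untagged: Set[int] = field(default_factory=set)   # VLANs sent out without a tag
    pvid: int = BLACKHOLE_PVID                        # VLAN assigned to untagged ingress

    def member_of(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


class Switch:
    def __init__(self, ports: list[Port]) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}

    def classify(self, ingress: str, vid: Optional[int]) -> Optional[int]:
        """Return the VLAN a frame is placed in on ingress, or None if it is dropped.

        vid=None means the frame arrived untagged. "Reject untagged" is the
        blackhole PVID; "reject unconfigured VLANs" is the membership check.
        """
        port = self.ports[ingress]
        if vid is None:
            if port.pvid == BLACKHOLE_PVID:
                return None
            vid = port.pvid
        return vid if port.member_of(vid) else None

    def flood(self, ingress: str, vid: Optional[int]) -> Dict[str, str]:
        """Egress map {port: 'tagged'|'untagged'} for a broadcast/unknown-unicast frame."""
        vlan = self.classify(ingress, vid)
        if vlan is None:
            return {}
        out: Dict[str, str] = {}
        for name, port in self.ports.items():
            if name == ingress:
                continue
            if vlan in port.tagged:
                out[name] = "tagged"
            elif vlan in port.untagged:
                out[name] = "untagged"
        return out

    def untagged_reach(self, vid: int) -> Set[str]:
        """Ports on which VLAN vid appears untagged, i.e. where plain devices would see it."""
        return {n for n, p in self.ports.items() if vid in p.untagged}


def central_switch() -> Switch:
    """The plan's central switch: two trunk ports, three plain LAN ports (constructed)."""
    trunk = lambda name: Port(name, tagged={10, 11}, pvid=BLACKHOLE_PVID)
    lan = lambda name: Port(name, untagged={10}, pvid=10)
    return Switch([trunk("edgerouter"), trunk("dir"), lan("lan1"), lan("lan2"), lan("lan3")])


def plan_is_isolated(sw: Switch) -> bool:
    """Invariant the plan relies on: tunnel VLAN 11 never leaks untagged onto LAN ports."""
    return not sw.untagged_reach(11) and sw.untagged_reach(10) == {"lan1", "lan2", "lan3"}


if __name__ == "__main__":
    sw = central_switch()
    print("untagged on trunk:", sw.flood("edgerouter", None))      # {} : blackholed
    print("LAN PC broadcast:", sw.flood("lan1", None))             # reaches trunks tagged, LAN untagged
    print("VLAN 11 from DIR:", sw.flood("dir", 11))                # only the EdgeRouter trunk
    print("isolated:", plan_is_isolated(sw))
```

The same model answers the later question about a "dumb switch": an unmanaged switch has no per-port membership or PVID at all, so it floods every frame, tagged or not, to every port, and the VLAN 10/11 separation in the plan cannot be enforced on it.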

Wow. Thanks for the write up. I'm going to look it over now.

If something doesn’t make sense, it’s probably my mistake. Ask...

Configure the EdgeRouter’s port to be
VLAN 10 tagged
VLAN 11 tagged
PVID 4095 (blackhole)
Reject untagged and unconfigured VLANs (if possible)
Configure the DIR’s port to be
VLAN 10 tagged
VLAN 11 tagged
PVID 4095 (blackhole)
Reject untagged and unconfigured VLANs (if possible)
Configure the “LAN” ports to be
VLAN 10 untagged
PVID 10
Reject unconfigured VLANs (if possible)

How do I configure a port to be tagged or untagged? I think my switch is a "dumb switch." It doesn't have any switches or buttons on it.

This is what I've got so far:

ip link add link eth0 name eth0.10 type vlan id 10
ip link add link eth0 name eth0.11 type vlan id 11
ip addr add 172.16.0.1/30 dev eth0.11

One of the parameters for "ip link add DEVICE type bridge":

vlan_default_pvid VLAN_DEFAULT_PVID - set the default PVID (native/untagged VLAN ID) for this bridge.

Edit: I started writing a shell script to keep track of the commands I needed to enter and to try to list out the commands that would perform the actions you suggested in your post, but I got confused so I thought I'd try something simple and see if I could establish a gretap connection and do a ping test.

I entered the commands listed at the bottom of this post and all the commands succeeded, but when I did a ping test from Optiplex to EX3700 I got a "Destination Host Unreachable" error. When I pinged from EX3700 to Optiplex I got an "Operation Not Permitted" error. I was trying to ping the 172.16.0.x addresses.

I think the problem was on the EX3700 side with the "Operation Not Permitted" error. That seems like maybe gretap wasn't able to send or receive data over the wlan1 interface.

Netgear EX3700 Wireless Extender (OpenWrt)

opkg update && opkg install ip-full
ip link add gretap0 type gretap local 192.168.1.3 remote 192.168.1.51 dev wlan1
ip addr add 172.16.0.2/30 dev gretap0
ip link set gretap0 up

Dell Optiplex PC (Alpine Linux)

apk add iproute2
ip link add gretap1 type gretap local 192.168.1.51 remote 192.168.1.3 dev eth0
ip addr add 172.16.0.1/30 dev gretap1
ip link set gretap1 up

By the way, from what I've been reading VLAN IDs 0 and 4095 aren't able to be assigned to an interface. Do they have some other special function?