Extended wifi on specific subnet?

Apologies for the stupid question and also please excuse me using the wrong terminology. I am trying to extend the range of my wifi to a location where I have a wired connection available. However, here's the issue: I need the clients associated to one of the wifi networks to be given an IP on a specific subnet while others get an IP on the other subnet.
This works fine on the main router but I am struggling to put it together on the satellite. Both are running openwrt.

Set up:
-main router, IP 192.168.1.1
provides wifi network A with dhcp to give out ips in 192.168.1.x range
Also provides wifi network B with dhcp to give out ips in 192.168.2.1

-satellite, IP 192.168.1.5
Should provide network A and B and clients should get IPs in the same subnet (A in .1.X and B in .2.X)

What should I do to make this work? I can either choose to connect the satellite through a wired connection to the main router or through wds. But in both scenarios I am not getting the clients connected to the satellite handed out ips in the right subnets.

Any pointers would be highly appreciated! I searched a lot but likely not using the right words...

I guess best place to start is dump your config on your "satellite" AP and your primary router.

Either using cat on the config files in /etc/config/ or with uci show? Oh, and also ubus call system board.

My first thought is you want some sort of vlan and bridged AP setup?

On the router, you need to "trunk" both networks over the wire, using a different VLAN for each network. Then, on the AP, you do the opposite, and bridge each SSID to one of the VLANs.

This is a recurrent question around here; use the search function with these terms, and you will find several posts about it.


@evs specifically which part of the uci show output do you want to see? it's quite long.

@eduperez thanks, but I am trying to do this without vlans. I was able to create the separate wifi networks without vlans and tbh I don't understand vlans :)

the point was uci show is an easy way to give me everything =P Of course redact PII.

You either need to do vlans, routing or layer 2 tunneling. And routing won't really extend the "subnet" as in on layer 2. Extending a subnet without having an actual layer 2 connection is challenging as you're probably talking arp proxying or something. If you do it by routing then it becomes a firewalling and static or dynamic routing problem, plus you then have issues with "roaming".

If you don't understand vlans, I wouldn't suggest going down other paths to avoid vlans.... (Other than perhaps just creating a guest network on the satellite and firewalling it down too, but then you don't have networks that can talk to each other)

I suggest if both the router and satellite can do vlans and run openwrt then we do that as it's the most straightforward method.


thanks, here's the output of uci show on my main router:

adblock.global=adblock
adblock.global.adb_enabled='1'
adblock.global.adb_debug='0'
adblock.global.adb_forcedns='0'
adblock.global.adb_safesearch='0'
adblock.global.adb_dnsfilereset='0'
adblock.global.adb_mail='0'
adblock.global.adb_report='0'
adblock.global.adb_backup='1'
adblock.global.adb_dns='dnsmasq'
adblock.global.adb_fetchutil='uclient-fetch'
adblock.global.adb_sources='adguard' 'adguard_tracking' 'android_tracking'
adguardhome.config=adguardhome
adguardhome.config.workdir='/var/adguardhome'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='0'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].server=''192.168.1.1' '/openwrt.org/1.1.1.1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].port='5353'
dhcp.@dnsmasq[0].dnsforwardmax='1024'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='10'
dhcp.lan.limit='244'
dhcp.lan.leasetime='24h'
dhcp.lan.dhcpv4='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.lan.dhcp_option='6,192.168.1.1' '3,192.168.1.1'
dhcp.lan.dns='::1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='100'
dhcp.guest.limit='150'
dhcp.guest.leasetime='1h'
dhcp.guest.dhcp_option='6,192.168.1.1'
dhcp.iot=dhcp
dhcp.iot.interface='iot'
dhcp.iot.start='10'
dhcp.iot.limit='244'
dhcp.iot.leasetime='24h'
dhcp.iot.dhcp_option='6,192.168.1.1'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].Port='22'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='DROP'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='DROP'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Plex'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='32400'
firewall.@redirect[0].dest_ip='192.168.1.9'
firewall.@redirect[0].dest_port='32400'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='Home Assistant 443'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='443'
firewall.@redirect[1].dest_ip='192.168.1.88'
firewall.@redirect[1].dest_port='443'
firewall.@redirect[2]=redirect
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='Home Assistant 80'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='80'
firewall.@redirect[2].dest_ip='192.168.1.88'
firewall.@redirect[2].dest_port='80'
firewall.@redirect[2].enabled='0'
firewall.@redirect[3]=redirect
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].name='Home Assistant 8123'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].src_dport='8123'
firewall.@redirect[3].dest_ip='192.168.1.88'
firewall.@redirect[3].dest_port='8123'
firewall.@redirect[3].enabled='0'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.network='guest'
firewall.guest.input='DROP'
firewall.guest.output='ACCEPT'
firewall.guest.forward='DROP'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_dns=rule
firewall.guest_dns.name='Allow-DNS-Guest'
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='Allow-DHCP-Guest'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.family='ipv4'
firewall.guest_dhcp.target='ACCEPT'
firewall.iot=zone
firewall.iot.name='iot'
firewall.iot.network='iot'
firewall.iot.input='DROP'
firewall.iot.output='ACCEPT'
firewall.iot.forward='DROP'
firewall.iot_dns=rule
firewall.iot_dns.name='Allow-DNS-iot'
firewall.iot_dns.src='iot'
firewall.iot_dns.dest_port='53'
firewall.iot_dns.proto='tcp udp'
firewall.iot_dns.target='ACCEPT'
firewall.iot_dhcp=rule
firewall.iot_dhcp.name='Allow-DHCP-iot'
firewall.iot_dhcp.src='iot'
firewall.iot_dhcp.dest_port='67'
firewall.iot_dhcp.proto='udp'
firewall.iot_dhcp.family='ipv4'
firewall.iot_dhcp.target='ACCEPT'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='iot'
firewall.@rule[13]=rule
firewall.@rule[13].name='Allow-IOT-To-HA'
firewall.@rule[13].src='iot'
firewall.@rule[13].dest='lan'
firewall.@rule[13].dest_ip='192.168.1.88'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[14]=rule
firewall.@rule[14].name='Allow-IOT-mDNS'
firewall.@rule[14].proto='udp'
firewall.@rule[14].src='iot'
firewall.@rule[14].src_port='5353'
firewall.@rule[14].dest_ip='224.0.0.251'
firewall.@rule[14].dest_port='5353'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[15]=rule
firewall.@rule[15].name='Allow-LAN-mDNS'
firewall.@rule[15].proto='udp'
firewall.@rule[15].src='lan'
firewall.@rule[15].src_port='5353'
firewall.@rule[15].dest_ip='224.0.0.251'
firewall.@rule[15].dest_port='5353'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[16]=rule
firewall.@rule[16].name='Block-IOT-to-Other'
firewall.@rule[16].src='iot'
firewall.@rule[16].dest='lan'
firewall.@rule[16].target='REJECT'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.target='DNAT'
firewall.dns_int.family='any'
firewall.dns_int.enabled='0'
luci.main=core
luci.main.lang='auto'
luci.main.mediaurlbase='/luci-static/bootstrap'
luci.main.resourcebase='/luci-static/resources'
luci.main.ubuspath='/ubus/'
luci.flash_keep=extern
luci.flash_keep.uci='/etc/config/'
luci.flash_keep.dropbear='/etc/dropbear/'
luci.flash_keep.openvpn='/etc/openvpn/'
luci.flash_keep.passwd='/etc/passwd'
luci.flash_keep.opkg='/etc/opkg.conf'
luci.flash_keep.firewall='/etc/firewall.user'
luci.flash_keep.uploads='/lib/uci/upload/'
luci.languages=internal
luci.sauth=internal
luci.sauth.sessionpath='/tmp/luci-sessions'
luci.sauth.sessiontime='3600'
luci.ccache=internal
luci.ccache.enable='1'
luci.themes=internal
luci.themes.Bootstrap='/luci-static/bootstrap'
luci.themes.BootstrapDark='/luci-static/bootstrap-dark'
luci.themes.BootstrapLight='/luci-static/bootstrap-light'
luci.apply=internal
luci.apply.rollback='90'
luci.apply.holdoff='4'
luci.apply.timeout='5'
luci.apply.display='1.5'
luci.diag=internal
luci.diag.dns='openwrt.org'
luci.diag.ping='openwrt.org'
luci.diag.route='openwrt.org'
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdcc:2a05:1061::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='94.140.14.14' '94.140.15.15' '1.1.1.1'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wan6.dns='2606:4700:4700::1111 2606:4700:4700::1001'
network.wan6.peerdns='0'
network.@device[1]=device
network.@device[1].name='wan'
network.@device[1].macaddr='xxxx'
network.guest_dev=device
network.guest_dev.type='bridge'
network.guest_dev.name='br-guest'
network.guest=interface
network.guest.proto='static'
network.guest.device='br-guest'
network.guest.ipaddr='192.168.3.1/24'
network.iot_dev=device
network.iot_dev.type='bridge'
network.iot_dev.name='br-iot'
network.iot=interface
network.iot.proto='static'
network.iot.device='br-iot'
network.iot.ipaddr='192.168.2.1/24'
network.iot.gateway='192.168.1.1'
network.iot.dns='192.168.1.1'
rpcd.@rpcd[0]=rpcd
rpcd.@rpcd[0].socket='/var/run/ubus/ubus.sock'
rpcd.@rpcd[0].timeout='30'
rpcd.@login[0]=login
rpcd.@login[0].username='root'
rpcd.@login[0].password='$p$root'
rpcd.@login[0].read='*'
rpcd.@login[0].write='*'
samba4.@samba[0]=samba
samba4.@samba[0].workgroup='WORKGROUP'
samba4.@samba[0].charset='UTF-8'
samba4.@samba[0].description='Samba on OpenWRT'
sqm.eth1=queue
sqm.eth1.enabled='0'
sqm.eth1.interface='wan'
sqm.eth1.download='137214'
sqm.eth1.upload='9666'
sqm.eth1.qdisc='cake'
sqm.eth1.script='piece_of_cake.qos'
sqm.eth1.linklayer='ethernet'
sqm.eth1.debug_logging='0'
sqm.eth1.verbosity='5'
sqm.eth1.overhead='22'
sqm-opkg.eth1=queue
sqm-opkg.eth1.enabled='0'
sqm-opkg.eth1.interface='eth1'
sqm-opkg.eth1.download='85000'
sqm-opkg.eth1.upload='10000'
sqm-opkg.eth1.qdisc='cake'
sqm-opkg.eth1.script='piece_of_cake.qos'
sqm-opkg.eth1.qdisc_advanced='0'
sqm-opkg.eth1.ingress_ecn='ECN'
sqm-opkg.eth1.egress_ecn='ECN'
sqm-opkg.eth1.qdisc_really_really_advanced='0'
sqm-opkg.eth1.itarget='auto'
sqm-opkg.eth1.etarget='auto'
sqm-opkg.eth1.linklayer='none'
system.@system[0]=system
system.@system[0].hostname='OpenWrt'
system.@system[0].timezone='UTC'
system.@system[0].ttylogin='0'
system.@system[0].log_size='64'
system.@system[0].urandom_seed='0'
system.ntp=timeserver
system.ntp.enabled='1'
system.ntp.enable_server='0'
system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org'
ubootenv.@ubootenv[0]=ubootenv
ubootenv.@ubootenv[0].dev='/dev/mtd14'
ubootenv.@ubootenv[0].offset='0x0'
ubootenv.@ubootenv[0].envsize='0x40000'
ubootenv.@ubootenv[0].secsize='0x20000'
ubootenv.@ubootenv[0].numsec='2'
ucitrack.@network[0]=network
ucitrack.@network[0].init='network'
ucitrack.@network[0].affects='dhcp'
ucitrack.@wireless[0]=wireless
ucitrack.@wireless[0].affects='network'
ucitrack.@firewall[0]=firewall
ucitrack.@firewall[0].init='firewall'
ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd' 'sqm'
ucitrack.@olsr[0]=olsr
ucitrack.@olsr[0].init='olsrd'
ucitrack.@dhcp[0]=dhcp
ucitrack.@dhcp[0].init='dnsmasq'
ucitrack.@dhcp[0].affects='odhcpd'
ucitrack.@odhcpd[0]=odhcpd
ucitrack.@odhcpd[0].init='odhcpd'
ucitrack.@dropbear[0]=dropbear
ucitrack.@dropbear[0].init='dropbear'
ucitrack.@httpd[0]=httpd
ucitrack.@httpd[0].init='httpd'
ucitrack.@fstab[0]=fstab
ucitrack.@fstab[0].exec='/sbin/block mount'
ucitrack.@qos[0]=qos
ucitrack.@qos[0].init='qos'
ucitrack.@system[0]=system
ucitrack.@system[0].init='led'
ucitrack.@system[0].exec='/etc/init.d/log reload'
ucitrack.@system[0].affects='luci_statistics' 'dhcp'
ucitrack.@luci_splash[0]=luci_splash
ucitrack.@luci_splash[0].init='luci_splash'
ucitrack.@ntpclient[0]=ntpclient
ucitrack.@ntpclient[0].init='ntpclient'
ucitrack.@samba[0]=samba
ucitrack.@samba[0].init='samba'
ucitrack.@tinyproxy[0]=tinyproxy
ucitrack.@tinyproxy[0].init='tinyproxy'
ucitrack.@sqm[0]=sqm
ucitrack.@sqm[0].init='sqm'
ucitrack.@upnpd[0]=upnpd
ucitrack.@upnpd[0].init='miniupnpd'
uhttpd.main=uhttpd
uhttpd.main.listen_http='0.0.0.0:80' '[::]:80'
uhttpd.main.listen_https='0.0.0.0:443' '[::]:443'
uhttpd.main.redirect_https='0'
uhttpd.main.home='/www'
uhttpd.main.rfc1918_filter='1'
uhttpd.main.max_requests='3'
uhttpd.main.max_connections='100'
uhttpd.main.cert='/etc/uhttpd.crt'
uhttpd.main.key='/etc/uhttpd.key'
uhttpd.main.cgi_prefix='/cgi-bin'
uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
uhttpd.main.script_timeout='60'
uhttpd.main.network_timeout='30'
uhttpd.main.http_keepalive='20'
uhttpd.main.tcp_keepalive='1'
uhttpd.main.ubus_prefix='/ubus'
uhttpd.defaults=cert
uhttpd.defaults.days='730'
uhttpd.defaults.key_type='ec'
uhttpd.defaults.bits='2048'
uhttpd.defaults.ec_curve='P-256'
uhttpd.defaults.country='ZZ'
uhttpd.defaults.state='Somewhere'
uhttpd.defaults.location='Unknown'
uhttpd.defaults.commonname='OpenWrt'
upnpd.config=upnpd
upnpd.config.enabled='1'
upnpd.config.download='1024'
upnpd.config.upload='512'
upnpd.config.internal_iface='lan'
upnpd.config.port='5000'
upnpd.config.upnp_lease_file='/var/run/miniupnpd.leases'
upnpd.config.igdv1='1'
upnpd.config.uuid='x'
upnpd.@perm_rule[0]=perm_rule
upnpd.@perm_rule[0].action='allow'
upnpd.@perm_rule[0].ext_ports='1024-65535'
upnpd.@perm_rule[0].int_addr='0.0.0.0/0'
upnpd.@perm_rule[0].int_ports='1024-65535'
upnpd.@perm_rule[0].comment='Allow high ports'
upnpd.@perm_rule[1]=perm_rule
upnpd.@perm_rule[1].action='deny'
upnpd.@perm_rule[1].ext_ports='0-65535'
upnpd.@perm_rule[1].int_addr='0.0.0.0/0'
upnpd.@perm_rule[1].int_ports='0-65535'
upnpd.@perm_rule[1].comment='Default deny'
upnpd-opkg.config=upnpd
upnpd-opkg.config.enabled='0'
upnpd-opkg.config.enable_natpmp='1'
upnpd-opkg.config.enable_upnp='1'
upnpd-opkg.config.secure_mode='1'
upnpd-opkg.config.log_output='0'
upnpd-opkg.config.download='1024'
upnpd-opkg.config.upload='512'
upnpd-opkg.config.internal_iface='lan'
upnpd-opkg.config.port='5000'
upnpd-opkg.config.upnp_lease_file='/var/run/miniupnpd.leases'
upnpd-opkg.config.igdv1='1'
upnpd-opkg.@perm_rule[0]=perm_rule
upnpd-opkg.@perm_rule[0].action='allow'
upnpd-opkg.@perm_rule[0].ext_ports='1024-65535'
upnpd-opkg.@perm_rule[0].int_addr='0.0.0.0/0'
upnpd-opkg.@perm_rule[0].int_ports='1024-65535'
upnpd-opkg.@perm_rule[0].comment='Allow high ports'
upnpd-opkg.@perm_rule[1]=perm_rule
upnpd-opkg.@perm_rule[1].action='deny'
upnpd-opkg.@perm_rule[1].ext_ports='0-65535'
upnpd-opkg.@perm_rule[1].int_addr='0.0.0.0/0'
upnpd-opkg.@perm_rule[1].int_ports='0-65535'
upnpd-opkg.@perm_rule[1].comment='Default deny'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.path='platform/soc/c000000.wifi'
wireless.radio0.channel='36'
wireless.radio0.band='5g'
wireless.radio0.htmode='HE80'
wireless.radio0.cell_density='0'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.path='platform/soc/c000000.wifi+1'
wireless.radio1.channel='auto'
wireless.radio1.band='2g'
wireless.radio1.htmode='HE20'
wireless.radio1.cell_density='0'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='A'
wireless.default_radio1.encryption='sae'
wireless.default_radio1.key='x'
wireless.default_radio1.wds='1'
wireless.wifinet1=wifi-iface
wireless.wifinet1.device='radio0'
wireless.wifinet1.mode='ap'
wireless.wifinet1.ssid='A_5G'
wireless.wifinet1.encryption='sae'
wireless.wifinet1.key='x'
wireless.wifinet1.network='lan'
wireless.wifinet1.wds='1'
wireless.guest=wifi-iface
wireless.guest.device='radio1'
wireless.guest.mode='ap'
wireless.guest.network='guest'
wireless.guest.ssid='Guest'
wireless.guest.encryption='sae'
wireless.guest.key='x'
wireless.guest.isolate='1'
wireless.iot=wifi-iface
wireless.iot.device='radio1'
wireless.iot.mode='ap'
wireless.iot.network='iot'
wireless.iot.ssid='IOT'
wireless.iot.encryption='psk2'
wireless.iot.key='x'
wireless.iot.isolate='1'
wireless.iot.wmm='0'
wireless.iot.wds='1'

output from ubus call system board:

{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Dynalink DL-WRX36",
        "board_name": "dynalink,dl-wrx36",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ipq807x/generic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

I have enabled WDS because at first I thought the location I needed to put in the satellite wouldn't have a wired lan connection.

As you can (hopefully) see, this is what I have set up:

  • main LAN wifi network A and A_5G
  • dedicated Guest network that cannot access main wifi network but has internet connection
  • dedicated IOT network that cannot access internet nor main wifi, except for traffic to/from my Home Assistant installation on 192.168.1.88.
  • Adguard as DNS server

As I said, I didn't use vlans for this, but happy to do it, but please help me migrate to it from this setup.

With this in mind, here's what I'd like my satellite to do:

  • have a wired connection to the main router (since it's available)
  • provide wired connection on its ethernet ports to the main LAN network.
  • provide access to the A or A_5G network by extending its range
  • provide access to the IOT network by extending its range, but make sure devices get IPs in the right subnet (192.168.2.X).

both my main and satellite devices run OpenWrt and are Dynalink DL-WRX36.


OK cool. Basically what I suggest first on both the satellite and the main router:

  • Doing this via vlans can cause a breaking change to all your networks, so I highly suggest a two stage approach where one sets up a dedicated management interface. This can be one of the following:
    • non bridged connection over wired (since you have DSA)
    • Or set up an empty bridge network and separate SSID for a wireless management connection. (Basically the same as your IoT and guest etc but don't have to have it forward anywhere)
    • obtain serial console access

Then we move you to a bridge with vlan filtering. I would suggest the following regarding vlan ID selection. You can pick arbitrary vlan numbers as long as your devices can handle any vlan number. I suggest picking from vlans 3 through 15 unless you only plan on getting good equipment that can handle anything within 1 through 4094 or whatever. A stretch goal would be setting up a dedicated management vlan that isn't vlan 1.

There should be wiki articles or other posts but if you run into troubles or want step by step I or someone else can run you through it as it's a frequently asked question on the forum.

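The trunk-and-bridge layout suggested in the replies above, written out as an added example (not configuration posted by anyone in the thread). Assumptions: port lan4 is the cable between the two devices on both ends, VLAN 3 is picked for IoT from the suggested 3 to 15 range, and the main LAN stays untagged on VLAN 1 so the satellite remains reachable during the change.

```uci
# ===== Both devices: /etc/config/network =====
# The br-lan device stanza (type 'bridge', ports lan1..lan4) stays as it is.
# VLAN 1 = main LAN, untagged on every port, including the uplink (lan4).
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:u*'

# VLAN 3 = IoT (ID is an assumption), tagged on the uplink port only.
config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan4:t'

# ===== Main router only: /etc/config/network =====
# Only 'device' changes in the two existing interfaces; every other
# option of 'lan' and 'iot' stays as in the uci show output.
config interface 'lan'
    option device 'br-lan.1'
    # ...remaining options unchanged (ipaddr 192.168.1.1)

# 'iot' moves from the port-less br-iot bridge onto VLAN 3 of br-lan,
# which is what lets the 192.168.2.x network leave the router by wire.
config interface 'iot'
    option device 'br-lan.3'
    # ...remaining options unchanged (ipaddr 192.168.2.1/24)

# ===== Satellite only: /etc/config/network =====
config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.1.5'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'
    option dns '192.168.1.1'

# No address in the IoT VLAN: the satellite only bridges these frames.
config interface 'iot'
    option device 'br-lan.3'
    option proto 'none'

# ===== Satellite only: /etc/config/dhcp =====
# The main router stays the only DHCP server for both subnets.
config dhcp 'lan'
    option interface 'lan'
    option ignore '1'

# ===== Satellite only: /etc/config/wireless =====
# Same SSIDs as the main router, each bound to the matching interface.
# Encryption and key options are copied from the main router.
config wifi-iface 'main'
    option device 'radio1'
    option mode 'ap'
    option ssid 'A'
    option network 'lan'

config wifi-iface 'iot'
    option device 'radio1'
    option mode 'ap'
    option ssid 'IOT'
    option network 'iot'
    option isolate '1'
```

Because the satellite's iot interface has proto 'none', it has no address of its own in 192.168.2.x, so IOT clients that associate there are bridged into VLAN 3 and get their lease from the main router. The iot zone rules on the main router (Allow-IOT-To-HA, Block-IOT-to-Other) remain the only place where that traffic is filtered.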

First of all, sorry for my late reply. I have read up a bit on vlans and I think I am getting a better understanding of them.

I am confused about tagged and untagged and its implications though. My satellite is connected to my main router via a tp-link switch, which doesn't run openwrt (and can't). Can I still create a vlan between my main and satellite and get the scenario working? What should the tagged / untagged setting be in this case?

Depends if your switch can handle tagged frames. Is it a managed switch or not? Can you please elaborate on your switch model?

Does the switch have to be between the satellite and the main router? If you can do a cabled connection between the router and the satellite without anything in between then it doesn't matter what the switch is.

Best is probably to give us a block diagram of your network?


I ended up changing my architecture and made it work with my satellite directly connected to my main router. I have another issue though, but don't want to hijack this thread.
