Extending Guest WiFi to Outdoor (dumb) AP

Hey everyone! Hope you all had a good start in 2026!

I recently upgraded my Router to a GL.iNet MT-6000 and flashed stock OpenWrt (24.10.5) to it. After that I noticed that my WL-WN570HA2 (Outdoor AP) also supports OpenWrt (25.12.0-rc2), and flashed that as well.

I want to set up 2 WiFi networks, I call them "Home" and "Guest" in this post.

"Home" is my existing home network, living in 192.168.0.0/16.
"Guest" only has access to the internet and lives in 172.20.0.0/24

I want both WiFi networks on both my router and AP for better coverage of my home.

I got it working to the point that "Home" is available on both devices (with working roaming) and the "Guest" WiFi on my router is working as well.

But when I try to set up the Guest WiFi on my outdoor AP, it doesn't work.
I will get a network connection, but can't seem to reach DHCP to get an IP address.

I'm not using VLANs at the moment, since I don't quite understand them yet.
It's on the list.

I've set up bridges (br-guest) and interfaces (guest) on both devices. The AP has disabled DHCP and the router IP is set up as IPv4 gateway.

The AP has a firewall rule to allow forward to "lan" zone.

I configured all of this in LuCI. I have no issue with the CLI, it's just easier for me to get started in the GUI. I would attach the relevant configuration, but I really don't know what is relevant yet. If you tell me I'll happily add what you need.

I mainly followed these guides:

But they don't quite fit for what I want to do, and I'm not really sure where to deviate from the guide to reach my goal.

Hope someone can help.

Thanks in advance!

I'm not using VLANs at the moment, since I don't quite understand them yet.
It's on the list.

Now™ would be a good time to look into VLANs.

One common setup is to add a tagged VLAN on the connection between the APs and add it to br-guest on both devices.

1 Like

I second the application of VLANs.

Start with main router... you might consider starting over if the configuration doesn't resemble the guest network as described here:

From there, you'll make a few minor tweaks to associate the guest network with an ethernet port using a tagged VLAN.

Finally, your second device will be set up using the bridged AP method (the first one you linked), and then you'll add the VLAN config and an unmanaged network interface to the AP.

We can help you through the process if you need assistance. We'll need your config to be able to advise.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

My thanks to both of you!

I'm a bit hesitant to jump into VLANs because I have more than a few devices, containers and services running in my little homelab. But I agree with you, it's time. I'll read up on VLANs and try to implement them in my network. Once I have them set up and working properly I'll try to get my guest wifi working again.

If that still won't work, I will report back.

One question though about VLANs: This might be kinda subjective, but how many do I want?
A common setup I've seen is one for home network, one for guests, one for IoT.
Does it make sense to separate hypervisors / containers / VMs as well?

I would need to set up a lot of inter-VLAN routing then if I'm not mistaken.
Might not be worth it? What do you think?

How many do you need?

You can set up as many VLANs as you want without even licking the max limit of possible VLANs. The hardest part is to set up your first VLAN; after that it is easy, as it is basically c/p of your first VLAN with some minor changes.

Start with a total of 2 networks... your existing trusted lan, then add one more network. Get that working fully before building any additional ones. Based on your description, it sounds like the guest network is the one of more 'immediate' concern. Once that is working properly, you can add additional networks as needed using the same general recipe.

You can, but it may be overcomplicating things. Consider the question of why you want extra networks.

1 Like

If you want to connect multiple different networks (e.g. lan + guest) to an AP via a wired uplink, you need VLANs for this uplink, it's not optional.

Yes, technically there are alternatives, but you really don't want to go there needlessly, as those make the whole setup even more complex (and slower).

1 Like

I got this working, using VLANs. The only thing I never really got around to is how to extend the locked-down Guest WiFi concept to multiple APs w/o configuring them as a separate network each.

1 Like

If you post your configs, we can show you how...

We need to know:

  • What port on the router is used to connect to the AP (and what port on the AP, as well, unless it's a single port device).
  • the information below...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

I'm back! After converting my whole home-network to a more suitable subnet for VLAN (and breaking my proxmox-cluster and my wireguard vpn in the process) I have returned.

Some notes I thought might be important:

  1. I use PiHole as my local DNS, not OpenWrt. This seems to work fine for my main network.
  2. There is a managed switch that all my devices connect to. It's an HP 1920-24G-PoE+ and it now has port 2 (router) and port 24 (outdoor AP) configured as trunk ports with VLAN1 (untagged) and VLAN100 (tagged).
  3. The main subnet (VLAN1) now is 192.168.1.0/24 and guest (VLAN100) is 192.168.100.0/24

I really appreciate the help! This must be a lot of work to sift through.

main router configs

root@GL-MT6000:~# ubus call system board

{
        "kernel": "6.6.119",
        "hostname": "GL-MT6000",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}

root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb8:a6c8:fe3c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns_search 'lan'
        list dns '192.168.1.50' <- this is my PiHole instance

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wanLTE' <- I'm currently using an older android phone over USB, this is my WAN
        option proto 'dhcp'
        option device 'usb0'

config interface 'wanLTE6'
        option proto 'dhcpv6'
        option device 'usb0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'  <- set guest to a WAN DNS, assumed this makes it easier for now

config bridge-vlan
        option device 'br-guest'
        option vlan '100'

root@GL-MT6000:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '13'
        option htmode 'HE20'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '<REDACTED>'
        option encryption 'psk2'
        option key '<REDACTED-key>'
        option ieee80211r '1'
        option mobility_domain '4F2A'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '56'
        option htmode 'HE80'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '<REDACTED>'
        option encryption 'psk2'
        option key '<REDACTED-key>'
        option ieee80211r '1'
        option mobility_domain '4F2A'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid '<REDACTED>-Guest'
        option encryption 'psk2'
        option key '<REDACTED-guest-key>'
        option network 'guest'
        option ieee80211r '1'
        option mobility_domain '4F2B'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'guest'
        list interface 'lan'

config dhcp 'lan'
        option interface 'lan'
        option start '200'
        option limit '50'
        option leasetime '1d'
        option dhcpv4 'server'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        option force '1'
        list dhcp_option '6,192.168.1.50' <- tell dhcp clients to use PiHole as DNS

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

< REDACTED multiple "config host" segments (just static leases) >

config dhcp 'guest'
        option interface 'guest'
        option start '50'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1'

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wanLTE'
        list network 'wanLTE6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# I'm pretty sure below this line is all I changed in firewall

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option src 'guest'
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'Allow-DNS-Guest'
        option dest_port '53'
        option target 'ACCEPT'

outdoor ap configs

root@OutdoorAP:~# ubus call system board

{
        "kernel": "6.12.63",
        "hostname": "OutdoorAP",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "Wavlink WL-WN570HA2",
        "board_name": "wavlink,wl-wn570ha2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0-rc2",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32429-d76c64ad00",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 25.12.0-rc2 r32429-d76c64ad00",
                "builddate": "1767653330"
        }
}

root@OutdoorAP:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '00048f72624a609a46ceae8fe9c6110b4b24'
        option ula_prefix 'fd1a:4d6c:ff6c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list ipaddr '192.168.1.2/24'
        list dns '192.168.1.50'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'
        option gateway '192.168.100.1'
        list dns '192.168.100.1'

config bridge-vlan
        option device 'br-guest'
        option vlan '100'

root@OutdoorAP:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option channel '12'
        option htmode 'HT20'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '<REDACTED>'
        option encryption 'psk2'
        option key '<REDACTED-key>'
        option ieee80211r '1'
        option mobility_domain '4F2A'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '<REDACTED>-Guest'
        option encryption 'psk2'
        option key '<REDACTED-guest-key>'
        option network 'guest'
        option ieee80211r '1'
        option mobility_domain '4F2B'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option disabled '1'  <- just disabled it for testing

root@OutdoorAP:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

root@OutdoorAP:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# I'm pretty sure below this line is all I changed in firewall

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config rule
        option src 'guest'
        option name 'Allow-DNS-Guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'lan'

I really hope I redacted everything properly here ^^

Thanks again for taking the time to look at my mess.

Starting with the main router...

You will need to use bridge-VLANs to accomplish the goal. It's fairly simple.

In the /etc/config/network file, add the bridge-vlans (I'm assuming that port lan1 is used to connect to the switch, and I'll also move port lan5 to the guest network so that you have an easy way to verify the wired guest functionality):

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1:t'
        list ports 'lan5:u*'

Now, edit the network interfaces to use br-lan.1 and br-lan.100 respectively (I've also removed the DNS lines since they don't actually do anything in this context):

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
 ...

config interface 'guest'
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

Delete this bridge and the errant bridge-vlan:

Now, we can move on to the AP:
Create bridge-vlans:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth0:t'

And edit the network configs. The guest network should be unmanaged:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list ipaddr '192.168.1.2/24'
        list dns '192.168.1.50'

...

config interface 'guest'
        option proto 'none'
        option device 'br-lan.100'

And delete the guest bridge stuff:

You can delete all of the guest related firewall entries on the AP:

Restart and test.

[edit: fixed typo in the router config for VLAN 100 on port lan1]

2 Likes
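
Added example, not part of the thread and not OpenWrt's own tooling: a shell/awk check for the `bridge-vlan` stanzas described in the reply above. It verifies that every `port:flags` entry names a port that is actually a member of the bridge and uses only the `t` (tagged), `u` (untagged) and `*` (PVID) flags, and it reports any `bridge-vlan` that has no ports. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check bridge-vlan stanzas in an OpenWrt network config.
# On a device: check_bridge_vlans /etc/config/network
# Prints one finding per line; exit status 1 means at least one finding.

check_bridge_vlans() {
    awk -v q="'" '
    # Strip the quotes UCI puts around values (q holds the quote character).
    function unq(s) { gsub(q, "", s); return s }

    # Record the section that just ended, then reset the per-section state.
    function flush(    i) {
        if (sec == "device" && dtype == "bridge") {
            isbridge[dname] = 1
            for (i = 1; i <= np; i++) member[dname, ports[i]] = 1
        } else if (sec == "bridge-vlan") {
            nv++; vdev[nv] = bdev; vid[nv] = bvid; vcount[nv] = np
            for (i = 1; i <= np; i++) vport[nv, i] = ports[i]
        }
        sec = ""; dname = ""; dtype = ""; bdev = ""; bvid = ""; np = 0
    }

    $1 == "config" { flush(); sec = unq($2); next }
    sec == "device"      && $1 == "option" && $2 == "name"   { dname = unq($3) }
    sec == "device"      && $1 == "option" && $2 == "type"   { dtype = unq($3) }
    sec == "bridge-vlan" && $1 == "option" && $2 == "device" { bdev = unq($3) }
    sec == "bridge-vlan" && $1 == "option" && $2 == "vlan"   { bvid = unq($3) }
    (sec == "device" || sec == "bridge-vlan") && $1 == "list" && $2 == "ports" {
        ports[++np] = unq($3)
    }

    END {
        flush()
        for (v = 1; v <= nv; v++) {
            where = "vlan " vid[v] " on " vdev[v]
            if (!(vdev[v] in isbridge)) {
                print where ": no bridge device with that name"; bad++
                continue
            }
            if (vcount[v] == 0) { print where ": no member ports"; bad++ }
            for (i = 1; i <= vcount[v]; i++) {
                spec = vport[v, i]
                n = split(spec, part, ":")
                if (!((vdev[v], part[1]) in member)) {
                    # Also catches a lost colon: the flag letter becomes part of the name.
                    print where ": port " spec " is not a port of the bridge"; bad++
                } else if (n > 2 || (n == 2 && part[2] !~ /^[tu*]+$/)) {
                    print where ": port " spec " has unknown flags"; bad++
                }
            }
        }
        exit (bad > 0)
    }
    ' "$@"
}

# Constructed sample: one correct VLAN, one VLAN whose trunk port entry lost
# its colon, and one bridge-vlan on a second bridge with no ports at all.
sample_network_config() {
    cat <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan5'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1t'
        list ports 'lan5:u*'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config bridge-vlan
        option device 'br-guest'
        option vlan '100'
EOF
}

# Demo run on the constructed sample (reads stdin when no file is given).
sample_network_config | check_bridge_vlans || true
```
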

Thank you so much! As far as I can tell, this almost works perfectly!

The networks are both up, I can see all 5 WiFi MAC addresses, and can connect to every network.

But I won't get an IP from the Outdoor AP in the Guest network (main network works fine).

I first thought it might have something to do with my static leases, but I will get an IP in the guest network from my main router's WiFi no problem.

Any idea why that might be?

Can you confirm (or correct):

  • Main network wifi works fine on both the main router and on the AP
  • Guest network works fine on the main router
  • But guest network doesn't work on the AP

Let's see the complete updated configs from both devices. This way I can see the whole picture with the latest configs.

The other thing to look at is the configuration of the switch. It should have trunk ports for both the router connection (port 2) and port 24 to the AP where you have VLAN 100 tagged and VLAN 1 untagged.... make sure that's configured properly.

I can confirm:

  • home network works, both from router and AP, with roaming, no problem
  • guest network works on main router - no problem
  • guest network from AP connects, but doesn't get an IP.
    • Android WiFi debug even tells me it's a DHCP issue.

The Router VLAN config:

Port 2 is the router, Port 24 is the AP (double checked it, the ports are correct)

I'll collect the current configuration for both devices and add it in a moment.

1 Like

And here are the config files in the current state:

main router

root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb8:a6c8:fe3c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1t'
        list ports 'lan5:u*'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wanLTE'
        option proto 'dhcp'
        option device 'usb0'

config interface 'wanLTE6'
        option proto 'dhcpv6'
        option device 'usb0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

root@GL-MT6000:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '13'
        option htmode 'HE20'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '<redacted-ssid>'
        option encryption 'psk2'
        option key '<redacted-key>'
        option ieee80211r '1'
        option mobility_domain '4F2A'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '56'
        option htmode 'HE80'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '<redacted-ssid>'
        option encryption 'psk2'
        option key '<redacted-key>'
        option ieee80211r '1'
        option mobility_domain '4F2A'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid '<redacted-ssid-guest>'
        option encryption 'psk2'
        option key '<redacted-key-guest>'
        option network 'guest'
        option ieee80211r '1'
        option mobility_domain '4F2B'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'guest'
        list interface 'lan'

config dhcp 'lan'
        option interface 'lan'
        option start '200'
        option limit '50'
        option leasetime '1d'
        option dhcpv4 'server'
        option master '1'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        option force '1'
        list dhcp_option '6,192.168.1.50'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

< REDACTED config host blocks - static leases>

config dhcp 'guest'
        option interface 'guest'
        option start '50'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1'

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wanLTE'
        list network 'wanLTE6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option src 'guest'
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'Allow-DNS-Guest'
        option dest_port '53'
        option target 'ACCEPT'

outdoor AP

root@OutdoorAP:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '00048f72624a609a46ceae8fe9c6110b4b24'
        option ula_prefix 'fd1a:4d6c:ff6c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth0:t'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list ipaddr '192.168.1.2/24'
        list dns '192.168.1.50'

config interface 'guest'
        option proto 'none'
        option device 'br-lan.100'

root@OutdoorAP:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option channel '12'
        option htmode 'HT20'
        option country 'DE'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '<redacted-ssid>'
        option encryption 'psk2'
        option key '<redacted-key>'
        option ieee80211r '1'
        option mobility_domain '4F2A'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '<redacted-ssid-guest>'
        option encryption 'psk2'
        option key '<redacted-key-guest>'
        option network 'guest'
        option ieee80211r '1'
        option mobility_domain '4F2B'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

root@OutdoorAP:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts

root@OutdoorAP:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

There is a : missing on port lan1... it should be:

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1:t'
        list ports 'lan5:u*'

Fix that, reboot the main router and test again.

EDIT: I see that this was my fault -- typo in my advice upthread... I just fixed that typo, hopefully that's the only issue.
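
A check for the kind of typo fixed above, as an added example (not code from this thread or from OpenWrt): it reads a network config on stdin and reports any bridge-vlan port entry whose name is not a member of the bridge, which is how a dropped colon shows up. The function names and the sample config (colon dropped as 'lan1t') are constructed for illustration.

```shell
# Added example: lint UCI bridge-vlan sections read from stdin.
# Prints one line per problem; returns 1 if any problem was found.
# Assumes "option name" precedes "list ports" inside each "config device".
lint_bridge_vlan() {
    awk -v q="'" '
    # Value of the current option/list line with its quotes removed.
    function val(   s) { s = $0; sub(/^[ \t]*[a-z]+[ \t]+[a-z_0-9]+[ \t]+/, "", s); gsub(q, "", s); return s }
    $1 == "config" { sect = $2; name = dev = vlan = ""; next }
    sect == "device" && $2 == "name"        { name = val() }
    sect == "device" && $2 == "ports"       { member[name, val()] = 1 }
    sect == "bridge-vlan" && $2 == "device" { dev = val() }
    sect == "bridge-vlan" && $2 == "vlan"   { vlan = val() }
    sect == "bridge-vlan" && $2 == "ports"  { n++; bdev[n] = dev; bvlan[n] = vlan; spec[n] = val() }
    END {
        for (i = 1; i <= n; i++) {
            # Split "port:flags"; an entry without a colon has no flags.
            port = spec[i]; flags = ""; p = index(spec[i], ":")
            if (p > 0) { port = substr(spec[i], 1, p - 1); flags = substr(spec[i], p + 1) }
            if (!((bdev[i], port) in member)) {
                printf "vlan %s: \"%s\" is not a port of %s\n", bvlan[i], spec[i], bdev[i]; bad++
            } else if (flags !~ /^[tu]?\*?$/) {
                printf "vlan %s: bad flags in \"%s\"\n", bvlan[i], spec[i]; bad++
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample: the tagged uplink entry has lost its colon.
sample_config() {
    cat <<'EOF'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan5'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1t'
        list ports 'lan5:u*'
EOF
}

sample_config | lint_bridge_vlan || echo "fix the entries listed above"
```

On a device, feed it the real file instead of the sample: lint_bridge_vlan < /etc/config/network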

Yes! That's it. Everything working now, at least from the short testing I just did.
That's great - thank you so much. I couldn't have done it without you.
