Guest networks not showing up in /etc/config/network

Hello,

I have 4 different wireless networks: 2.4, 2.4-Guest, 5.0, 5.0-Guest. I want to give them each a unique subnet. I thought this could be edited in /etc/config/network, but they don't all show up there. Only 2 out of the 4 are in there: LAN & Guest with their correct IP range, but not the correct name. The other 2 are not.

How can I do this? Any help is appreciated!

You have to add additional networks if you wish to have 4 unique subnets (2x guest and 2x lan).

Why do you want to do this, though? It's not necessary and will actually make things more difficult since it will necessarily put 2.4G devices on a different subnet than the 5G devices (for each the lan and guest networks), thus making it harder to connect/share content and the like.

And it is amateur level to have a “2,4 ssid” and a “5 ssid” on the same network. On pro level you have identical setup wifi on each network with the same ssid and password on all radios.

It is the client's responsibility to choose the best wifi option available when connecting to a wifi.

FWIW, I prefer to split my SSID's between 2.4 and 5 GHz so I have the option to force poorly behaved clients that prefer connecting to a slow 2.4 GHz SSID with a strong signal to instead connect to a much faster throughput 5 GHz SSID with a weaker signal. Sure, I could set up MAC filters; or reduce transmit power on 2.4 GHz until the offending client connects on 5 GHz, but then I lose the range advantage of 2.4 GHz with other clients.


This isn't really recommended these days, but there is no reason you can't do this. By all means. The normal way to handle this is simply to set two different SSIDs (i.e. "MySSID-2G" and "MySSID-5G"). Typically, they both link to the same subnet.

Is there a specific reason you want to put the devices on different subnets? To be clear, there is no performance benefit/difference by putting the devices on multiple subnets (when considering network throughput for both your 'well behaved' and 'poorly behaved' devices), but different subnets will add headaches with respect to client-to-client connectivity if the devices need to be able to talk to each other.

No, you do not have 4 networks: you have 4 SSIDs (configured at /etc/config/wifi) over two networks (configured at /etc/config/network).

Now, separating bands into different networks is a bad idea, but if you really want to do it: create two additional networks, then change the interface where each SSID bridges.

We're saying the same thing. I stated I prefer to split my SSID's between 2.4 and 5, not my sub-nets (but I see how you might have drawn that conclusion - poor phrasing on my part).

I bridge my 2.4 and 5 SSID's to the same subnet (i.e., the SSID's mywifi-2G-IOT and mywifi-5G-IOT are both on the same IOT sub-net). My main point was that I didn't think doing this was "amateur level." And I couldn't agree with you more that separate sub-nets for 2.4 and 5 would cause headaches in a hurry.


ok... good.

So are you having an actual issue or do you have questions, or is everything working the way you expect?

Everything is as I expect.


Great.

Now, realizing that this conversation has veered from the OP a bit...
@duvel - do you have questions or need help with anything?

All,

Thanks for the replies.

The reason I was thinking to do this was from a security standpoint. Having each SSID on a different subnet like:

192.168.5.x
192.168.6.x
192.168.7.x
192.168.8.x

It sounds like I would need to create 2 more networks in /etc/config/network, then create 2 more SSID's in /etc/config/wireless.
Would I just manually add the entries to the config files like:

config wifi-iface 'guest5G'
    option device 'radio1'
    option network 'guest'
    option mode 'ap'

etc...

Or do it through the GUI?

The interfaces tab has a "add new interface" button.
There is an "add" button on each radio on the wireless tab.

Then restart the network service?

Thanks for your help

It could all be done in LuCi (and perhaps more safely so since I think that it is harder to lock yourself out of your own router when configuring things in LuCi - from memory with the config files even just placing a hyphen in the wrong place can result in an invalid config and locking yourself out of your own router, which if true seems like something that should be fixed, but I may be misremembering).

I think for each network you'd need something along the lines:

  • create a new bridge device, e.g. br-towerx;
  • create new interface for that bridge device with protocol 'static IP', e.g. towerx and give it static address 192.168.x.1 and enable DHCP allocation on 192.168.x.1;
  • create firewall zone tower1 for the new interface
  • create a new wireless AP, e.g. 2.4-towerx, and assign it to the interface

Then repeat for each network.

But why are you wanting to create such separate networks in the first place? Do you want to isolate all devices connected to each network?

Indeed it seems there is a danger of overly complicating things and violating the KISS principle:

So it is probably worth taking a step back and thinking about what you want out of the overall network in general and then we can better advise on an appropriate layout.

Most users just have:

  • one main LAN network (with say single SSID for multiple 2.4/5 APs for network, ideally with a more secure security type WPA3-SAE); and
  • one GUEST network (again with say single SSID for multiple 2.4/5 APs for network and perhaps with a less secure security type like WPA2-PSK).

The LAN network is the general network for most devices like work computers, phones, printers, etc. The GUEST network is for IoT devices and guests to your house, including coffee machines, ovens and TVs. GUEST devices are prevented from making connections with LAN devices, but LAN devices might be allowed to make connections with GUEST devices. Some users might also enable some cross-communication, e.g. using 'avahi' to enable LAN devices to see guest devices over mDNS (I just set this up recently so that on my iPhone I can see a printer connected to my GUEST network and can identify and stream to televisions connected to the GUEST network).

The idea is to provide some isolation between relatively untrusted devices like a smart plug or a guest to the house and the main LAN network.

Indeed. Default OEM configurations without guest networks are few and far between today. So are devices with more than 32MB of memory and 4MB of flash that lack vlan support. I've often wondered why the default OpenWrt configuration has not similarly evolved to include a guest network.

I would consider segregated interfaces to be an essential security practice today. For better and worse, IOT devices have come a long way since the first OpenWrt release 20 years ago. One might even argue Guests shouldn't be exposed to IOT devices and vice versa, so three networks: main, Guest, and IOT.

If there were an example for a second segregated Guest network interface in the default OpenWrt configuration, even if disabled by default, users would have that template available to cut and paste into as many segregated networks as they desired, e.g., create an IOT from the Guest example. The vast majority of requests for help on this forum would evaporate.


Very well articulated. For me a big issue that I had to overcome was how to manage this situation given use of WDS to facilitate wireless extension (and the limitation that there can only be one WDS backhaul per radio). I encountered a few posts from @eduperez about the use of GRE tunnelling to pass traffic from one network over a WDS backhaul used for another network. For long enough I was able to obviate the complexity of that by simply setting up a separate 2.4 GHz backhaul for our GUEST network. But recently @patrakov helped guide me through how to leverage VXLANs to pass the GUEST traffic over the LAN network and 5 GHz backhaul - and it is actually super easy.

Yes, I was thinking to keep everything separate:

192.168.5.x - Work devices
192.168.6.x - Personal devices
192.168.7.x - Guest laptops, phones, TV
192.168.8.x - Spare/Unknown

These devices don't need to talk to each other.

Well you have a recipe but beware about making things too complicated, mindful that life is short!

The templates in this post should get you where you want to go after you determine whether your device has been converted to DSA or not. It has a template for a swconfig and a DSA network file.

So I tried to create a new network following the post/templates provided by @eginnc. I created a new interface, a new SSID, and firewall rules for DNS & DHCP. The SSID appears fine, it gets an IP, I can connect to it, but it doesn't connect to the internet, and it seems to break another network that's on the same band (5.0). As soon as I disable it, the other network works fine. I did this all through the LuCi interface. Not sure what I did wrong, but any help is appreciated.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

For clarity, I think what you want are two different networks (normal lan and guest), but four different wireless interfaces: 2.4 and 5.0 wireless interfaces bridged to the normal lan network; and 2.4-Guest and 5.0-Guest wireless interfaces bridged to the Guest network. If this is your goal, then there should only be the wan, wan6 and two other network interfaces (normal lan and Guest) defined in your network configuration file.

If you truly do not want 2.4 and 5.0 to be able to communicate on the same network, i.e., 2.4-Guest and 5.0-Guest on different Guest networks for example, then two becomes four. However, that would be a rather unusual configuration.

Now, if you want to do this:

AND have separate 2.4 and 5.0 networks for each of these, then you would be up to 8 different networks and 8 different SSID's. Yowza! I would not do that. This would be a very unusual and complicated set up. See Lynx's post up above about the K.I.S.S. principle :wink:

I would at least bridge the [name]-2.4 and [name]-5.0 WiFi interfaces to the same [name] network, i.e., 4 networks and 8 SSID's. Still a bit complicated, but there is really no need to segregate 2.4 and 5.0 GHz SSIDs on different networks.

In any event, think about what you want to accomplish, and clarify what that is for us so you can get better help.
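Putting the bridge/interface/zone/AP steps listed earlier and the "two networks, four wireless interfaces" model above into one place, here is a constructed UCI template for a single segregated wireless network; it is an added example, not configuration posted by anyone in this thread or shipped by OpenWrt. The interface name tower1, the 192.168.5.0/24 subnet (the first of the OP's list) and the radio0 = 2.4 GHz assignment are assumptions.

```uci
# /etc/config/network (constructed template; names and addresses are assumptions)
config device
	option name 'br-tower1'
	option type 'bridge'           # no wired ports: the wifi-ifaces below attach here
config interface 'tower1'
	option proto 'static'
	option device 'br-tower1'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'tower1'
	option interface 'tower1'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
config zone
	option name 'tower1'
	list network 'tower1'
	option input 'REJECT'          # the router answers only what the rules below allow
	option output 'ACCEPT'
	option forward 'REJECT'        # nothing is routed towards lan, guest or other zones
config forwarding                  # internet access; a DHCP lease alone gives none
	option src 'tower1'
	option dest 'wan'
config rule                        # clients must still reach the router's DHCP server...
	option name 'Allow-DHCP-tower1'
	option src 'tower1'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
config rule                        # ...and its DNS forwarder
	option name 'Allow-DNS-tower1'
	option src 'tower1'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# /etc/config/wireless (assumes radio0 is the 2.4 GHz radio; radio1 would be 5 GHz)
config wifi-iface 'tower1_2g'
	option device 'radio0'
	option mode 'ap'
	option network 'tower1'        # the 5 GHz wifi-iface points at this same network
	option ssid '2.4-tower1'
	option encryption 'psk2'       # WPA2-PSK; 'sae' for WPA3 where every client supports it
	option key 'CHANGE-ME'
	option isolate '1'             # clients on this SSID cannot talk to each other
```

The 5 GHz AP is the same wifi-iface stanza again with option device 'radio1' and its own ssid, and the whole template is repeated, with a new name and subnet, for each further segregated network; `service network reload`, `service dnsmasq restart`, `service firewall restart` and `wifi reload` apply the four files.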