Guest Wi-Fi across 2 dumb APs

Hello all,

I'm using AVM FritzBox 7390 as main router managing my LAN and WLAN and providing the internet access. 2 OpenWRT driven AVM Fritzbox 7362SL are acting as dumb APs, providing WLAN. All 3 WLANs use the same SSID/WPA PSK, so I can comfortably switch between the APs according to the position / signal strength.

[Network diagram: OpenWRT_WLAN]

Now I'm extending both dumb APs to provide guest Wi-Fi, also sharing the same SSID/WPA PSK. Here the DAP1 shall act as DHCP server also for the guest WLAN clients connected to the DAP2. Guest Wi-Fi on DAP1 is working fine, but I'm struggling to set up the guest Wi-Fi on DAP2.

The ethernet switch I use is basically managed, however I'm using it as a dumb switch right now.

In a second step I would like to use a third WLAN, configured similarly to the guest Wi-Fi especially for my smart home WLAN devices.

Is that basically a good idea? Could you give me any advice, how to configure the DHCP server for the guest Wi-Fi on the second dumb AP?

OneMarkFifty has an excellent video on doing what you want to do using VLANs here
This is how I have set up my home network with separate SSIDs for Guest, IoT and LAN using 2 separate WiFi APs and it works great.


Thanks for this hint. I don't really understand all details, but I should be able to understand it by watching the video several times.
But I think, that the main difference in my case is, that my main router isn't driven by OpenWRT and provides less possibilities in terms of firewall and VLAN. On the other hand it provides some additional services like VoIP, Fax, DECT which cannot be covered fully by an OpenWRT device, at least I don't know how.
Therefore I would like to continue to use the original AVM Firmware on my main router and keep the Guest Wi-Fi and later IoT Wi-Fi transparent for it.
Is this possible that way? Do I need to set up one of the two dumb APs as a router?

Since you have a managed switch, you can set up a guest wifi network on one of the 7362SL units and then connect that to the ethernet. Your second 7362SL will then simply broadcast that same SSID with no other routing -- just as a simple AP.

Have you done the initial guest wifi configuration on one of the devices?

Yes, thanks to your support yesterday.

Great.

What physical port (on the 7362SL) is used to connect that AP to the managed switch?

Just one of the 4 available lan ports, the other 3 are free, so I can use any of them.

Ok... so normally I'd recommend that we use just one port and it all go through your managed switch. But, let's set up two ports for this so that you can connect directly to the other AP in the event that you want to verify the OpenWrt configs before you get to the switch itself.

I'm referencing the configs from here

First thing we're going to do is set up bridge VLANs.

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'
        list ports 'lan2:t'

Next, delete this:

and then edit the lan and guest networks to use br-lan.1 and br-lan.2 as follows:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'dhcp'
        option force_link '1'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

Now, you can reboot this unit and VLAN 1 (the lan) will be untagged on all ports, VLAN 2 will be tagged on ports 1 and 2.

Next, we'll look at your other AP... can you post the config for that, please?

Done
Here is the network config from DAP2, the other config files should be the same as for DAP1


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXX'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'XXX'

config device
	option name 'lan2'
	option macaddr 'XXX'

config device
	option name 'lan3'
	option macaddr 'XXX'

config device
	option name 'lan4'
	option macaddr 'XXX'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option name 'dsl0'
	option macaddr 'XXX'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'

We'll be implementing many of the same configs here:

Add bridge VLANs: This will be slightly different though, because I want to make lan2 on this device untagged for VLAN 2 (the guest network) -- it is a quick way to verify that everything is working (wired) as expected.

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'
        list ports 'lan2:u*'

Delete this:

Edit the lan to use br-lan.1:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'dhcp'

And you'll be making more significant changes to the guest network on this AP. It'll look like this:

config interface 'guest'
	option proto 'none'
	option device 'br-lan.2'

Now, you can restart that device, too.

  • Connect the first AP to the managed switch via port lan1.
  • Disconnect the second AP from the managed switch.
  • Connect the first AP port lan2 to the second AP port lan1.

That should do it... you should be able to do the following:

  • connect to the guest network wifi on either AP.
  • Connect via ethernet to the 2nd AP's port lan2 and get an IP on the guest network.

Once that is all proven to work, you'll want to configure your managed switch to carry VLAN 1 untagged + VLAN 2 tagged on two ports -- one connecting to each of the APs (and you'll unplug the cable that goes directly between the two APs). Each AP will be connected to the managed switch on port lan1.

Done, but facing some problems:

  • as only the first AP was running, I was able to connect to main Wi-Fi but not to the guest Wi-Fi (Android phone, connection couldn't be established)
  • after power on of the second AP I wasn't able to connect to any Wi-Fi on any AP
  • as my longest ethernet cable is about 2m the APs are too close to each other, I cannot properly distinguish, to which I'm connecting, although I used steel plates to cover one of them in order to connect to the other.

Maybe I'll need to spend more effort tomorrow to get a better setup.

Thank you so far, I'll post the results of my tests.

Ok. Maybe you can pause the openwrt stuff and work on configuring your switch.

Unfortunately, the main Wi-Fi doesn't work either, when only the first AP is on (regarding the first "*" of my previous post).

But what needs to be configured on the switch? I thought the configuration using direct connection of the APs should work without any additional configuration? Even without having a managed switch?

Not with tagged (=VLAN) packets. Only the ones you see as "u*" can be processed. Your "dumb switch" might pass them along, but your destination might not know what to do with them.

If you want to use VLANs, at least your traffic endpoints need to be aware of it.

psherman is right in everything he said, but a video on VLANs on OWRT from the same guy, but a more recent one is here

Let's confirm the config of the first AP:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here the config of the first AP:


 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "xRX200 rev 1.2",
        "model": "AVM FRITZ!Box 7362 SL",
        "board_name": "avm,fritz7362sl",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "lantiq/xrx200",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXX'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option tone 'av'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'XXX'

config device
        option name 'lan2'
        option macaddr 'XXX'

config device
        option name 'lan3'
        option macaddr 'XXX'

config device
        option name 'lan4'
        option macaddr 'XXX'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'dhcp'
        option force_link '1'

config device
        option name 'dsl0'
        option macaddr 'XXX'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'
        list ports 'lan2:t'

config interface 'guest'
        option proto 'static.2'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'XXX'
        option encryption 'psk2'
        option key 'XXX'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'XXX'
        option encryption 'psk2'
        option key 'XXX'
        option network 'guest'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'
        option masq '1'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config rule
        option name 'Guest-DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest_DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'Block_guests_from_Lan'
        option src 'guest'
        option dest 'lan'
        option target 'REJECT'
        list proto 'all'
        list dest_ip '192.168.178.0/24'

config rule
        option name 'Allow_lan2guest'
        option src 'lan'
        option dest 'guest'
        option target 'ACCEPT'

There appears to be a typo here that is likely causing the issue:

The proto should just be static and the device should be br-lan.2 -- like this:

config interface 'guest'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
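The two bridge-VLAN configs above (one per AP, with the direct lan2-to-lan1 cable between them) and the proto/device typo just corrected are exactly the kind of thing that is hard to spot by eye in /etc/config/network. The following checker is an added example written for this thread; it is not code from the thread, from OpenWrt or from netifd. It parses UCI text, flags an interface whose proto is not a known value, whose `brX.N` device has no matching bridge-vlan, or whose device is no longer defined (the leftover `br-guest`), and compares both ends of one cable so that a VLAN tagged on one AP but untagged or missing on the other is reported. The sample configs are cut down from those posted in the thread; `VALID_PROTO` is a deliberately small subset of what netifd accepts, and the checker assumes the filtered bridge is called `br-lan` as in this thread.

```python
"""Validate OpenWrt bridge-VLAN configs for the mistakes seen in this thread."""
import re

VALID_PROTO = {"static", "dhcp", "dhcpv6", "none", "pppoe"}  # subset of netifd protos


def parse_uci(text):
    """Parse UCI text into [{type, name, opts}]; 'list' values become lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append({"type": m[1], "name": m[2], "opts": {}})
            continue
        m = re.match(r"^(option|list)\s+(\S+)\s+'(.*)'$", line)
        if m and sections:
            opts = sections[-1]["opts"]
            if m[1] == "option":
                opts[m[2]] = m[3]
            else:
                opts.setdefault(m[2], []).append(m[3])
    return sections


def bridge_vlans(sections):
    """Map (bridge, vlan id) -> {port: 'u' | 'u*' | 't'} from bridge-vlan sections."""
    out = {}
    for s in sections:
        if s["type"] == "bridge-vlan":
            ports = {}
            for entry in s["opts"].get("ports", []):
                port, _, tag = entry.partition(":")
                ports[port] = tag or "u"  # a bare port name means untagged
            out[(s["opts"].get("device"), s["opts"].get("vlan"))] = ports
    return out


def check_interfaces(sections):
    """Problems in 'interface' sections: unknown proto, 'brX.N' without a
    bridge-vlan N, or a device that no 'config device' section defines."""
    vlans = bridge_vlans(sections)
    defined = {"lo"} | {s["opts"].get("name") for s in sections if s["type"] == "device"}
    problems = []
    for s in sections:
        if s["type"] != "interface":
            continue
        name, opts = s["name"], s["opts"]
        if opts.get("proto") not in VALID_PROTO:
            problems.append(f"{name}: unknown proto '{opts.get('proto')}'")
        dev = opts.get("device", "")
        m = re.match(r"^(.+)\.(\d+)$", dev)
        if m and (m[1], m[2]) not in vlans:
            problems.append(f"{name}: device '{dev}' has no bridge-vlan section")
        elif not m and dev not in defined:
            problems.append(f"{name}: device '{dev}' is not defined")
    return problems


def check_trunk(sections_a, sections_b, port_a, port_b):
    """Both ends of one cable (port_a on AP A, port_b on AP B) must carry the
    same VLANs with the same tagging; 'u' and 'u*' count as equal."""
    va, vb = bridge_vlans(sections_a), bridge_vlans(sections_b)
    problems = []
    for vid in sorted({v for _, v in va} | {v for _, v in vb}, key=int):
        ta = va.get(("br-lan", vid), {}).get(port_a)
        tb = vb.get(("br-lan", vid), {}).get(port_b)
        if ta is None or tb is None or ta.rstrip("*") != tb.rstrip("*"):
            problems.append(f"VLAN {vid}: {port_a}={ta} on A, {port_b}={tb} on B")
    return problems


# Constructed sample input, cut down from the AP1 config posted in the thread
# (typo included) and from the AP2 config proposed for the direct-cable test.
AP1_POSTED = """
config interface 'lan'
    option device 'br-lan.1'
    option proto 'dhcp'
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan2:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan2:t'
config interface 'guest'
    option proto 'static.2'
    option device 'br-guest'
"""
AP1_FIXED = AP1_POSTED.replace("'static.2'", "'static'").replace("'br-guest'", "'br-lan.2'")
AP2 = """
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan1:t'
    list ports 'lan2:u*'
config interface 'guest'
    option proto 'none'
    option device 'br-lan.2'
"""
```

On a real device, feed it the full file with `check_interfaces(parse_uci(open("/etc/config/network").read()))`; against AP1_POSTED it reports both the `static.2` proto and the undefined `br-guest`, against AP1_FIXED and AP2 it reports nothing, and `check_trunk(parse_uci(AP1_FIXED), parse_uci(AP2), "lan2", "lan1")` confirms the direct cable carries VLAN 1 untagged and VLAN 2 tagged at both ends. The same trunk check applies later to the two switch ports: each must match what its AP's lan1 expects, which is why a switch left in its default, untagged-only mode breaks the guest VLAN.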

The typo is corrected, same setup as before (APs close to each other, no proper differentiation of the Wi-Fi interfaces), Wi-Fi networks are displayed but cannot be connected (neither AP1 nor AP2).
I didn't make any changes on my managed switch, but at least I got access to the config interface. What exactly shall I change here?