Guest WiFi Across 2 APs

Hi,

My network consists of 2 EA8300s running 22.03.2.
The 1st one has DHCP server enabled on the LAN interface and the 2nd device has DHCP server disabled on the LAN interface and it is cabled in using one of its LAN ports.

I have followed the guide here and successfully have this running on my 1st router:

When I connect to the guest network on the 2nd device I am not able to get an IP.

Can anyone point me in the right direction please?

Thx

Edit: I have confirmed that the DHCP server for the guest interface is enabled on both devices.

Is your second EA8300 set up as a Dumb AP?

I use the identical hardware in my network. For the Main Router I don't have wifi enabled, but I do on two more EA8300s, each set up as Dumb APs, and it works fine. Make sure the wireless on the second EA8300 is set to use different channels than on your router.

Your primary router should be the only one doing any routing and DHCP services. Your secondary router should only be a dumb AP for both networks.

You'll need to link them together using VLANs.

Let's start by looking at your main router's config... and also, please specify what physical port connects to the secondary router.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for your reply.
Yeah, so it's not a DHCP server or anything.
I've got a normal network working, but not for guest Wi-Fi. Are you saying you have it working for guest Wi-Fi?
With regards to channels, I actually have the guest Wi-Fi disabled on my primary just to rule out any issues.

Thanks for your reply.
The secondary goes to a dumb hub first and that connects to port 4 on the primary, will that be an issue?

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd29:6f6f:678d::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.0.1'
        option delegate '0'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'
        option type 'bridge'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config device
        option name 'wlan1'
        option ipv6 '0'
        option multicast '0'

config device
        option name 'eth0'
        option ipv6 '0'
        option multicast '0'

config device
        option name 'wlan0'
        option ipv6 '0'
        option multicast '0'

config device
        option name 'wlan2'
        option ipv6 '0'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option country 'GB'
        option htmode 'VHT80'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key ''
        option ieee80211r '1'
        option mobility_domain ''
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option wpa_disable_eapol_key_retries '1'
        option ssid 'Homewifi'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key ''
        option ssid 'Homewifi'
        option ieee80211r '1'
        option mobility_domain ''
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option htmode 'VHT80'
        option country 'GB'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option key ''
        option mode 'ap'
        option encryption 'psk2'
        option ieee80211r '1'
        option mobility_domain ''
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option wpa_disable_eapol_key_retries '1'
        option reassociation_deadline '20000'
        option ssid 'Homewifi'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Wifiguest'
        option encryption 'psk2'
        option isolate '1'
        option key ''
        option ieee80211r '1'
        option mobility_domain ''
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option wpa_disable_eapol_key_retries '1'
        option network 'guest'
        option disabled '1'

config wifi-iface 'wifinet5'
        option device 'radio2'
        option mode 'ap'
        option ssid 'Wifiguest'
        option encryption 'psk2'
        option key ''
        option wpa_disable_eapol_key_retries '1'
        option ieee80211r '1'
        option mobility_domain ''
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'guest'
        option isolate '1'
        option disabled '1'

config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option isolate '1'
        option ssid 'Wifiguest'
        option key ''
        option encryption 'psk2'
        option ieee80211r '1'
        option mobility_domain ''
        option reassociation_deadline '20000'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option wpa_disable_eapol_key_retries '1'
        option disabled '1'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option ednspacket_max '1232'
        option local '/Home.local/'
        option domain 'Home.local'
        option logqueries '1'
        option localservice '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'
        list dhcp_option '44,10.0.0.1'
        option limit '75'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Router2'
        option dns '1'
        option mac ''
        option ip '10.0.0.2'

config domain
        option name 'Home'
        option ip '10.0.0.1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'
        option netmask '255.255.255.0'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Block DNS Going Out'
        option src 'lan'
        option dest 'wan'
        option dest_port '53'
        option target 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option proto 'udp'
        option dest_port '137-138'
        option target 'ACCEPT'
        option src 'lan'

config rule
        option proto 'tcp'
        option dest_port '139'
        option target 'ACCEPT'
        option src 'lan'

config rule
        option proto 'tcp'
        option dest_port '445'
        option target 'ACCEPT'
        option src 'lan'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

Yes. It will. If there is going to be a switch between these two devices, it should be a managed one. Unmanaged switches are not designed for VLANs and the behavior is undefined. It may cause major issues or other frustrations.

1 Like

The overall concept here is that VLANs make it possible to securely and separately transport multiple networks (such as lan and guest) over the same Ethernet cable. Thus the second AP is "dumb" as far as guests are concerned and will merely bridge any of their wifi activity over to an Ethernet VLAN so the first router can incorporate it into the existing guest network.

The Ethernet system in the EA8300's chipset (IPQ4019) did not work well with VLANs under OpenWrt until very recently. If you intend to run Ethernet VLANs, it is seriously suggested to use a snapshot build rather than 22.03 or earlier. The next release should include the better VLAN support.

I've found it simpler and potentially better performance to locally route all guests. That is, the second router will have a similar configuration to the first and allow guests to reach the Internet (by routing from their network into the lan network) but firewall them out of any lan resources. The downside of this is that guests can't fast roam between the two routers. In a lot of use cases this is not an issue as the guests are in relatively stationary locations.

2 Likes
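An added example, not code from any poster or from OpenWrt: a small audit of `/etc/config/firewall` text that checks the main-router layout posted earlier in the thread, where the guest zone rejects input and forward and forwards only to wan. The function names are hypothetical and the sample text is constructed from the posted guest zone.

```python
import shlex

def parse_uci(text):
    """Parse UCI text into a list of (section_type, options) pairs."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and sections and tok[0] == "option":
            sections[-1][1][tok[1]] = tok[2]
        elif len(tok) >= 3 and sections and tok[0] == "list":
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit_guest(text, guest="guest", lan="lan"):
    """Return findings where the guest zone is not isolated from lan."""
    findings, zone_seen = [], False
    for stype, opt in parse_uci(text):
        if stype == "zone" and opt.get("name") == guest:
            zone_seen = True
            # A missing option inherits the defaults section, so flag it too.
            for chain in ("input", "forward"):
                if opt.get(chain, "").upper() not in ("REJECT", "DROP"):
                    findings.append(f"zone {guest}: {chain} is not REJECT/DROP")
        elif stype == "forwarding" and opt.get("src") == guest and opt.get("dest") == lan:
            findings.append(f"forwarding {guest} -> {lan}")
        elif (stype == "rule" and opt.get("src") == guest
              and opt.get("dest") in (lan, "*")
              and opt.get("target", "").upper() == "ACCEPT"):
            findings.append(f"rule '{opt.get('name', '?')}' accepts {guest} -> {opt['dest']}")
    if not zone_seen:
        findings.append(f"no zone named {guest}")
    return findings

# Constructed sample based on the guest zone posted in this thread.
GOOD = """
config zone 'guest'
    option name 'guest'
    option network 'guest'
    option input 'REJECT'
    option forward 'REJECT'
config forwarding 'guest_wan'
    option src 'guest'
    option dest 'wan'
"""
# Constructed weak variant: open input plus a guest -> lan forwarding.
BAD = GOOD.replace("option input 'REJECT'", "option input 'ACCEPT'") + \
    "config forwarding\n    option src 'guest'\n    option dest 'lan'\n"

if __name__ == "__main__":
    print(audit_guest(GOOD), audit_guest(BAD))
```
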

I run my network with the same hardware but without using VLANs. That way I'm able to use fast roaming. I use a firewall rule on my Dumb APs that blocks the Guest interface running only on the Dumb APs from accessing my Lan interface. I've been using this setup for a couple of years with no hassle.

Edit: I should say I'm not using VLANs because 1) I don't have any managed switches 2) My network is extended throughout my home using multiple MOCA adapters and I'm not sure how that would affect VLANs.

I see, thanks, yes that makes sense now that you've said that. :rofl:
I've got some MOCA adaptors I can use, would that work?

Thanks, will bear in mind the version and upgrade if need be. :smile:

Thanks for the info, do you have any guidance on how to set up the firewall in this manner, or maybe share the rule if possible please? :grinning:

I used these two OpenWrt Wiki articles to set up my current network:

and

1 Like

Some MoCA adapters can pass VLANs properly, others may not -- just like switches. Some MoCA adapters explicitly support VLANs, others may not call it out as a feature but may handle tagged networks without issue. There may be some that do not handle them properly and could cause network issues. So it all depends on the specific devices you are using.

Are both of your routers OpenWrt? The guest network should be set up on the main router (not the dumb AP), and then the dumb AP should be set to handle both networks.

1 Like

Just to be very clear for future learners here, VLANs and fast roaming are two mutually exclusive topics. VLANs will neither explicitly help nor hurt 802.11r (aka "fast roaming" or "fast transition"). In the same way, 802.11r will not explicitly enable nor prevent VLAN usage.

The two can very much co-exist in the same environment, very effectively at that, with the proper configuration.

Thanks, is there any way to test how well they work, or just simply try and set them up with VLANs and see if they work?

Also, if it's not too much trouble, do you either know of a guide for a guest Wi-Fi and VLAN setup on OpenWrt or are you able to bullet-point the steps for me? I did have a look, but couldn't find much that looked correct, maybe I am tired. :smile:

Thanks again.

3 Likes