Guest WiFi on dumb AP in mesh configuration

I have been googling a lot on how to make a guest network (where clients cannot access my LAN) on dumb APs.

I managed to make it work on my main router, but I am struggling to make it work on extenders that are connected in a mesh.

The problem is that my primary LAN is on 192.168.1.0/24 and the guest network is on 192.168.2.0/24.

What I need to achieve is that devices connecting to the dumb APs (extenders) on the guest wifi get an IP address from the 192.168.2.0/24 range from the main DHCP server.

I am looking for an elegant solution to this. Making the dumb APs smart by installing a DHCP server and firewall on them seems sub-optimal to me, and I am not sure it would even work in a mesh (without wired backhaul).

Is there a way to forward DHCP requests from the guest wifi over the mesh connection to the main router and propagate the DHCP replies back?

Some time ago I had a Batman Adv mesh running the fifth version of the protocol, with four Xiaomi AX3200 and one AX53U as a print server. The advantage of batman is that you can easily create multiple networks that are carried over the wired/wireless mesh, whereas other mesh solutions require tunnels, etc.; besides, it works as one extensive switch. The backbone was on 5GHz and the access networks on 2.4GHz (each AP had the full wpad-openssl installed). You can also connect the mesh nodes with twisted pair or fiber, but then you have to change the configuration a bit.

# Install batman-adv on an OpenWrt node; both the gateway and the "dumb AP"
# configurations below use proto 'batadv', so run this on each mesh node.
opkg update
# Install batctl-full first: if kmod-batman-adv is installed on its own,
# dependency resolution may pull in a stripped-down batctl instead of the
# full one.
opkg install batctl-full   
opkg install kmod-batman-adv

/etc/config/network (on gateway node):

# /etc/config/network -- gateway node.
# Each network (lan / iot / guest) has its own bridge, and each bridge contains
# exactly one batman-adv VLAN interface (bat0.3 / bat0.5 / bat0.7). The dumb AP
# nodes bridge the same VLAN ids, so clients attached there sit in this node's
# subnets at layer 2 and can be served by this node's DHCP/firewall
# (dhcp/firewall config not shown in this post).
#
# NOTE(review): the bridge devices set ipv6 '0' while the interfaces keep
# ip6assign '60'; confirm which of the two is intended.

# LAN: wired ports lan2-lan4 plus the mesh VLAN 3.
config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        option igmp_snooping '1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'bat0.3'

# IoT: reachable only over the mesh (VLAN 5), no wired port on this node.
config device
        option name 'br-iot'
        option type 'bridge'
        option ipv6 '0'
        option igmp_snooping '1'
        list ports 'bat0.5'

# Guest: reachable only over the mesh (VLAN 7). No physical port of the
# gateway is a member, so guest traffic can enter this node only via bat0.7.
config device
        option name 'br-guest'
        option type 'bridge'
        option ipv6 '0'
        option igmp_snooping '1'
        list ports 'bat0.7'

# The gateway owns the .1 address of every subnet; the dumb APs only have an
# address on 'lan' (see their config further down) and point at 192.168.3.1.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'iot'
        option device 'br-iot'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# Having guest as a separate interface is what lets it be placed in its own
# firewall zone on this node (Input/Forward Reject, DHCP and DNS allowed).
config interface 'guest'
        option device 'br-guest'
        option proto 'static'
        option ipaddr '192.168.7.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

# batman-adv soft interface. The dumb APs use the same block except for
# gw_mode 'client'.
config interface 'bat0'
        option proto 'batadv'
        option routing_algo 'BATMAN_V'
        option aggregated_ogms '1'
        # Default for all VLANs; overridden per VLAN below (guest stays isolated,
        # lan/iot are not).
        option ap_isolation '1'
        option bonding '0'
        # Bridge loop avoidance: bat0 VLANs are bridged together with wired
        # ports on more than one node, so loops via the wired side are possible.
        option bridge_loop_avoidance '1'
        option distributed_arp_table '1'
        # This node is the mesh gateway; batman-adv gateway mode steers DHCP
        # traffic from 'client' nodes towards the selected 'server' node
        # (presumably what delivers remote guest DHCP requests here -- check
        # with `batctl gwl` on a dumb AP).
        option gw_mode 'server'
        option gw_bandwidth '100000/25000'
        option hop_penalty '30'
        # Zero value and zero mask: fwmark-based isolation is effectively unused.
        option isolation_mark '0x00000000/0x00000000'
        option log_level '0'
        option multicast_mode '1'
        option multicast_fanout '16'
        option network_coding '0'
        option delegate '0'
        option orig_interval '60000'
        option fragmentation '1'

# Per-VLAN override of ap_isolation ("node isolation"): guest clients on
# different nodes are kept from talking to each other across the mesh, while
# lan and iot clients may. This complements 'isolate 1' on the guest
# wifi-iface, which covers clients on the same AP.

config interface 'bat0_lan'
        option proto 'batadv_vlan'
        option ifname 'bat0.3'
        option ap_isolation '0'

config interface 'bat0_iot'
        option proto 'batadv_vlan'
        option ifname 'bat0.5'
        option ap_isolation '0'

config interface 'bat0_guest'
        option proto 'batadv_vlan'
        option ifname 'bat0.7'
        option ap_isolation '1'

# The only batman "hard interface" here is the 5 GHz 802.11s link defined in
# /etc/config/wireless (network 'mesh5g'). A wired backhaul would be added as
# another batadv_hardif.
config interface 'mesh5g'
        option proto 'batadv_hardif'
        option master 'bat0'
        option mtu '2304'

/etc/config/network (on "dumb AP" node):

# /etc/config/network -- "dumb AP" node.
# Same three bridges and the same batman VLAN ids as the gateway, so each
# bridge here is a layer-2 extension of the corresponding gateway bridge.
# Only 'lan' carries an IP address (management); 'iot' and 'guest' are pure
# bridges with proto 'none'.

config device
        option name 'br-lan'
        option type 'bridge'
        option igmp_snooping '1'
        option ipv6 '0'
        list ports 'bat0.3'

config device
        option name 'br-iot'
        option type 'bridge'
        option igmp_snooping '1'
        option ipv6 '0'
        list ports 'bat0.5'

# wan and lan ports can be freely assigned to each network; in this case all
# physical ports are assigned to the guest network.
# Security note: because wan and lan1-lan3 are all members of br-guest,
# anything plugged into this AP's wired ports lands on the guest network, not
# on the LAN. Intentional here, but keep it in mind when cabling.

config device
        option name 'br-guest'
        option type 'bridge'
        option igmp_snooping '1'
        option ipv6 '0'
        list ports 'wan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'bat0.7'

# Management address on the LAN VLAN; gateway and DNS are the gateway node's
# lan address (192.168.3.1).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.5'
        option netmask '255.255.255.0'
        option gateway '192.168.3.1'
        option dns '192.168.3.1'
        option ip6assign '60'

# Because it is a "dumb AP", the iot and guest networks are connected to the
# main router only via a bridge and do not need IP addresses.

config interface 'iot'
        option device 'br-iot'
        option proto 'none'

config interface 'guest'
        option device 'br-guest'
        option proto 'none'

# Identical to the gateway's bat0 block except for gw_mode.
config interface 'bat0'
        option proto 'batadv'
        option routing_algo 'BATMAN_V'
        option aggregated_ogms '1'
        option ap_isolation '1'
        option bonding '0'
        option bridge_loop_avoidance '1'
        option distributed_arp_table '1'
        option fragmentation '1'
        # Gateway client: this node selects a gw_mode 'server' node (the
        # gateway above). With batman-adv gateway mode, DHCP traffic from
        # clients attached here is steered to that gateway -- presumably the
        # mechanism that answers the original question; verify with `batctl gwl`.
        option gw_mode 'client'
        option hop_penalty '30'
        option isolation_mark '0x00000000/0x00000000'
        option log_level '0'
        option multicast_mode '1'
        option multicast_fanout '16'
        option network_coding '0'
        option orig_interval '60000'

# Per-VLAN override of ap_isolation ("node isolation"); must match the
# gateway: guest isolated, lan and iot not.

config interface 'bat0_lan'
        option proto 'batadv_vlan'
        option ifname 'bat0.3'
        option ap_isolation '0'

config interface 'bat0_iot'
        option proto 'batadv_vlan'
        option ifname 'bat0.5'
        option ap_isolation '0'

config interface 'bat0_guest'
        option proto 'batadv_vlan'
        option ifname 'bat0.7'
        option ap_isolation '1'

# 5 GHz 802.11s link (network 'mesh5g' in /etc/config/wireless) as the only
# batman hard interface.
config interface 'mesh5g'
        option proto 'batadv_hardif'
        option master 'bat0'
        option mtu '2304'

/etc/config/wireless (dumb AP node):

# /etc/config/wireless -- dumb AP node.
# Access networks on 2.4 GHz (radio2g, wifi-device block not shown), backhaul
# on 5 GHz (radio5g). All 'key' values are placeholders to be replaced.

# IoT SSID, attached to br-iot (mesh VLAN 5).
config wifi-iface 'radio2g_iot'
        option device 'radio2g'
        option network 'iot'
        option mode 'ap'
        option ssid 'iot'
        option encryption 'psk2'
        option key 'iot password'
        # Hidden SSID is not a security control on its own (clients still probe
        # for it); the isolation comes from the VLAN and the firewall.
        option hidden '1'
        option disassoc_low_ack '1'
        # Disables EAPOL key retries (a KRACK hardening); may cause problems
        # with some clients.
        option wpa_disable_eapol_key_retries '1'
        # Forbid direct client-to-client TDLS links, in line with the
        # isolation goal.
        option tdls_prohibit '1'
        # 802.11w management frame protection, optional (1); '2' would make it
        # mandatory but may lock out older clients.
        option ieee80211w '1'
        option ieee80211w_max_timeout '500'
        option ieee80211w_retry_timeout '100'
        # 802.11r fast roaming between APs sharing this SSID/key;
        # ft_psk_generate_local derives the FT keys from the PSK locally so no
        # key distribution between APs is needed.
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option reassociation_deadline '20000'
        option ieee80211k '1'
        option disabled '0'

# Guest SSID, attached to br-guest (mesh VLAN 7).
# NOTE(review): unlike the iot SSID this one sets no ieee80211w; consider
# `option ieee80211w '1'` here for parity.
config wifi-iface 'radio2g_guest'
        option device 'radio2g'
        option network 'guest'
        option mode 'ap'
        option ssid 'guest'
        option encryption 'psk2'
        option key 'guest password'
        # Client isolation on this AP (no client-to-client traffic through the
        # AP); batman's ap_isolation on bat0.7 covers clients on other nodes.
        option isolate '1'
        option disassoc_low_ack '1'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option reassociation_deadline '20000'
        option ieee80211k '1'
        option disabled '0'

# 5 GHz radio used for the backhaul. 'path' is board-specific (this one is
# the author's); take it from the node's own generated config.
config wifi-device 'radio5g'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option country 'PL'
        option disabled '0'

# 802.11s mesh point feeding the batadv_hardif 'mesh5g'.
config wifi-iface 'radio5g_mesh'
        option device 'radio5g'
        option network 'mesh5g'
        option mode 'mesh'
        option mesh_id 'MyMesh'
        # SAE-encrypted mesh; needs the full wpad build (wpad-openssl in the
        # author's setup) rather than wpad-basic.
        option encryption 'sae'
        option key 'mesh password'
        # 802.11s internal forwarding off: batman-adv does the routing over
        # this link instead.
        option mesh_fwding '0'
        option mesh_ttl '1'
        # Multicast rate in kbit/s (24 Mbit/s).
        option mcast_rate '24000'

In my case each interface has its own bridge, but you can use one bridge with vlan_filtering and split it as you like (it depends on the hardware used: switch vs DSA). At first I tried to connect MT7622 and IPQ40xx nodes, but the backbone transfer in one direction was in kbps. I don't know if this has been fixed in the current releases of OpenWrt because I used it a year ago — preferably a mesh should be composed of hardware with the same chipset, or at least from the same family of chipsets.

On the gateway node's firewall you create a guest zone with Input and Forward set to Reject and Output to Accept, and then add rules that allow only DHCP (ports 67-68) and DNS (port 53) from the guest zone to the router itself (plus a zone forwarding from guest to wan if guest clients need internet access).


In the end I just created another mesh backhaul network and it works great. So now I have 2 meshes: one with 192.168.1.X and the second with 192.168.2.X addressing. Guest SSIDs are then connected to the second mesh through the br-guest interface.
Simple enough for me :slight_smile:

Would this video of the great onemarcfifty help you?