Help on setting up a Linksys WRT3200ACM to run as a bridge

Hello all, I am new here. I'm trying to set up an old Linksys WRT3200ACM to use as a bridge to a wireless network where I'm currently staying. Here is a list of what I'm trying to do.

  1. Connect to wireless network "campus wifi" "passwd" (network is on 2.4GHz)
  2. Keep full access to my router including any drives plugged into USB ports
  3. Have a local-to-me network where all devices have access to the internet via the bridge, while administrators of said network cannot see any of my devices.
  4. Be able to change the default internal address to something like 10.67.25.1 and not lose access to the router and have to re-flash it to get it back working.
  5. Be able to set up and use personal wifi networks on both 2.4 and 5 GHz bands.

I have loaded the router with the latest released version of OpenWRT for the unit. I know people are going to ask for different information from certain config files so here they are.

etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc5:b767:76ea::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr '62:38:e0:c7:4a:e0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

etc/config/wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option macaddr '60:38:e0:c7:4a:e2'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option macaddr '60:38:e0:c7:4a:e1'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option channel '34'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

I apologize for this being a long post, but I wanted to hopefully have enough information here so that those who will be helping me get this done have the information that they need.

This means that you want to route, not bridge. The campus will only be a link to the Internet, much like a cable modem would be. Like with cable, the default firewall blocks all attempts to initiate a connection to your network from the Internet side. The default settings are in place for this. You only need to remove the wired port "wan" from the wan interface and use wifi instead.

So remove the option device 'wan' from the config interface 'wan' block, leaving it just proto dhcp but without any device (yet). Then remove the default_radio1 block and replace with:

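config wifi-iface 'wanlink'
    # a wifi-iface must name its radio; radio1 is the 2.4 GHz radio this block replaces
    option device 'radio1'
    option network 'wan'
    option mode 'sta'
    option ssid '<network name>'
    option key '<preshared key>'
    option encryption 'psk2'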

If the campus uses EAP authentication (you have to provide a username and password, not just a password) you'll have to replace the package wpad-basic-wolfssl with the more full-featured wpad-wolfssl. This requires a temporary connection to the Internet. A simple way to do this at a campus is to use the hotspot in your smartphone, with the settings above matching your phone.

After upgrading, configure for Enterprise authentication:

    option encryption 'wpa2'
    option identity '<your username>'
    option password '<your password>'
    option eap_type 'PEAP'
    option auth 'MSCHAPV2'
    option ca_cert '/etc/ssl/cert.pem'

Nearly every campus uses PEAP + MSCHAPV2 since that is about the only method that Windows machines support. The ca_cert line will check the network's certificate against a list of public root level CAs. Most campuses have a certificate signed against one of them. If the IT department supplies a different CA certificate, import it into the router filesystem and use it. Checking the CA certificate is optional, but not doing so is a big security risk.
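
Added example, not part of the reply above and not OpenWrt's own tooling: a small shell/awk check that reads a wireless config and flags an Enterprise client link with no ca_cert, plus any access point still on the default open setting shown in the original post. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags risky wifi-iface sections in an
# OpenWrt wireless config. Usage: audit_wireless /etc/config/wireless
audit_wireless() {
    awk -v q="'" '
    function unquote(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    function report() {
        if (sec == "") return
        # Enterprise client that never validates the network certificate
        if (mode == "sta" && (enc ~ /^wpa/ || eap != "") && ca == "")
            print sec ": EAP client without ca_cert"
        # Access point with no encryption (the stock default on this page)
        if (mode == "ap" && (enc == "" || enc == "none"))
            print sec ": open access point"
    }
    $1 == "config" {
        report(); sec = mode = enc = eap = ca = ""
        if ($2 == "wifi-iface") sec = ($3 != "" ? unquote($3) : "(anonymous)")
        next
    }
    $1 == "option" && sec != "" {
        if ($2 == "mode") mode = unquote($3)
        else if ($2 == "encryption") enc = unquote($3)
        else if ($2 == "eap_type") eap = unquote($3)
        else if ($2 == "ca_cert") ca = unquote($3)
    }
    END { report() }
    ' "${1:--}"
}

# Constructed sample: the Enterprise settings from the reply with ca_cert
# left out, followed by one default open AP block from the original post.
sample_config() {
    cat <<'EOF'
config wifi-iface 'wanlink'
    option device 'radio1'
    option network 'wan'
    option mode 'sta'
    option encryption 'wpa2'
    option eap_type 'PEAP'
    option auth 'MSCHAPV2'

config wifi-iface 'default_radio0'
    option mode 'ap'
    option encryption 'none'
EOF
}
```

Run `sample_config | audit_wireless` to see both findings; a section that carries `option ca_cert`, or a plain psk2 client, produces no output.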

Which file is this being edited in, network or wireless? I also want to use that same radio to broadcast a 'private' wifi. Would that be possible?

This wifi network only provides internet access through their own content filtering system. The campus only provides housing and is one of many the organization has around town.