How to create a second access point with WireGuard

Good day.
I have a Model TP-Link TL-WR840N v4 router on Architecture MediaTek MT7628AN ver:1 eco:2 with OpenWrt 23.05.0-rc2 r23228-cd17d8df2a
I also have WireGuard VPN and Policy Based Routing installed. Using PBR, I configured the WireGuard interface only on some wireless devices. And I already wrote on the forum that there are problems with the Internet on these devices. Namely, Internet access may suddenly disappear and not return until you restart the router, while the Internet works on wired devices. They are not covered by the WireGuard interface.

I already created a topic in an attempt to find the reason but it didn't lead to anything. Now I am writing for a slightly different reason. My router has two antennas. Can I create two separate Wi-FI access points with the difference that one access point would go through WireGuard, and the second would provide Internet access directly.

If this can be done, then write instructions. Preferably via LuCI

  1. Create a new interface, like lan1 or whatever name you prefer. Set up DHCP and whatnot.
  2. You probably already a vpn zone in the firewall, just like the default lan to wan masquerade forwarding, make a new forwarding lan1 to vpn zone.
  3. Create new SSID, select the network to be lan1.
1 Like

I wrote that I use Policy Based Routing. I didn't do anything in the firewall and I don't know how

So I made a new interface

Summary



Made a second access point

Summary


And I configured the firewall as best I could.

Summary

What to do next? How to bind WireGuard to a new access point?

But as? I don't see in PBR how to filter devices by connection point. I used to filter by IP.

Now he spoke in code. Is it possible to use understandable language?

What part of the commands posted is unclear?

You asked:

That information was provided. So we can better assist, what part is not understandable?

You don't need to be rude if you don't understand. Those are the commands to execute after you SSH into your router.

1 Like

well, for example
uci set pbr.@policy[-1].src_addr="192.168.2.0/24"
What does this command mean? Where did you get 192.168.2.0 from? How does this relate to the new access point? I don't understand

1 Like

As I understand it, no one is able to write adequate, understandable instructions?

Well, if you want to be rude:

That wasn't me, you need to up your comprehension skills to see who's posting what.

Yes, we are posting this because we want to, not because we're obligated to. The entire project exists because someone wanted it to, not because someone paid him to, or because he's selling this product or service. Someone worked on it, he shared it because he wanted to, not because you're entitled to it. You asking for explaining what a command does is entirely understandable and reasonable, your demand is not. Good luck getting your answers.

Maybe next time you should try purchasing a product and then be entitled to be rude because you're not getting the product or service you actually paid for. And just to be clear: even in that case you'd be a dick to be rude, not to mention in a volunteer user support forum.

2 Likes

I have not seen your other thread, so I dont know, if you had scanned the logs already for OOM.
But since its only 64MB RAM, an issue with low RAM would be my first guess. If a component for Wifi crashes due to OOM, LAN might still work meanwhile.

You give me no other choice

I have a TP-Link TL-WR840N v4 router
Firmware Version OpenWrt 23.05.0-rc2 r23228-cd17d8df2a / LuCI openwrt-23.05 branch git-23.118.79121-6fb185f
WireGuard VPN is also configured. Each network device is assigned a specific internal IP address via a MAC address.
Using Policy Based Routing, I pass some wireless devices through WireGuard by their IP address. But sometimes these wireless devices lose access to the Internet, and I even lose access to the router page. This error does not apply to a wired device that connects directly to the Internet without a VPN. The only solution I found was to restart the router manually.

But for the test I want to try a different option. Create two different wireless access points on one router. One access point will connect to the Internet directly, and the second through WireGuard. As far as I understand, Policy Based Routing will have to be disabled for this.

I created a second access point

Screenshots


I created a new interface

Screenshots







Now both access points are working and both are connected to the Internet. But how to connect WireGuard to the second access point?

The two interfaces need to have different IP ranges. For example 192.168.1.1/24 and 192.168.2.1/24. Note that 24 in CIDR notation is the same as netmask 255.255.255.0, meaning every IP with the first three numbers matching (but different last number) is in the same network.

This is the same as setting up a guest network. Create a new different interface, new different bridge, and separate DHCP service. The firewall instructions for a guest network can be omitted if you don't care to have a firewall isolating the two networks. In that case place the new network in the existing lan firewall zone.

Then use PBR with the rule based on source interface instead of source IP.

Made

Summary

Where in the PBR are there rules like this? I don't see anything other than addresses.

Summary

How can you do without PBR? It seems to me that my router is too weak for all this. And if there is an opportunity to make the router's work easier, I would like to take advantage of this opportunity...

You can manually create IP Routes and IP Rules without installing the PBR package. I'll provide the Wiki links, if you have questions, just feel free to ask.

Per the Wiki, an IP Rule based on SRC interface needs:

option in '<interface_name>'

I don't understand console commands at all. What does this team do? Where and how can I then check that the command was applied? How can I change or cancel this command? Check everything through the console? I can't

What team ?

You don't get a team, you get a bunch of volunteers, since you didn't pay the maintenance fee.

1 Like

What is this then? option in '<interface_name>'

Where such confidence?

If you can't answer, don't clutter up the thread.