How to create a wireless subnet with a TL-WR902AC (v3)?

My goal is to create a subnet using a TL-WR902AC that can use a Pi-hole device as DNS. The ISP router doesn't allow changing the DNS.

The goal would be something like this:
A WiFi access point that does DHCP on the 192.168.2.X network, assigns 192.168.1.5 as the DNS and gives access to the internet. The devices on the 192.168.2.X network should be able to access devices on the 192.168.1.X network.

With the default TP-Link software, I couldn't enable routing between the wired network (192.168.1.X) and the wireless network (192.168.2.X).

So after some research, I found out that it is possible to use OpenWrt with this device and I successfully installed it. However, I'm very lost in the amount of settings available and already borked the config twice.

Now I'm starting again with the default OpenWrt settings.
I have three devices:

  • br-lan: bridge
  • eth0: Network device
  • eth0.1: VLAN

I'm confused about what I should configure next.

I'm guessing I should have another interface that acts as a DHCP server with the 192.168.2.X network, but what device should it be associated with? Also, the current LAN interface that contains br-lan should probably be configured as WAN? How do I configure the wireless devices for such a thing?

configure wifi.
change the device's LAN side IP to 192.168.2.1, and reboot.

connected via wifi, double check you get a 192.168.2.x IP.
reassign the ethernet port to the WAN firewall zone.

if working, use the 6 option, to point your clients to the IP of the Pi, via the DHCP.

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options

I did the following:

  • Set up wifi, network is lan (composed of br-lan with eth0.1 bridged)
  • Changed the lan interface's device to phy1-ap0 and ip 192.168.2.1
  • Added a new interface Ethernet with device eth0.1 (eth0 wouldn't work for some reason) as DHCP client, and WAN firewall zone.

So now the interface is accessible from my phone via wifi, I got internet access on my phone, and both interfaces have their IPs.

However, I'm not able to connect to the OpenWrt interface from my ISP network. Navigating to the IP assigned to the Ethernet interface doesn't work.

that's expected, the ethernet port is now considered to be internet, no incoming connections will be allowed.

you need to punch a hole in the 902's firewall.

I'm not familiar with firewall hole punching. What does it mean?

to allow traffic coming from "internet" (your 192.168.1.x subnet) to access the router, or devices behind it.

OK. So I should modify the WAN firewall rule of the 902 to accept input traffic?

create rather, but yes.

This is what I have now:


I just changed the second rule input to accept.

yeah, if you don't want to restrict it, then I guess it's fine.

Well, ideally, it would probably be better to restrict the access to 192.168.1.X devices, I guess? So I should leave the second rule to reject and create a new one with WAN -> LAN and with a covered subnet 192.168.1.0/24?

you can restrict the client access to the 192.168.1 subnet, but at least the router needs to have permission to query the Pi, but then the 6 switch posted previously won't work, because it tells the clients to query the Pi directly.

OK, sorry, I'm not sure if I understood correctly. Should I leave it like I did (is that a potential security threat?), or should I do something else, and in that case what would it be?

The only reason that I want this is for the convenience of being able to access the 902's settings from my computer connected to the 192.168.1.X network.

the 902 isn't exposed to internet, and if you have no reason for keeping the .2. subnet devices separated from the ones in the .1. subnet, you can leave it as it is.

1 Like

Thank you very much for your help!

1 Like
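
The restricted variant raised in the thread (leave the WAN zone's input at reject and admit only the 192.168.1.0/24 subnet to the router itself), together with DHCP option 6 pointing clients at the Pi-hole, written out as OpenWrt config fragments. This is an added example, not part of the original posts. It assumes the web interface listens on TCP 80/443, that the DHCP pool is the default `lan` section, and the rule name is made up.

```uci
# /etc/config/firewall (fragment)
# The wan zone keeps "option input 'REJECT'"; this rule is the only opening.

config rule
	# Hypothetical rule name.
	option name 'Allow-WebUI-from-ISP-LAN'
	# Zone the Ethernet (eth0.1) interface was assigned to.
	option src 'wan'
	# Only hosts on the ISP router's subnet may match.
	option src_ip '192.168.1.0/24'
	option proto 'tcp'
	# Assumed web interface ports.
	option dest_port '80 443'
	# No 'dest' option, so this applies to traffic addressed to the router itself.
	option target 'ACCEPT'

# /etc/config/dhcp (fragment)
# Add the list line to the existing 'lan' pool; its other options stay unchanged.

config dhcp 'lan'
	option interface 'lan'
	# DHCP option 6 (DNS server): hand out the Pi-hole address to wifi clients.
	list dhcp_option '6,192.168.1.5'
```

After editing, reload with `/etc/init.d/firewall restart` and `/etc/init.d/dnsmasq restart`; clients pick up the new DNS server on their next DHCP lease.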
