I have a TP-Link RE200 wifi repeater that I would like to use as a WAP for guests, but I am having a hard time figuring out how to configure it to work as I want. I have a Linksys WRT1900ACS (running OpenWRT of course) as my main router, on the standard 192.168.1.x subnet. I want the RE200's ethernet port to act as a WAN port, and the wifi network transmitted by the RE200 to run its own DHCP on a different subnet, thereby isolating the whole AP from my main network. How would I go about doing this? Any help would be appreciated.
You'll set up the device as a standard router.
Since there is only a single ethernet port on the device, you need to follow this configuration sequence:
- Enable wifi with the desired SSID + encryption type + passphrase and the appropriate country code.
- Connect to the router via wifi and unplug the ethernet cable.
- Remove eth0 from br-lan.
- Create a new interface like this:
  config interface 'wan'
      option device 'eth0'
      option proto 'dhcp'
- Change the lan IP of your RE200 so that the subnet doesn't overlap the upstream network (for example, 192.168.5.1).
- Connect the ethernet cable between the upstream (WRT1900ACS) and the ethernet port on the RE200.
The double NAT will not protect your network; you will need to make an isolated guest VLAN that is piped to the RE200 on the main router.
@brada4 is mostly correct, and my apologies for not considering the upstream. However, this can be done in 2 ways.
- Create a separate subnet on your main router to use as a guest network. This can be isolated using the firewall, and you'll ideally dedicate one port specifically to the guest network to connect to the RE200. The RE200 at that point would just be used as a basic bridged AP. This is actually probably the best option as everything is routed and firewalled in one place.
or
- If you go with routing on the RE200 (my earlier post), you can create a firewall rule on the RE200 that prevents access to the upstream network.
I'd recommend the first option, as @brada4 was referencing.
Thanks for your advice, both @brada4 and @psherman. Since I don't have any available ports on my main router and have to have the RE200 placed in another part of my apartment, I had to go for the first option.
It worked, and I am typing this now through the internet connection on the guest wifi. I do however still have access to devices on my main network, so I will have to create a firewall rule to prevent access to the upstream network, like you suggested. If you would be able to point me in the right direction on how I would go about doing that, it would be very much appreciated.
The rule is pretty simple -- on the RE200:
- source zone: lan
- destination zone: wan
- destination IP: 192.168.1.0/24
- protocol: all
- target: reject
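The same rule written as a stanza for /etc/config/firewall on the RE200, as an added example that is not part of the original posts. It assumes the default OpenWrt zone names lan and wan and the 192.168.1.0/24 upstream subnet mentioned in the thread; the rule name is made up for illustration.

```uci
# /etc/config/firewall on the RE200 (added example, not from the thread)

# Default forwarding that ships with OpenWrt: everything from lan may go
# out through wan. On its own this lets guests reach the upstream
# 192.168.1.0/24 network, because that subnet sits on the RE200's wan side.
config forwarding
	option src 'lan'
	option dest 'wan'

# Reject guest traffic whose destination is inside the upstream subnet.
# Rules are evaluated before the zone forwarding above, so this wins for
# matching packets while traffic to any other address is still forwarded.
config rule
	option name 'Reject-guest-to-upstream-LAN'   # hypothetical name
	option src 'lan'
	option dest 'wan'
	list dest_ip '192.168.1.0/24'
	option proto 'all'
	option family 'ipv4'
	option target 'REJECT'

# Notes:
# - 192.168.1.1 (the main router's own address) is inside the rejected
#   range, so guests cannot open its web interface or SSH either.
# - Internet traffic is unaffected: its destination IP is outside the /24,
#   it only uses the main router as the next hop.
# - With the default DHCP settings guests use the RE200 itself as DNS
#   server; the RE200's own queries to the upstream resolver are not
#   forwarded traffic and do not match this rule.
# Apply with: /etc/init.d/firewall restart
```

To check the result from a guest client, a ping to a device in 192.168.1.0/24 should fail immediately while a ping to a public address still succeeds.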