How to proceed?

I own an IQrouter that was upgraded to 23.05.0 and [appeared] to be running. I wanted to create a vlan and add a "guest" network. After MUCH trial & error I installed 23.05.3. It didn't contain the appropriate wpad update (or so i thought) I read I needed so I ran "update" from the LUCI page and sure enough there was an updated wpad package. So far so good. The option for "fast roaming" appeared on my screen. Fast forward I couldn't get anything to work so I reverted to factory defaults. My screen still reads 23.05.3 but the option for "Fast roaming" is gone!! Should I load 23.05.0 or reload 23.05.3. After hours of searching, I don't even think I needed fast roaming.

Don't worry about 802.11r at this point. First thing to know is that it is not required in any way. Second, it is only useful if you have multiple APs. And third, it can actually cause more problems than it solves as some devices behave very poorly when this standard is in use.

If you do have multiple APs, it is most important to configure them for optimal 'classical' roaming. That is to say that you want to create the conditions for devices to roam efficiently between your APs -- this means adjusting the channels, power levels, and ideally also the physical locations of the APs to maximize performance. Roaming is a client side process -- your goal should be to help the clients make good decisions by setting up the right conditions.

Here is a good video that explains the process -- it deals with Unifi, but applies to all wifi, including OpenWrt.

Finally, as far as your main question -- you should be using 23.05.3.

1 Like

Thanks for the tip. I only have 1 5g radio - shut off & 1 2.4 ghz radio. I found the "fast roaming" checkbox and made sure it was OFF. I was able to bring up the 2.4 link and get it working in the factory config. This brings me back to where I started. I have a smart TV and am feeding it off a lan connection. I would like to only give that port internet access [block it from the lan]. Research leads me to believe I need a vlan but they appear to be complex to set up. 2nd, I would like to set up a guest Wi-FI [phy1-ap1 if possible] but it also appears to be a difficult undertaking. Do you know of good videos that might help?

It is recommended to have both 2.4G and 5G radios enabled. But to be clear, if the radios are within the same AP device, fast roaming does not apply anyway. It only comes into play when you have multiple AP devices.

As far as setting up a guest or iot vlan, start with the guest wifi process... we can add an ethernet port to this with a few minor modifications once the rest is working.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

Thanks. I got the Guest Network working but I am stumped "segregating " a single port to the TV. The TV keeps reporting "can't reach the internet". Maybe a function of the TV software ???

Now that you have the new network setup, let’s see your config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks a jillion! Here goes


ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "Cisco",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link Archer C7 v2",
        "board_name": "tplink,archer-c7-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@Cisco:~# cd /etc/
root@Cisco:/etc# cd ./config
root@Cisco:/etc/config# cat ./network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdff:db21:85ad::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.20.30'
        option netmask '255.255.255.224'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'
        option description 'Lan'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 1'
        option vid '2'
        option description 'Wan'

config interface 'guest'
        option proto 'static'
        option ipaddr '172.16.7.30'
        option netmask '255.255.255.224'
        option device 'phy1-ap1'

root@Cisco:/etc/config# cat ./wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'US'
        option channel '9'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'MyNetwork_1984'
        option encryption 'psk2'
        option key 'xxxxxxxxxxxx'
        option macfilter 'allow'
        list maclist 'xx:xx:xx:xx:xx:xx'
        list maclist 'xx:xx:xx:xx:xx:xx'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'guest'
        option encryption 'psk2'
        option isolate '1'
        option key 'xxxxxxxxxxxx'
        option network 'guest'

root@Cisco:/etc/config# cat ./dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        option dhcpleasemax '20'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'

config dhcp 'lan'
        option interface 'lan'
        option start '1'
        option limit '20'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '1'
        option limit '20'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1,1.0.0.1'

config host
        option name 'Dell'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip '172.16.20.21'
        option leasetime '24h'

root@Cisco:/etc/config# cat ./firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option name 'Guestwifi'
        list network 'guest'

config forwarding
        option dest 'wan'

config forwarding
        option src 'Guestwifi'
        option dest 'wan'

config rule
        option name 'Guest DHCP'
        option family 'ipv4'
        list proto 'udp'
        option src 'Guestwifi'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Guest DNS'
        option src 'Guestwifi'
        option dest_port '443'
        option target 'ACCEPT'

config forwarding
        option src 'wan'
        option dest 'Samsung'

root@Cisco:/etc/config#

I'm not sure what the logical to physical port maps are, but we'll make a new VLAN on the switch using logical port 5 (you can use a different port if you choose).

First, we'll edit vlan 1 to remove logical port 5:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4'
        option vid '1'
        option description 'Lan'

Now we'll add VLAN 3 with logical port 5:

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 5'
        option vid '3'
        option description 'guest'

And we'll create a bridge using the new VLAN:

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'eth1.3'

Finally, we'll edit the guest network interface to use the bridge:

config interface 'guest'
        option proto 'static'
        option ipaddr '172.16.7.30'
        option netmask '255.255.255.224'
        option device 'br-guest'

Now restart and test the ports -- one of them will now work as a wired port on the guest network.

I can't thank you enough!! I already had logical port 2 cabled up so I changed to 2 but looking at the two configs it was straight-forward. Can I send you PayPal? A few fine points lets me harden my network!!!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.