Improving Network Performance & Security (Vlans, Mesh etc)


After reading the forum and trying to find similar projects I'm not satisfied with my research and not sure if exactly what I want is feasible. So here we go, below my little project I would like to implement.

Thank you everyone for your time even reading this...

Main Wired LAN to communicate with main WIFI SSID.
Having multiple SSIDS (separated with VLANS and subnets so they will be isolated with each other)
Having one main OpenWRT router + 2 more OpenWRT access points that they will only operate the VLANS (Wifi Mesh)
Main router to be responsible for every settings (the rest 2 APs should only allow the clients to connect, but DHCP, firewall, etc should be managed by the main router)

House is wired so LAN is not a problem, the problem comes with the wifi solution because even though house is not so big, it has thick walls and the main router cannot cover the entire house.

What I tried so far.
Main router is WRT1200AC at the beginning I tried to create VLANS on the main router but no matter what I tried, it only worked for let's say an hour or so, then the VLAN didn't work properly, if I remember, it dropped DHCP and had to reboot the router on an endless cycle...

Then I separated one port from the router to a completely new subnet and attached there one of the two mikrotik haps I have.
On the mikrotik side I created the VLANS I wanted, I isolated every VLAN from each other and I cloned the configuration to my second mikrotik.
This solution just don't work, both mikrotiks keep hanging of some sort and have to reboot them...
I don't know if all of three (WRT1200AC & mikrotiks) are just too week to handle VLANS but it seems that I cannot find a solution. Not to mention that couldn't configure Mesh across devices so me moving around the house, became a drill to exercise patience...

Probably this may be even possible with my current hardware, but actually I prefer to use same OS for everything.

So, is it possible to
Main Router WRT1200ac - will operate LAN and 4 VLANS (wifi with different ssids, subnets)
2 more openwrt devices to operate as AP (mesh configurations for the 4VLANS wifi from the main router)
Those two devices will be connected to the main router wired.

You probably don't want mesh... most people confuse this for a roaming setup. Mesh involves wireless backhaul connections, but you don't need that because you said your home is wired. Therefore, you simply want a setup that will allow roaming (which is a client side process anyway), and you can use the wired connections for the APs (which will almost always be faster than a wireless/mesh backhaul).

Yes, absolutely possible.

Don't try to implement everything at once.. Start with the main router (WRT1200AC). Configure a single new VLAN (so you'd have 2 LANs and a WAN) and verify that it is working as expected on the 1200AC. Then, using what you learned with the first new network, you can add the others (one at a time). Then you can work on one of your APs, and so on.


Hi, thank you for your reply!

What I would like to achieve with the wifi between router and APs is a seamless transition between them, the problem that I'm facing now is that from the main router to the APs and vice versa, all of the clients never transits because there is this thin line of coverage that they refuse to drop and I have to manually switch off /on the wifi on my mobile for example in order to switch.

From what I understood Mesh makes sure that this transition is fast and without the client having to re authenticate...
In essence, you are right! Roaming is what I'm after, and there is an option in OpenWRT called 802.11r Fast Transition, maybe if I have APs with OpenWRT and enable this, it will do what I'm looking for?

Yes one step at a time.
I'll keep this post as an ongoing project so in the future anyone who is interesting in something similar can have a some sort of guide...

Things to-do.
Upgrade my router. (Now I'm on David's latest build (which is no so latest anymore...)) I'll go with the PureFusion build.

Create multiple WIFI SSIDs each one on its own domain and see if that is working.
Then, we'll take it from there...

No, mesh is really just about the infrastructure using wireless connections between the APs. Mesh may be paired with other things (such as 802.11r) to improve overall wifi performance, but mesh itself is has nothing to do with the client connectivity.

This is not going to be helped by mesh. What you need is to tune your wifi appropriately. It is part art, part science. It usually involves reducing the power of your APs to encourage the clients to roam.

Not necessarily. 802.11r can be helpful in some cases, but in others it can actually cause more problems than it solves -- especially because not all client devices play well with 802.11r. A well tuned multi-AP setup does not need fast roaming enabled to have excellent results. In fact, I do not use it (2 APs), and I don't have it enabled on my in-laws' network (2 APs), or on my dad's (5 APs).

:warning: Make sure you understand what is different about this build vs the standard/official builds, and how it may impact your configuration. In some cases, forks may operate sufficiently differently as to cause the 'standard' methods to not work as expected. In those cases, you'll want to seek specific help from the maintainers of that build (you can always tag them in or post a question in that thread). This isn't to scare you, but just to make sure you're aware of this potential complication (and it is entirely possible that this warning is not relevant in this case)... I mention this purely as a heads-up.

Meanwhile, check out this video about how to place and tune multiple APs. Although the video deals specifically with Unifi, the concepts apply to all wifi setups (as long as the controls are exposed).

1 Like

Thank you very much for the explanation, I had it all wrong in my mind...
And of course thank you for the heads up regarding choosing the build.
For sure I'll check the video and maybe even try to do it with those 2 mikrotik haps I have...

I will come back once I have updates.
For the moment, I upgraded my router and configured what I need from the main router to do.

  • Firewall
  • Switch configuration
  • DNSCrypt
  • Adblock
  • SQM

Now LANS 1,2,3 are bridged and also the main SSID for wifi is bridged together.
Once I have time next thing is to configure the new SSIDs.
LAN 4 is seperated.
I would like to create VLANS so clients can connect to Guest, IoT etc (3 in total)
Those 3 SSIDS should have different subdomains and in each domain clients must be isolated.

I hope I'll find some time soon to try this out...


Typically, bridging multiple LANs (as in networks) together is not desirable.... unless you're talking about the physical LAN ports.

this is certainly possible, and not hard to do in most cases. The guest wifi guide will probably be a good starting reference.

Yes I'm referring to physical ports, since I use them for the same LAN.

Thank I'll check this once I'll start to play around this week...

I’m no expert on this but just finished a similar setup to the one you are describing: A main router, tp link archer c7 running openwrt, connected wired (through a tagged port) to another router as a dumb ap, also running openwrt. The OneMarkFifty YouTube channel has some great content on openwrt for exactly this kind of setup, in the openwrt playlist, also with fast roaming if you want to give that a shot.

From memory

Router 1

  • create vlans in the switch section
  • interfaces for each of the bridges connected to the different vlans
  • separate static ip range for each interface
  • firewall zones for each interface
  • Wi-Fi as you please, connected to the separate interfaces
  • tagged port connection (for all vlans in the switch section of openwrt) to the other router
  • untagged ports for the physical router ports you want to appear as each vlans

Router 2:

  • setup as dumb ap: turn off firewall, turn off dnsmasq, the other router handles this
  • replicate the vlan setup on this router, with the same vlan ids
  • setup similarly named interfaces as on the other router, bound to each vlan, only using dhcp instead
  • connect a cable to the other router, through a tagged port (for all vlans in the openwrt switch)
  • setup Wi-Fi with the same ssid and pw as on the other router

On my end this setup works great also with fast roaming, making our phones transfer to the other router seemlessly as we move across the floors

Edit: typo

Thank you for your helpful comment, I will definitely check also the youtube channel!

This DSA will drive me crazy...
Did a fresh install to the latest OpenWRT snapshot. (I followed your advice @psherman to try stock firmware, but also tried with custom builds just to be sure and it is the same)

Idea: Have one bridge on the router with all the ports included (lan1-4) and then VLAN this bridge to
VLAN10- My_Lan
VLAN11- Guest
VLAN13- Work
Interfaces > Devices > configure br.lan > Enable VLAN Filtering

Then Interfaces > Add new interface > I create my interfaces and attach the specific VLANID to each interface.
Save & Apply and then I'm locked out... DHCP is not working, I have to manually add IP to my pc in order to log in to luci again.
If I go to the lan interface and remove the VLANID and replace it with the general br.lan, then DHCP works...

I tried untagged, tagged, nothing works...
DHCP just don't work with VLANS even if I don't use VLAN and just go to devices and configure one port on its own then the DHCP again is not working...

Any thoughts on this?

Few guidelines here.

Decent router with dual core at least. Main router doesn't even have to require Wifi if you have decent APs to provide coverage. (and this may be preferable if your cable/vdsl/fibre comes into house in awkward place.)

Decent switch with VLAN capability (with POE if you can for powering dedicated APs)

Some decent APs. (Ubiquiti but make sure you pick a stable firmware or stuff breaks. Bonus is you can flash it with OpenWrt if you get fed up of Ubiquitis lack of QA)

I'd also suggest reading both of the following articles.

^this. Absolutely this. Small steps and rollback if required. Also personally i separate my 2.5G and 5G wifi SSIDs. I get better coverage as with dual band it would fall back to the "stronger" but slower 2.4G when i was at range from the AP.

Have a look at AdGuard Home. It does encrypted DNS internally. No need for unbound or other plugins. And also provides filtering and client settings.

Thread there for manual installation on router or you can use the opkg version which is detailed on the wiki here.

1 Like

Thank you for your time writing all this!
I will check everything once each of its time comes...

For the moment I cannot figure out how to make DSA and vlans working.
For some weird reason I can't get DHCP to work... only with the standard br.lan configuration.
From the moment I even add one vlan to the table then DHCP breaks...

1 Like

for each VLAN, make sure you are passing correct gateway and dns service to them.

DHCP option 6: which DNS (Domain Name Server) to include in the IP configuration for name resolution

DHCP option 3: default router or last resort gateway for this interface

Setup your networks first. Get DHCP/DNS/Gateway working and correct on each network. Then add the VLANs to isolate them.

TLTR - Describing how I managed to fix the DHCP vlan issue and install AdGuard
But I have a couple of questions at the end...

Everything now works as it should.
After many re-flashes trials and errors, it finally works!
Reason of not giving DHCP on vlans, I came to conclusion that it must be my backup settings, something there, breaks this option but I couldn't think of it since without vlans, the DHCP worked...

Anyway I manually re configured everything and got it working.

Since I already lost my sleep two days now switching from the very old Snapshot r13342 to the latest one, I thought maybe is a good opportunity to change from DNSCrypt Proxy 2 to your recommendation @mercygroundabyss (AdGuard)
I've read both your guide and also this one from @directnupe

To be honest at some point I couldn't follow because the scripts throwed me errors, so I decided to combine your knowledge with what I do usually with DNSCrypt and it seems to work.
Below the procedure and your comments are more than welcome.

USB Storage | Format and configure as extroot for AdGuard Home.

  1. Install USB related stuff
    opkg update && opkg install block-mount e2fsprogs kmod-fs-ext4 kmod-usb-storage kmod-usb2 kmod-usb3 kmod-usb-storage-uas usbutils

  2. Check USB name

ls -l /dev/sd* 
block info
  1. Format USB
    mkfs.ext4 /dev/sda1

Increase Routers Storage by Using The Available USB

mkdir /mnt/sda1
mount /dev/sda1 /mnt/sda1
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda1 -xf -
umount /tmp/cproot

Set Router to boot from USB
Edit the /etc/config/fstab (I did this by sshing with WinSCP)
changed the below lines.

config 'global'
option anon_swap '1'
option anon_mount '1'

config 'mount'
option target '/'
option uuid 'must be filled with the uuid of the usb from the block info command'
option enabled '1'

Save & Reboot

Now that I have that sorted out, it was time to install AdGuard Home.

Installation Procedure:

Necessary packages:
opkg update && opkg install sudo ca-certificates ca-bundle curl wget wget-ssl tar unzip bind-tools

AdGuard Home installation folder:
mkdir -p /opt/

I downloaded and extracted the package that corresponds to my router's architecture from here
Then moved the AdGuardHome folder created after the extraction with WinSCP to the path I created earlier /opt.
ssh again and hit the following in order to install AdGuard.
chmod 755 /opt/AdGuardHome/AdGuardHome
/opt/AdGuardHome/AdGuardHome -s install

After that, I went to the listening address of AdGuard that showed after the installation and configured the wizard.

The below are the steps I always do with DNSCrypt so I did also with AdGuard.

Change the dnsmasq port from 53 to 5353
Luci > Network > DHCP and DNS > Advanced Settings > DNS Server Port

Prevent DNS Leaks & Disable dnsmasq Cache & Rebind Protection
Edit etc/config/dhcp and add

config dnsmasq
option noresolv '1'
option localuse '1'
option boguspriv '0'
option cachesize '0'
option rebind_protection '0'

Save & /etc/init.d/dnsmasq restart

Completely disable ISP's DNS
Edit etc/config/network

config interface 'wan'
option peerdns '0'

Force All Clients to use AdGuard Even if They Use a Different DNS
Edit /etc/config/firewall and add the following rules.

config redirect
option name 'Divert-DNS, port 53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'

config rule
option name 'Reject-DoT, port 853'
option src 'lan'
option dest 'wan'
option proto 'tcp udp'
option dest_port '853'
option target 'REJECT'

config redirect
option name 'Divert-DNS, port 5353'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '53'
option target 'DNAT'

At the end, I added to the router which DNS to use.
Luci > Network > DHCP and DNS > General Settings > DNS Forwardings and added the AdGuard DNS I configured in the setup wizard. ex:

Final step force AdGuard DNS to clients through DHCP.
In every interface I have (ex vlans) I edit each one with the following.
Luci > Network > Interfaces > Edit > DHCP Server > Advance Settings > DHCP Options and added the DNS with the 6, in front. ex 6,

Rebooted the router and everything is working as it should!

Under DNS Settings on AdGuard on the Private reverse DNS servers field I just added and my dns ip ex
Is that correct? I cannot figure exactly what IP I should add there.

Also should I enable Encryption if I use DoH servers already under Upstream DNS servers?
Otherwise they will not work? or this Encryption settings is if I don't want to use public servers and instead I have my own?

Thank you!

Both mine and directnupe's guides were written up from old threads in an effort to make AGH more user friendly for the install. The primary difference between mine and his, is that I do pre-setup and then use AGH install script and he does it all manually (which is also what you did).
This is fine if you know what you are doing and understand your routers cpu and thus know what version to install. AGH's install script does that all for you and thus makes it much easier for beginners to just do as a push button install.

the scripts from my thread would have done most of that for you. I just do some pre-setup things then call AGH's install script from their page to do the install.

Which version have you installed? The stable branch (107) or the more updated edge branch (108)?

All this is done as my presetup in my script.

Again, this is done in the dns script that i made optional for some people. I split my DNS script from the install script to give people the option to keep their ISP DNS or even to edit the script and use a different DNS.

However one important thing to note here. What you have done is disable your upstream DNS for the router but have NOT given it an alternate DNS. Right now your router has no external DNS ( Ah i see you have pointed it internally at AGH. But that will mean when your router boots you will not get NTP updates until AGH loads. if you have done this then you will require an exception for ntp updates to pass them as plain DNS because without a proper date/time being set then encrypted DNS will fail due to SSL errors) the fix is here.

thats dns hijacking to make all your internal clients use AGH and prevent them using hardcoded external DNS.

You dont need this rule. Just enable the Reverse DNS (PTR) lookup internally in AGH and it will call dnsmasq to do internal dns name lookups.

That i've answered a few times in my thread. I guess i really should update the picture in my thread to make it clearer.

Both and will work as they both refer to your router. The differance is one refers to the routers IP and the other is the internal loopback address. The reason i use is for statistics tracking. i can see how many lookups the router does because it will show that as a seperate number.

The encrpytion option is for SSL to AGH home. In order to keep things simple I just had AGH as HTTP on port 8080 because luci takes 80 and SSL 443. If you want SSL connection to AGH you will need to proxy it as per here.

Also discussed here.

In summary, fix your upstream DNS for your router. Either use my wan DNS script to set your upstream to cloudflare or whoever you want or manually configure it via Luci. That way you can get NTP updates and opkg updates for your router directly. Your router itself does not require filtering via AGH. Only your downstream clients do and they are being passed AGH as primary DNS.

1 Like

Yes your script actually does everything I did manually.
Unfortunately I couldn't make it run, so since the procedure was easy, I did everything manually.

Good to know, I will comment it out then :+1:

I prefer also to use only

Good to know, I don't need this. I will stick with 8080.

Step two:
Since I already have it, let's try to configure a mikrotik as dump ap with vlans.
If that's doesn't work, then I will buy a ap capable for Openwrt.

PS: I noticed something strange.
On my interfaces the DHCP server is configured at default values, meaning it assigns IPs on the range of 100-150 but I've noticed that many clients got from range 200...
Any thoughts?

1 Like

did you copy it to the router and make it executable?

chmod +x <name of>
It cannot be run unless its set as executable.

I use WinSCP for editing scripts on my router. makes things easier and also you avoid the LF/CR conversion issues that can break scripts.

You are sure that is the only DHCP on your network? Are you using static DHCP reservations in that range?

Dont forget to fix your router WAN DNS btw.

1 Like

Are you sure you have this set properly? I suspect that you have the values as follows:

Start: 100
Limit: 150

This means that it will start at .100 and will allow up to 150 DHCP leases (the limit value is the number of leases, not the end of the range) -- so the range is from < start > - < start + limit -1 > = .100 - .249.

If your limit is set to <=100, there may be something else going on... but if limit is set as I guessed above, you are seeing expected behavior.


Yes, absolutely, but since it was easy to do it manually I didn't try to figure it out as of why some things didn't work.

Exactly that!
That explains it!

1 Like