Node 1 with DHCP on and WAN:
root@Archer_C60:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'VHT80'
option legacy_rates '0'
option country 'AR'
option disabled '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option key 'password'
option ifname '5G_ap'
option ssid 'SSID'
option encryption 'psk2+ccmp'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'platform/ahb/18100000.wmac'
option legacy_rates '0'
option country 'AR'
option htmode 'HT20'
option channel '11'
option disabled '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option key 'password'
option ifname '2G_ap'
option ssid 'SSID'
option encryption 'psk2+ccmp'
config wifi-iface 'wifinet2'
option ifname '2G_ap_guest'
option ssid 'Invitados'
option encryption 'psk2+ccmp'
option device 'radio1'
option mode 'ap'
option network 'guest'
option key 'password'
option wps_pushbutton '1'
config wifi-iface 'mesh0'
option device 'radio1'
option ifname 'mesh0'
option network 'nwi_mesh0'
option mode 'mesh'
option mesh_fwding '0'
option mesh_id 'mesh'
option encryption 'sae'
option key '00000000'
root@Archer_C60:~# cat /etc/config/network
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1 bat0'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option igmp_snooping '1'
option delegate '0'
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '192.168.2.1'
config interface 'bat0'
option proto 'batadv'
option routing_algo 'BATMAN_IV'
option aggregated_ogms '1'
option ap_isolation '0'
option bonding '0'
option fragmentation '1'
option gw_mode 'off'
option log_level '0'
option orig_interval '1000'
option bridge_loop_avoidance '1'
option distributed_arp_table '1'
option multicast_mode '1'
option network_coding '0'
option hop_penalty '30'
option isolation_mark '0x00000000/0x00000000'
config interface 'nwi_mesh0'
option mtu '2304'
option proto 'batadv_hardif'
option master 'bat0'
root@Archer_C60:~# cat /etc/config/dhcp
config dhcp 'guest'
option interface 'guest'
option start '3'
option leasetime '24h'
option limit '50'
list dhcp_option '6,8.8.8.8,1.1.1.1'
Node 2 with DHCP off:
root@CPE210:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/ahb/18100000.wmac'
option htmode 'HT20'
option legacy_rates '0'
option country 'AR'
config wifi-iface 'mesh0'
option device 'radio0'
option ifname 'mesh0'
option network 'nwi_mesh0'
option mode 'mesh'
option mesh_fwding '0'
option mesh_id 'mesh'
option encryption 'sae'
option key '00000000'
config wifi-iface 'wifinet1'
option ifname '2G_ap'
option ssid 'SSID'
option encryption 'psk2+ccmp'
option device 'radio0'
option mode 'ap'
option network 'lan'
option key 'password'
config wifi-iface 'wifinet2'
option network 'guest'
option ifname '2G_ap_guest'
option ssid 'Invitados'
option encryption 'psk2+ccmp'
option device 'radio0'
option mode 'ap'
option wps_pushbutton '1'
option key 'password'
root@CPE210:~# cat /etc/config/network
config interface 'lan'
option type 'bridge'
option ifname 'eth0 bat0'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option igmp_snooping '1'
option delegate '0'
config interface 'bat0'
option proto 'batadv'
option routing_algo 'BATMAN_IV'
option aggregated_ogms '1'
option ap_isolation '0'
option bonding '0'
option fragmentation '1'
option gw_mode 'off'
option log_level '0'
option orig_interval '1000'
option bridge_loop_avoidance '1'
option distributed_arp_table '1'
option multicast_mode '1'
option network_coding '0'
option hop_penalty '30'
option isolation_mark '0x00000000/0x00000000'
config interface 'nwi_mesh0'
option mtu '2304'
option proto 'batadv_hardif'
option master 'bat0'
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '192.168.2.2'
root@CPE210:~# cat /etc/config/dhcp
config dhcp 'lan'
option interface 'lan'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ignore '1'
config dhcp 'guest'
option interface 'guest'
option ignore '1'
I can connect and access the internet from node 2. The nodes can see each other with the `batctl o` or `batctl n` command. When I connect to the guest WiFi network on node 2, however, I cannot obtain an IP address or reach anything. How do I link it to the interface of node 1?
Another point: the guest WiFi network on node 2 does not have firewall rules like node 1 does.
jeff
December 12, 2019, 12:38am
Bridge each SSID/subnet on its own VLAN on the bat0 interface, such as bat0.100, bat0.101, ...
Something like this?
config interface 'puente'
option type 'bridge'
option stp '1'
option ifname 'eth0.1 bat0 guest'
option proto 'static'
option ipaddr '192.168.11.11'
option netmask '255.255.255.0'
option delegate '0'
I can connect to LAN, but not to guest.
jeff
December 12, 2019, 1:10am
You'll need to assign things to the proper firewall zones (and probably add one for guest vs. LAN, if you haven't already), but you would want to bridge, for example
"LAN" covers eth0 (assuming that is correct for your router), bat0.100 and has the "normal" wireless interface assigned to it
"Guest" covers bat0.101 and has the "guest" wireless interface assigned to it (without an Ethernet interface, it won't be available to the switch).
mk24
December 12, 2019, 1:19am
Once you are using VLANs on the mesh, don't attach any networks to plain bat0 — always use a VLAN number.
Do I have to create a separate VLAN for the guest network?
I also removed the name of bat0 in the lan configuration and I can no longer ping.
jeff
December 12, 2019, 8:26pm
In general, to isolate a guest network from other networks, it needs to be on its own interface and in its own firewall zone. If you want to have it available through the switch, then it needs to be bridged over an Ethernet interface with its own VLAN.
Think of the batman "bat0" as a virtual Ethernet cable. If you want to send two or more distinct packet streams over it, you need to use VLANs. For example, "LAN" on bat0.100 and "guest" on bat0.101 (this does not have to be the same VLAN tag as the bridged Ethernet interfaces, though consistency helps readability of the config).
Mixing tagged and untagged packets on the same line is generally bad practice for any SOHO application.
Those new interface names, where should I place them?
Guest has its interface on both nodes, but firewall rules only on the first.
I understand the "virtual cable" idea; what I don't understand is how it relates to the other interfaces.
jeff
December 12, 2019, 8:38pm
One bridge for each network segment, each in its own firewall zone.
I can't comment on your custom firewall config. Generally you want to prevent forwarding between your internal network and the guest network and either configure SSH and LuCI not to listen on the guest network, or block access (INPUT) to it from the guest network.
jeff:
"LAN" covers eth0 (assuming that is correct for your router), bat0.100 and has the "normal" wireless interface assigned to it
"Guest" covers bat0.101 and has the "guest" wireless interface assigned to it (without an Ethernet interface, it won't be available to the switch).
In the above example, note that VLAN 100 was used to carry the "LAN" traffic between the batman nodes and VLAN 101 is used to carry the "guest" traffic. This is what I mean by "virtual Ethernet cable".
Prior to your changes, what interface is used for your "LAN" and what for your "WAN"?
Perhaps that will let me sketch out what your bridges could look like.
This is my current configuration:
root@Archer_C60:~# cat /etc/config/network
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
list dns '8.8.8.8'
list dns '1.1.1.1'
option peerdns '0'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '192.168.2.1'
config interface 'bat0'
option proto 'batadv'
option routing_algo 'BATMAN_IV'
option aggregated_ogms 1
option ap_isolation 0
option bonding 0
option fragmentation 1
#option gw_bandwidth '10000/2000'
option gw_mode 'off'
#option gw_sel_class 20
option log_level 0
option orig_interval 1000
option bridge_loop_avoidance 1
option distributed_arp_table 1
option multicast_mode 1
option network_coding 0
option hop_penalty 30
option isolation_mark '0x00000000/0x00000000'
config interface 'nwi_mesh0'
option mtu '2304'
option proto 'batadv_hardif'
option master 'bat0'
config interface 'vlan1111'
option type 'bridge'
option stp '1'
option ifname 'eth0.1 bat0.1111'
option proto 'static'
option ipaddr '192.168.11.11'
option netmask '255.255.255.0'
option delegate '0'
root@CPE210:~# cat /etc/config/network
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '192.168.1.2'
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '192.168.2.2'
config interface 'bat0'
option proto 'batadv'
option routing_algo 'BATMAN_IV'
option aggregated_ogms 1
option ap_isolation 0
option bonding 0
option fragmentation 1
#option gw_bandwidth '10000/2000'
option gw_mode 'off'
#option gw_sel_class 20
option log_level 0
option orig_interval 1000
option bridge_loop_avoidance 1
option distributed_arp_table 1
option multicast_mode 1
option network_coding 0
option hop_penalty 30
option isolation_mark '0x00000000/0x00000000'
config interface 'nwi_mesh0'
option mtu '2304'
option proto 'batadv_hardif'
option master 'bat0'
config interface 'vlan1111'
option type 'bridge'
option stp '1'
option ifname 'eth0.1111 bat0.1111'
option proto 'static'
option ipaddr '192.168.11.12'
option netmask '255.255.255.0'
option delegate '0'
I can ping through the VLAN (192.168.11.x).
I followed the guide here to set up the guest network.
jeff
December 12, 2019, 9:27pm
If your "default" is
WAN on eth1
LAN on eth0.1
Then here is one way to configure the bridges.
WAN is unchanged
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
list dns '8.8.8.8'
list dns '1.1.1.1'
option peerdns '0'
"lan" needs to be additionally bridged with a VLAN of bat0.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1 bat0.101'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
"guest" needs to be bridged with a different VLAN of bat0
config interface 'guest'
option type 'bridge'
option ifname 'bat0.102'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option delegate '0'
(I prefer higher-numbered VLANs than is common OpenWrt practice. If you prefer bat0.1 and bat0.2, go for it.)
You will have to configure the firewall zones and their permissions to meet your needs.
Works! I don't fully understand it yet, but it works.
The guest network on the second node has no firewall rules. Can this be a problem? I ask because I can connect to both LAN and GUEST without any problem.
jeff
December 12, 2019, 9:57pm
bat0.101 "wires" all of the "lan" bridges on the nodes together
bat0.102 "wires" all of the "guest" bridges on the nodes together
Yes, without firewall zones and rules to control it, each router will do what routers do — route packets from one interface to another, so the guest network on node 2 is not isolated from the LAN.
Ready! Thank you very much!