IoT on OpenWRT + TP-Link AX6000

Hello,

I have a Linksys EA8300 with 2 x 5ghz radios (one may be broken) and 1 x 2.4ghz radio. I wanted to use the good 5ghz channel as a backhaul back to the AX6000 and the 2.4ghz channel for a number of sensors and speakers and google devices.

However, I still want to be able to cast to them, so I probably need igmp, mDNS, and multicast?

I am wondering how some of you would set this up. As it stands, I have this nearly configured.

This is how I am attempting:
laptop <~2.4ghz~> OpenWrt Linksys <~5ghz~> AX6000 ===> ISP Modem

It nearly works: the laptop can ping the gateway of the AX6000 (10.0.0.1) from 192.168.2.1, so the backhaul is working and NAT is working on the Linksys, but I cannot ping 8.8.8.8 or anything past that 10.0.0.1 gateway. It could be the AX6000 blocking it or it could be the ISP Modem. Maybe it's something in the Linksys.

I feel like there has to be an easier way, right now I just have IoT on a guest network, but I only have an "access to LAN" checkbox in the AX6000, so I can't cast. :slight_smile:

(Note: The ISP modem/router ALSO does NAT, although I set it up as a passthrough, it still uses DHCP and NAT to give out IPs on 192.168.1.0/24, it's a BGW302).

Any advice on how to accomplish the goal of having all this IoT junk off the main LAN, but still accessible for casting and direct connections would be great.

Thank you!
Chris

You will probably need relayd on your OpenWrt router to make this work. You cannot simply bridge wifi sta and wifi ap mode configurations.

WDS or 802.11s could also be options, but generally you need to have the same firmware on both APs for it to work.


psherman,

Yes, I was trying to have separate subnets, my little diagram didn't come out quite right:

[laptop] <----2.4ghz-----> [OpenWrt Linksys] <----5ghz----> [AX6000] <---- 2.5gbps ----> ISP Fiber Router

If we zoom in on the OpenWrt Linksys, for each radio I had:
wlan0 - IoT-5G gw 192.168.5.1
wlan1 - IoT-2G gw 192.168.2.1
wlan2 (aka backhaul0) with gw 192.168.0.1 and routed to 10.0.0.3 on the AX6000

Via a laptop connected to IoT-2G, I can ping 10.0.0.1, the far side of the AX6000. So that tells me the routes and the backhaul are working, but something else is broken. I could not get any farther than that.

It could be the ATT BGW320 router that is blocking me, I'm not sure. It has an IP range of 192.168.1.1/24 that it hands out, with .254 as the gateway. I avoided overlapping with it, so I'm not sure why it would care. But I don't see a way to turn off NAT on that device, so I may be setting up triple NAT for the IoT.

I had static routes set up so that the routers would still work, I was intending to not bridge anything and just route it.

Right now all my IoT devices are on the guest network of the AX6000, but it doesn't do me any good if I have to give them access to the LAN to stream or interact with them.

I could wire the OpenWRT Linksys, but I'm not sure what it would buy me, except getting that other half of the 5ghz channels back (I've since learned the Linksys EA8300 has 2 x 5ghz radios, sort of: each only covers half the channels of the 5ghz band.)

So a few questions:

  • Is it even possible to have semi-secure network separation yet still allow casting and such with Google Home? Or do I just need to put my Google devices back on my main LAN and just forget the Linksys EA8300 altogether?

  • Assuming I got this to work, would I be able to configure firewall rules that would protect the LAN on the AX6000 (10.0.0.0/24) but still allow the various 192.168.2.1, .5.1, .0.1 to have access to the internet, allow incoming connections from 10.0.0.0/24, allow multicast, proxy igmp, and run mDNS so that I can stream to some of these devices?

  • Is there an easier way to do this? Like would using relayd provide me a way to use the openwrt firewall? I have fiber, and I have a NAS connected to my managed switch that is bonded ethernet, just like the AX6000 is bonded ethernet to the switch, there's a 2.5gbps uplink, so I'm trying to keep things as speedy as possible.

Thanks, I hope that clarifies a bit more.
Chris

Does the ax6000 support static routes?

Let’s see the config from the openwrt router.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hello,

Thank you for looking at it! I tried a lot of different configs, but the furthest I got was pinging the AX6000 from IoT-2G subnet. The AX6000 does support static routes and I had 3 in it all going to 10.0.0.1:
192.168.0.0/24
192.168.2.0/24
192.168.5.0/24

I really wish I could put OpenWrt on the AX6000, but I read it's not compatible.

This may be more trouble than it's worth, but if the Google devices can work securely-ish on the IoT WiFi, that would be nice. The wireless backhaul is nice, but I can just wire the thing near the primary router if you think that would help. I don't really plan on using the 5ghz WiFi network unless (1) the IoT device is 5ghz and (2) I can get it to see the half of the spectrum that one 5ghz radio gives me. :slight_smile:

root@mesh01:~# ubus call system board
{
        "kernel": "5.10.146",
        "hostname": "mesh01",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys EA8300 (Dallas)",
        "board_name": "linksys,ea8300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}
root@mesh01:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6f:a45f:fa7e::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option device 'eth1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'eth1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'IoT_2G'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'wlan1'
        option type 'bridge'

config interface 'IoT_5G'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option device 'wlan0'
        option type 'bridge'

config interface 'BACKHAUL'
        option device 'wlan2'
        option proto 'static'
        option ipaddr '10.0.0.3'
        option netmask '255.255.255.0'
        option gateway '10.0.0.1'

root@mesh01:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'IoT_2g'
        option device 'radio1'
        option mode 'ap'
        option ssid 'IoT_2G'
        option network 'IoT_2G'
        option key 'JailedNetworkPw'
        option encryption 'psk-mixed'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'IoT_5g'
        option device 'radio0'
        option network 'IoT_5G'
        option mode 'ap'
        option ssid 'IoT_5G'
        option key 'JailedNetworkPw'
        option encryption 'psk-mixed'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option channel 'auto'

config wifi-iface 'backhaul0'
        option device 'radio2'
        option mode 'sta'
        option ssid 'nancy'
        option bssid '60:A4:B7:76:AA:E6'
        option key 'primary_wifi_pw'
        option encryption 'psk-mixed'
        option network 'BACKHAUL IoT_2G IoT_5G lan'

root@mesh01:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        list server '8.8.8.8'
        list server '8.8.4.4'
        list server '208.67.220.123'
        list server '10.0.0.1'
        list server '208.67.222.123'

config dhcp 'lan'
        option interface 'lan'
        option start '50'
        option limit '250'
        option leasetime '96h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IoT_2G'
        option interface 'IoT_2G'
        option start '50'
        option limit '250'
        option leasetime '96h'
        list dhcp_option '6,8.8.8.8'
        list dhcp_option '3,192.168.2.1'

config dhcp 'IoT_5G'
        option interface 'IoT_5G'
        option start '50'
        option limit '250'
        option leasetime '96h'
        list dhcp_option '6,8.8.8.8'
        list dhcp_option '3,192.168.5.1'

I'm not sure this will be helpful, but here is the basic config of the AX6000:

Status: Connected
Internet Connection Type: Dynamic IP
IP Address: 192.168.1.69
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.254
Primary DNS: 192.168.1.254
Secondary DNS: 0.0.0.0
Online Duration: 21 hours 25 minutes
LAN MAC Address: 60-A4-B7-76-AA-E8
IP Address:10.0.0.1
Subnet Mask:255.255.255.0
Link Aggregation: LAN 1 & LAN 2
DHCP Server: Enabled
IP Address Pool:10.0.0.100-10.0.0.249

And here is basic info from the fiber modem / router from the ISP:

Home Network Status
Device IPv4 Address	192.168.1.254

DHCPv4 Netmask	255.255.255.0
DHCP Server	On
DHCPv4 Start Address	192.168.1.64
DHCPv4 End Address	192.168.1.253
DHCP Leases Available	186
DHCP Leases Allocated	4
DHCP Primary Pool	Private

Cascaded Router Status	Disabled

IP Passthrough Status	On (public IP address)
IP Passthrough Address	107.217.86.242

Interfaces
Interface	Status	Active Devices	Inactive Devices
Ethernet	Enabled	0	0
5G Ethernet	Enabled	1	5

Wi-Fi 2.4 GHz	Disabled	0	0
Wi-Fi 5 GHz	Disabled	0	0
Mesh Clients	Disabled	0	0

I know this setup is a little ridiculous, but I don't think I can get rid of the NAT in the ISP router, which is very annoying, but it's what I have at the moment.

Thanks,
Chris
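One thing worth pulling out of the posted /etc/config/wireless: the station iface backhaul0 has `option network 'BACKHAUL IoT_2G IoT_5G lan'`, which tries to attach a single client-mode radio to four networks at once, and that is the sta/ap bridging that psherman said cannot work. The following is an added example, not code from this thread or from OpenWrt: a small Python parser for UCI-style config text that flags a sta iface bound to more than one network, notes the legacy `option type 'bridge'` on interface sections, and points out `psk-mixed` encryption. The sample configs inside it are constructed from the posted ones with the keys and BSSID replaced by placeholders.

```python
"""Lint an OpenWrt UCI config dump for a few interface-attachment mistakes.

Added example, not from the thread or from OpenWrt. The samples below are
constructed from the posted /etc/config/wireless and /etc/config/network
with secrets redacted.
"""
import re

# Constructed sample mirroring the posted wireless config (secrets redacted).
WIRELESS = """
config wifi-iface 'IoT_2g'
        option device 'radio1'
        option mode 'ap'
        option ssid 'IoT_2G'
        option network 'IoT_2G'
        option key 'REDACTED'
        option encryption 'psk-mixed'

config wifi-iface 'IoT_5g'
        option device 'radio0'
        option network 'IoT_5G'
        option mode 'ap'
        option ssid 'IoT_5G'
        option key 'REDACTED'
        option encryption 'psk-mixed'

config wifi-iface 'backhaul0'
        option device 'radio2'
        option mode 'sta'
        option ssid 'nancy'
        option bssid 'XX:XX:XX:XX:XX:XX'
        option key 'REDACTED'
        option encryption 'psk-mixed'
        option network 'BACKHAUL IoT_2G IoT_5G lan'
"""

# Constructed sample mirroring two of the posted network interfaces.
NETWORK = """
config interface 'IoT_2G'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'wlan1'
        option type 'bridge'

config interface 'BACKHAUL'
        option device 'wlan2'
        option proto 'static'
        option ipaddr '10.0.0.3'
        option netmask '255.255.255.0'
        option gateway '10.0.0.1'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_OPTION = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'\s*$")


def parse_uci(text):
    """Return a list of (section_type, section_name, options) tuples.

    'option' values are stored as strings, 'list' values as lists of strings.
    Anonymous sections (e.g. 'config device') get an empty name.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = _OPTION.match(line)
        if m and sections:
            kind, key, value = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections


def lint_wireless(sections):
    """Flag wifi-iface sections with unsound network attachment or weak crypto."""
    findings = []
    for stype, name, opts in sections:
        if stype != "wifi-iface":
            continue
        networks = opts.get("network", "").split()
        if opts.get("mode", "ap") == "sta" and len(networks) > 1:
            findings.append(
                f"{name}: sta iface attached to {len(networks)} networks "
                f"({', '.join(networks)}); a client-mode radio cannot be bridged "
                "into AP networks, use relayd or a single routed network"
            )
        if opts.get("encryption", "") == "psk-mixed":
            findings.append(
                f"{name}: psk-mixed accepts WPA1/TKIP clients; prefer psk2 or sae "
                "where the devices support it"
            )
    return findings


def lint_network(sections):
    """Flag interface sections still using the pre-21.02 bridge syntax."""
    return [
        f"{name}: 'option type bridge' on an interface is legacy syntax; define "
        "the bridge as a 'config device' and point the interface at it"
        for stype, name, opts in sections
        if stype == "interface" and opts.get("type") == "bridge"
    ]


if __name__ == "__main__":
    for finding in lint_wireless(parse_uci(WIRELESS)) + lint_network(parse_uci(NETWORK)):
        print(finding)
```

Run it as-is to see the findings against the constructed samples; to check a live router, replace the two sample strings with the output of `cat /etc/config/wireless` and `cat /etc/config/network`. The multi-network sta finding is the one that matters for the backhaul problem in this thread; the other two are hygiene notes.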

psherman - don't get whiplash, but ignore all that above, I think my AX6000 is bad. I keep completely losing connectivity between WiFi and the wired LAN. As in, I can ping things on WiFi, but not anything hard-wired from the WiFi until I reboot the AX6000. I could try unbonding it from the switch and just using one ethernet port, but I don't want to work around shoddy equipment.

If you had to recommend a router with OpenWrt support for what I am trying to accomplish, what would you suggest? Or even if it doesn't do OpenWrt, but it is just a good router that would make it easier to do what I am trying to do. Any suggestions?