Local and Guests WiFi on the primary router and a dumb AP (I'm going crazy)

Hello,
as the title says, I'm trying very hard to extend my network with a dumb AP to another floor (wired).

I want to set up a "Trusted" and a "Guests" network.

Both devices are running OpenWrt but two different versions:

  • Main router (from ISP but hacked):

    • It provides DHCP and Firewall services
    • 4 Gigabit ports + WAN
    • Modified version of OpenWRT Chaos Calmer 15.05
    • Because of that ^^^^^, the UI is a bit broken, so config files are the only way
  • Dumb AP:

    • 3 Fast ethernet ports + WAN
    • OpenWRT 23.05.0-rc3
    • swconfig (legacy) switching

I want to have 3 wireless networks that support roaming:

  • foo - 2.4GHz
  • foo - 5GHz
  • foo - Guests

Also, DNS queries are resolved by my Pi-hole and I would like to use it also from the guests network.

From my searches on the internet, it seems that I need to use VLANs, and I've been trying to set all of that up for 3 days without success.

The guest network should be wireless only, so every ethernet port of my devices should connect to the "Trusted" network (except the vlan trunk port used for connecting the two devices together).

I've also tried to follow this thread on GitHub from a user that has a very similar device (main router).

I really hope someone can help me :confused:
Sorry if something isn't clear. I'm a bit tired.

Here are the configuration files for both my devices:

Main router (/etc/config/network)

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'auto'
        option default_ps '0'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option force_link '0'
        option igmp_snooping '1'
        option ipv6 '0'
        option ip6assign '0'
        option ifname 'vlan_eth0 vlan_eth1 vlan_eth2 vlan_eth3'
        list pppoerelay ''
        option netmask '255.255.240.0'
        option ipaddr '10.1.1.1'

config interface 'guest'
        option proto 'static'
        option type 'bridge'
        option ipv6 '0'
        option ip6hint '1'
        option ifname 'vlan_guest vlan_eth1'
        option force_link '0'
        option netmask '255.255.255.128'
        option ipaddr '10.10.0.1'

config device 'vlan_guest'
        option type '8021q'
        option ifname 'eth1'
        option name 'vlan_guest'
        option vid '10'

config device 'vlan_eth0'
        option type '8021q'
        option ifname 'eth0'
        option name 'vlan_eth0'
        option vid '1'

config device 'vlan_eth1'
        option type '8021q'
        option ifname 'eth1'
        option name 'vlan_eth1'
        option vid '10'

config device 'vlan_eth2'
        option type '8021q'
        option ifname 'eth2'
        option name 'vlan_eth2'
        option vid '1'

config device 'vlan_eth3'
        option type '8021q'
        option ifname 'eth3'
        option name 'vlan_eth3'
        option vid '1'

config device 'vlan_wan'
        option type '8021q'
        option ifname 'ptm0'
        option mtu '1508'
        option name 'vlan_wan'
        option vid '835'

config switch 'bcmsw'
        option reset '1'
        option enable_vlan '0'
        option qosimppauseenable '0'
        option jumbo '0'

config switch 'bcmsw_ext'
        option reset '1'
        option type 'bcmsw'
        option qosimppauseenable '0'
        option unit '1'
        option enable_vlan '1'
        option jumbo '0'

config switch_vlan 'lan_switch'
        option device 'bcmsw_ext'
        option vlan '1'
        option ports '0* 1t 2* 3* 8t'

config switch_vlan 'guest_switch'
        option device 'bcmsw_ext'
        option ports '1t 8t'
        option vlan '10'

config interface 'wan'
        option proto 'pppoe'
        option ifname 'vlan_wan'
        option reqopts '1 3 6 15 33 42 51 121 249'
        option vendorid 'Technicolor'
        option authfail '0'
        option mtu '1500'
        option ipv6 '0'
        option release '1'
        option iface6rd '0'
        option password 'timadsl'
        option username '0481486820'
        option peerdns '1'
        option auto '1'

config interface 'vdsl_check'
        option proto 'pppoe'
        option ifname 'ptm0'
        option keepalive '5,10'
        option auto '0'
        option reqopts '1 3 6 15 33 42 51 121 249'
        option vendorid 'Technicolor'
        option graceful_restart '1'
        option authfail '0'
        option mtu '1500'
        option ipv6 '0'
        option release '1'
        option iface6rd '0'

config interface 'bt_iptv'
        option ifname 'vlan_wan'
        option auto '1'
        option proto 'static'
        option ipaddr '169.254.10.1'
        option netmask '255.255.255.255'

config device 'ptm0'
        option mtu '1508'
        option name 'ptm0'

config interface 'wwan'
        option auto '1'
        option metric '10'
        option proto 'mobiled'
        option session_id '0'
        option profile '1'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option reqopts '12 21 22 23 24 25 31 56 64 67 82 83'
        option noslaaconly '1'
        option iface_464xlat '0'

config config 'config'
        option wan_mode 'pppoe'

config interface 'ipoe'
        option proto 'dhcp'
        option metric '1'
        option reqopts '1 3 6 43 51 58 59'
        option release '1'
        option neighreachabletime '1200000'
        option neighgcstaletime '2400'
        option ipv6 '1'

config device 'waneth4'
        option enabled '1'
        option type '8021q'
        option name 'waneth4'
        option vid '835'

config device 'wanptm0'
        option enabled '1'
        option type '8021q'
        option name 'wanptm0'
        option vid '836'
        option ifname 'ptm0'

Dumb AP (/etc/config/network)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        option promisc '1'
        option ipv6 '0'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '10.1.1.3/20'
        option gateway '10.1.1.1'
        list dns '10.1.5.1'
        list dns_search 'mpx'
        option delegate '0'
        option ipv6 '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1t'
        option vid '10'
        option description 'Guest Network'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 4 3 2 1t'
        option vid '1'
        option description 'Trusted Network'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth0.10'
        option ipv6 '0'

config interface 'guest'
        option proto 'dhcp'
        option device 'br-guest'

This is very, very old, EOL, and unsupported. It also has many known serious security vulnerabilities. This should not be used on any active network, especially as a border gateway. Furthermore, there are so many major differences in syntax and operation that it is going to be hard for people to help purely based on not remembering the way that version worked. You should seriously consider removing this one and replacing it with a router (such as your dumb AP) that can support a current version of OpenWrt.

Further, if it is a "modified" version, this may mean that it doesn't work the way the official version of OpenWrt does... where did this modified version come from?

There's a page on the OpenWRT website that explains it a little: https://openwrt.org/inbox/toh/technicolor/tg789vac_v2

So it sounds like the device is running the vendor firmware?

Yes, but it is OpenWRT under the hood.

But, it is modified by the vendor. Therefore, it becomes a black box since we don't know what they changed and why (case in point, you said the LuCI web interface doesn't work properly). The modifications can at times be very significant and can materially change the way the firmware functions. But then add to that the fact that you're talking about an 8 year old version of OpenWrt (superseded by 5 major OpenWrt releases, soon to be 6). For support on your main router, you'll need to reach out to the vendor for help.

We can help you with your dumb AP, though....

I'd recommend removing the promisc and IPv6 lines from below.

Likewise, remove the ipv6 line from here:

And finally, the guest network does not need an address... make this proto 'none'

Another thing -- why is the trusted lan on a /20 subnet? That's much larger than is normally necessary or recommended.
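The two configs posted above, run through a small lint, as an added example that is not part of this thread and is not OpenWrt code: it parses the UCI text format shown in the post (both the 15.05 `option ifname` bridge style and the 23.05 `list ports` style), resolves each 8021q device to its parent port and tag, and reports when one tagged segment is bridged into two interfaces. In the main router config as posted, vlan_guest and vlan_eth1 are both eth1 with vid 10, vlan_eth1 sits in the lan bridge and both sit in the guest bridge, so the guest and trusted bridges are one L2 domain rather than two isolated networks. It also flags the two dumb-AP points raised in the reply (promisc on br-lan, and the guest interface needing proto 'none'). The sample inputs are constructed excerpts of the two files, and the check names and messages are my own.

```python
"""Lint OpenWrt /etc/config/network files for guest/trusted VLAN isolation.

Added example, not code from the thread or OpenWrt. Parses the UCI text shown
above (15.05 'ifname' and 23.05 'list ports' bridges) and flags the reply's
points plus any L2 leak between guest and trusted. Samples are constructed.
"""
import shlex
from collections import defaultdict

def parse_uci(text):
    """Return UCI sections as dicts with type, name, options and lists."""
    sections, cur = [], None
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": defaultdict(list)}
            sections.append(cur)
        elif parts[0] == "option" and cur and len(parts) >= 3:
            cur["options"][parts[1]] = parts[2]
        elif parts[0] == "list" and cur and len(parts) >= 3:
            cur["lists"][parts[1]].append(parts[2])
    return sections

def vlan_map(sections):
    """Map each 8021q device name to the L2 segment 'parent.vid' it carries."""
    return {s["options"]["name"]: f"{s['options']['ifname']}.{s['options']['vid']}"
            for s in sections if s["type"] == "device"
            and s["options"].get("type") == "8021q"
            and all(k in s["options"] for k in ("name", "ifname", "vid"))}

def bridges(sections):
    """Yield (bridge name, members) for both the old and the new bridge syntax."""
    for s in sections:
        o = s["options"]
        if s["type"] == "interface" and o.get("type") == "bridge":
            yield s["name"], o.get("ifname", "").split()
        elif s["type"] == "device" and o.get("type") == "bridge":
            yield o.get("name", "?"), list(s["lists"].get("ports", []))

def lint(text, dumb_ap=False):
    """Return human-readable findings; an empty list means the config is clean."""
    secs, findings = parse_uci(text), []
    vmap = vlan_map(secs)
    where = defaultdict(set)               # segment -> bridges that carry it
    for br, members in bridges(secs):
        for m in members:
            where[vmap.get(m, m)].add(br)  # 'eth0.10' already names its segment
    for seg, brs in sorted(where.items()):
        if len(brs) > 1:                   # one segment in two bridges = one L2 domain
            findings.append(f"{seg} is bridged into both {' and '.join(sorted(brs))}")
    for s in secs:
        o = s["options"]
        if s["type"] == "device" and o.get("type") == "bridge" and o.get("promisc") == "1":
            findings.append(f"{o.get('name')}: promisc '1' is not needed, remove it")
        # A dumb AP only forwards the guest VLAN; it needs no address on it.
        if (dumb_ap and s["type"] == "interface"
                and s["name"] not in ("lan", "loopback") and o.get("proto") != "none"):
            findings.append(f"{s['name']}: proto '{o.get('proto')}' on a dumb AP, use 'none'")
    return findings

# Constructed excerpts of the thread's two configs, not the full files.
MAIN_ROUTER = """
config interface 'lan'
        option type 'bridge'
        option ifname 'vlan_eth0 vlan_eth1 vlan_eth2 vlan_eth3'
config interface 'guest'
        option type 'bridge'
        option ifname 'vlan_guest vlan_eth1'
config device 'vlan_guest'
        option type '8021q'
        option ifname 'eth1'
        option name 'vlan_guest'
        option vid '10'
config device 'vlan_eth1'
        option type '8021q'
        option ifname 'eth1'
        option name 'vlan_eth1'
        option vid '10'
"""
DUMB_AP = """
config device
        option name 'br-lan'
        option type 'bridge'
        option promisc '1'
        list ports 'eth0.1'
config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth0.10'
config interface 'guest'
        option proto 'dhcp'
        option device 'br-guest'
"""

if __name__ == "__main__":
    for label, cfg, ap in (("main router", MAIN_ROUTER, False), ("dumb AP", DUMB_AP, True)):
        print(label, *(lint(cfg, dumb_ap=ap) or ["clean"]), sep="\n  ")
```

Run it against the real files with `lint(open("/etc/config/network").read(), dumb_ap=True)` on the AP and `dumb_ap=False` on the router; a clean guest/trusted split should produce no findings, and the bridging check is the one that tells you whether the guest VLAN is actually isolated at layer 2 rather than just given its own subnet.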

I use a /20 subnet because it allows me to create easier-to-remember addresses: e.g. 10.1.2.0 for my computers or 10.1.1.0 for my network devices, all in the same subnet so they can talk with each other.

Ok... whatever you want, it's fine. There are other ways of organizing, and you could have different /24 subnets. But there is no technical reason why a larger subnet is a problem provided that you don't have a huge number of devices on a single broadcast domain.