Mesh management AP

Hello,

I am trying to make a management AP on Node 3 for when the mesh loses connectivity, but I am having trouble. The management AP is on a different subnet with its own DHCP (to avoid losing DHCP when the mesh node can't connect). I tried to bridge it to the LAN / mesh subnet in network→iface and network→firewall. I tried testing each scenario 3-4 times with save / apply and lots of reboots just in case.

Thank you

Testing:

Mesh: 3 nodes, EA8300 linksys

Node 1: root, DHCP for the whole mesh.

Node 2: Guest and Main APs

Node 3: Test node, management AP

Test 1:

Enabled Node 1, Node 2, Node 3:

I can connect to the management AP using an iPad with firefox and navigate to luci.

Test 2:

Enabled Node 1, Node 2.

Disabled Node 3:
I can connect to the management AP but I cannot navigate to luci using an iPad with firefox.

Here are the configs:

Wireless


root@OpenWrt:~# cat /etc/config/wireless

# 5 GHz radio (hwmode 11a, VHT80); carries the 802.11s mesh link 'wifinet0' below.
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	# Automatic channel selection under the CA regulatory domain.
	option channel 'auto'
	option country 'CA'
	option legacy_rates '0'
	option txpower '28'

# 2.4 GHz radio (hwmode 11g, channel 11); disabled, so no interface below uses it.
config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option disabled '1'

# Second 5 GHz radio (hwmode 11a, VHT80, fixed channel 48); hosts the two
# access points 'wifinet1' and 'wifinet2' below.
config wifi-device 'radio2'
	option type 'mac80211'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'
	option country 'CA'
	option legacy_rates '0'
	option channel '48'
	option txpower '23'

# 802.11s mesh backhaul on radio0, SAE-encrypted, attached to the 'lan' bridge.
# mesh_id and key are redacted in this post.
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'mesh'
	option encryption 'sae'
	option mesh_id 'xxxxxxxxx'
	# Mesh-layer forwarding enabled so this node relays traffic for its peers.
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option key 'xxxxxxxxxxxxxxxx'
	option network 'lan'

# Client-facing AP on radio2 (SAE, PMF required via ieee80211w=2, 802.11r fast
# transition). Disabled on this node; the post says Node 2 hosts the main APs.
# Note: 'hidden' only suppresses the SSID in beacons; it is not an access control.
config wifi-iface 'wifinet1'
	option device 'radio2'
	option mode 'ap'
	option encryption 'sae'
	option hidden '1'
	# Clients on this AP cannot talk to each other at layer 2.
	option isolate '1'
	option ieee80211w '2'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'xxxxxxxxx'
	option key 'xxxxxxxxxxxxxxxxxxxxx'
	# 802.11r: same mobility_domain must be used on every AP roamed between.
	option ieee80211r '1'
	option mobility_domain 'feed'
	option ft_psk_generate_local '1'
	option ft_over_ds '1'
	option nasid 'xxxxx'
	option disabled '1'
	option network 'lan'

# Management AP on radio2 (SAE, PMF required, client isolation).
# NOTE(review): 'network' lists both 'man' and 'lan', i.e. the AP is attached to
# the main LAN as well as the management network. The reply in this thread
# recommends keeping the management AP on its own separate network only.
config wifi-iface 'wifinet2'
	option device 'radio2'
	option mode 'ap'
	option encryption 'sae'
	option hidden '1'
	option isolate '1'
	option key 'xxxxxxxxx'
	option ieee80211w '2'
	option wpa_disable_eapol_key_retries '1'
	option network 'man lan'
	option ssid 'Management AP'


network


root@OpenWrt:~# cat /etc/config/network

# Standard loopback interface.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix (redacted in this post); used by ip6assign on 'lan'.
config globals 'globals'
	option ula_prefix 'xxxxxxxxxx'

# Main LAN bridge: eth0 plus the mesh interface 'wifinet0' (attached via the
# wireless config). Static 192.168.1.149/24; gateway and DNS point at
# 192.168.1.1, presumably Node 1, which the post says runs DHCP for the mesh.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.149'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# IPv4 WAN on eth1 via DHCP.
config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

# IPv6 WAN on eth1 via DHCPv6.
config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

# Built-in switch with VLAN support enabled.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 spans ports 1-4 plus port 0 (presumably the CPU port — confirm for
# the EA8300 port layout).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

# Management network: static 192.168.111.1/24 on its own bridge.
# NOTE(review): 'ifname' is eth0, which the 'lan' bridge above already claims;
# a port can only belong to one bridge. The DHCP server the post mentions for
# this network is not in this listing (/etc/config/dhcp was not posted).
config interface 'man'
	option proto 'static'
	option type 'bridge'
	option ifname 'eth0'
	option ipaddr '192.168.111.1'
	option netmask '255.255.255.0'

firewall

root@OpenWrt:~# cat /etc/config/firewall

# Global firewall policy: accept input/output, reject forwarding by default.
# The 'input ACCEPT' default is what the reply in this thread relies on for a
# management network that is not placed in any zone.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	# Software and hardware flow offloading both enabled.
	option flow_offloading '1'
	option flow_offloading_hw '1'

# Trusted zone for the 'lan' network (main LAN + mesh).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# Untrusted zone for wan/wan6: inbound rejected, NAT masquerading enabled.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

# Allow lan -> wan forwarding (internet access for the LAN).
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt rule: accept DHCP renewals arriving from wan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Stock OpenWrt rule: allow IPv4 echo-request from wan.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Stock OpenWrt rule: allow IGMP from wan.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Stock OpenWrt rule: allow DHCPv6 (port 546) between ULA/link-local ranges from wan.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock OpenWrt rule: allow MLD (ICMPv6 types 130-132, 143) from link-local sources on wan.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock OpenWrt rule: accept essential ICMPv6 to the router itself, rate-limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock OpenWrt rule: forward essential ICMPv6 from wan to any zone, rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock OpenWrt rule: forward IPsec ESP from wan to lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Stock OpenWrt rule: forward IKE/ISAKMP (UDP 500) from wan to lan.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom rules script; its contents are not shown in this post.
config include
	option path '/etc/firewall.user'

# Zone for the management network.
# NOTE(review): 'network' lists 'lan' as well as 'man', but 'lan' is already a
# member of the 'lan' zone above; a network should belong to one zone only.
# With intra-zone forward ACCEPT (and the man -> lan forwarding below), clients
# on the management AP are not separated from the main LAN, which is the
# opposite of what the reply in this thread recommends.
config zone
	option name 'man'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan man'

# Allow man -> lan forwarding. This links the management network to the main
# LAN; the reply in this thread advises keeping the management network separate,
# in which case this forwarding is not needed.
config forwarding
	option src 'man'
	option dest 'lan'

The management AP and network are for local management — you don't want it linked to the main networks.

Set up a separate network with an IP range outside any of your other LANs, and run a DHCP server on it. That is all. It doesn't even need a firewall provision, since it is intended only for logging into the local machine (assuming the default firewall input rule is ACCEPT).


:partying_face: :partying_face: :partying_face: :partying_face: :partying_face:

Now I can connect to luci from the management AP on the disabled node.

The node's address and the management AP address both connect to luci.

TQVM
