Hello,
I am trying to make a management AP on Node 3 for when the mesh loses connectivity, but I am having trouble. The management AP is on a different subnet with its own DHCP (to avoid losing DHCP when the mesh node can't connect). I tried to bridge it to the LAN / mesh subnet under Network → Interfaces and Network → Firewall. I tested each scenario 3-4 times with save / apply and lots of reboots just in case.
Thank you
Testing:
Mesh: 3 nodes, EA8300 linksys
Node 1: root, DHCP for the whole mesh.
Node 2: Guest and Main APs
Node 3: Test node, management AP
Test 1:
Enabled Node 1, Node 2, Node 3:
I can connect to the management AP using an iPad with Firefox and navigate to LuCI.
Test 2:
Enabled Node 1 and Node 2.
Disabled Node 3:
I can connect to the management AP, but I cannot navigate to LuCI using an iPad with Firefox.
Here are the configs:
Wireless
root@OpenWrt:~# cat /etc/config/wireless
# /etc/config/wireless as pasted (mesh_id, SSID and keys redacted by the author).
# radio0: 5 GHz (11a/VHT80) on the PCI card, channel auto, CA regulatory domain.
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'VHT80'
option channel 'auto'
option country 'CA'
option legacy_rates '0'
option txpower '28'
# radio1: 2.4 GHz (11g/HT20) on channel 11 — disabled on this node.
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/soc/a000000.wifi'
option htmode 'HT20'
option disabled '1'
# radio2: second 5 GHz radio (11a/VHT80) fixed on channel 48; carries both APs below.
config wifi-device 'radio2'
option type 'mac80211'
option hwmode '11a'
option path 'platform/soc/a800000.wifi'
option htmode 'VHT80'
option country 'CA'
option legacy_rates '0'
option channel '48'
option txpower '23'
# wifinet0: 802.11s mesh point on radio0, SAE-encrypted, with mesh forwarding on,
# attached to the 'lan' network (so the mesh link is bridged into 'lan').
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'mesh'
option encryption 'sae'
option mesh_id 'xxxxxxxxx'
option mesh_fwding '1'
option mesh_rssi_threshold '0'
option key 'xxxxxxxxxxxxxxxx'
option network 'lan'
# wifinet1: main AP on radio2 — SAE, PMF required (ieee80211w '2'), hidden SSID,
# client isolation, 802.11r fast transition. Disabled on this node via 'option disabled 1'.
config wifi-iface 'wifinet1'
option device 'radio2'
option mode 'ap'
option encryption 'sae'
option hidden '1'
option isolate '1'
option ieee80211w '2'
option wpa_disable_eapol_key_retries '1'
option ssid 'xxxxxxxxx'
option key 'xxxxxxxxxxxxxxxxxxxxx'
option ieee80211r '1'
option mobility_domain 'feed'
option ft_psk_generate_local '1'
option ft_over_ds '1'
option nasid 'xxxxx'
option disabled '1'
option network 'lan'
# wifinet2: the management AP on radio2 — SAE, PMF required, hidden SSID, client isolation on.
# NOTE(review): 'option network' names two networks here ('man' and 'lan'), and both are
# declared as bridges in /etc/config/network. Presumably one AP interface can only be a member
# of one bridge, so it is unclear which bridge this AP actually lands in — confirm on the box
# (e.g. `brctl show` / `ip link`). If the management subnet is meant to be separate, attaching
# this interface to 'man' alone would match that intent; bridging it into 'lan' as well ties
# management access back to the mesh-side network whose DHCP is lost when the mesh is down.
config wifi-iface 'wifinet2'
option device 'radio2'
option mode 'ap'
option encryption 'sae'
option hidden '1'
option isolate '1'
option key 'xxxxxxxxx'
option ieee80211w '2'
option wpa_disable_eapol_key_retries '1'
option network 'man lan'
option ssid 'Management AP'
network
root@OpenWrt:~# cat /etc/config/network
# /etc/config/network as pasted (ULA prefix redacted by the author).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxxxxxxxx'
# 'lan': bridge over eth0 with a static address 192.168.1.149/24; default gateway and DNS
# both point at 192.168.1.1 (Node 1, which the author says runs DHCP for the mesh).
# The mesh point (wifinet0) is also a member of this bridge via its 'option network'.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.149'
option gateway '192.168.1.1'
list dns '192.168.1.1'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0'
# 'man': the management bridge, static 192.168.111.1/24, no gateway or DNS set.
# The DHCP server the author describes for this subnet would live in /etc/config/dhcp,
# which is not shown here — confirm a 'config dhcp' section exists for interface 'man'.
# NOTE(review): 'man' lists 'eth0' as its ifname, the same port already bridged into 'lan'
# above. Presumably a port can only belong to one bridge at a time, so one of the two
# bridges will not actually get eth0 — check with `brctl show`. If 'man' is intended to be
# reachable only over the management AP, dropping 'option ifname' here avoids the conflict.
config interface 'man'
option proto 'static'
option type 'bridge'
option ifname 'eth0'
option ipaddr '192.168.111.1'
option netmask '255.255.255.0'
firewall
root@OpenWrt:~# cat /etc/config/firewall
# /etc/config/firewall as pasted.
# Global policy: INPUT and OUTPUT accepted, FORWARD rejected unless a zone or a
# 'config forwarding' section allows it; SYN-flood protection and flow offloading on.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
# 'lan' zone: covers the 'lan' network; input, output and forward all accepted.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# 'wan' zone: stock OpenWrt policy — input and forward rejected, masquerading and MTU fix on.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
# The rules below are the stock OpenWrt allowances for traffic arriving on 'wan'
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec); they are unchanged from defaults.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# /etc/firewall.user is included but its contents are not shown in this post.
config include
option path '/etc/firewall.user'
# 'man' zone: the management zone, input/forward/output all accepted.
# NOTE(review): 'option network' lists 'lan' here as well as in the 'lan' zone above, i.e.
# the same network is claimed by two zones. Presumably the firewall assigns a network to a
# single zone — check `fw3 print` or `logread` for a zone warning, and keep 'lan' only in the
# 'lan' zone so that the policy applied to mesh traffic is the one you intended.
# With input ACCEPT on this zone, LuCI and SSH on 192.168.111.1 are reachable by every client
# that authenticates to the management SSID; the SAE key on that SSID is the only gate. If the
# zone should expose management only, a narrower input policy (REJECT by default plus a rule
# for the LuCI/SSH ports) limits what a compromised management client can reach.
config zone
option name 'man'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option network 'lan man'
# One-way forwarding from 'man' into 'lan'; no matching lan → man forwarding is defined,
# so 'lan' hosts cannot initiate connections into the management subnet through the firewall.
config forwarding
option src 'man'
option dest 'lan'