Device single ethernet port: 192.168.1.2 (LAN on single ETH port on device)
Wireless radio: 192.168.222.1 (seperate network)
So, client will connect to the router from wireless port.
Then internet requests will be forwarded over ethernet port.
For instance, firewall service is disabled and iptables has no additional rules.
So, to achieve this goal, I created a VLAN2
I created a WIFI interface in addition to LAN and put radio in it.
I assigned WIFI interface to VLAN2
I finally achieved above config with no success:
DHCP
----
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option dhcpv4 'server'
option start '23'
option limit '5'
option leasetime '24h'
list ra_flags 'none'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config dhcp 'wifi'
option interface 'wifi'
option start '23'
option limit '5'
option leasetime '12h'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
---
---
FIREWALL
--------
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option output 'REJECT'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'wifi'
list network 'wifi'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
---
---
NETWORK
-------
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'X::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option ip6assign '60'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 6t'
config interface 'wifi'
option proto 'static'
option ipaddr '192.168.222.1'
option netmask '255.255.255.0'
option force_link '0'
option delegate '0'
option device 'radio0.network1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '6t'
config device
option name 'eth0.2'
option type '8021q'
option ifname 'eth0'
option vid '2'
option ipv6 '0'
---
---
WIRELESS
--------
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/10300000.wmac'
option band '2g'
option htmode 'HT20'
option channel 'auto'
option txpower '0'
option cell_density '0'
option disabled '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option key 'SecurityKey'
option network 'wifi'
option macfilter 'allow'
option isolate '1'
list maclist 'AA:BB:CC:DD:EE:FF'
list maclist 'FF:EE:DD:CC:BB:AA'
option encryption 'psk2+ccmp'
I can't get IP for wireless client.
I can't ping when I manually assign an IP number to wireless client.
I'm not sure even if will there be any other settings to make the router recognizes
LAN port on ethernet as WAN port and forward wireless client requests to it.
VLAN2 doesn't connect to anything. You can actually delete the section below entirely.
Add option dhcpv4 'server' to the wifi dhcp server.
Also, while you are there, add option ignore '1' to the lan DHCP server-- if you don't do this, you may have 2 DHCP servers on your upstream network and that will cause problems.
You need to add a gateway and DNS to the lan interface. This would be the address of the upstream router -- likely 192.168.1.1 (guessing).
Remove the force link, delegate, and radio device lines from the wifi network
turn on masquerading on the lan fireawll zone (add option masq '1')
add a forwarding statement from wifi > lan
config forwarding
option src 'wifi'
option dest 'lan'
The general process for devices with a single Ethernet port is:
Start with the default configuration.
If the upstream network is using IP addresses in the 192.168.1.X range, you will need to change the lan IP to something else such as 192.168.222.1. If you do this in Luci, make and apply the change then wait about 2 minutes until a confirmation page appears then click the red "Apply Unchecked" button.
If lan IP was changed above, unplug Ethernet cable from your PC then re-plug it to make the PC obtain the new address range. Enter the new IP in your browser and log in.
Set up a wifi AP on the lan network. Disconnect the Ethernet cable from your PC and log back in to the router using wifi.
Remove eth0 from the br-lan bridge.
Create a new network interface named exactly "wan" (lower case). Protocol should be DHCP Client or Static IP. Device should be eth0.
If you use Static IP, make sure the netmask, gateway, and DNS server as well as the IP address are as needed by the upstream network. DHCP Client will handle these automatically.
Plug the Ethernet port to the upstream network. Routed Internet access from wifi devices should now be possible.
As noted, the firewall must be running since it handles address translation. And of course firewalling, which you probably want. If you own and/or completely trust the upstream network, you can set up symmetric routing next as an optional feature. This requires installing a route in the upstream router.
As @mk24 suggested, it's probably best to start with the default configuration. It should be really easy to get what you want from this state (complete details already posted by @mk24).
Before proceding the steps you propose, I would like to share with you some further information and some questions related to:
There is only one mac address for all interfaces on this device: br-lan, eth0, eth0.1, vlan and wifi.
Default config consists just one LAN interface which groups vlan and eth0.1 . When wifi is up, it is automatically added to this only LAN group and shares same IP pool.
Previously, as you know, I couldn't seperate wifi interface either by creating an additional, dedicated VLAN2, nor applying first alternative configuration.
Our last settings (which is not defaulted yet) has a dedicated wifi (WIFI) interface however gives a network device error message as mentionned previously.
Since I already locked in the device once and did some upgrade/downgrade, I would kindly like to request further details about the procedure and your detailled suggestions, prior walking through the steps.
Thank you very much for your help. Regards.
Safak Kayhan
When you reset your router to defaults, wifi will be disabled and your ethernet port will be the lan.
Plug a computer into the ethernet port -- it will get an IP address via DHCP.
change the lan IP so that it doesn't conflict with the upstream router (as @mk24 suggested 192.168.222.1 or any RFC1918 address that doesn't conflict with 192.168.1.0/24)
save and apply (note the auto-rollback feature that could get in your way -- details in the link above)
Enable wifi (set the country code, SSID, encryption type, and password)
unplug ethernet from the mr3020 and connect using wifi
remove eth0.1 from br-lan
create a new interface called 'wan' (all lower case), associate it with eth0.1 and set the proto to dhcp.
save and apply.
plug an ethernet cable between the upstream router's lan and the mr3020 ethernet port...
Hi, tested and as you said it did work. I could ping upstream router. There will
be some tweaks especially for DNS settings and if I stuck again I will
bother you then.