Need help configuring guest wifi & dumb AP

purse · November 19, 2023, 2:02pm

I have a main router and 2 aux routers. Main router connects to internet, aux router #1 connects to main and aux router #2 connects to aux #1. All routers run OpenWRT 23.05

[MAIN] -- [AUX1] -- [AUX2]

I want

instead of each router defining its own subnet, to configure the AUX routers to be dumb switches, but also broadcast an AP, which will be part of the main routers subnet too (trusted, LAN).
I want each of the AUX routers to also broadcast a "GUEST" or untrusted Wifi network that I can impose restrictions on, for connecting IOT devices and untrusted guests
I want each device to be somehow addressable after the above configuration.
I want to use the AUX routers' WAN ports as an extension of the built-in switch (those routers only provide 2 LAN ports, can sometimes be limiting)

How many of the above points, which are ordered in sequence of importance would be possible to do? Can I do all 4? Can you provide configuration suggestions?

thank you so much

psherman · November 19, 2023, 3:35pm

Are all of your devices running openwrt?

purse · November 19, 2023, 3:44pm

Yes, all of the devices run OpenWRT 23.05. I will add this to the original post

psherman · November 19, 2023, 3:59pm

Great!

I would recommend starting with the guest wifi tutorial on the primary router. Once that is working, we can modify things slightly to connect the guest network by ethernet to the secondary routers. Those other routers will continue to operate as dubm APs, but now with VLANs and an additional SSID.

purse · November 19, 2023, 4:33pm

OK, I've already followed that for the AUX routers originally. So I will delete the interfaces from the AUX routers, and do that on the MAIN router. What configuration follows?
Reminder: I would like a trusted wifi AP from the AUX routers, alongside the untrusted Wifi network.

mk24 · November 19, 2023, 4:36pm

If the connections between the routers are Ethernet cable (not wireless) you would transport multiple networks over VLANs on the cables. The main router controls all the routing and firewalling so it needs to be set up first.

psherman · November 19, 2023, 4:38pm

On the main router, we'll start with the guest network which is wifi specific. Then we'll incorporate ethernet so we can connect that new. guest network via ethernet to the other devices.

Once you have your guest wifi working on the main router, post the config for review. We'll double check that it is all correct and then recommend the changes to add ethernet. Then we'll work on the downstream devices.

psherman · November 19, 2023, 4:47pm

I have been making the assumption that this is the case.... but I didn't explicitly ask

@purse - can you confirm that everything is connected by ethernet?

purse · November 20, 2023, 9:36am

Yes, all 3 devices are connected by ethernet. We like cables.

So, I implemented the guest wifi basics, plus encryption and guest isolation. Here are some configs:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf8:3b0c:6ab3::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth1'
	option keepalive '2 5'
	option ipv6 'auto'
	option peerdns '0'
	list dns '1.1.1.1'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.13.1/24'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option country 'US'
	option hwmode '11g'
	option htmode 'HT20'
	option short_gi_40 '0'
	option cell_density '0'
	option channel '11'
	option txpower '20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '***'
	option encryption 'psk2'
	option key '***'

config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid '***'
	option encryption 'psk2'
	option key '***'
	option isolate '1'

I feel like I'm in good hands

psherman · November 20, 2023, 3:06pm

Ok. Unless it is a copy paste issue, you seem to have two copies of br-lan. Delete one.

Then, add Ethernet to the guest bridge like this (we will use vlan 13)

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest
	list ports 'eth0.13'

That is all we need to change here, and we can move onto the second device. Post your /etc/config/network file from the first AP and we'll get that configured for the VLAN. NOTE: we also need to know which port on the 2nd device is used to connect to the upstream (router) and the downstream (3rd device).