Need help with configuring OpenWRT as dumb AP

Hi,

I'm a new OpenWrt user and I'm very frustrated: clients do not get an IP from the router's (OPNsense) DHCP server when I disable the OpenWrt DHCP server.

I'm using OpenWrt version 23.x on an Asus TUF AX6000 router.

I'm trying to set it up as an AP, so on br-lan I set a static IP (192.168.4.70), outside the DHCP range, in the subnet of my OPNsense router (192.168.4.1).

The OPNsense router is connected to a managed switch, and a cable runs from the managed switch to the WAN port; I can access the internet fine, and the WAN port gets an IP from the router's DHCP server.

Configurations attached

I'd appreciate your support.




https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap


What port is used on your AP to connect to the upstream network?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX6000",
        "board_name": "asus,tuf-ax6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "23.05.5 240924"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd41:d1b3:d404::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'
        option macaddr '10:7c:61:a0:82:66'

config device
        option name 'lan2'
        option macaddr '10:7c:61:a0:82:66'

config device
        option name 'lan3'
        option macaddr '10:7c:61:a0:82:66'

config device
        option name 'lan4'
        option macaddr '10:7c:61:a0:82:66'

config device
        option name 'lan5'
        option macaddr '10:7c:61:a0:82:66'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.4.70'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.4.1'
        option broadcast '192.168.4.255'
        option defaultroute '0'

config device
        option name 'eth1'
        option macaddr '10:7c:61:a0:82:66'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option disabled '0'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'tuf-ax6000-2g-0'
        option encryption 'psk2'
        option key '12345678'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option disabled '0'
        option country 'US'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'tuf-ax6000-5g-1'
        option encryption 'psk2'
        option key '12345678'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option dynamicdhcp '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'wantolan'

config forwarding
        option dest 'wan'

config forwarding
        option src 'lan'

config forwarding
        option dest 'wan'

config forwarding
        option src 'lan'

config forwarding
        option src 'wantolan'
        option dest 'lan'

config forwarding
        option src 'wan'
        option dest 'wantolan'

config zone
        option name 'test'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wan'

config forwarding
        option src 'test'
        option dest 'lan'

config forwarding
        option src 'test'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'test'

config forwarding
        option src 'wan'
        option dest 'test'

root@OpenWrt:~#

Your firewall is rather messed up, but that shouldn't really affect the functionality.

What port is connected on the AP (going to the upstream network)?
If you unplug the AP and connect that cable directly to a computer, does it get an IP address via DHCP?

Now all is good; I'm sure it was because of the firewall rules. How do I completely disable the firewall?

OK, now I need to configure a guest Wi-Fi on a specific VLAN (subnet 192.168.9.x).

I already configured VID 9 on the OPNsense router and on the managed switch. Are there any guides available, or can you help me do this on OpenWrt?

I can only find videos on YouTube, but I think they use totally different versions of OpenWrt...

Thanks for your help

You need to set up bridge VLANs. I can help with that, but you still haven't mentioned which port is used to uplink to the main router.

Thank you so much, it's LAN 2.

Create bridge VLANs by adding this to your /etc/config/network file:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'lan5:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '9'
        list ports 'lan2:t'

Edit the lan interface to use br-lan.1:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.4.70'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.4.1'
        option broadcast '192.168.4.255'
        option defaultroute '0'

and add an unmanaged interface for the guest network:

config interface 'guest'
        option device 'br-lan.9'
        option proto 'none'

Finally, create a new SSID for your guest network and then restart the router. Test both networks.

Thank you. OK, to do this once and for all, I'd appreciate help with the following setup:

The main LAN to my router (port 2) needs to be in VLAN 20 (subnet 192.168.2.x), so any Wi-Fi device that connects needs to land in 192.168.2.x.

Guest Wi-Fi needs to be in VLAN 9 (192.168.9.x).

Question: must I connect another LAN cable (say, port 3) to my switch for VLAN 9, or is it done via Wi-Fi bridging? Because if two cables are connected from the Asus router (OpenWrt) to the switch, I lose all connections. How do I fix that?

Thanks a lot

These settings/configurations crashed the router.

Maybe because I disabled the firewall and rebooted?

I'm not at home; I will check as soon as I get home.

Is there any way I can re-enable the firewall without resetting?

Hello,

All is good here. I made several modifications, as follows (I had to use a different LAN port for each subnet). I've got a question: can't I use all 3 subnets on just 1 LAN port?

cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd41:d1b3:d404::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '10:7c:61:a0:82:66'

config device
	option name 'lan2'
	option macaddr '10:7c:61:a0:82:66'

config device
	option name 'lan3'
	option macaddr '10:7c:61:a0:82:66'

config device
	option name 'lan4'
	option macaddr '10:7c:61:a0:82:66'

config device
	option name 'lan5'
	option macaddr '10:7c:61:a0:82:66'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.4.70'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.4.1'
	option broadcast '192.168.4.255'
	option defaultroute '0'

config device
	option name 'eth1'
	option macaddr '10:7c:61:a0:82:66'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'lan3:u'

config interface 'guest'
	option device 'br-lan.9'
	option proto 'none'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan4'

config interface 'vlan20'
	option device 'br-lan.20'
	option proto 'none'

Yes, provided that at least 2 of them are tagged.

I see quite a few potential issues with your configuration. I can help you resolve them, but I need to know what the intent is for each port -- port-vlan membership, tagging status for each vlan per port, and which port is the uplink to the main router.

For example (making this up):

  • port lan 1 - uplink to the main router, VLAN 1 untagged + VLANs 9 and 20 tagged
  • port lan 2 - access port for VLAN 1 (untagged)
  • port lan 3 - access port for vlan 9
  • port lan 4 - trunk to a downstream managed switch, all VLANs tagged.

OK: 1 cable from the switch to WAN (DHCP subnet 192.168.4.x)
port lan 2 to switch port 22 (untagged on the switch, in the default VLAN, 192.168.4.x)
port lan 3 to switch port 23 (untagged on the switch in VLAN 9, with the port using its PVID)
port lan 4 to switch port 21 (tagged on the switch in VLAN 20, with the port using its PVID)

Check attachments



So if I understand your description, you have 4 cables connecting the switch and the AP. Is that correct?

If so, you should reconsider the design here. All of those networks can run over a single cable by setting up a trunk port on the switch and a corresponding one on the AP.

I have the trunk port set to port 2 on the switch which is the cable coming from the opnsense router.

Right. You can do the same to connect the AP with a single cable.

Could you elaborate on how the settings would be?

Start by creating a trunk port on the main switch. Then, put all ports on the AP back into br-lan. Create bridge VLANs to build the trunk on the AP, and optionally define the port-VLAN membership of the other ports on the AP.