Need help with dumb AP settings

catdogmaus · January 17, 2023, 7:27pm

I'm trying to expand my network with a dumb AP point. The goal is for the router to grant all the necessary permissions. Unfortunately, it's complicated by the fact that I have three different networks, for me, for guests, and IoT, plus of course I have a very vague idea of the correct setup. I had a good guide on how to do it with the previous version of openwrt, unfortunately, several things have changed, the swich page has disappeared altogether, and now I am lost.
Maybe someone will take the trouble to correct and find the right settings.
thanks.

Here are the current router settings that obviously don't work
(ok, they work generally but not for AP point.)

root@WRT1900ac:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd27:f9b5:7706::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '94:10:3e:xxx'

config device
        option name 'lan2'
        option macaddr '94:10:3e:xxx'

config device
        option name 'lan3'
        option macaddr '94:10:3e:xxx'

config device
        option name 'lan4'
        option macaddr '94:10:3e:xxx'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'

config device
        option name 'wan'
        option macaddr '94:10:3e:xxx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'Quest'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'
        option device 'br-quest'

config interface 'IOT'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'
        option device 'br-lan.10'

config device
        option type 'bridge'
        option name 'br-quest'

config device
        option type 'bridge'
        option name 'br-iot'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan4'

Here are the current AP settings

root@TPlinkAP:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd01:e906:6b03::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config interface 'IOT'
        option proto 'dhcp'
        option device 'br-lan'

config interface 'QUEST'
        option proto 'dhcp'
        option device 'br-lan'

darksky · January 17, 2023, 7:32pm

Have you read: https://openwrt.org/docs/guide-user/network/wifi/dumbap

There are some videos linked there that are really good as well.

catdogmaus · January 17, 2023, 8:19pm

Unfortunately, those videos are great but mostly irrelevant bcs they are outdated. I actually have seen them before. Also, the guide is not great help bcs I have 3 different networks to manage and it does not cover how to set up more than one network. One of the videos out there does this but as already stated it is out of date.
As far as I understand it is not enough to just disable AP DNS. If more than one network exists but there is only one cable, a little more setup is required. Unfortunately, this is where my knowledge ends.

darksky · January 17, 2023, 8:43pm

Conceptually they are current. When you says you have 3 networks.... are VLANs not an option?

psherman · January 17, 2023, 8:44pm

This doesn't need to be all that hard to setup. Maybe start with this:

Are all three networks handled by a single main router? Or are you using multiple routers to do this?
Do they all exist on a single trunked port?
Are there any switches or other devices between the main router and your dumb AP? If so, what are they?

A diagram can be useful here, then we can ask more questions as needed.

catdogmaus · January 17, 2023, 9:21pm

My router actually works well. One router one AP. All current network settings are added in first post.
My br-lan bridge device uses vlan filtering. Vlan filtering is not exactly my strength so I used some help with that part. Unfortunately, I need probably to make some changes exactly there. In fact, I have the main network working over the AP even now. I think it needs some tagged traffic to get it all to work together. I did try something but it was more like a trial-and-error method than something meaningful.
In addition to the router, I have one unmanaged swich, but I can use one of the router ports for AP if needed.

psherman · January 17, 2023, 10:07pm

Your current ap config seems incomplete. What device is it? You haven’t setup the actual VLANs here, but the important factor is if it is dsa or swconfig.

catdogmaus · January 17, 2023, 10:27pm

https://firmware-selector.openwrt.org/?version=22.03.3&target=ath79%2Fgeneric&id=tplink_re450-v3

psherman · January 17, 2023, 10:35pm

So that will be fairly simple. The iot network will work like this:

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth0.10'

config interface 'IOT'
        option proto 'none'
        option device 'br-iot'

Quest cannot work currently because it is not connected to Ethernet on your main router.

catdogmaus · January 17, 2023, 11:36pm

Quest wifi in router was that moment deliberately switched off. Anyway, I can now connect to all networks from AP.

Now I need to deal with router settings
With these router settings, I can access thru AP everywhere from whatever network.

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:u'
        list ports 'lan4:u'

I have no idea how filtering works, I suppose that some of this must be tagged and some stay untagged. Maybe some additional changes?

psherman · January 18, 2023, 1:01am

You can only have a single network untagged on a port. You have both VLANs 1 and 10 untagged on port lan1.

What is it that you want to achieve with the setup here? What will be connecting to each of the ports?

catdogmaus · January 18, 2023, 11:57am

There is no point in an AP if it doesn't work with a router. If I have a dumb AP set up, obviously the router has to share the network and set the firewall rules. At the moment, it doesn't matter which network I connect the AP to - everything is open. Obviously, the router needs to understand which network the traffic is coming from. If my AP is behind lan3 it should be possible.
Before setting up, I watched https://www.youtube.com/watch?v=4t_S2oWsBpE for general knowledge, this video is also somewhere on the openwrt wiki. Unfortunately, it is also not up-to-date and probably should be updated as it shows the configuration of an old version. So, it gives knowledge of what should be done, but in terms of how to do it, it rather increases the confusion.

pavelgl · January 18, 2023, 12:11pm

See if that helps.

Router:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan4' # Untagged port for wired IoT devices
		
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'
		
config interface 'lan'
        ...
        option device 'br-lan.1'
		
config interface 'IOT'
        ...
		option device 'br-lan.10'
		
config interface 'Quest'
        ...
		option device 'br-lan.20'

AP:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
		
config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth0.10'
		
config device
        option name 'br-quest'
        option type 'bridge'
        list ports 'eth0.20'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config interface 'IOT'
        option proto 'none'
        option device 'br-iot'

config interface 'QUEST'
        option proto 'none'
        option device 'br-quest'

catdogmaus · January 18, 2023, 6:55pm

Thanks.
To do this was actually tricky, when u make changes first in the server u will lose connection to AP. When u start from AP and ignore warnings about connectivity loss, there is always a possibility that when u made some error u will in the end really lose access to AP.

pavelgl · January 18, 2023, 7:13pm

It would be much easier if vlan 1 was left untagged, but I wasn't sure how the AP would handle tagged and untagged frames on the same port...

system · January 28, 2023, 7:14pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.