I've got a Netgear WAC104 that's running OpenWrt 23.05.4 that I'm struggling to configure. I'm trying to set it on my my existing LAN with a static IP. I'd like to have two separate SSIDs on it with different IP ranges than my LAN. One that can see my LAN and the internet and one that can only see the internet. I was able to set the static IP but can't seem to get DNS to work. I've added them under interfaces->lan->Advanced Settings->Use custom DNS servers and they show up in the logs saying 'using nameserver ip address' but when I ping under network->diagnostics it times out. It also times out on the command line. Any ideas?
Does your main router run OpenWrt? Or another VLAN aware firmware?
For your AP, let's see the complete config (and please let us know which port on the WAC104 is used to connect it to the upstream router/network).
If your main router is also running OpenWrt, let's see the same info:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
My main router is a Linksys EA6500v2 running FreshTomato 2024.2. This is my first foray into OpenWRT and maybe it's showing. The WAC104 is connected to the LAN1 port. There's only LAN ports on this device.
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Netgear WAC104",
"board_name": "netgear,wac104",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.227'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.1'
option ipv6 '0'
list dns '192.168.1.1'
list dns '208.67.222.222'
config interface 'lan2'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option device 'eth0'
config interface 'lan3'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option device 'eth0'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid ''
option encryption 'psk2'
option key ''
option network 'lan2'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid ''
option encryption 'psk2'
option key ''
option network 'lan2'
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid ''
option encryption 'psk2'
option key ''
option network 'lan3'
config wifi-iface 'wifinet5'
option device 'radio0'
option mode 'ap'
option ssid ''
option encryption 'psk2'
option key ''
option network 'lan3'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'lan2'
option interface 'lan2'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'lan3'
option interface 'lan3'
option start '100'
option limit '150'
option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
Yikes... that needs to be edited! Glad I asked. Thanks for pointing me to the right place.
Yeah, the problem is that ifname is no longer valid syntax, and the bridge line will actually break the interface. So those two issues, plus the quotes that you pointed out all need to be fixed.
Typically, the best topology for multiple networks is to implement them all in the main router, and then use VLANs to get them over to the other equipment via ethernet. This way, your AP (WAC104) will be purely a bridged AP, not tasked with any routing. This is most efficient because all the routing happens in the main router, and you can set firewall rules in one place to meet your goals for what is allowed/prohibited on each network.
Normally I'd agree but the network I'm adding it too doesn't allow that. I have to set a static IP for the AP and then I need two wireless SSIDs off of it managed by the AP. So firewall and routing would need to be done on the AP. And I'd need to manage the AP from the existing network.
The Tomato router is just my home network used for testing. It's not going into that network for daily use. I don't have control over what it's being plugged into.
If that's the case, it's easy enough to setup an AP with additional networks broadcast by the same local radio hardware, but sending those to any other devices will require specific coordination with the upstream network.
Backing up some more... what is the intent of this AP and its networks? Is it a travel router? Or something else?
Is the upstream network considered trusted? Will administration of the AP be desired/required from the upstream network or can it be limited to one of the downstream networks?
You had mentioned that there would be another AP... is that still the case? If so, would it be directly connected to the WAC104, or somewhere else on the upstream network?
the router gets an address from the upstream DHCP server
the router is given a static IP address in the subnet of the upstream network.
If you go with option 1, it will make the AP harder to locate on the network since you'll have to probe the network, look at the DHCP leases table, or login from another administrative network on the AP itself.
If you go with option 2, you need to know the subnet, subnet mask/size, the gateway address, dns server address, and an available address within that network that is not used by any other device and is outside the DHCP pool.