Netgear WAC104 setup help

I've got a Netgear WAC104 that's running OpenWrt 23.05.4 that I'm struggling to configure. I'm trying to set it up on my existing LAN with a static IP. I'd like to have two separate SSIDs on it with different IP ranges than my LAN: one that can see my LAN and the internet, and one that can only see the internet. I was able to set the static IP but can't seem to get DNS to work. I've added the DNS servers under interfaces->lan->Advanced Settings->Use custom DNS servers and they show up in the logs saying 'using nameserver ip address', but when I ping under network->diagnostics it times out. It also times out on the command line. Any ideas?

Thanks

Does your main router run OpenWrt? Or another VLAN aware firmware?

For your AP, let's see the complete config (and please let us know which port on the WAC104 is used to connect it to the upstream router/network).

If your main router is also running OpenWrt, let's see the same info:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

My main router is a Linksys EA6500v2 running FreshTomato 2024.2. This is my first foray into OpenWrt and maybe it's showing. 🙂 The WAC104 is connected via its LAN1 port. There are only LAN ports on this device.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear WAC104",
        "board_name": "netgear,wac104",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.227'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option ipv6 '0'
        list dns '192.168.1.1'
        list dns '208.67.222.222'

# NOTE(review): 'lan2' and 'lan3' are both bound directly to the same device,
# 'eth0', while the only bridge defined in this file is 'br-lan' (ports
# lan1-lan4). Two subnets sharing one underlying device have no layer-2
# separation from each other at this level. On a DSA target such as this one,
# 'eth0' is presumably the switch conduit rather than a user-facing port —
# confirm. The wireless config attaches the SSIDs to these two networks, so
# any separation between them depends on how this section and the firewall
# zones are set up.
config interface 'lan2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'eth0'

# NOTE(review): same device as 'lan2' above; see the note there.
config interface 'lan3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option device 'eth0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid ''
        option encryption 'psk2'
        option key ''
        option network 'lan2'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid ''
        option encryption 'psk2'
        option key ''
        option network 'lan2'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid ''
        option encryption 'psk2'
        option key ''
        option network 'lan3'

config wifi-iface 'wifinet5'
        option device 'radio0'
        option mode 'ap'
        option ssid ''
        option encryption 'psk2'
        option key ''
        option network 'lan3'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan2'
        option interface 'lan2'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'lan3'
        option interface 'lan3'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# NOTE(review): this zone lists only the 'lan' interface. The 'lan2' and
# 'lan3' interfaces from /etc/config/network are not listed in any zone in
# this file, so no per-zone policy or forwarding is defined for them.
# Presumably their traffic falls under the defaults section (input REJECT,
# forward REJECT), which would also block DHCP/DNS requests from their
# clients to this device — confirm. Giving each SSID network its own zone
# makes the intended policy explicit: which one may reach the upstream LAN
# and which one is internet-only.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# NOTE(review): 'wan' and 'wan6' are not defined in the network config shown
# for this device, so this zone appears to match no interface here.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Only forwarding defined in this file: lan -> wan. Nothing is defined for
# lan2 or lan3.
config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Thanks for the help.

Just looking for some help after my settings post.

Thanks

Can anyone help with this? @psherman

Probably set up as a Bridged AP: https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap
Reset to defaults first.
Connect with LAN port to LAN port of ISP router, do not use the WAN port (if you are a port short we can later assign the wan port to br-lan).

If that works you can set up a guest wifi which you can isolate from the rest of your network, see: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

I tried your first link but the following doesn't seem to work. I can't ping or ssh to the device.

config interface lan
        option ifname eth0
        option type bridge
        option proto static
        option ipaddr 192.168.1.2
        option netmask 255.255.255.0
        option gateway 192.168.1.1
        option dns 192.168.1.1

I think the issue is this WAC104 device is an AP only. The default config looks like this.

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

I'm not sure what I'm supposed to do with the eth0 in the bridged AP example when the default for this device is br-lan.

Where did this syntax come from? There are many problems with it, making it entirely invalid for use with modern OpenWrt.

It came from the first link in the post just above mine from egc.

Probably set up as a Bridged AP: https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap

I did try it with quotes around all the values like the default config has.

Yikes... that needs to be edited! Glad I asked. Thanks for pointing me to the right place.

Yeah, the problem is that ifname is no longer valid syntax, and the bridge line will actually break the interface. So those two issues, plus the quotes that you pointed out all need to be fixed.

Let's see your current network config file.

I'm back to just the default which I posted just above your response.

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

Ok... so taking a quick step back...

Have you set up additional networks here?

Typically, the best topology for multiple networks is to implement them all in the main router, and then use VLANs to get them over to the other equipment via ethernet. This way, your AP (WAC104) will be purely a bridged AP, not tasked with any routing. This is most efficient because all the routing happens in the main router, and you can set firewall rules in one place to meet your goals for what is allowed/prohibited on each network.

Normally I'd agree, but the network I'm adding it to doesn't allow that. I have to set a static IP for the AP and then I need two wireless SSIDs off of it managed by the AP. So firewall and routing would need to be done on the AP. And I'd need to manage the AP from the existing network.

Why not? Your main router does have the capability (fresh tomato supports multiple networks and VLANs).

Also, if you need it to go to other APs, you'll need a managed switch in the network. Do you have that already?

The Tomato router is just my home network used for testing. It's not going into that network for daily use. I don't have control over what it's being plugged into.

Ok... I see.

If that's the case, it's easy enough to set up an AP with additional networks broadcast by the same local radio hardware, but sending those to any other devices will require specific coordination with the upstream network.

Backing up some more... what is the intent of this AP and its networks? Is it a travel router? Or something else?

I guess a travel AP would be close. One wireless network would see the upstream network and the internet. The second would only see the internet.

Is the upstream network considered trusted? Will administration of the AP be desired/required from the upstream network or can it be limited to one of the downstream networks?

You had mentioned that there would be another AP... is that still the case? If so, would it be directly connected to the WAC104, or somewhere else on the upstream network?

Yes, the upstream network is trusted and admin of the AP from the upstream network will be required.

Yes, there are other APs, but all upstream, nothing connected to the WAC104.

In this case, there are two options:

  1. the router gets an address from the upstream DHCP server
  2. the router is given a static IP address in the subnet of the upstream network.

If you go with option 1, it will make the AP harder to locate on the network since you'll have to probe the network, look at the DHCP leases table, or log in from another administrative network on the AP itself.

If you go with option 2, you need to know the subnet, subnet mask/size, the gateway address, dns server address, and an available address within that network that is not used by any other device and is outside the DHCP pool.

Which way do you want to go?