What is the central device? What are the AP's?
Here is an example assuming the central device is on DSA and the dumb AP's are on switch config: openwrt-router-3-dumb-access-points-vlan-setup
1 Like
Will be a N600 (supercharged with openwrt 21.02)
Mixed but the one with 5Ghz back-haul will be a Fritz Repeater 1750E (openwrt 21.02) and the wired ones will be CPE210/220 (openwrt 21.02) . The more remote repeaters with 2,4Ghz back-haul will be some 4/32 RT305x ones I guess, not sure if they are capable of running a more recent 21.02 (flash is tight 
) even when heavily stripped down.
This mainly depends on the version of openwrt running on the device - right? So most likely all will run on openwrt 21.02, only the good old 4/32 RT305x ones will probably be stuck on a older version....
This is how the good old 4/32 RT305x look like btw: a5-v11
not that bic 
Sort of. Some OpenWrt devices have been converted from swconfig to DSA as of 21.02, others have yet to be, and some probably never will be. VLANs set up a bit different on DSA devices. Your devices are all still on swconfig, so you can ignore DSA directions for now.
The general answers to your questions are yes, there is a way to have all configuration on a central device - this is the best approach. And yes, VLANs are about the only thing that makes sense for your use case.
As a general comment, you are embarking on setting up a complicated network with low capability hardware. It will be a great learning experience, but if you have decently fast ISP speeds you may not be happy with performance long term.
In particular, regarding your N600 from the toh: "On some hardware revisions of the router, the switch driver refuses to configure a port with tagged and untagged VLANs. (There is reported success with hardware revision 1.5 enabling both tagged and untagged VLANs simultaneously on the same port.)"
1 Like
There a couple packaged solutions, OpenWISP and RadiusDesk. These will need to be installed in a dedicated PC however and not on the central device if your central device happens to be another OpenWRT device.
I use RunDeck/SSH on my workstation to manage my APs mainly because RunDeck is agentless. I save my UCI scripts such as changing SSID passwords into a RunDeck job. RunDeck will report back to me which APs have succeeded and which have failed and I can go in and manually update the failed APs which is a rare occasion. There's not really a lot I need to do with the APs other than change the passwords or add a new SSID or get a status report. The APs themselves have a h/w watchdog so if they happen to crash the h/w watchdog will automatically reboot the APs although I have never seen a single crash on my APs yet.
All my OpenWRT APs are powered by a cisco POE switch which has also been extremely reliable. I will say that at build-out there was an issue with the cabling which caused reliability problems and nailed it down to the quality of the RJ45 jacks but after installing more expensive higher quality jacks on the ends of the cables never had a problem since. If you're asking how do I know which jacks are of higher quality I observed the better quality jacks have much thicker gold pins and when you insert the RJ45 jack into the AP they fit snuggly. No jiggle or movement. Absolutely zero tolerance.
I'm aware of that but due to the lack of high capability hardware (server and client side) it's not a limiting factor. In fact I'm even running older hardware at the moment.
Most of my clients are limited to 2,4GHz (max 72Mbit/s) and I have essentially the whole band/air exclusively for me.
No decent and certainly no fast ISP available here 
Does this config also includes the WIFI/SSID's setting? For dumb AP's they always need to be configured on the device itself so far.
Good point and thank's for giving the heads up. Just tried to find out the revision of my unit without opening it, but guess that's not possible? In openwrt it shows:
but guess that's not helpful information regarding the revision?
So just to confirm, all my devices will be "stuck" on swconfig even if I do a clean flash and factory reset with the most recent openwrt (21.02.2) - is that correct?
Considering your hardware, it bodes well for you that your ISP service is not good
On a serious note, you will learn a lot from this project when you are done. So it will be worth it regardless of your ISP and hardware!
If the N600 is going to be your main gateway, and assuming it is capable of it, I would set up all your networks (default, limited, guest, etc.) on the N600 as separate VLANs, each with its own DHCP server. I have no idea if VLAN's can be sent via WiFi - my guess would be no - but I have never set up a repeater before. But you can certainly send tagged VLAN's down your wired back-haul, and then pick which VLAN to assign a WiFi interface to.
Read through the thread I gave you a link to for information on how to generally set up VLANs, DHCP, and firewall rules for your individual VLANs. In that example, the gateway was DSA, but you can also see how it is mirrored on the dumb AP's in that example, which are swconfig. The differences between swconfig and DSA are limited to the network configuration file. Setting up VLAN's is a learning process. Since you are running on older hardware, pay particular attention to the use of "option vid 'n'". Also be careful not to create and designate VLAN's with id's already in use for your lan and wan.
It might be listed on the label on the bottom? Or try TP-Link's web-site for clues?
Yes, but I wouldn't call it "stuck" on swconfig. This is probably a good thing. Conversion of my main gateway (a MT7621 ramips target) from swconfig to DSA was not painless - for me or the developers LOL - more a matter of "you have to break some eggs to make an omelette." Your devices are ath79 targets, which are still on swconfig in 21.02 and will remain so even in the next stable 22.03 version when it is released. The stable version after 22.03 is likely to move some more targets to DSA. Time will tell.
1 Like
Hi,
I've created a lightweight shell script for this use case. It works like this: you write templates for your radios and ssids, then say in each template to what radio or device it corresponds and the script generates the config for all your APs. After it created them, it can also upload and apply them to your OpenWrt devices if SSH pubkeyauth is set-up. An example template is on the repo. The script requires bash, so can run from an Openwrt "primary" device or a central Linux management server.
Kind regards,
Catfriend1
1 Like
That actually sound great 
Can you elaborate it a little more? I'm new and never used config files in openwrt yet. Also I don't have any experience setting up vlans (not in gui or console) which will be another task.
I think all my units (beside the ones with 5GHz) only have one radio but can have multiple SSIDs (on the same channel). So essentially your script helps me on deploying the "dumb AP's" centrally and not by hand individually - is that right?
1 Like
Yes, I think so. To start, better use a common Windows PC with VirtualBox, install Debian from netinst.iso there and put the wifimgr.sh script including the sample there... it will generate you a /etc/config/wireless file you can then compare to your "wished" config on your prod router and adjust the template until the script generates what you need. So far, you can then use openwrt's ssh howto to let your mgmt VM send the config to your device.
ref # A "KISS" wifi manager script to push /etc/config/wireless using a central mgmt server
1 Like
What I'm still "missing" in my head is how to "connect" the different SSIDs on the devices (AP's)(default,limited,guest, ...) with the corresponding VLANs configured on the main openwrt device.
I'm planning deploy the network at once because I use hardware already in use in my present network. So once I start the "journey" there is no (easy) way back.
I wonder if I could somewhat deploy it in smaller steps, so to have a "working" core (like the default vlan with no restrictions) and than extend the network?
So essentially this is what I'm trying to achieve:
default,guest,limited are all 2,4GHz AP's and should be "routed" as their dedicated VLAN's to the main router managing them all.
For that reason it's not enough to only set a certain ethernet port to a fixed VLAN but some extra layer is needed?
I think I need to do small steps, some one who could help me set up this basic "core" network here?
All devices are on 21.02.2
Hey there.
First: I think you will have a problem with client mode of at least some of your devices..
My guess is:
You will only be able to put your 2.4GHz radio either in access point mode or in client mode, but not in both at the same time. The same holds true for your 5GHz radio.
- You can put your lower right access point in access point mode for both, 5GHz and 2.4GHz.
- This means you need to put your lower left access points 5GHz radio in client mode. This, in turn, means your lower left access point will only be able to send out 2.4GHz wireless itself since its 5GHz is used ab for the connection to the left.
- You can put your both upper middle access points in access point mode because they are cable wired.
This means they will both be able to send wifi out (SSIDs default, guest and limited).
This means you need to put your upper right access point in client mode.
Which, in turn, means the thing that is labeled "external" will not be able to provide 2.4GHz wifi itself since the 2.4GHz radio is used up for the client connection to the left.
Do you see the problem I'm trying to explain here?
Second: vlan tagged wireless uplink
My guess is: That's doable, but it will break your neck as for using the script Catfriend1 provided because 50% of that will not be covered.
Let's assume you have a single "vlan aware bridge device" "br0" which is briedged to eth0, so you have br0.1 for LAN and br0.2 for WAN.
That should by close to default settings after flashing OpenWRT. If not, that's what you can easily configure.
Going from your lower right AP, you can set up four different SSIDs: "default", "guest", "limited" and "external".
Let's put them on VLANs 1, 3, 4 and 5 (because vlan 2 is traditionally used for WAN).
So SSID "default" is connected to br0.1, "guest" is connected to "br0.3", "limited" is connected to "br0.4" and "external" is connected to "br0.5".
You can set up a fifth SSID "trunk".
Instead of binding br0.1, br0.3, br0.4 and br0.5 (those interfaces used for the other four SSIDs) to "trunk", you could simply connect "trunk" directlry to "br0".
This will make the "trunk" SSID transport every vlan.
It's mandatory to use a bridge device "br0" instead of directly going through "eth0".
The same goes for the reverse direction: Make a wifi client on your lower left AP connecting to "trunk" and bind it to "br0".
Now you can go wired br0.1, br0.3, br0.4 and br0.5 on your lower left AP.
Once you've done that, you can set up a 2.4GHz wifi on your lower left AP exposing "defaut", "guest" and "limited".
But as I mentioned in my first section, 5GHz will not be available for providing AP wifi because the 5GHz radio is in client mode.
Summary
My overall suggestion is to drop the idea of a wireless backbone for multiple SSIDs and run wires from one AP to the other. You can go default "dumb AP" documentation from there and use the script Catfriend1 provided.
Regards,
Stephan.
2 Likes
That's actually correct, my drawing is wrong. The external will actually only be a access point on the wired ap. The external (1km away) device will connect in client mode 
Not quite. I think you perfectly explained my scenario Missing 5Ghz is no problem because 2,4Ghz is completely unoccupied and most of my devices are only capable of 2,4GHz wifi anyway.
I would really love to do this but it's not possible at the moment, it's quite a big area this network covers.
So from reading it sounds doable to me even though I never worked with vlans before. 
At the moment I fight with a device I just upgraded from 19.x to 21.x and now it doesn't save settings over a restart 
Although I love OpenWrt and am not trying to sell you on other solutions/products, I think your network architecture is going to be really hard to achieve with this platform. Specifically, the wireless backhaul with VLANs is particularly tricky to achieve - it can be done with gre-tap type encapsulation and/or relayd, but this is not trivial to setup and manage.
I think you will be better served by using products specifically designed for this task. Ubiquiti has the airmax and unifi bridge products that do exactly this in a way that is easy to configure and manage. And they also have long range radio systems. I’m sure there are other companies that have similar devices, so you can look around for those. But the point is that these are purpose built devices that will be significantly better suited to the task.
1 Like
Now that I know were the trouble is located I may rebuild the network structure in my head...
If I would only have one SSID on the AP's with wired backhaul (essentially a WDS repeater then?) will the rest more or less be trouble free? Like using multiple SSID's on the wired AP's for example?
I'm not planning in buying any (new) hardware - usually I give old (working) hardware a second live and avoid buying new stuff were possible (for socks is tricky 
)
based on your suggestion, would this here easier to set up and maintain?
For the wifi repeater I would just go with wds then, fast and furious
Or should I even consider mesh? Never used that before...
@newwrter mesh might be easier to configure because one 802.11s mesh ssid can transport multiple vlans at once by using batman-adv. I've also used batman for my internal, guest, iot wifi ssid to transport them "over wireless" from one ap to another. And yes, mesh/batman interfaces in /etc/config/wireless can also be written by my script. ... but you I'd suggest you first start with a single wifi ssid without vlan stuff and get the wireless conf file right working before you start digging into my script and then later start batman-adv learning. I remember I've also posted about batman mesh in the past here...
1 Like
this is the state I have now:
No vlan's or something yet.
What I have troubles is with at the moment, I can't reach the luci webpages for the two AP's connected as WDS clients, is this normal? The hosts (hostname or ip) are also not reacting to pings
EDIT: Looks like the reception for the 5ghz AP (down left on the picture) is just to weak to keep it established.
For the one up right I can actually ping the client which is connected to the ethernet port successful - but the AP itself is not reachable