Question: Configure networks ( new lan devices, f/w, routing ) on TP-Link RE650 / openwrt 23

Hi,

I flashed OpenWrt 23 onto my new TP-Link RE650.
This is sold as a network extender and defaults into a network proxy (MAC proxy/IP proxy etc.) type set-up when I plug in the WAN cable.
It is not exactly what I want. I don't mind the abstraction, but it does stop me from remotely administering the device when it is connected to the upstream Ubiquiti EdgeRouter, so I have to change much of this.

What I would like to have:

  • Access point that DHCPs an IP for the wan NIC from my Edgerouter.

  • 4 APs configured (4 x SSIDs) with inter-SSID traffic client connections permitted.

  • No SSID traffic may communicate with other SSIDs.

  • Firewall on each SSID.

I think the TP-Link will need some NAT as well for this, unless the upstream EdgeRouter is better off doing this. I wonder if it is faster than the consumer Linksys device, and it seems extra overhead to have the TP-Link RE650 do NAT and then the EdgeRouter do NAT on top of this.

I am not and never have been a network admin. My network knowledge is quite limited.

So, here is what I have managed to date:

I created 4 SSIDs (2 for each radio, 2.4 GHz and 5 GHz), and these APs can all be connected to.

However, I saw that clients on one SSID can communicate with clients on other SSIDs.

I suspect that this is because each SSID has been assigned to the device lan.

I do not wish to have Isolate Clients enabled because I have to have clients within each SSID able to communicate with each other, but not have clients from one SSID communicate with clients from other SSIDs.

To solve this, will this work:

Should I create a new set of devices called something like:

lan-ssid-1
lan-ssid-2
lan-ssid-3
lan-ssid-4

Then I can assign each new network device each to their respective SSIDs

e.g

lan-ssid-1 -> ssid1,
lan-ssid-2 -> ssid2
lan-ssid-3 -> ssid3
lan-ssid-4 -> ssid4

Will I have to configure a DHCP server for each device?

lan-ssid-1 10.1.1/24
lan-ssid-2 10.1.2/24
lan-ssid-3 10.1.3/24
lan-ssid-4 10.1.4/24

How will I create the Firewall settings?

How can I get the routing to work? e.g. lan-ssid-1 -> wan

Can I enable some bandwidth control per SSID or LAN device, such as max-upstream=15 Mbit/s and max-downstream=30 Mbit/s?

How can I stop the TP-Link from turning itself into a network proxy and losing all access to the Linksys box when plugged into an upstream router?

Help!

Looped in @brada4

there's a TP-Link RE650, and a Linksys RE6500, which one do you actually own ?


oh.

TP-Link. I shall edit my post

IMO, the most efficient method is to configure the system such that:

  • the multiple networks should be set up on the ER-X, where all the routing and firewall functions are handled on a single device.
  • the RE650 operates as a basic bridged AP with VLANs to enable the other networks and SSIDs.

Is the ER-X also running OpenWrt?

The following will not work and will break all routing:

You should work with /24 networks unless there is a reason you need to work with something larger. The /8 encompasses the entire 10.x.x.x space, which means that all 4 of your networks would be overlapping and would fail to route.

Sorry the 10/8 was a typo. I had meant to write 10.n.n/24. I have corrected my initial post.

The ER-X runs EdgeOS. I will stick with EdgeOS anyway.

Bridged AP: I really do not want this. It will be very problematic for segregating users and applying bandwidth controls etc.

Doing Bridged AP could open me up to complaints on bandwidth and communication between tenants in my house that I am mixing up their traffic with other tenants.

The default OpenWrt setup on the RE650 is in Bridged AP mode. Is there a way to undo this?
Can I simply remove this line from the /etc/config/network:

config interface lan
...
option type bridge
...

Should I replace this "option type bridge" with something else?

Hi,

I read one of the tutorials (see next URL) to create a guest SSID and came up with this for two SSIDs, but this makes communication between 2.4 GHz and 5 GHz difficult because I cannot see how it differentiates between the 5 GHz and 2.4 GHz radios.
Devices on SSID 0751 (5 GHz) and 0721 (2.4 GHz) should be able to communicate.
Devices on SSID 0752 (5 GHz) and 0722 (2.4 GHz) should be able to communicate.
But I do not see how to do this except in the GUI.

Guest Wifi tutorial : https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

I don't know if it will create the SSID on 2.4 GHz or 5 GHz.
I need to group those together, e.g.
Guest SSID 0751 (5 GHz) and 0721 (2.4 GHz), and let devices communicate between both.
Guest SSID 0752 (5 GHz) and 0722 (2.4 GHz), and let devices communicate between both.

But this is what I could do. How can I get the different 5 GHz and 2.4 GHz SSIDs defined and map these together as one network? Perhaps these ought to share the same lan interface (however that works).

# SSID 0751
uci -q delete network.0751_dev
uci set network.0751_dev="device"
uci set network.0751_dev.type="bridge"
uci set network.0751_dev.name="br-0751"
uci -q delete network.0751
uci set network.0751="interface"
uci set network.0751.proto="static"
uci set network.0751.device="br-0751"
uci set network.0751.ipaddr="192.168.1.1/24"
uci commit network
service network restart

WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"
uci -q delete wireless.0751
uci set wireless.0751="wifi-iface"
uci set wireless.0751.device="${WIFI_DEV}"
uci set wireless.0751.mode="ap"
uci set wireless.0751.network="0751"
uci set wireless.0751.ssid="0751"
uci set wireless.0751.encryption="none"
uci commit wireless
wifi reload

uci -q delete dhcp.0751
uci set dhcp.0751="dhcp"
uci set dhcp.0751.interface="0751"
uci set dhcp.0751.start="100"
uci set dhcp.0751.limit="150"
uci set dhcp.0751.leasetime="1h"
uci commit dhcp
service dnsmasq restart


uci -q delete firewall.0751
uci set firewall.0751="zone"
uci set firewall.0751.name="0751"
uci set firewall.0751.network="0751"
uci set firewall.0751.input="REJECT"
uci set firewall.0751.output="ACCEPT"
uci set firewall.0751.forward="REJECT"
uci -q delete firewall.0751_wan
uci set firewall.0751_wan="forwarding"
uci set firewall.0751_wan.src="0751"
uci set firewall.0751_wan.dest="wan"
uci -q delete firewall.0751_dns
uci set firewall.0751_dns="rule"
uci set firewall.0751_dns.name="Allow-DNS-0751"
uci set firewall.0751_dns.src="0751"
uci set firewall.0751_dns.dest_port="53"
uci set firewall.0751_dns.proto="tcp udp"
uci set firewall.0751_dns.target="ACCEPT"
uci -q delete firewall.0751_dhcp
uci set firewall.0751_dhcp="rule"
uci set firewall.0751_dhcp.name="Allow-DHCP-0751"
uci set firewall.0751_dhcp.src="0751"
uci set firewall.0751_dhcp.dest_port="67"
uci set firewall.0751_dhcp.proto="udp"
uci set firewall.0751_dhcp.family="ipv4"
uci set firewall.0751_dhcp.target="ACCEPT"
uci commit firewall
service firewall restart

# SSID 0752
uci -q delete network.0752_dev
uci set network.0752_dev="device"
uci set network.0752_dev.type="bridge"
uci set network.0752_dev.name="br-0752"
uci -q delete network.0752
uci set network.0752="interface"
uci set network.0752.proto="static"
uci set network.0752.device="br-0752"
uci set network.0752.ipaddr="192.168.2.1/24"
uci commit network
service network restart

WIFI_DEV="$(uci get wireless.@wifi-iface[0].device)"
uci -q delete wireless.0752
uci set wireless.0752="wifi-iface"
uci set wireless.0752.device="${WIFI_DEV}"
uci set wireless.0752.mode="ap"
uci set wireless.0752.network="0752"
uci set wireless.0752.ssid="0752"
uci set wireless.0752.encryption="none"
uci commit wireless
wifi reload

uci -q delete dhcp.0752
uci set dhcp.0752="dhcp"
uci set dhcp.0752.interface="0752"
uci set dhcp.0752.start="100"
uci set dhcp.0752.limit="150"
uci set dhcp.0752.leasetime="1h"
uci commit dhcp
service dnsmasq restart


uci -q delete firewall.0752
uci set firewall.0752="zone"
uci set firewall.0752.name="0752"
uci set firewall.0752.network="0752"
uci set firewall.0752.input="REJECT"
uci set firewall.0752.output="ACCEPT"
uci set firewall.0752.forward="REJECT"
uci -q delete firewall.0752_wan
uci set firewall.0752_wan="forwarding"
uci set firewall.0752_wan.src="0752"
uci set firewall.0752_wan.dest="wan"
uci -q delete firewall.0752_dns
uci set firewall.0752_dns="rule"
uci set firewall.0752_dns.name="Allow-DNS-0752"
uci set firewall.0752_dns.src="0752"
uci set firewall.0752_dns.dest_port="53"
uci set firewall.0752_dns.proto="tcp udp"
uci set firewall.0752_dns.target="ACCEPT"
uci -q delete firewall.0752_dhcp
uci set firewall.0752_dhcp="rule"
uci set firewall.0752_dhcp.name="Allow-DHCP-0752"
uci set firewall.0752_dhcp.src="0752"
uci set firewall.0752_dhcp.dest_port="67"
uci set firewall.0752_dhcp.proto="udp"
uci set firewall.0752_dhcp.family="ipv4"
uci set firewall.0752_dhcp.target="ACCEPT"
uci commit firewall
service firewall restart

That's fine. Do you know how to set up multiple networks on EdgeOS with VLANs? Assuming yes, you'll also need to adjust the firewall to add isolation -- it will, by default, route between all the connected subnets.

This is an incorrect statement and interpretation of a bridged AP.

A bridged AP is talking about ethernet > wifi, not bridging networks. The networks will remain isolated based on the VLANs (they will not be routed or otherwise 'mixed' together) on the OpenWrt side. The EdgeOS side will be responsible for the routing and isolation.

No, this will break things.

But to be clear, see my statement above. This is not going to bridge networks together.

The best place for you to setup the additional networks is on the router itself.

Hi,

Thanks for your replies.

I started using EdgeOS last Friday. I had never touched a router before bar an old Cisco Pix 501 in around 2007. VLANs are new fangled stuff for me.

I think I have exceeded the limits of my knowledge.

Should I replace this "option type bridge" with something else?
No, this will break things.

So I cannot use my TP-Link RE650 as a router? Then I have to buy a real AP that I can use as a router. I had misled myself into thinking I could buy an RE650, install OpenWrt, and then use it as a proper router.

The ER-X can run EdgeOS or OpenWrt. Both work well, but they are very different environments.

I used to be really good with EdgeOS and it is the system I first used when I was learning VLANs.

While there is nuance, VLANs are ethernet-specific methods of transporting multiple subnets. Fundamentally, the network interfaces (and firewall rules) are the same regardless of whether you're using them just for wifi or also putting them on a wire. VLANs (specifically the 802.1q tags) are what differentiate one network from another when they are on a trunk (i.e. a single port/cable that carries multiple networks).

I never said that. Yes, you can use it as a router. I was recommending against it, though, as it's good to have all routing/firewall features on the main router and then the AP can be just an AP. This makes management easier and more efficient rather than having two or more devices performing routing. It's best practice with respect to network topology, not specific to the hardware itself.

Thank-you for explaining this. It is starting to make sense.

This also makes sense.

Does this mean that I have to:

Set up a VLAN for each network/SSID on both the AP and the EdgeRouter?

eg.

create a VLAN100 on the AP and a VLAN100 on the Edgerouter for my two SSIDs 0750 and 0720. Enable tagging.

create a VLAN100 on the AP and a VLAN100 on the Edgerouter for my two SSIDs 0751 and 0721. Enable tagging.

Clearly the OpenWrt AP can do this. Can the EdgeRouter-X do this?

Yes, basically.

You'll set up additional networks on your ER-X. By enabling VLAN aware mode on the ER-X switch, you can create the VLAN under the switch and give that an address, DHCP server, and configure the firewall appropriately. You'll then set the port that connects to the AP such that you have your networks tagged (you can optionally have one network untagged (PVID); the rest must be tagged (VID)).

Then, on the AP, depending on the details of the device, you'll either setup individual bridges for each of the VLANs or you'll use bridge-VLANs. All of the networks will be unmanaged except for the one that is used to manage the AP itself... this means that the other networks will simply pass through the AP, but will not interact with it in terms of accessing the administrative functions or similar.

I'd recommend that you do this just one network at a time so that you can learn and fix errors, then repeat the recipe to get the rest.

Hi,

Unfortunately, I made a mistake with the configuration that I cannot see how to undo.

Before I read your replies, I had already set up a lan1 with DHCP running on it with a different subnet, but had not thought that it would automatically be used. Well, I was wrong.

The clients now connect to lan1 instead of the default lan interface. If I delete lan1 then I lose access to the TP-Link AP. As far as I know the TP-Link cannot be reset to OpenWrt defaults except if I log in, which I could not do if I delete lan1.

Oddly, the wireless options have got lan set, and do not mention lan1 anywhere.

How can I get the clients connecting on the AP to use the lan interface instead of lan1?

If I can do this, then I can delete lan1 interface and get back to the start of fixing this as you suggested with the VLANs.

# grep 'option network' wireless 
	option network 'lan'
	option network 'lan'
	option network 'lan'
	option network 'lan'
	option network 'lan'
	option network 'lan'
	option network 'lan'
#
# cat network 
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb6:c388:fdde::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'lan1'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
# cat dhcp 
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan1'
	option interface 'lan1'
	option start '100'
	option limit '150'
	option leasetime '12h'

This is the message I got when I tried to delete lan1:

Since you appear to be connected to the RE650 currently, I'd recommend simply resetting to defaults now and then connecting it directly to your computer via ethernet to do the configuration.

The basic problem is that you have assigned two networks to the same bridge, and that's going to cause problems. It's easier to start from scratch.
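The mistake the reply above points at (two interfaces, lan and lan1, both bound to br-lan) is easy to catch before `uci commit` locks you out. The following is an added example, not code from the thread or from the OpenWrt project: a pre-flight check written in POSIX sh plus awk (so it runs on the AP's BusyBox or on a workstation against copied files) that reports any device claimed by more than one interface in /etc/config/network, and any wifi-iface whose `option network` points at an interface that is not defined. The function names `shared_devices` and `dangling_wifi_networks` are mine, and the sample config files are constructed from the snippets posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for OpenWrt UCI config files.

# Print "device: iface1 iface2 ..." for every device claimed by more than one interface.
shared_devices() {  # $1 = path to a /etc/config/network style file
  awk -v q="'" '
    # remember the current section only when it is an interface; ignore config device etc.
    /^config / { sec = ($2 == "interface") ? $3 : ""; gsub(q, "", sec) }
    /^[ \t]*option device/ && sec != "" {
      dev = $3; gsub(q, "", dev)
      owners[dev] = owners[dev] " " sec; count[dev]++
    }
    END { for (d in count) if (count[d] > 1) print d ":" owners[d] }
  ' "$1"
}

# Print "wifi-iface -> network" for every wifi-iface bound to a network that does not exist.
dangling_wifi_networks() {  # $1 = network config file, $2 = wireless config file
  awk -v q="'" '
    FNR == 1 { file++ }                                   # 1 = network, 2 = wireless
    file == 1 && /^config interface/ { n = $3; gsub(q, "", n); known[n] = 1 }
    file == 2 && /^config wifi-iface/ { sec = $3; gsub(q, "", sec) }
    file == 2 && /^[ \t]*option network/ {
      net = $3; gsub(q, "", net)
      if (!(net in known)) print sec " -> " net
    }
  ' "$1" "$2"
}

# Constructed sample input, modelled on the lan/lan1 config posted above.
NET_SAMPLE=$(mktemp); WIFI_SAMPLE=$(mktemp)
cat > "$NET_SAMPLE" <<'EOF'
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'

config interface 'lan1'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.2.1'
EOF
cat > "$WIFI_SAMPLE" <<'EOF'
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'

config wifi-iface 'ap200_radio0'
	option device 'radio0'
	option network 'vlan200'
	option mode 'ap'
EOF

echo "devices shared by several interfaces:"
shared_devices "$NET_SAMPLE"                         # br-lan: lan lan1
echo "wifi-ifaces bound to undefined networks:"
dangling_wifi_networks "$NET_SAMPLE" "$WIFI_SAMPLE"  # ap200_radio0 -> vlan200
```

On the device itself you would run the two functions against /etc/config/network and /etc/config/wireless (after `uci set` but before `uci commit` the pending changes are not yet in the files, so check the files after commit and before `service network restart`). An empty result from both checks is what you want to see before restarting anything over a wireless session.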

Thanks. This is sound advice. I shall do this.

Hi,

I reset the router and started again.

I added two SSIDs.

I tried to add a new interface called eth0.100 but I do not know if this is the right place, and I expect to lock myself out without means to log in and reset it.

I plan to add these:
eth0.[1-4] with tags of vlan[1.2.3.4]00

let's see the default network config file:

cat /etc/config/network

In general, you can use the "custom" field at the bottom to create eth0.100 (or eth0.x), but if you want to use wifi + ethernet, you need to make a bridge with that first.

Looking at your network config, though, will be the best way for me to help you.


Hi,

I found a screen shot that was small enough to post here. Phew.

I will post the network config tonight

### network ###

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxx:xxx:xxx::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

### dhcp ###

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

### wireless ###

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option txpower '20'
	option country 'PA'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '0_nomap'
	option encryption 'sae-mixed'
	option key 'xxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option txpower '27'
	option country 'PA'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '1_nomap'
	option encryption 'sae-mixed'
	option key 'xxxxxxxxxx'

I'm going to assume that you have created at least one new network on your ER-X (and verified functionality).

We'll therefore just create bridge-vlans and unmanaged interfaces for them.
I'm also making the assumption that VLAN 100 is untagged and is the management network. If this isn't the case, we'll modify stuff.

Start by adding bridge-VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'lan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '400'
	list ports 'lan:t'

Now, edit the lan to use br-lan.100 and set its address for the VLAN 100 subnet (I'm guessing at an available address that is not within the DHCP pool... modify as required):

config interface 'lan'
	option device 'br-lan.100'
	option proto 'static'
	option ipaddr '10.1.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'

Now we can add interfaces for the other VLANs -- these will all be unmanaged:

config interface 'vlan200'
	option device 'br-lan.200'
	option proto 'none'

config interface 'vlan300'
	option device 'br-lan.300'
	option proto 'none'

config interface 'vlan400'
	option device 'br-lan.400'
	option proto 'none'

Create SSIDs for each of the networks and then connect those SSIDs with the respective network (vlan100 - vlan400).

Finally, don't forget to disable the DHCP server on the lan interface... edit the DHCP file so that the lan server looks like this:

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

Restart and test. This all assumes the ER-X is properly configured and that my guesses were correct about the management VLAN and the other stuff.
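The recipe above leaves the SSID step as prose, and it also answers the earlier question about getting a 5 GHz and a 2.4 GHz SSID onto one network: both wifi-ifaces simply point at the same interface section. As an added example (not code from the thread or from the OpenWrt project), the script below generates a `uci batch` script for that whole layout: the four bridge-VLANs, the management address on br-lan.100, the unmanaged tenant interfaces, one AP per radio per tenant VLAN, and the DHCP server disabled on lan. Everything in it is an assumption to be adjusted: the VLAN ids, the SSID names, the management address, the trunk port name `lan`, the radio names (radio0 = 5 GHz, radio1 = 2.4 GHz, as in the pasted wireless config) and the placeholder passphrase. The helper names (`emit_bridge_vlan`, `emit_unmanaged_iface`, `emit_ssid_pair`, `generate_batch`) are mine.

```shell
#!/bin/sh
# Added example, not from the thread: emit a `uci batch` script for a bridged-VLAN AP.

TRUNK_PORT="lan"                  # assumed: the port that carries the trunk to the ER-X
MGMT_VLAN="100"                   # assumed: untagged management VLAN (PVID on the ER-X port)
MGMT_ADDR="10.1.1.2"              # assumed free address outside the ER-X DHCP pool
MGMT_MASK="255.255.255.0"
WIFI_KEY="CHANGE-ME-placeholder"  # placeholder only, set a real passphrase
# Tenant networks as "vlanid:ssid" pairs (constructed sample values).
TENANT_NETS="200:tenant-a 300:tenant-b 400:tenant-c"

# One bridge-vlan stanza. $1 = VLAN id, $2 = port flags: u* untagged+PVID, t tagged.
emit_bridge_vlan() {
  printf "set network.bv%s=bridge-vlan\n" "$1"
  printf "set network.bv%s.device='br-lan'\n" "$1"
  printf "set network.bv%s.vlan='%s'\n" "$1" "$1"
  printf "add_list network.bv%s.ports='%s:%s'\n" "$1" "$TRUNK_PORT" "$2"
}

# Unmanaged interface for a tenant VLAN: frames pass through, the AP has no address on it.
emit_unmanaged_iface() {
  printf "set network.vlan%s=interface\n" "$1"
  printf "set network.vlan%s.device='br-lan.%s'\n" "$1" "$1"
  printf "set network.vlan%s.proto='none'\n" "$1"
}

# Two APs, one per radio, bound to the same network section so the 5 GHz and
# 2.4 GHz SSID share one L2 segment. $1 = VLAN id, $2 = SSID.
emit_ssid_pair() {
  for radio in radio0 radio1; do
    sec="ap${1}_${radio}"
    printf "set wireless.%s=wifi-iface\n" "$sec"
    printf "set wireless.%s.device='%s'\n" "$sec" "$radio"
    printf "set wireless.%s.mode='ap'\n" "$sec"
    printf "set wireless.%s.network='vlan%s'\n" "$sec" "$1"
    printf "set wireless.%s.ssid='%s'\n" "$sec" "$2"
    printf "set wireless.%s.encryption='sae-mixed'\n" "$sec"
    printf "set wireless.%s.key='%s'\n" "$sec" "$WIFI_KEY"
    # clients on the same SSID may talk to each other; separation between
    # tenants comes from the VLANs and the ER-X firewall, not from isolate
    printf "set wireless.%s.isolate='0'\n" "$sec"
  done
}

generate_batch() {
  # management VLAN: untagged on the trunk, carries the AP's own address
  emit_bridge_vlan "$MGMT_VLAN" "u*"
  printf "set network.lan.device='br-lan.%s'\n" "$MGMT_VLAN"
  printf "set network.lan.proto='static'\n"
  printf "set network.lan.ipaddr='%s'\n" "$MGMT_ADDR"
  printf "set network.lan.netmask='%s'\n" "$MGMT_MASK"
  # the ER-X serves DHCP for every VLAN; the AP must not run a second server on lan
  printf "set dhcp.lan.ignore='1'\n"
  for pair in $TENANT_NETS; do
    vlan="${pair%%:*}"; ssid="${pair#*:}"
    emit_bridge_vlan "$vlan" "t"
    emit_unmanaged_iface "$vlan"
    emit_ssid_pair "$vlan" "$ssid"
  done
  printf "commit network\ncommit wireless\ncommit dhcp\n"
}

generate_batch
# apply on the AP with:  generate_batch | uci batch && service network restart && wifi reload
```

Review the generated lines first, apply them from a wired session on the management VLAN (a wrong PVID on either side is exactly the lock-out the thread worries about), then `uci show network` to confirm what was written. If you would rather have the AP take its management address from the ER-X, as the original wish list asked, change the lan lines to `proto='dhcp'` and drop the ipaddr/netmask lines; the tenant VLANs are unaffected either way.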

The ER-X is a bit tricky. I did the wizard, which was meant to create the uplink to the fibre ONT, which it did, and two networks with two different DHCP servers. These work, and I can get to the ER-X when I plug my notebook into eth2 or eth3, and also my TP-Link will extend the networks from the ER-X onto it.

The snips for networks and dhcp:

Do these all go into the /etc/config/networks file, or does part go into the /etc/config/networks file, and another part into /etc/config/lan as in this:

Now, edit the lan to use br-lan.100

do you mean:

# cat <<EOF> vlan200
config interface 'vlan200'
	option device 'br-lan.200'
	option proto 'none'
EOF

# cat <<EOF> vlan300
config interface 'vlan300'
	option device 'br-lan.300'
	option proto 'none'
EOF

# cat <<EOF> vlan400
config interface 'vlan400'
	option device 'br-lan.400'
	option proto 'none'
EOF

# cat <<EOF>lan
config interface 'lan'
        option device 'br-lan.100'
        option proto 'static'
        option ipaddr '10.1.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
EOF

# cat <<EOF>dhcp
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
EOF