Questions regarding full isolation for guest wifis & wireless mesh networking when running several APs

Hello,

I've got three new devices (T-MB5EU-V01) running OpenWrt (snapshot by necessity, from yesterday) as APs for my wired network.

Via single cables, two are connected to a Zyxel GS1900-24HP, the other to a Netgear GS1080PE switch. Both switches are connected to another; the Zyxel further connects to the gateway.

What I need to do:

  1. [Done:] Configure each as pure/dumb AP, each having two wifis (ESSIDs "foo" & "foo-guest" here for convenience) for both bands (2.4/5). So in total, four ESSIDs per device and each ESSID used six times across the three.

    I followed the wiki page "Dumb Access Point" except for the optional part.
    [Tbh, I would rewrite the LuCI section to be less wordy and more direct.]

    "foo-guest" so far only differs from "foo" in password and the "Isolate Clients" option being activated. Each band's device uses the same settings across the APs (frequency, …).

  2. Fully isolate these total six "foo-guest" ESSIDs — so it's not (as currently) that their clients are just isolated from talking with/seeing others within the same AP's ESSID, but within the network as a whole.

    I'm not sure how to proceed here. I'm aware of the relevant terms (particularly thanks to the little schema in Basic Networking), but not fully of their meanings and how they need to be configured.

    After searching for tutorials and past threads, the "Guest Wi-Fi basics" seems not relevant to my case as it further seems to rely on the APs directly connecting to the internet themselves? (I also don't understand how Part 1. there can skip assigning a bridge port for the new bridge it creates.)

    So the most promising seems an ebtables solution, like in either Malakai's forum post or Matthias Larisch's blog post. Both rely on differing sets of rules; I don't know if they're both correct nor if/which one is better.

    But most confusing to me is: Both assume there's already a br-guest bridge ready. I don't know how to set that up:

    ⓐ Do I just 1:1 copy the "br-lan" one with "br-guest" as new name?

    ⓑ Do I also need to configure & assign a new interface?

    ⓒ Is ⓐ even possible given they would have the same bridge port and/or MAC? Or – given Guest Wi-Fi basics skips that – do I just not assign those?

    ⓓ If ⓐ is not possible, is ebtables actually the way to do this for APs meant to offer both isolated and non-isolated wifi?

  3. Combine the three APs' separate "foo" & "foo-guest" wifis into a shared/mesh wifi so clients can physically move between them.

    Since all APs are wired, I suppose the most straightforward way to do this is as described in the "802.11s based wireless mesh network" wiki page.

    I've installed wpad-wolfssl (note: on snapshot, one currently has to do that before installing luci, otherwise opkg will throw an apparently unresolvable dependency conflict).

    Am I understanding it correctly that the required changes are:

    ⓐ Change each AP's four configured wifi-ifaces' option network 'lan' to option network 'mesh'.

    I'm assuming lan and mesh here refer to interfaces. But mesh was never actually defined as one?

    I also don't know how what the following part means and how it's to be implemented: "Access by client devices is achieved by bridging the 'ap' and the 'mesh' interfaces."

    ⓑ Change each AP's four configured wifi-ifaces' option mode 'ap' to option mode 'mesh'.

    ⓒ Add the same option mesh_id '$ID' to the same-named ESSIDs (including within each AP for both bands' wifi-ifaces – or does each band need a separate $ID?).

    ⓓ The part option encryption 'psk2/aes' also is confusing: For one, with regular AP the current value for WPA2-PSK is just psk2. For another, there's no WPA3 or WPA2/3 mixed mode (sae-mixed) possible?

Sorry for this large amount of questions. Any help is greatly appreciated!

  1. you bridge the incoming VLAN to your AP interfaces/ BSSIDs (the AP does not need to have an IP on these networks, e.g. proto=none; you do want to retain one management interface).
  2. With wired backhauls, you don't want meshing, just dumb APs with multiple BSSIDs.
1 Like