Relay wireless WPA-2 Enterprise connection

Context

I reside in university dorms. We utilize the "eduroam" network. This network is a WPA-2 Enterprise network. I am unable to connect my IoT devices to this network unless I create a personal hotspot from my Windows 10 computer. There are 2 main issues with this solution: 1) I am limited to broadcasting either a 2.4 GHz hotspot or a 5 GHz one, 2) my computer must remain on at all times.

I have purchased a Netgear EX3700 wireless range extender and flashed it with the latest release of OpenWRT (19.07.7). While this device does have an Ethernet port, the dorm has only WiFi available, so I am unable to utilize it to establish a connection with eduroam. I am therefore wanting to connect wirelessly to eduroam and bridge that connection with a 2.4 GHz and a 5 GHz network being broadcast from the device.

Problem
I have successfully connected OpenWRT to my PC's hotspot (which is obviously connected to eduroam) to update the package list, remove "wpad-basic" and install "wpad". I primarily do this through SSH; however, all configurations mentioned below have been done through LuCI because I am not too familiar with the CLI.

Next, I have connected to eduroam using WPA2-EAP + PEAP + PEAPMSCHAPV2 and removed the connection to my PC hotspot. I have used the network diagnostic function on LuCI to see that the device has successfully connected and has been granted internet access.

My problem arises from this point onwards. I am not sure how I can broadcast a dual-band network from my device that is bridged with my client network (eduroam). I have followed this tutorial, which utilizes the package "relayd" to create a network bridge. I have been successful in doing so, but only when my client network is set to my PC hotspot. When my client network is set to eduroam, connecting to the broadcast wireless network shows as "No internet access" or "No IP address" on my devices (such as my iPhone, iPad, etc.).

I do apologize for my inappropriate use of the terminology around this topic as I am very new to networking. Please could someone help point me in the right direction while bearing that in mind. Thank you.

A regular (non-WDS) wifi client can't be in a bridge. You will need to route and NAT the devices into the single IP address you get from the college network. Set up a wan network named exactly 'wan' (since that name, lower case, is already in the default firewall) of type DHCP Client and attach the wifi client to it. The Ethernet port and wifi APs will be in the existing lan network.

Thanks for your reply. I have a few questions:

  • What do you mean by setting up a "wan network"? Do I create a new interface named "wan" with protocol "DHCP client"?
  • If that is the case, does this interface become the bridge? - what interfaces do I bridge between? I would assume my Client and eth0 (lan) interface?

Default configuration of a router with one Ethernet port doesn't include a wan network. You're going to add one to make it like a standard home router with a dedicated WAN port, only here the wan connection will be wireless and the single Ethernet port will continue to be lan.

Lan is a bridge by default, so it can have multiple physical interfaces (such as Ethernet and a wifi AP on each band). wan will not be a bridge; it only has the single wifi STA which connects to the upstream network.

The process by which a lan device can retrieve data from the Internet is not a bridge; it is routing and forwarding. This is controlled by the firewall, not the network setup. Since the use case here is just like a standard home router except the physical WAN is wireless instead of wired, the default firewall can be used as it is.

I apologize, but I do not understand much of this as I am a beginner in the networking field. From what I have gathered from this, I have set up the following:

I have created my "wan" interface as my DHCP client in its own wan firewall zone. I have successfully managed to set up my 2.4 GHz band such that my devices can connect to it and access the internet. I am unable to broadcast my 5 GHz band for some reason. I hope the following extracts can be used to help me resolve the issue:

root@OpenWrt:~# cat /etc/config/network 
 
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
 
config globals 'globals'
	option ula_prefix 'fd39:f374:b0e8::/48'
 
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
 
config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr '08:36:c9:eb:8c:62'
 
config interface 'wwan'
	option proto 'dhcp'
 
config interface 'wan'
	option proto 'dhcp'
root@OpenWrt:~# cat /etc/config/wireless 
 
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option channel '36'
 
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
 
config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10180000.wmac'
	option htmode 'HT20'
 
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'none'
	option ssid 'OpenWrt 2.4'
 
config wifi-iface 'wifinet2'
	option ssid 'eduroam'
	option device 'radio0'
	option mode 'sta'
	option password 'MY PASSWORD'
	option encryption 'wpa2'
	option eap_type 'peap'
	option identity 'MY USERNAME'
	option auth 'EAP-MSCHAPV2'
	option network 'wwan wan'
 
config wifi-iface 'wifinet3'
	option ssid 'eduroam'
	option device 'radio1'
	option mode 'sta'
	option network 'wwan'
	option password 'MY PASSWORD'
	option encryption 'wpa2'
	option eap_type 'peap'
	option identity 'MY USERNAME'
	option auth 'EAP-MSCHAPV2'
root@OpenWrt:~# cat /etc/config/firewall 
 
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'
 
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wwan'
 
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
 
config forwarding
	option src 'lan'
	option dest 'wan'
 
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
 
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
 
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
 
config include
	option path '/etc/firewall.user'

For best wifi results, set radio option country to your country code. Do this on both radios.

Don't try to make two connections to the college AP; this will not work since they don't support combining them. If the 5 GHz signal is strong, use it, otherwise 2.4.

Simultaneous AP and STA may also require explicitly configuring the radio HT/VHT mode and bandwidth to match the college AP, and also explicitly configuring the channel to match the one the AP uses. Use option bssid to force a connection to a particular AP.

This is very wrong; you can only specify one network. If you've already created the network wwan and it is in the wan firewall zone, you don't need a network named wan at all; you can take that out of the configuration.
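The layout the replies describe (one wifi STA in its own wan zone, routed and NATed to the single upstream address; the lan bridge carrying the Ethernet port and the APs), turned into a check that can be run against the pasted configs. This is an added example, not part of the thread or of OpenWrt: it embeds a condensed, constructed copy of the posted wireless and firewall config and a corrected version whose country code, AP SSID and key, identity, password and ca_cert path are assumed placeholders. Besides the points the replies make (a STA bound to two networks, two STAs to the same SSID, no country code, the upstream interface sitting in the lan zone via `option network 'lan wwan'`, where input and forward are ACCEPT), it flags two things a practitioner would fix in the posted config: both APs are open (encryption 'none'), so anyone in range uses the dorm connection under the poster's eduroam credentials, and the PEAP STA has no ca_cert, so wpa_supplicant accepts any server certificate and a rogue AP advertising 'eduroam' can collect the MSCHAPv2 exchange.

```python
"""Lint an OpenWrt UCI config for the wifi-STA-as-WAN layout from the thread."""
import re

# Only quoted values are handled, which is how LuCI writes the files pasted above.
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    # Minimal UCI parser: a list of {'type', 'name', 'opts'} sections.
    secs = []
    for m in filter(None, map(_LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            secs.append({"type": key, "name": val, "opts": {}})
        elif kind == "option":
            secs[-1]["opts"][key] = val
        else:  # 'list' entries accumulate
            secs[-1]["opts"].setdefault(key, []).append(val)
    return secs

def lint(wireless, firewall):
    # Returns findings as strings; an empty list means the layout is sane.
    wl, fw = parse_uci(wireless), parse_uci(firewall)
    zone_of = {n: z["opts"] for z in fw if z["type"] == "zone"
               for n in z["opts"].get("network", "").split()}
    out, stas = [], []
    for s in wl:
        o, name = s["opts"], s["name"]
        if s["type"] == "wifi-device" and "country" not in o:
            out.append(f"{name}: set option country on the radio")
        if s["type"] != "wifi-iface":
            continue
        if o.get("mode") == "ap" and o.get("encryption", "none") == "none":
            out.append(f"{name}: open AP '{o.get('ssid')}' lets anyone in range use your eduroam login")
        if o.get("mode") != "sta":
            continue
        stas.append(o.get("ssid"))
        nets = o.get("network", "").split()
        if len(nets) != 1:
            out.append(f"{name}: a STA must name exactly one network, got {nets}")
        for n in nets:  # the uplink belongs in a masquerading zone that rejects input
            z = zone_of.get(n, {})
            if z.get("masq") != "1" or z.get("input") != "REJECT":
                out.append(f"{name}: upstream network '{n}' belongs in the wan zone "
                           f"(masq=1, input=REJECT), found zone '{z.get('name')}'")
        if o.get("eap_type") and "ca_cert" not in o:
            out.append(f"{name}: PEAP without ca_cert; a rogue AP can collect the MSCHAPv2 exchange")
    for ssid in {x for x in stas if stas.count(x) > 1}:
        out.append(f"{stas.count(ssid)} STA interfaces to '{ssid}'; use one radio for the uplink")
    return out

# Constructed sample, condensed from the wireless and firewall config posted above.
POSTED_WIRELESS = """config wifi-device 'radio0'
config wifi-device 'radio1'
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option ssid 'eduroam'
	option eap_type 'peap'
	option network 'wwan wan'
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'sta'
	option ssid 'eduroam'
	option eap_type 'peap'
	option network 'wwan'
"""
POSTED_FIREWALL = """config zone
	option name 'lan'
	option input 'ACCEPT'
	option network 'lan wwan'
config zone
	option name 'wan'
	option input 'REJECT'
	option masq '1'
	option network 'wan wan6'
"""
# Layout the replies ask for; country, SSID, key, identity, password and CA path are assumed.
FIXED_FIREWALL = POSTED_FIREWALL.replace("'lan wwan'", "'lan'").replace("'wan wan6'", "'wwan wan6'")
FIXED_WIRELESS = """config wifi-device 'radio0'
	option country 'US'
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'dorm'
	option encryption 'psk2'
	option key 'use-a-long-random-passphrase'
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'eduroam'
	option encryption 'wpa2'
	option eap_type 'peap'
	option auth 'EAP-MSCHAPV2'
	option identity 'user@example.edu'
	option password 'secret'
	option ca_cert '/etc/ssl/certs/eduroam-ca.pem'
"""
```

Running `lint(POSTED_WIRELESS, POSTED_FIREWALL)` lists nine findings against the condensed posted config, while `lint(FIXED_WIRELESS, FIXED_FIREWALL)` returns an empty list. The firewall fix is only two string edits: drop wwan from the lan zone and add it to the wan zone, which is exactly the change the last reply asks for. The ca_cert path assumes the campus RADIUS CA has been copied onto the router; eduroam participants publish the CA and expected server name with their connection instructions.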