Routed access point

Hello, I have an access point on OpenWrt 19.07.04 and I want to set up something like this: https://openwrt.org/docs/guide-user/network/wifi/routedap
But if I follow those notes I end up with an unreachable wifi signal (I can't connect to the wifi; it doesn't even ask for the password).
What I want to achieve is that the AP has its own subnet and its own DNS, different from the router's.
Any help appreciated
Thanks in advance

Post your configuration redacting the private parts:

uci show network; uci show wireless; uci show dhcp; uci show firewall

Here are the config files:

---- network -----

# /etc/config/network as first posted. Only 'lan' is defined here; the 'wifi' network
# that both wifi-iface sections in /etc/config/wireless point at does not exist.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd1e:856e:4bf2::/48'

# lan bridges only eth0 (the device's single Ethernet port). No 'wan' interface is
# defined anywhere, even though the firewall 'wan' zone and the dhcp 'wan' stanza name one.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '1.1.1.1'
list dns '1.0.0.1'
# 192.168.1.1 is not inside 192.168.10.0/24, so this gateway is not on-link and the
# default route is unlikely to be installed; upstream reachability breaks here.
option gateway '192.168.1.1'

---- wireless ----

# /etc/config/wireless as first posted. Both APs attach to network 'wifi', which is not
# defined in /etc/config/network, so there is no L3 interface (address, DHCP pool) behind them.
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'platform/soc/a000000.wifi'
option htmode 'HT20'
option channel 'auto'

config wifi-iface 'default_radio0'
option device 'radio0'
# Must match the name of a 'config interface' section in /etc/config/network.
option network 'wifi'
option mode 'ap'
option ssid 'OpenWrt'
# Presumably the hostapd EAPOL key-retry workaround (KRACK mitigation) — confirm against
# the OpenWrt wireless docs before relying on it.
option wpa_disable_eapol_key_retries '1'
# PSK redacted by the poster. Both radios advertise the same SSID, so they should carry
# the same key or clients will fail on one band.
option key 'zzzzzzzzz'
# WPA2-PSK with CCMP only (no TKIP fallback) — keep this; it is the sane floor for a PSK network.
option encryption 'psk2+ccmp'

config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11a'
option path 'platform/soc/a800000.wifi'
option htmode 'VHT80'
option channel 'auto'

config wifi-iface 'default_radio1'
option device 'radio1'
# Same undefined 'wifi' network as radio0.
option network 'wifi'
option mode 'ap'
option ssid 'OpenWrt'
option wpa_disable_eapol_key_retries '1'
# Redacted; see note on radio0 about keeping both bands' keys identical.
option key 'zzzzzzzzzzzzz'
option encryption 'psk2+ccmp'

---- dhcp -----
# /etc/config/dhcp as first posted.
config dnsmasq
option domainneeded '1'
# Do not forward reverse lookups for private address ranges upstream.
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# DNS-rebinding defence: drop upstream answers that resolve to private addresses.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
# Answer DNS only for hosts on directly attached subnets, so the AP does not become an
# open resolver toward the upstream side.
option localservice '1'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'

# Harmless, but there is no 'wan' interface in /etc/config/network for this to apply to.
config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

# Pool for the 'wifi' interface, which is not defined in /etc/config/network; dnsmasq
# cannot serve a pool on an interface that does not exist.
config 'dhcp' 'wifi'
option 'interface' 'wifi'
option 'start' '100'
option 'limit' '150'
option 'leasetime' '12h'

---- firewall -----
# /etc/config/firewall as first posted. Security-relevant observations inline.
config defaults
option syn_flood '1'
# Traffic from an interface that is in no zone gets these: router services reachable
# (input ACCEPT) but no routing (forward REJECT).
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

# No 'wan' or 'wan6' interface exists in /etc/config/network, so this zone matches nothing;
# masq/mtu_fix and every 'src wan' rule below are inert until one is defined.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

# 'wifi' is also undefined in the network config. Note that input ACCEPT lets wifi clients
# reach the AP's own services (LuCI, SSH, DNS) — this is NOT a guest zone. A guest zone uses
# input REJECT plus explicit allow rules for DHCP and DNS, as in the guest-wlan guide linked
# in the thread.
config zone
option name wifi
list network 'wifi'
option input ACCEPT
option output ACCEPT
option forward REJECT

config forwarding
option src 'lan'
option dest 'wan'

config forwarding
option src 'wifi'
option dest 'wan'

# The next two forwardings route freely in both directions between wifi and lan. That
# matches the poster's goal of reaching the AP and router (A) from wifi, but it is the
# opposite of guest isolation.
config forwarding
option src 'lan'
option dest 'wifi'

config forwarding
option src 'wifi'
option dest 'lan'

# Stock OpenWrt wan-side allow rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# Stock rules admitting inbound IPsec (ESP and IKE on udp/500) from wan to lan hosts;
# drop them if nothing on lan terminates IPsec.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# Custom iptables rules are appended from this file; include it when auditing the policy.
config include
option path '/etc/firewall.user'

The gateway (192.168.1.1) is outside the lan interface's own subnet (192.168.10.1/24), so it is not on-link and that default route cannot be used; the gateway has to be an address inside the interface's subnet.

The network wifi is undefined, you can create it like this:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan#network


The page you linked describes what is commonly known as a guest network. Users of the wifi will have access to the Internet but won't be able to log into the router itself. That isolation comes from the guest zone using `input 'REJECT'` with explicit allow rules only for DHCP and DNS; your `wifi` zone has `input ACCEPT`, so as posted it does not isolate anything from the AP's own services.

I suggest getting the basic lan-->wan routing working first then switch it to a guest network.

In your config there isn't a network named 'wan' either. The simplest routing is to route from lan to wan since those firewall zones and rules are already defined.

Attach the wifi APs to lan. Put the gateway and dns settings in wan.

After seeing that work add the 'wifi' network and firewall zone to change it to a guest network. Note that you need to leave some way for yourself to log in via the lan, such as an additional AP which remains connected to lan.

Let me explain better.
1 - I have a modem/router from the Internet provider (I'll call it (A))
2 - I want to disable WiFi on that one
3 - I want to connect two OpenWrt access points to (A) by cable
4 - I want the OpenWrt access points to manage IPs (DHCP) and (possibly) DNS

NOTE: If I install openwrt I have one default interface named "LAN". This interface "bridges" to (A), so for any connection to the AP I will have one connection on (A). I dont want this, I want to have one connection between (A) and the AP and all the connected devices to have IP/DHCP managed by the AP (on a different subnet I guess).
I dont know if i need extra security (firewall zones?) for that but I must be able to connect (to reach) to the AP and (A) from the AP wifi.

I've found this other link that seemed promising, but I dont know something didnt work and I have to reset the access point to get back running:
https://gremaudpi.emf-informatique.ch/create-a-routed-access-point-with-raspberry-pi-and-openwrt/ from what I understood I must:
1- configure AP LAN interface with static ip (IPv4 address will be like 192.168.1.50)
2- IPv4 netmask will be 255.255.255.0
3- IPv4 gateway 192.168.1.1 [this is (A)]
4- Disable DHCP server
5- Create a new interface (to be linked to the wireless)
6- Name "AP"
7- Enable DHCP
8- Here openwrt let me choose the interface, not sure what is correct to choose... (bridge br-lan, ethernet adapter, wireless network..)
9- Assign static address like 192.168.5.1 to the new interface
10- enable dhcp
11- link the new interface to wireless
12- firewall configuration (not sure if it's correct or not what proposed)

Thanks in advance for any help

What device are you using? Have you reset it to default or have you made changes to the config files? Do you have working LAN access to the device?

It's a Netgear ex6150.
I've reset it back to default.
Now I can access it back by LAN.
Thanks

So where does it go wrong when you follow https://openwrt.org/docs/guide-user/network/wifi/routedap?

After following the guide the AP is up but doesn't allow wifi connections. I can still reach the AP itself over Ethernet, though.
I need to reset/reinstall openwrt everytime I try that.

DHCP:


# /etc/config/dhcp after following the routed-AP guide.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# DNS-rebinding defence: drop upstream answers that resolve to private addresses.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	# Answer DNS only for directly attached subnets (no open resolver toward the upstream side).
	option localservice '1'

# DHCP disabled on lan: correct, since lan is the upstream segment served by router (A);
# a second DHCP server there would compete with it.
config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# IPv4 pool for the wifi-side 'ap' interface (192.168.5.100-249); no dhcpv6/ra set here,
# so ap clients get IPv4 only from this AP.
config dhcp 'ap'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'ap'

firewall


# /etc/config/firewall after following the routed-AP guide.
config defaults
	# Interfaces in no zone get these: router reachable (input ACCEPT), nothing routed (forward REJECT).
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Still no 'wan'/'wan6' interface in /etc/config/network on this single-port device,
# so this zone (and masq) matches nothing yet.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Forwardings for the 'ap' zone. Section order does not matter in UCI, but they only take
# effect once the 'ap' zone at the bottom actually has an interface in it (see note there).
config forwarding
        option src        'ap'
        option dest       'wan' 

# lan<->ap forwarding in both directions: matches the stated goal of reaching the AP and
# router (A) from wifi, but it is not guest isolation.
config forwarding
        option src        'lan'
        option dest       'ap' 

config forwarding
        option src        'ap'
        option dest       'lan' 

# Stock OpenWrt wan-side allow rules follow.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules admitting inbound IPsec (ESP, IKE udp/500) from wan to lan; remove if unused.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# Missing `list network 'ap'`: without it this zone contains no interface, the three 'ap'
# forwardings above never match, and wifi clients fall back to the defaults (AP reachable,
# nothing forwarded) — which is exactly the "wifi works, no internet" symptom reported below.
# Also note input ACCEPT: wifi clients can reach LuCI/SSH/DNS on the AP; this is not a guest zone.
config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'ap'
	option output 'ACCEPT'

Network


# /etc/config/network after following the routed-AP guide.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2d:af7b:3cae::/48'

# lan: static address on router (A)'s segment; gateway 192.168.1.1 is now inside the subnet.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.50'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# ap: the wifi-side routed subnet. Giving it eth0 as well is wrong — eth0 is already the
# lan bridge's only member, and attaching it here would both fight over the port and join
# the wifi side to router (A)'s segment at layer 2. A wifi-only interface needs no ifname;
# the wifi-iface sections attach via `option network 'ap'`.
config interface 'ap'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

wireless


# /etc/config/wireless after following the routed-AP guide. Both radios now attach to 'ap'.
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option channel 'auto'

config wifi-iface 'default_radio0'
	option device 'radio0'
	# Attaches this AP to the 'ap' interface in /etc/config/network.
	option network 'ap'
	option mode 'ap'
	option ssid 'OpenWrt'
	# Presumably the hostapd EAPOL key-retry workaround (KRACK mitigation) — confirm in the docs.
	option wpa_disable_eapol_key_retries '1'
	# PSK redacted by the poster.
	option key 'xxx'
	# WPA2-PSK, CCMP only — keep it.
	option encryption 'psk2+ccmp'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'ap'
	option mode 'ap'
	option ssid 'OpenWrt'
	option wpa_disable_eapol_key_retries '1'
	# Redacted; same SSID as radio0, so keep the same key on both bands.
	option key 'xxx'
	option encryption 'psk2+ccmp'


Remove the `option ifname 'eth0'` line from the 'ap' interface. eth0 is already the only member of the lan bridge, and a wireless-only interface needs no ifname at all — the wifi-iface sections attach to it through `option network 'ap'`. Leaving eth0 in 'ap' would also join your wifi clients to the main router's segment at layer 2, defeating the separate subnet.

I did it and restarted but I still cant connect to wifi

Can you not connect to the WiFi? Or are you able to connect to the WiFi but not access the internet?

I was not able to connect to wifi. Now I modified the ap interface like this:

# Working 'ap' interface: a bridge with no wired member, populated only by the wifi-iface
# sections that reference it. The AP is the gateway (192.168.5.1) for its own subnet.
config interface 'ap'                 
        option proto 'static'         
        option ipaddr '192.168.5.1' 
        option netmask '255.255.255.0'
        option type 'bridge' 

And finally i can connect to the wifi but not to the internet.

You haven't followed the guide properly. The 'ap' zone below contains no interface, so the three forwardings with src/dest 'ap' never match and wifi traffic falls through to the firewall defaults (input ACCEPT, forward REJECT) — AP reachable, nothing routed, exactly what you see. You need to add `list network 'ap'` to

# Zone for the wifi subnet. As quoted it is missing `list network 'ap'`, so no interface is
# in it. input ACCEPT also means wifi clients may reach LuCI/SSH on the AP — intended here,
# but it is not a guest-network policy.
config zone
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'ap'
	option output 'ACCEPT'

Now I can't connect to the AP via SSH or HTTP any more. Internet access is working, but I need to be able to administer the AP...

You need to be more specific. Where can you not connect from? Your lan? A wifi connected device? Both? What device is the internet working on?

I changed the config zone on the AP as you said. Now, when i connect to the AP's wifi (wich works after my changes as per messages before) I am able to reach the internet, BUT i'm not able anymore to reach Luci or the AP with ssh.

The image shows the only change to the guide i made. If I dont select "Bridge interfaces" plus the two wireless networks I cant connet to Wifi. If I add eth0 I can reach the internet BUT:
1- cant reach luci or openwrt via ssh anymore
2- my settings (like dns i.e.) are ignored

Screenshot at 2020-10-03 15-48-23

Since this is a single-Ethernet-port device, some of the assumptions in the guest-network instructions are not in place yet: the device starts out with only a lan network and no wan. Adding eth0 to the 'ap' bridge also links the wifi clients at layer 2 straight into the main router's LAN, so they most likely take their address, gateway and DNS from router (A) instead of from this AP — which would explain both the ignored DNS settings and the AP's 192.168.5.1 no longer being reachable from them. So first you should get routing from lan to wan working.

Start from default settings.
(Only if your main router is 192.168.1.X): Change the LAN IP from 192.168.1.1 to something else like 192.168.5.1. If you do this via the LuCI GUI wait until the "settings rolled back" page appears then click the red "Apply Unchecked" button. After completing the change you will need to disconnect and reconnect your PC then log in to 192.168.5.1.
Create an AP attached to LAN. This will be used to log in to the router from here on out.
Disconnect the Ethernet cable and connect your PC via wifi to the new AP. Log in again.
On the lan physical settings remove eth0. Leave lan as a bridge even though it only contains the one wifi now.
Create a new interface called exactly 'wan'. Use lowercase (it will appear as upper some places in LuCI). Protocol is DHCP client and the physical interface is eth0.
Connect the Ethernet port to your main router.
You should now have Internet access via LAN and your administrative AP.

Optionally you can add firewall rules accepting TCP 22 and 80 from the wan zone so you can log in from a computer on the main router's network. Treat that as a deliberate hole in the wan zone's `input 'REJECT'`: restrict the rule with `src_ip` to your admin machine, use SSH keys rather than a password, and prefer HTTPS (443) over plain HTTP on 80, since LuCI credentials would otherwise cross the cable in clear text. You will need to check the main router's DHCP status to find the IP of the OpenWrt router.

Then pick up and follow the instructions to add a guest network.
