RPi 4 router & Mikrotik as AP setup

Caveats

I've done my best to scour the interwebz to ensure I'm not duplicating a question, but couldn't find an answer, but apologies if it is a duplicate! I'm new to using OpenWRT but I've found it fairly intuitive and there's an awesome amount of support, tutorials, etc. I'm an amateur (but hopefully not completely oblivious) when it comes to networking.

What I'm trying to achieve

  • Raspberry Pi 4 Model B running OpenWRT as the router (no modem needed)
  • Mikrotik HAP AC2 running OpenWRT as the access point
    • Home network/SSID (both at 2.4 and 5GHz)
    • Guest network/SSID (both at 2.4 and 5GHz)
    • IoT network/SSID (both at 2.4 and 5GHz)
  • Above networks properly segmented/firewalled

Something like this:
[Image: network diagram]

What I've done so far

  • Using this guide I set up the RPi 4
  • Using this YouTube guide I've set up the router with the required interfaces, firewall and traffic rules, etc.
  • And using the official OpenWRT guidance, I've set up the Mikrotik with OpenWRT, plus I've set up the various WiFi SSIDs noted above, currently not linking to any interface or device
  • Set up the Mikrotik as a dumb AP using the OpenWRT guidance

As far as I can tell, this has all worked well enough.

The question (finally)

I'm now at the point where I need to associate wireless interfaces (i.e. SSIDs on the Mikrotik) to the respective networks (i.e. on the RPi router), but I can't work out how to 'discover' (or whatever the right word is) the AP from the Router or vice versa.

I wondered if it might be the case that, once I'd set up the dumb AP, it would somehow automagically become available from the router, but it didn't ("obviously", I hear you think).

I originally went down a VLAN rabbit hole and came back out off the back of a few other forum posts that suggested that the OP was overcomplicating things, which I thought might be the case for me too. However, I'm wondering if I need to jump back into that rabbit hole and use VLANs to communicate across the two devices?

I hope this is enough info. Let me know if not. Thanks in advance for any help!

You haven't actually asked any questions, but these links should provide most of the info you seek :wink:

Sorry about that false start! But thanks for trying to help anyway :smiley: Hopefully the above is now more useful than the nothing that I provided before :see_no_evil:

Is your sketch accurate?

Shouldn't all traffic go to the HAP, and then via the RPi?

Do you actually have any IoT devices requiring 5 GHz?
If not, use 2.4 for IoT, 5 GHz for guests.

Possibly not, to be fair, but I'm not sure if that would solve the problem. The issue is that I can't 'see' my AP from my router (and vice versa) and therefore can't map SSID/WiFi interfaces to zones on my router.

Unless I've misunderstood the guide/advice?

Define 'see'?

I assume your RPi4 has two ethernet ports?
The built-in one, plus something USB-based, or some daughter board.

Yep, so the various links above get you to the point where the actual ethernet port is the LAN port, and then a USB-to-ethernet adapter is the WAN port (which, in my case, goes straight to the internet without needing a modem).

When I say 'see', I mean that I don't know how to route traffic from each of the SSIDs/wireless networks on the AP (Mikrotik) to their respective interfaces on the router (RPi)

Please connect to your OpenWrt devices using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here ya go - enjoy! (Hidden as spoilers, as it's a bit much)

RPi router

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.5",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6b:05dc:1186::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'WAN'
	option proto 'pppoe'
	option device 'eth1'
	option ipv6 'auto'
	option username '***'
	option password '***'

config interface 'GUEST'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'IOT'
	option proto 'static'
	option ipaddr '192.168.107.1'
	option netmask '255.255.255.0'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUEST'

config zone
	option name 'IoTZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'

config forwarding
	option src 'lan'
	option dest 'IoTZone'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config rule
	option name 'Guest DHCP & DNS'
	option src 'GuestZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

Mikrotik AP

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "MikroTik hAP ac2",
	"board_name": "mikrotik,hap-ac2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ipq40xx/mikrotik",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7a:4ff0:734f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'dc:2c:6e:70:de:0d'

config device
	option name 'lan2'
	option macaddr 'dc:2c:6e:70:de:0d'

config device
	option name 'lan3'
	option macaddr 'dc:2c:6e:70:de:0d'

config device
	option name 'lan4'
	option macaddr 'dc:2c:6e:70:de:0d'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'wan'
	option macaddr 'dc:2c:6e:70:de:0c'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option auto '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Home'
	option encryption 'psk2'
	option key '*****'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Home'
	option encryption 'psk2'
	option key '*****'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'psk2'
	option key '*****'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'psk2'
	option key '*****'

config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IoT'
	option encryption 'psk2'
	option key '*****'

config wifi-iface 'wifinet7'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IoT'
	option encryption 'psk2'
	option key '*****'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

All traffic should go through the AP then the RPi, yes. That's what I was trying to show in the diagram, but perhaps not successfully..? I was trying to show below each of the two devices (RPi and MT HAP AC2) how they're configured.

Do you have any other wired devices on your network? If so, what are they and how are they connected?

Currently, no. This is a brand new, fresh network. I'm currently connected to the AP via LAN (ethernet), in order to get the above terminal output, so I suppose my computer is connected, but only temporarily.

Ok, the most straightforward approach is probably to use VLANs and a trunk between the RPi4 and the AC2.

Before doing anything backup your configs from both devices and check you know how to reset them.

On the RPi4 in the network config remove:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

Change

config interface 'lan'
	option device 'br-lan'

to

config interface 'lan'
	option device 'eth0.10'

Under config interface 'GUEST' add option device 'eth0.20' and under config interface 'IOT' add option device 'eth0.30'

You'll need to run /etc/init.d/network reload after making the changes, but be aware you will briefly lose connectivity to the RPi4 until you have made the changes on the AC2 to set up the trunk.

On the AC2 ensure the cable between the two devices is connected in the WAN port. Change the contents of the network config to:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config device
	option name 'lan1'
	option macaddr 'dc:2c:6e:70:de:0d'

config device
	option name 'lan2'
	option macaddr 'dc:2c:6e:70:de:0d'

config device
	option name 'lan3'
	option macaddr 'dc:2c:6e:70:de:0d'

config device
	option name 'lan4'
	option macaddr 'dc:2c:6e:70:de:0d'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'wan'
	option macaddr 'dc:2c:6e:70:de:0c'

config device      
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option name 'br-lan.10'
        option promisc '1'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '20'
        option name 'br-lan.20'

config device
        option type '8021q'
        option name 'br-lan.30'
        option vid '30'
        option ifname 'br-lan'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        list ports 'wan:t'
        option vlan '20'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'wan:t'

Run /etc/init.d/network reload and then check you have connectivity with the RPi4 again. If that's working then we can look at adding interfaces for the wifi networks.

Thanks for taking the time to write such a comprehensive reply! I'll give it a go shortly. Before I do, could I confirm, where you've said add/replace the br-lan with br-lan.10 (and ditto the other networks) on the RPi, should I leave the static IP and subnet masks in? Or remove those?

Leave them in. It's just the option device bit that needs changing or adding to the relevant stanzas.


Ok, all done and I have connectivity with both devices still :tada:

Ok, on the AC2 add the following to the bottom of the network config:

config interface 'GUEST'
        option proto 'none'
        option device 'br-lan.20'

config interface 'IOT'
        option proto 'none'
        option device 'br-lan.30'

In the wireless config delete

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

and

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

In the remaining wifi-iface stanzas add option network followed by the relevant network interface (i.e. lan, GUEST, or IOT). So, for example, in config wifi-iface 'wifinet2' you'd add option network 'lan'.

Having made those changes run /etc/init.d/network reload.

Done - looks (on LuCI) like it all worked!

Should that all be done now? I've just had a trawl through some of the settings and it looks good, but I clearly don't know everything I'm looking at/for, so... :smiley:

Only way to tell is to connect to the wireless networks and test that you're getting the required/expected connectivity. It looks like the firewall config on the RPi4 only has a rule for DHCP & DNS for the guest zone, so if it's intended for devices connected to the IOT network to have DHCP & DNS you'll need to add a similar rule.


Amazing! Thank you so much :slight_smile: I'll give it a go later this evening and head back if it doesn't work, but for now I'll mark your explanation's first part as the solution :+1:
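
The gap pointed out in the thread (the RPi4 firewall has a DHCP & DNS input rule for the guest zone but none for the IoT zone) can be checked mechanically from exported configs. The following is an added example, not code from any poster or from OpenWrt: `parse_uci`, `first` and `dhcp_gaps` are hypothetical helper names, the sample text is trimmed from the configs posted above, and the check assumes rules list single ports (it does not inspect `proto` or expand port ranges).

```python
import shlex

# Constructed sample, trimmed from the RPi4 firewall and dhcp configs posted in this thread.
FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
config zone
    option name 'GuestZone'
    option input 'REJECT'
    list network 'GUEST'
config zone
    option name 'IoTZone'
    option input 'REJECT'
    list network 'IOT'
config rule
    option name 'Guest DHCP & DNS'
    option src 'GuestZone'
    option dest_port '53 67 68'
    option target 'ACCEPT'
"""
DHCP = """
config dhcp 'lan'
    option interface 'lan'
config dhcp 'wan'
    option interface 'wan'
    option ignore '1'
config dhcp 'GUEST'
    option interface 'GUEST'
config dhcp 'IOT'
    option interface 'IOT'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # copes with quoted and bare values
        if tok[:1] == ["config"] and len(tok) >= 2:
            sections.append((tok[1], {}))
        elif tok[:1] in (["option"], ["list"]) and len(tok) >= 3 and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections
def first(opts, key, default=None):
    return opts.get(key, [default])[0]

def dhcp_gaps(firewall_text, dhcp_text):
    """Return [(zone, missing_ports)] for DHCP-serving zones whose input is not ACCEPT."""
    fw, dhcp = parse_uci(firewall_text), parse_uci(dhcp_text)
    served = {first(o, "interface") for t, o in dhcp
              if t == "dhcp" and first(o, "ignore", "0") != "1"}
    gaps = []
    for t, zone in fw:
        nets = {n for v in zone.get("network", []) for n in v.split()}
        if t != "zone" or not served & nets or first(zone, "input", "").upper() == "ACCEPT":
            continue
        allowed = set()
        for rt, rule in fw:
            if (rt == "rule" and first(rule, "src") == first(zone, "name")  # input rule: no dest
                    and "dest" not in rule and first(rule, "target", "").upper() == "ACCEPT"):
                allowed |= set(first(rule, "dest_port", "53 67").split())
        if missing := sorted({"53", "67"} - allowed):
            gaps.append((first(zone, "name"), missing))
    return gaps
```

On the sample, `dhcp_gaps(FIREWALL, DHCP)` reports only `IoTZone`; adding a rule for `IoTZone` shaped like the existing guest rule clears it.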