What I set out to do is attach a second OpenWRT device (MR8300, running version 24.10) to my main OpenWRT device (XR500, running 23.05.3) over wifi and then allow devices to connect via wifi to the MR8300. The MR connects to the XR via the "Connect to client Wi-fi network" instructions. The devices should connect to the MR's wifi under guest wifi conditions.
I followed the steps and everything is working as expected (praise be to the OpenWRT devs). There were just a few things I wasn't sure of that I wanted to check:
During the wifi setup step, the MR had no "Enable KRACK countermeasures" button under Wireless Security like there is on my XR's version of the page. There was also no "Isolate clients" button. Is this normal? Additionally, there was an "Operating Channel Validation" button there instead. Should I enable this? I searched the forums, but there was not much info. Below is from the MR:
The MR is connected under one of my XR's 2.4 GHz SSIDs. Should/could I make this SSID available in a way that devices could connect to the MR's version, or would that be a wifi extender/repeater at that point? I guess I'm a bit confused on what's actually going on when you connect a router in client mode to another router like this.
My current plan is to enable one of the MR's 5 GHz radios and make a normal guest wifi network there. Is that correct for this situation?
In this case I would strongly suggest upgrading this device to 24.10.0 first, because that moves your ipq806x to the DSA switch infrastructure as well, meaning that both of your devices will have the same switch config syntax in 24.10.x.
As both of your systems are running OpenWrt, you can (and should) follow WDS/4addr to set up a repeater. Choose one of the 5 GHz radios as uplink/wireless backhaul to your existing xr500, use the other and the 2.4 GHz radio as AP interfaces.
Thank you for the response. I will be upgrading the XR500 to 24.10 when I get the chance, as it's currently the main router for our household.
I should have specified that I intended this wifi extension to be a very simple approach for only one device. Basically, I have to bend the signal around a brick wall and chimney to reach a stationary Appletv. Everywhere else in the house has fine reception with only the XR500 active. I chose this approach because it's easy, and apparently the XR500's drivers have issues with mesh and maybe even WDS.
I may test WDS later if I have time, but (assuming I upgrade the XR500, which I will) would you consider this basic setup (with the client MR8300 running a guest wifi off one of its 5 GHz radios) at least workable? Speed is not really much of a focus.
I guess I'd also like to lock the MR's physical lan ports to only one device, which might be as simple as changing the output from 'accept' to 'reject' on the lan->wan zone forwards? I'm not really sure.
WDS/4addr is the easiest approach to this (and most of all, it's the one that actually works for -kind of- bridging wired ethernet to a wireless STA connection) - and it does work with ipq806x and ipq40xx.
Gotcha, thank you again. I will definitely look into it.
Just to clarify, WDS works by sharing one of the access points from the main router to the secondary router? How does it handle things like firewall flows and guest isolation? Does the secondary router then just mimic everything from the main router's access point (and thus interface)? I have a guest SSID and a few others on my XR500 that have their flows controlled by firewall zones, and I don't know if they'd be preserved when using a WDS setup.
4addr extends the original WLAN, that's it - no firewalling involved, no client isolation either (well partially, but what is isolated or not depends on how/where it connects to…).
There can only be one STA (and therefore WDS-client) interface on a given radio, meaning you can only extend a single network (unless you tunnel the additional networks somehow, GRE, VPN, etc.)
…at some point you might want a wire, the IEEE802.11 standards don't account for any specialties.
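A small check for the two points in the reply above (one STA/WDS-client interface per radio, and isolation not being carried over by the 4addr link), written as an added example that is not part of the original thread or of OpenWrt itself. The section names, radios and network names in the sample are constructed, and the isolation rule assumes you want guest-style isolation on the repeater's own AP.

```python
import re
from collections import defaultdict

# Constructed repeater-side /etc/config/wireless with two deliberate problems.
SAMPLE = """
config wifi-iface 'uplink'
    option device 'radio1'
    option mode 'sta'
    option wds '1'
    option network 'guest'
config wifi-iface 'uplink2'
    option device 'radio1'
    option mode 'sta'
    option network 'lan'
config wifi-iface 'local_ap'
    option device 'radio2'
    option mode 'ap'
    option network 'guest'
"""

def parse_ifaces(text):
    """Return {section: {option: value}} for each wifi-iface section."""
    ifaces, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        sec = re.match(r"config\s+(\S+)(?:\s+['\"]?([^'\"]+))?", line)
        opt = re.match(r"option\s+(\S+)\s+['\"]?([^'\"]*)", line)
        if sec:
            name = sec.group(2) or f"@wifi-iface[{len(ifaces)}]"
            cur = ifaces.setdefault(name, {}) if sec.group(1) == "wifi-iface" else None
        elif opt and cur is not None:
            cur[opt.group(1)] = opt.group(2)
    return ifaces

def lint(text):
    """Flag the two points from the thread that a repeater config can get wrong."""
    ifaces, findings, stas = parse_ifaces(text), [], defaultdict(list)
    for name, o in ifaces.items():
        if o.get("mode") == "sta":
            stas[o.get("device")].append(name)
    for radio, names in stas.items():
        if len(names) > 1:  # only one STA (WDS client) interface per radio
            findings.append(f"{radio}: multiple STA interfaces: {', '.join(names)}")
    wds_nets = {o.get("network") for o in ifaces.values()
                if o.get("mode") == "sta" and o.get("wds") == "1"}
    for name, o in ifaces.items():
        # isolate is set per AP interface; the 4addr uplink does not carry it over.
        if o.get("mode") == "ap" and o.get("network") in wds_nets and o.get("isolate") != "1":
            findings.append(f"{name}: AP on WDS-extended network without isolate")
    return findings
```

Calling `lint(SAMPLE)` reports the second STA on `radio1` and the repeater AP that extends the guest network without `option isolate '1'`.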
I see, this is making a bit more sense, but it's still a bit confusing.
I have, for example, two access points on my XR500's 2.4 GHz radio. One is the default created by OpenWRT and is attached to the lan interface/network. The other is a guest wifi I set up, which is attached to a guest interface I also made. The guest SSID has client isolation enabled, and no devices on it can access the router or ssh or any of the other firewall zones.
If I were to share this guest SSID via WDS to the MR8300's 2.4 GHz wifi, would it preserve everything from the XR500's guest SSID, down to the firewall flows and isolation?
Sorry if you had already answered this, I didn't fully understand what the WLAN was here and just wanted to make sure I understood exactly.