Separate routes for 2.4G and 5G WiFi clients, how?

My WiFi router, a D-Link DIR-860L B1, is used as an access point, connected to the upstream main router. Now I am having trouble trying to use separate routes for 2.4G and 5G WiFi clients.

My idea is that, while forwarding packets from 2.4 GHz clients (with 172.16.2.0/23) to the IP of the 860L B1, which is 192.168.3.2 (WAN port of the AP) and connects to the main router, I send all 5 GHz client traffic to 192.168.1.2 (LAN1 port of the AP).

It just won't work as expected. Checking the routes shows the gateway of 0.0.0.0/0 is 192.168.3.1, which is the route of the WAN port of the 860L B1.

Is it possible to configure it in a way that 5 GHz clients follow another route to 192.168.1.1 instead?

network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '0'

config device
        option name 'br-lan'
        option type 'bridge'
        #list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '54:b8:0a:a6:3b:90'

config device
        option name 'lan2'
        option macaddr '54:b8:0a:a6:3b:90'

config device
        option name 'lan3'
        option macaddr '54:b8:0a:a6:3b:90'

config device
        option name 'lan4'
        option macaddr '54:b8:0a:a6:3b:90'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'

config device
        option name 'wan'
        option macaddr '54:b8:0a:a6:3b:93'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'guest0'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'

config interface 'guest1'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'

config interface 'guest2'
        option proto 'static'
        option ipaddr '172.16.2.1'
        option netmask '255.255.255.0'

config interface 'guest3'
        option proto 'static'
        option ipaddr '172.16.3.1'
        option netmask '255.255.255.0'

config interface 'GATE'
        option proto 'dhcp'
        option device 'lan1'
        option gateway '192.168.1.1'

firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '0'
        option flow_offloading_hw '0'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'

config zone
        option name 'lan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GATE'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config zone
        option name 'lan'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'
        option input 'REJECT'

config zone
        option name 'WiFi'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        #list network 'guest0'
        #list network 'guest1'
        list network 'guest2'
        list network 'guest3'

config zone
        option name 'WiFi_5G'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest0'
        list network 'guest1'
        #list network 'guest2'
        #list network 'guest3'

config rule
        option name 'Allow WiFi DHCP'
        list proto 'udp'
        option src 'WiFi'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow WiFi_5G DHCP'
        list proto 'udp'
        option src 'WiFi_5G'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow br-lan DHCP'
        list proto 'udp'
        option src 'lan'
        option src_port '68'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow WiFi DNS'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'WiFi'
        option family 'ipv4'

config rule
        option name 'Allow WiFi_5G DNS'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'WiFi_5G'
        option family 'ipv4'

config rule
        option name 'Allow br-lan DNS'
        option dest_port '53'
        option target 'ACCEPT'
        option src 'lan'
        option family 'ipv4'

config rule
        option name 'Allow br-lan Visit SSH/HTTP(S)'
        list proto 'tcp'
        option src 'lan'
        option dest_port '22 80 443'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow lan1 Visit SSH/HTTP(S)'
        list proto 'tcp'
        option src 'lan1'
        option dest_port '22 80 443'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow WAN Visit SSH/HTTP(S)'
        list proto 'tcp'
        option src 'wan'
        option dest_port '22 80 443'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow WiFi_5G Access NAS'
        option family 'ipv4'
        option src 'WiFi_5G'
        option dest 'lan1'
        option dest_port '445'
        list dest_ip '192.168.1.3'
        list dest_ip '192.168.1.7'
        #option device 'phy0-ap1'
        option target 'ACCEPT'

config rule
        option name 'Block WiFi Visit Private Net'
        option family 'ipv4'
        option src 'WiFi'
        option target 'REJECT'
        option dest '*'
        list proto 'all'
        list dest_ip '10.0.0.0/8'
        list dest_ip '172.16.0.0/12'
        list dest_ip '192.168.0.0/16'

config rule
        option name 'Block WiFi_5G Visit Private Net'
        option family 'ipv4'
        option src 'WiFi_5G'
        option target 'REJECT'
        option dest '*'
        list proto 'all'
        list dest_ip '10.0.0.0/8'
        list dest_ip '172.16.0.0/12'
        list dest_ip '192.168.0.0/16'
        #option enabled '0'

config rule
        option name 'Block br-lan Visit Private Net'
        option family 'ipv4'
        option src 'lan'
        option target 'REJECT'
        option dest '*'
        list proto 'all'
        list dest_ip '10.0.0.0/8'
        list dest_ip '172.16.0.0/12'
        list dest_ip '192.168.0.0/16'

config nat
        option name 'Allow Access NAS 1'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.3'
        option dest_port '445'
        option target 'SNAT'
        option snat_ip '192.168.1.2'
        option src 'lan1'

config nat
        option name 'Allow Access NAS 2'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.1.7'
        option dest_port '445'
        option target 'SNAT'
        option snat_ip '192.168.1.2'
        option src 'lan1'

config forwarding
        option src 'WiFi'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'lan1'

config forwarding
        option src 'WiFi_5G'
        option dest 'lan1'

Your setup seems quite complex, and I am still unsure what your actual goal is (especially regarding what is happening at the upstream router). And how are the two routers connected, with one or two cables? (As you want to use both wan and lan1, I assume that you have two cables.)

Your AP is not just a dumb AP, but is a second router. (With double NAT, actually multiple double NAT address spaces)

If it is a router with logic, and you want to route/separate LAN ports from each other, then you should not assign the same MAC also to lan1, which you want to separate to its own firewall zone.

I was confused at first, as you refer to lan1 with LAN-related terms in the firewall, although it apparently is a WAN connection (with its own cable?). It might be clearer if you call it wan2 in the firewall config.

You might get better answers if you clarify how the two routers are connected, and e.g. where the NAS devices etc. are connected (at the main router?) and from where access to the NAS is allowed...

1 Like

The normal way of accomplishing this is to have one router and a dumb access point and connect them with one Ethernet cable carrying the number of VLANs you need to separate the WiFi clients. Then you create the number of SSIDs you need to connect the clients to the right frequency with the right separation.
Then you connect each SSID to the VLAN you want it on.

1 Like

It's the same upstream router, connected to two ports of the WiFi AP router, lan1 and wan, with different MAC addresses.

Since I don't do masquerade at the ports, there's no double NAT problem. The only NAT is done at the upstream router, an apu2 running OpenBSD.

My goal is to let only WiFi 5G clients access the NAS server in 192.168.1.0/24 at full speed, while doing qosify on 2.4G clients' traffic; hence I need two interfaces to route them separately.

Edit: With the current config, the 5G clients can access the internal NAS server at full speed, but can't access the internet.
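
A simplified model of how the route lookup and the firewall zone forwardings in the posted config combine, as an added example that is not part of the thread. It assumes the main-table default route via wan described in the first post; `TABLE_100`, the source rule for 172.16.0.0/23 and the client and Internet addresses are hypothetical, constructed values.

```python
import ipaddress as ip

# Constructed from the posted config: (prefix, egress firewall zone).
MAIN = [("0.0.0.0/0", "wan"),          # default via 192.168.3.1, as reported in the post
        ("192.168.1.0/24", "lan1"),    # connected network on GATE/lan1
        ("172.16.0.0/23", "WiFi_5G"),  # guest0 + guest1
        ("172.16.2.0/23", "WiFi")]     # guest2 + guest3
TABLE_100 = [("0.0.0.0/0", "lan1")]    # hypothetical table: default via 192.168.1.1

# Zone-to-zone forwardings and rules taken from the posted firewall config.
FORWARDINGS = {("WiFi", "wan"), ("lan", "lan1"), ("WiFi_5G", "lan1")}
PRIVATE = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAS = {("192.168.1.3", 445), ("192.168.1.7", 445)}  # 'Allow WiFi_5G Access NAS'

def lookup(table, dst):
    """Longest-prefix match; returns the egress zone or None."""
    hits = [(ip.ip_network(p), z) for p, z in table
            if ip.ip_address(dst) in ip.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def egress_zone(src, dst, rules=()):
    """Apply source-based rules in order, then fall back to the main table."""
    for prefix, table in rules:
        if ip.ip_address(src) in ip.ip_network(prefix):
            zone = lookup(table, dst)
            if zone:
                return zone
    return lookup(MAIN, dst)

def verdict(src_zone, src, dst, port, rules=()):
    """Traffic rules are checked first, then the zone forwardings."""
    out = egress_zone(src, dst, rules)
    if src_zone == "WiFi_5G" and out == "lan1" and (dst, port) in NAS:
        return "ACCEPT"                # NAS rule precedes the block rule
    if any(ip.ip_address(dst) in n for n in PRIVATE):
        return "REJECT"                # 'Block ... Visit Private Net'
    return "ACCEPT" if (src_zone, out) in FORWARDINGS else "REJECT"

# Hypothetical source rule: 5 GHz subnets consult TABLE_100 before the main table.
PBR = [("172.16.0.0/23", TABLE_100)]
```

In UCI, a source rule and a per-table default route of this kind are written as `config rule` (`src`, `lookup`) and `config route` (`table`) sections in `/etc/config/network`. Because the AP does not masquerade, the upstream router also needs a return route for 172.16.0.0/23 via 192.168.1.2.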