Separate Wifi and LAN

I really liked the idea of splitting up my wireless and wired networks into different subnets, so when I found the Routed AP page, I followed it. At first it seemed that everything worked correctly. That is, until I added a second SSID to the 2.4Ghz band.

Nothing complicated, it was not isolated and identical to the primary SSID. My logs became spammed with DHCP packet received on interface wlan1-1 which has no address and constant WiFi associations and disassociations. The connection could be made, but DNSMasq refused to give out an IP. The other devices had a connection but no more internet connectivity.

Later it even started happening to the primary SSID's.

Eventually I switched back to the default LAN network and now everything works.

I noticed the little link at the bottom of the page, which indicates there may be another firewall setting there. Unfortunately, that link is dead.

So, how can I make this work? I really liked the concept.

If we don't see the config it is hard to guess what went wrong.
However if you followed the routed AP guide and added a second SSID on an interface wifi2 I don't see where the problem would be.

Well, I don't like doing the same things over and over, so...

uci set network.wifi='interface'
uci set network.wifi.proto='static'
uci set network.wifi.ipaddr=''
uci set network.wifi.netmask=''

uci set dhcp.wifi='dhcp'
uci set dhcp.wifi.interface='wifi'
uci set dhcp.wifi.start='101'
uci set dhcp.wifi.limit='50'
uci set dhcp.wifi.leasetime='12h'

uci set firewall.wifi='zone'
uci set'wifi'
uci set'wifi'
uci set firewall.wifi.input='ACCEPT'
uci set firewall.wifi.output='ACCEPT'
uci set firewall.wifi.forward='ACCEPT'

uci set firewall.wifi2wan='forwarding'
uci set firewall.wifi2wan.src='wifi'
uci set firewall.wifi2wan.dest='wan'

uci set firewall.lan2wifi='forwarding'
uci set firewall.lan2wifi.src='lan'
uci set firewall.lan2wifi.dest='wifi'

uci set firewall.wifi2lan='forwarding'
uci set firewall.wifi2lan.src='wifi'
uci set firewall.wifi2lan.dest='lan'

uci set firewall.wifi2vpn='forwarding'
uci set firewall.wifi2vpn.src='wifi'
uci set firewall.wifi2vpn.dest='vpn'

uci set'wifi'
uci set'wifi'

uci set wireless.guest_radio1='wifi-iface'
uci set wireless.guest_radio1.device='radio1'
uci set wireless.guest_radio1.mode='ap'
uci set'wifi'
uci set wireless.guest_radio1.key='verysecretpassword'
uci set wireless.guest_radio1.wpa_disable_eapol_key_retries='1'
uci set wireless.guest_radio1.ssid='obviousname'
uci set wireless.guest_radio1.encryption='psk2+ccmp'

I think that's it. Clean install, configured the standard LAN with my range, configured and tested OpenVPN, then did this to add the WiFi into the network.

When I did the reinstall I forgot to change wifi back to lan so I got the same error on the existing wlan's. Leading me to believe that uci set dhcp.wifi.interface='wifi' would be the culprit. And yet, it is set correctly as far as I can see.

You may assume that my lan network is

Shouldn't the "wifi" interface be configured as a bridge? Anyway, I would like to see the files, instead of the commands used to modify them.

1 Like

type=bridge is not in the instructions on that page. I'm just versed enough to work in uci, not to get creative yet.

Maybe it is in my backup partition, I think I only reinstalled once afterwards. Since everything is barely working now (my 5Ghz band turned off during the night and won't turn on unless I reset it and I still have some routing issues) I may not be able to retry or boot into it as long as I need it to connect to work tomorrow. But I will try.

Since it is a completely default install, what are you looking for? I do have the script with every change made during the install, including dnsmasq, but I fail to see how the other changes could lead to this. Then again, you're the expert and I don't understand every aspect of dnsmasq.

Not necessarily, it is running as a standalone interface only with wifi, no lan ports.

@PowerCoder you can post the following:
uci export network; uci export wireless; uci export dhcp; uci export firewall
Remove any sensitive data. like passwords/keys/macs.


Turns out my backup partition contains the old build that I came from, so that's not going to help. I will see if I can re-implement the config this weekend.