[SOLVED] LAN and GUEST networks bridged across multiple devices with both ethernet and radio links

Hello,

i am working with OpenWRT since a few years without any problems, but because of this situation i need some help.

I was wondering if it is possible to setup 3 dump APs (wired/wirelessly) with a seperated guest network. The ISP should be the DNS for the complete setup and AP1 should be the DHCP for the private and guest network, forwarding every request to the other APs clients are trying to connect to. I attached a picture of the setup how it should work in theory.

The problem right now is, that ive a lot of trouble with the DHCP forwarding:

  • Guest network - there is no forwarding from AP1 to AP2 and AP3
  • Private network - there is no forwarding from AP2 to AP3

AP1 and AP2 are wired and AP3 is wirelessly bridget via WDS to AP2.

It would be really great if someone could give me some instructions on how to configure this setup correctly.

The seperation of guest and private at each AP via firewall rules shouldnt be a problem afterwards.

Thank you in advance!

Is there a reason you need DHCP forwarding?

1 Like

isn't it needed? 'cause my clients dont get any ip assigned.

No, not needed. OpenWrt has a DHCP server, no need to keep forwarding upstream.

Did you disable it, or fail to set it up?

2 Likes

i tried both (disabling and also forwarding).. but like you said that its not needed i might failed with the complete configuration.

do you have some instructions on how to setup the interfaces correctly for this kind of setup?
like i said, the seperation of guest/private afterwards via the firewall of all ap's shouldnt be a problem..

Well-made graph!

2 Likes

thank you.

well, i wanted to make sure that this is a seriously ment thread, asking for some configurations to get this (kinda not common) setup running =)

I'm lost...LAN is setup by default. Just make a copy of the Network and DHCP configs for LAN.

There's already DHCP setup by default on LAN.

1 Like

i just reset everything to default to start without missconfigured devices - so there arent any changes in relation to the factory settings right now.

OK, make a copy of the LAN configs at:

  • /etc/config/network
  • /etc/config/dhcp

Use them as a template for the guest networks you create.

ok.

So what i actually did:

  • copied the lan config as a template for the guest interface (AP1)
  • changed the ip range of the guest interface to a different subnet
  • turned dhcp off at the lan and guesr interfaces at AP2 and AP3
  • set the lan interface ip static at all 3 APs

(every value according to the image)

EDIT: maybe we could write a summary after getting this done to edit the first post with it so this could be a "how to" for others

1 Like

OK, the only missing piece here is creating a firewall zone for these new guest Interfaces.

Have you done so?

There are many threads if you search; and also the Wiki has pages.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/start

Here's some pages where I've directly assisted:

https://forum.openwrt.org/search?q=guest%20wifi%20%40lleachii

And your setup is pretty common:

https://forum.openwrt.org/search?q=cascading%20router

yes i created a new firewall zone for the guest interface. right now the guest interface is a complete duplicate of the lan interface. the seperation via firewall rules can be done if both, guest and private network are hooked up and the clients connected to AP2 and especially AP3 are able to get an ip from AP1.

just followed those guides, but this just made it possible to setup a guest interface at the AP1, but didnt helped out for this constellation with different subnets (ISP - AP1) while cascading dhcp over multiple APs

OK, now we're back to my original question:

Are you still under this impression - or are your guest networks working now?

What do you mean by this?

There are different ways to do this but here is what I would do:

The LAN is 192.168.10.0/24, controlled by the ISP router (which is what the OP wants, I would instead set up an OpenWrt main router and use the ISP box as a dumb modem, but that is a choice).

The backhaul links are all bridges on the LAN. Thus for LAN users, the APs are dumb APs and all routing, DHCP, etc is controlled by the main router / ISP box.

Guests are locally NATted into the LAN at each AP. Each AP has a guest network (any subnet other than 192.168.10.0) and a local DHCP server for it. The rest of the network sees their traffic as LAN usage (see below). This means that the rest of the network does not need to be aware that there is a guest AP at all.

Each guest network has firewall rules blocking any destination IPs in 192.168.10.0. It may seem that that would not work because the gateway is 192.168.10.1, but it does work because the rule is based on the final destination address.

Each guest network has firewall rules blocking all ports on the AP except for DHCP and DNS.

no. all clients connected to AP2 are getting an ip from AP1 (guest and private)

to explain the situation more clearly:

  • the ISP router provides a dhcp for the subnet 192.168.10.0/24 (experimental subnet beside the private and guest network)
  • AP1 (192.168.10.2) is wired to the ISP (192.168.10.1)
  • AP1 provides the private subnet (192.168.20.0/24) and also the guest subnet (10.0.0.0/24)
  • AP2 (192.168.20.2) is wired to AP1 (192.168.20.1).
  • AP3 (192.168.20.3) is wirelessly connected via WDS to AP2 (192.168.20.2)

just the clients connected to AP3 arent able to reach the DHCP of AP1.

EDIT:

thats also a thing. do i need a DHCP for each guest network at each AP? or do i can use the DHCP from the AP1 (main AP for wireless connections - private and guest)?

the ISP router is just in use as a "modem" with the option to provide a 3rd subnet beside guest and private, but without any wireless enabled.

The thing that seems problematic to me is that WDS isn't going to preserve vlan tags and the best way to isolate guest and lan is via vlans.

Each AP independently DHCP's its guests. If they move to another AP they get a new IP from that AP. That seems like it would limit operation but it really doesn't.

The LAN users get their DHCP from the main router through the bridged backhaul links, and if they move to a different AP they will keep the same IP.

Your ISP box is not "just a modem" if it is running private IPs. A true just a modem has a public IP on the Ethernet which passes everything in or out directly on the Internet.

Yes and this is why I suggest locally routing the guests rather than trying to preserve them as separate entities on the backbone. The backhaul links can even be standard AP-STA links if you don't mind the implications of that for the LAN.

got you.. so there isnt a way to get all clients an ip from the AP1's DHCP? (which isnt a problem for me.. i was just wondering if this is possible -> right sided solution at the first post picture :wink: )

i just want all the clients of the private network to reach AP1's DHCP cause i dont want them to reconnect if they move around. (if the guests have to reconnect cause there isnt a way to use also AP1's DHCP.. well bad luck :smiley: )

EDIT:

i have to use WDS because there isnt a way to wire AP3 to one of the other APs.
Just using AP3 as a repeater kinda bothers because clients will keep the connection to AP2 as long as possible which causes a reconnect to AP3 (10-20 sec without any connection).. because of this i want everything to be captured at AP1 to avoid any reconnection if moving around. ->

What you want is doable but you should run batman-adv on the ap3 and ap2. That will carry vlan tags across the radio link. Then you set up vlans and have ap1 hand out the different subnets on different vlans.

1 Like