[SOLVED] LAN and GUEST networks bridged across multiple devices with both ethernet and radio links

First of all, I want to thank everyone who tries to understand the problem and also for helping out with ideas and solutions =)

Is this working with just one wired connection from AP1 to AP2?

Also, does it make sense / is it possible to use eth0 (the WAN port) at AP2 to extend the switch for more wired connections? (AP1 LAN -> AP2 WAN)

eth0 at AP1 is connected to one of the LAN ports of the ISP, which works flawlessly (because of different subnets).

EDIT2 - because I'm not able to post more than 19 times (newbie restrictions)
OK, I'll try to sum up everything:

  • every AP reset to factory
  • connect AP1's WAN to one of the LAN ports of the ISP (NATing 192.168.10.0 to 192.168.20.0)
  • I'll delete the WAN interfaces at AP2 + AP3
  • set the LAN interface to a static IP (every AP - .1 / .2 / .3)
  • bridge eth0 to eth1 (just AP2/3, to extend the switch +1)
  • set up the guest and private wireless interfaces at AP2/3 like at AP1 (first of all without any restrictions)
    -> for now I don't do a separation of the switch; every wired connection should be handed over to the private LAN
  • bridge the guest and private wireless interfaces to the LAN interface
  • disable DHCP at AP2/3 private (LAN) and guest interfaces
  • set all APs' interfaces' gateway and DNS to the ISP's IP
  • connect AP3 to AP2 via WDS
  • use batman-adv at AP2/3 so AP3 clients are able to get an IP from AP1 (guest and private)
    -> or did I get you guys wrong and should I use DHCP at each AP like in the right-side description in the picture of the first post?

And if this works I'll set up the restrictions for the guest subnets?

@dlakelan you got exactly what I want to do. Just having 2 subnets covered by all APs and an unused 3rd at the ISP. As I mentioned above, I'll stop for now with more edits so as not to get the admins angry :wink: I'll clear this thing up tomorrow if I'm able to do new posts.

So thank you guys for the help for now!

Yes since the LAN is a bridge, you can attach more Ethernet ports to it. As many as you have that aren't being used for other purposes.

I'm wondering why you keep cutting off my quote.

Do you think DHCP and DHCP Forwarding are the same???

Once you understand they are different, that DHCP should work.

1 Like

OK, you're editing posts to respond to subsequent posts. That's very hard to follow...so it'll be difficult to assist you from here (on my part).

  • I also am lost then - if you understand DHCP forwarding is different, why do you think you're getting a DHCP IP from AP1 to AP3?
  • Also, as they are not directly connected, why do you think that AP1 can speak DHCP directly to AP3?

Just have each router issue an IP for its own subnet (LIKE IT DOES BY DEFAULT), simple.

Otherwise, you're making config changes that you're not disclosing to us.

As I read the diagram I think there are supposed to be TWO networks: LAN and GUEST, but there are 3 APs handling these subnets, and ONE router (AP1). The ISP device also has its own subnet, but it is basically unused. So basically there are two bridged subnets.

I think the solution you are recommending is routed subnets: AP1 has its own subnet for LAN and GUEST, AP2 has its own subnet for LAN and GUEST, and AP3 has its own subnet for LAN and GUEST... This is a config you can set up, but you need to provide different SSIDs for each subnet, resulting in a total of 6 SSIDs and there is no possibility of roaming.

Roaming is what I think is meant by:

So what's needed is just two subnets one for LAN and one for GUEST and to provide a bridge that bridges AP1,AP2,AP3 for both VLAN subnets.

Unfortunately, as I said, WDS won't do this. You need a more advanced protocol, which is BATMAN-adv.

Yes absolutely, you use tagged VLANs on both AP1 and AP2 and the switch de-multiplexes based on the VLAN tag. In order to get those separate VLANs to travel across the wireless connection from AP2 to AP3 and back you need the BATMAN-adv method or some other similar method (you can do other things like GRE tunneling, but I think BATMAN is what you want)

2 Likes

@tmomas, clearly @KleBoR is not a bot or spammer, can we just manually accelerate the full user status here so things don't get more confusing from the 19 post limit?

Also I've rewritten the title to more correctly describe what the OP wants, he doesn't want cascaded routers but rather two bridged networks:

2 Likes

Indeed, it is difficult for a new user when they have a problem but reach the basic limit, so all they can do is "like" posts but cannot reply!

1 Like

It serves its purpose to reduce spam in general, but in this case not so much.

2 Likes

I understand.

I don't know about this forum platform, but would it be feasible to specify that if a user's posts get replies from other existing users, their basic quota is increased or lifted?

In the meantime, I suggest @KleBoR take a look at how VLANs work, and how BATMAN-adv works:

https://openwrt.org/docs/guide-user/network/vlan/switch_configuration

https://openwrt.org/docs/guide-user/network/wifi/mesh/batman

3 Likes

No need for any acceleration.
KleBoR advanced in the meantime to trust level 1 (Basic User), without any admin intervention, just by reading postings and showing interest in different topics :slight_smile:

Users at trust level 1 can…

  • Use all core Discourse functions; all new user restrictions are removed
  • Send PMs
  • Upload images and attachments if enabled
  • Edit wiki posts
  • Flag posts
4 Likes

Finally the restrictive time is over, so these are the edits from the post above.

OK, I'll try to sum up everything:

  • every AP reset to factory
  • connect AP1's WAN to one of the LAN ports of the ISP (NATing 192.168.10.0 to 192.168.20.0)
  • I'll delete the WAN interfaces at AP2 + AP3
  • set the LAN interface to a static IP (every AP - .1 / .2 / .3)
  • bridge eth0 to eth1 (just AP2/3, to extend the switch +1)
  • set up the guest and private wireless interfaces at AP2/3 like at AP1 (first of all without any restrictions)
    -> for now I don't do a separation of the switch; every wired connection should be handed over to the private LAN
  • bridge the guest and private wireless interfaces to the LAN interface
  • disable DHCP at AP2/3 private (LAN) and guest interfaces
  • set all APs' interfaces' gateway and DNS to the ISP's IP
  • connect AP3 to AP2 via WDS
  • use batman-adv at AP2/3 so AP3 clients are able to get an IP from AP1 (guest and private)
    -> or did I get you guys wrong and should I use DHCP at each AP like in the right-side description in the picture of the first post?

And if this works I'll set up the restrictions for the guest subnets?

@dlakelan you got exactly what I want to do. Just having 2 subnets covered by all APs and an unused 3rd at the ISP. As I mentioned above, I'll stop for now with more edits so as not to get the admins angry :wink: I'll clear this thing up tomorrow if I'm able to do new posts.

So thank you guys for the help for now!

@tmomas even though I'm at trust lvl 1, I had to wait until the restrictive time is over :wink:

@dlakelan I'll try to get familiar with batman-adv and the VLAN separation

2 Likes

@dlakelan do you have some config templates for 2 VLANs and maybe also for a batman-adv setup? I do kinda have some problems while setting this up (might just be some understanding problems).

Could you give me a hint how it is possible to do the connection like this:

AP1 LAN -- WAN AP2 (so I've one additional port at the switch)

I might have configured something wrong by setting up the VLAN/bridging of the interfaces.

Usually the WAN port is not special, it's just another port on the switch. In any case choose two VLAN tags to be your LAN and GUEST tags, maybe 2 and 3. Then for each device make one Ethernet port be tagged for both VLANs and make the CPU port be tagged for both VLANs, then put a cable between the tagged ports. Now set up your two interfaces on OpenWrt to physically use eth0.2 or eth0.3 and voila, the two devices are connected and the two networks are separated.

See the wiki for guest network to get an idea how to set up firewalls to isolate the two networks.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

That page also discusses VLANs toward the bottom.

OK, so I have to add 2 VLANs beside VLAN1, leave VLAN1 as it is per default and assign the ports as I want for VLAN2 and VLAN3?

On models where everything goes through the switch, there should be two pre-defined VLANs:

  1. LAN (4 ports, untagged)
  2. WAN (one port, untagged)

Naturally you'd add a VLAN 3 for guests. Then change one of the Ethernet ports to be tagged in VLAN1 and 3, but off in 2. This will be the cable to the AP. It needs the same setup of tagged in 1 and 3 and those passed through to the CPU and the software network bridges.
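As an added example (not a config posted in this thread) of the tagged-trunk layout described in the two replies above, this is AP2 set up as a pure access point in the swconfig-era OpenWrt syntax (pre-21.02 `ifname`, `eth0.N` VLAN sub-interfaces). Assumptions: switch ports 0-3 are the LAN ports and port 6 is the CPU; port 3 carries the trunk cable to AP1; the guest subnet 192.168.30.0/24 is invented here, since the thread only names 192.168.20.0/24 for the private LAN.

```uci
# Added example, not from the thread. AP2 = pure AP, swconfig-era OpenWrt.
# Assumed port map: LAN ports 0-3, CPU port 6; port 3 is the tagged trunk
# to AP1. Guest subnet 192.168.30.0/24 is an assumption.

# --- /etc/config/network ---
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 = private LAN: ports 0-2 untagged, trunk port 3 and CPU tagged
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3t 6t'

# VLAN 3 = guest: only the trunk port and the CPU, both tagged
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '3t 6t'

# AP2's own address lives on the LAN bridge; gateway/DNS point at AP1,
# which is the only router. Clients get their gateway from AP1's DHCP.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.20.2'
        option netmask '255.255.255.0'
        option gateway '192.168.20.1'
        option dns '192.168.20.1'

config interface 'guest'
        option type 'bridge'
        option ifname 'eth0.3'
        option proto 'static'
        option ipaddr '192.168.30.2'
        option netmask '255.255.255.0'

# --- /etc/config/dhcp: AP2 hands out no leases; AP1 serves both bridges ---
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'guest'
        option interface 'guest'
        option ignore '1'
```

AP1 uses the same two `switch_vlan` sections (plus its existing VLAN 2 on the WAN port) with DHCP left enabled on both bridges; on every AP the `wifi-iface` sections attach each SSID to its bridge with `option network 'lan'` or `option network 'guest'`, and `option isolate '1'` on the guest SSID keeps guest clients from reaching each other over the radio.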

Well, seems I don't get you guys..

So this is my VLAN setup:

AP1

AP2

At AP1 there are 2 interfaces: private and guest. Both are set up with DHCP and pointing to the ISP (ISP LAN -> AP1 WAN).
Everything while connected to AP1 works, btw.

For now I connected AP1 LAN1 (tagged) to WAN of AP2 (also tagged), but I'm not able to get an IP address if I'm connecting to each of the interfaces.

At both APs the guest and private interfaces are just attached to each VLAN and of course the wireless radio.

What's the point I got wrong in this?

Do I need a 3rd VLAN for guest and leave VLAN1 as it is by default?

The "trunk" cable linking the two APs must be tagged in both VLANs on both ends.

If these are just APs and don't need an Ethernet connection to an ISP modem, you only need two VLANs.

There's an ethernet connection to the WAN port at the first AP from a LAN port of the ISP.

So I've to set up another VLAN and give it the same settings as VLAN1 and switch VLAN1 back to stock settings, right?

Does your ISP router do a guest network and VLANs?

In the conventional approach, at some point you have to route both the LAN user network and the guest network separately to the Internet. In the conventional approach this is done in the main router which is closest to the Internet.

1 Like