[Solved] Routed AP from WAN instead of LAN

Hi!

I'm quite new to openwrt, and I can't figure out how to set up a routed AP with its own DHCP server using the WAN port instead of a LAN one.

I've followed this guide
I've also tried this one for setting up a guest-wifi, since it's quite similar to what I need to no avail

I'm quite lost as of where should I look or anything. I can't find any relevant information in the forum.

(I'm sharing this since I've seen it requested many times; hope that helps)

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted in the thread (UCI syntax; '#' starts a comment).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # IPv6 unique-local prefix used for the local networks.
        option ula_prefix 'fd22:39e3:e444::/48'
        option packet_steering '1'

# LAN bridge carrying switch VLAN 1 (eth0.1).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        # 10.0.1.0/24 -- deliberately distinct from the upstream 10.0.0.0/24
        # network mentioned later in the thread, as routing needs different ranges.
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'

config device
        option name 'eth0.2'
        option macaddr 'd8:0d:17:c0:2a:29'

# Upstream side: VLAN 2 (eth0.2), addressed by the upstream router's DHCP.
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: physical ports 2-5 plus the CPU port (0, tagged) -> eth0.1 / lan.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

# VLAN 2: physical port 1 plus the CPU port (tagged) -> eth0.2 / wan.
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# Guest bridge with no wired ports; bridge_empty keeps it up so the
# wifi-iface in /etc/config/wireless can attach to it.
config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        # Third /24, distinct from both lan (10.0.1.0/24) and the upstream network.
        option ipaddr '10.0.2.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

# /etc/config/wireless as posted in the thread.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        # Regulatory domain (Denmark).
        option country 'DK'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        # WPA3-SAE with WPA2-PSK fallback for older clients.
        option encryption 'sae-mixed'
        # NOTE(review): this passphrase was published together with the dump;
        # treat it as compromised and change it before relying on this network.
        option key 'w3lc0m3!!!'
        # Operating Channel Validation disabled.
        option ocv '0'
        # Attaches the AP to the 'guest' interface (br-guest), not to lan.
        option network 'guest'

# 2.4 GHz radio is present but switched off.
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option channel '1'
        option htmode 'HT20'
        option disabled '1'

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted in the thread (dnsmasq + odhcpd settings).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebind protection: drop upstream answers that point at private ranges.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Answer DNS queries only from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option nonwildcard '0'

# Pool 10.0.1.100-10.0.1.249 (start 100, limit 150) on the 10.0.1.1/24 lan.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

# No DHCP service on the wan side; the upstream router hands out that lease.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Same pool shape as lan, on the 10.0.2.0/24 guest network. Unlike 'lan'
# there is no explicit 'dhcpv4' option here.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as posted in the thread.
# Zone policy: only lan may reach the router and be forwarded; wan and guest
# are rejected by default and rely on explicit rules.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Upstream-facing zone. input 'REJECT' is what keeps LuCI/ssh unreachable
# from the upstream network; the thread later changes it to ACCEPT, which is
# only appropriate when that upstream network is trusted. masq '1' NATs
# traffic leaving through wan.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# Only lan -> wan is forwarded. NOTE(review): there is no matching
# 'forwarding' stanza from guest to wan, so guest clients have no path out.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below are the stock OpenWrt allowances for the wan side: the
# router's own DHCP renewals, ping, IGMP, DHCPv6, MLD, rate-limited ICMPv6,
# and IPsec (ESP / ISAKMP) into lan.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone: isolated from lan and wan (no forwarding stanza references it).
# NOTE(review): with input 'REJECT' and no rule with src 'guest' permitting
# UDP 67 (DHCP) and port 53 (DNS) to the router, clients on this zone cannot
# obtain a lease or resolve names from this device.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

Thanks for your help :slight_smile:

Edit: Just in case it helps:

version: LuCI openwrt-24.10 branch (25.014.55016~7046a1c) / OpenWrt 24.10.0 (r28427-6df0e3d02a)

and

router: Tp-link archer c7 v5


The default configuration does lan->wan routing. Note that with any routing, the two networks need different IP ranges. If your main router is using 192.168.1.X, the same as the LAN, you need to change one of them. Then set up an AP attached to lan to make it wireless. Since the WAN port is connected to your own network instead of directly to the Internet, you can open the firewall to allow login from the wan side. This would mean opening TCP ports 22, 80, and 443 for ssh, http, and https respectively.

A guest network works the usual way. The instructions assume that a standard lan-wan router is set up first.

Thanks for answering this fast!

I've tried doing what you mentioned before. Default setup and just adding the ap to the LAN. I do get internet via WiFi, but I get an IP provided by my main router and on that network (10.0.0.x) instead of the 192.168.1.x

Since that failed, I've started playing around with different options.
Lemme try tomorrow again and share the configuration with it, in case I'm missing something there.

Since the WAN port is connected to your own network instead of directly to the Internet, you can open the firewall to allow login from the wan side

How can I do that? Just accept inputs?

I've tried to set the default setup, with the wifi network attached to the lan interface.

I've set the static ip for the lan interface to be 10.0.1.1 and my main network is 10.0.0.0/24. So two different subnets Afaik.

I still have the dhcp enabled for lan

When connecting to the wifi network, I'm still getting the IP address of my main subnet 10.0.0.0/24 instead of the 10.0.1.0/24.

How is the second router physically connected to the first?

Right now I have the 2nd router's WAN connected to the 1st router's LAN.
But I also have a lan-to-lan connection (to be able to configure the router; believe it or not, my computer's lan card is broken, I only have wifi)

This is how it should be based on your goals.

Is this simultaneously connected? You must not have lan-lan connections.

This is how it should be based on your goals.

Correct. This is my goal

Is this simultaneously connected? You must not have lan-lan connections.

@mk24 mentioned that I could access the LuCI configuration via my WAN connection, but I have no idea how to do it. If that's possible, I would then disconnect the lan cable; otherwise I'm locked out of the system.

Change the wan firewall zone's input rule to ACCEPT and you'll be able to access it from your upstream network.

NOTE: Never do this if the upstream network is untrusted.

That was easy :smiley:
And yeah, it makes sense. I'm still relying on my ISP router for upstream WAN, so all good. Thanks for emphasizing it

Now, when I connect to the wifi network, I never get an IP

Restart the 2nd router and then test again.

What the... It just works?

Why?

Also, does this mean that if I ever connect something via lan to the 2nd router, its dhcp server will be invalidated and clients will only use the other dhcp? How does that work?

Also, thanks a lot for your help :slight_smile:

Yup... as I expected.

The DHCP server was not running. That's because it detected that there was another DHCP server already running on the network (due to the lan-lan connection).

It was the lan-lan connection that was the problem. If you're always connecting lan (upstream) to wan (downstream), it'll be fine. And connecting computers or other devices to the lan won't cause the problem.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Hmmm. So in the event of having, for whatever reason, a 3rd router connected to this 2nd router (I'm just trying to understand, not that I'm considering doing it right now) with the same setup as this one but connected to the 3rd router's lan, and both get restarted at the same time, the fastest one to reboot will be the one acting as the dhcp server?

I know that it's stressing an edge case, but I'm wondering that if that's the case, how could openwrt ensure that the 2nd router would always be the dhcp server for downstream even in the event of having a 3rd router connected to lan?

Also, yeah. This is more than resolved.

Thanks again for your help and knowledge. It's quite interesting :slight_smile:

Generally speaking, if you're cascading routers like this, there's probably a better topology you can consider...

The simple way to look at this is that only one DHCP server is allowed on a network. OpenWrt's default configuration is such that dnsmasq will not start a DHCP server if it detects another one on the same network segment. When you connected lan-lan, you created that condition where there was a potential clash of DHCP servers. This would not happen if you only had a wan connection to the upstream network.

Returning to this...
if you're going to be configuring routers and other network devices, especially OpenWrt and other systems that have wifi off by default, buy a USB ethernet adapter for your computer. They're cheap and easily available and will save you major headaches.


Returning to this...
if you're going to be configuring routers and other network devices, especially OpenWrt and other systems that have wifi off by default, buy a USB ethernet adapter for your computer. They're cheap and easily available and will save you major headaches.

You're right. This is a great example, since I've been on this for a week, when it would've been working on day 1... I'm so cheap :see_no_evil_monkey:

The simple way to look at this is that only one DHCP server is allowed on a network. OpenWrt's default configuration is such that dnsmasq will not start a DHCP server if it detects another one on the same network segment. When you connected lan-lan, you created that condition where there was a potential clash of DHCP servers. This would not happen if you only had a wan connection to the upstream network.

I see. So dnsmasq is "polite" enough not to fight for it, but to let it be (at least by default). Ok, that's good to know.

Nice. Thanks again. Great to learn new stuff :slight_smile:

Connecting a third router would be no problem as long as you connected it wan to lan then connected a computer Ethernet only to the third router's lan to configure it. It is much easier to set up new routers with a working ethernet port in your computer.

Once you have started wifi and opened the firewall on the router then there are other ways to connect.


yeah... I guess you could call it polite. But it's practical, too.. a 2nd (rogue) DHCP server on the network can cause serious network problems and can be difficult to diagnose. So consider it more a safeguard.

