Struggling with guest wifi on dumb ap

Hello,

Setup: mikrotik router doing NAT for the whole network (192.168.1.0/24). Connected to that a RT3200 running 22.03rc as dumb ap. So far, so good.

Now I'd like to add guest wifi on the RT3200. Followed the how to on https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap and reenabled dnsmasq, odhcpd and firewall (which curiously the howto does not mention, other thing is that any no longer exists in firewall, so left hosts empty instead). Guest wifi devices get an IP from 192.168.2.0/24 now, but no connection to the world.

Presumably, the AP would have to run a second NAT instance for the guests as the mikrotik router has no idea what to do with the .2 subnet? How do I get it to do that? I am totally fine with double NAT as I really have no desire to go into VLAN territory...

Any pointers would be more than welcome!

Thanks a lot!

The changes below assume an OpenWrt default configuration.

Either you reset to defaults and follow the guide step by step, or you need to adjust the dumbAP configuration to your needs.

Then clearly the title of the howto is rather misleading? I took it to mean standard dumbap :smile:

Guess I will have to do some more digging then as I need wlan bridged to the mikrotik (hence the dumbap for the normal wlan) as the home automation stuff is hooked up to it and the mobile devices need to talk to that.

You may find some useful hints here:
https://steven-england.info/2014/11/01/openwrt-how-to-create-a-public-network-without-using-the-wan-interface/
The iptables rule examples may or may not work with nftables based OpenWrt 22.03 and future versions. I've not set anything up this way myself in years.

Despite not wanting to use VLANs, I think you would find it easier to set up and manage VLANs from your main router. Your RT3200 switch is on DSA, so don't use a swconfig based tutorial for that. You didn't say what mikrotik hardware you were using for your main router, or whether it is running OpenWrt - regardless, same caution there to determine whether it's using DSA or swconfig.

I wouldn't call it misleading. It just doesn't use the dumbAP as a base configuration. And as far as I can tell, there is no guide to add a guest wifi to a dumbAP. Likewise there is no guide to use vlans for the guest.
Sure you could revert a few changes from the dumbAP guide and add the guest wifi configuration to get the desired result, but that means that you have some experience with OpenWrt and know what needs to be reverted.
Otherwise it is faster to reset to defaults and follow the guide.

It's a RB5009 on routeros7 (openwrt does not seem to be stable on it yet). Frankly speaking, routeros is intimidating and since 4g coverage of my new apartment is abysmal I don't have a backup link if I screw it up. And it was pretty much the only piece of hardware checking all the boxes on the fiber side (well, aside enterprise stuff for a lot more).

Either way, turning on masquerading on lan interface seems to have provided the expected double NAT. Setting up guest WLAN on a dumb AP (Part 2) nudged me towards that. Is there anything wrong with the approach security-wise?

I think removing dumbap in the title would be justified considering that people generally seem to understand bridge lan/wlan under it and decidedly not the standard router config...

If implemented properly, nothing more than allowing someone to use your internet.

Then it wouldn't differentiate much from the basic guest wifi guide.

1 Like

That would indeed be the plan and since 192.128.0.1 is not reachable, it seems that is achieved.

Thanks a lot for confirming that.

Seems like the main differentiation is that it uses LuCI instead of CLI (which I find valuable)

1 Like
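
Added example, not part of any post in this thread: a small Python audit of an OpenWrt `/etc/config/firewall` for the masquerade-on-lan guest setup discussed above, checking that guests are NATed out but cannot open connections to the 192.168.1.0/24 LAN. The zone names `guest` and `lan`, the sample configs and the simplified rule matching are assumptions, not the guide's or the poster's actual configuration.

```python
import ipaddress, shlex

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"]:
            sections.append((tok[1], {}))
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def audit_guest(text, lan_cidr, guest="guest", lan="lan"):
    """Findings for a guest zone NATed into lan. A rule without proto 'all' only matches tcp/udp."""
    secs, lan_net, out = parse_uci(text), ipaddress.ip_network(lan_cidr), []
    first = lambda s, k: (s.get(k) or [""])[0]
    zones = {first(s, "name"): s for t, s in secs if t == "zone"}
    if first(zones.get(guest, {}), "input").upper() == "ACCEPT":
        out.append("guest input is ACCEPT: guests can reach services on the AP")
    if first(zones.get(lan, {}), "masq") != "1":
        out.append("no masq on lan: upstream router cannot route guest replies")
    def blocks_lan(s):
        nets = [ipaddress.ip_network(i, strict=False) for i in s.get("dest_ip", []) if i[0] != "!"]
        return ((first(s, "src"), first(s, "dest"), s.get("proto")) == (guest, lan, ["all"])
                and first(s, "target").upper() in ("REJECT", "DROP")
                and any(n.version == lan_net.version and lan_net.subnet_of(n) for n in nets))
    if not any(t == "rule" and blocks_lan(s) for t, s in secs):
        out.append("no all-protocol rule rejecting guest traffic to " + lan_cidr)
    return out

WEAK = """
config zone
    option name 'lan'
    option masq '1'
config zone
    option name 'guest'
    option input 'REJECT'
config forwarding
    option src 'guest'
    option dest 'lan'
"""  # constructed sample; DHCP/DNS allow rules for guests omitted
HARDENED = WEAK + """
config rule
    option src 'guest'
    option dest 'lan'
    list dest_ip '192.168.1.0/24'
    option proto 'all'
    option target 'REJECT'
"""
```

`audit_guest(WEAK, "192.168.1.0/24")` reports the missing block rule, while the same call on `HARDENED` returns no findings.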