Use LAN interface as WAN

I have an AP interface on the bridge br-lan2 and I want br-lan to be the "WAN" when needed.

/etc/config/wireless
root@archer_c60:~# cat /etc/config/wireless 

# Radio definitions. Per the 'band' options, radio0 is the 5 GHz radio and
# radio1 is the 2.4 GHz radio; both pick their channel automatically.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option cell_density '0'
        option channel 'auto'
        option htmode 'VHT80'
        option country 'AR'

# NOTE(review): unlike radio0, this section sets no 'country' option.
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option channel 'auto'

# Wireless interfaces. Every AP below is attached to network 'lan2'; the two
# station ('sta') sections are attached to network 'telecentro'.
#
# NOTE(review): each 'key' is a WPA2 passphrase stored and shown in plaintext.
# If these are the real values, treat them as disclosed and rotate them, and
# replace keys with placeholders before sharing a config.

# AP "LAG" on radio1 (2.4 GHz); disabled in this listing.
config wifi-iface '2g_lag'
        option device 'radio1'
        option mode 'ap'
        option ssid 'LAG'
        option ifname '2g'
        option encryption 'psk2+ccmp'
        # NOTE(review): a single well-known phrase is a weak passphrase;
        # prefer a long random one.
        option key 'masterofpuppets'
        option network 'lan2'
        option disabled '1'

# Station (client) on radio0 towards the SSID below; disabled in this listing.
config wifi-iface '5g_sta'
        option device 'radio0'
        option mode 'sta'
        option ssid 'TeleCentro Wifi'
        # NOTE(review): 'none' means the uplink is an open network, so traffic
        # on this link has no link-layer protection. Whatever arrives over it
        # should be handled as untrusted (it lands in firewall zone 'wan').
        option encryption 'none'
        option ifname '5g_sta'
        option network 'telecentro'
        option disabled '1'

# Guest AP "Invitados" on radio1; disabled in this listing.
# NOTE(review): it shares network 'lan2' with the other APs, so guests are
# not separated from the other lan2 clients by a bridge or a firewall zone.
config wifi-iface '2g_invitados'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Invitados'
        option encryption 'psk2+ccmp'
        option ifname '2g_invitados'
        option key 'REDparaINVITADOS'
        option network 'lan2'
        option disabled '1'

# AP "F" on radio1: the only interface with disabled '0' in this listing.
# The thread describes it as the management SSID.
config wifi-iface '2g_f'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2+ccmp'
        # NOTE(review): a repeated-digit key is trivially guessable, and this
        # SSID leads to zone 'lan2', whose input policy is ACCEPT.
        option key '1111111111'
        option ssid 'F'
        option ifname '2g_f'
        option disabled '0'
        option network 'lan2'

# Station (client) on radio1 towards the same open SSID; disabled here.
# No 'ifname' is set for this section.
config wifi-iface '2g_sta'
        option device 'radio1'
        option mode 'sta'
        option ssid 'TeleCentro Wifi'
        option encryption 'none'
        option network 'telecentro'
        option disabled '1'

# AP "LAG" on radio0 (5 GHz); same SSID and key as 2g_lag. Disabled here.
config wifi-iface '5g_lag'
        option device 'radio0'
        option mode 'ap'
        option ssid 'LAG'
        option encryption 'psk2+ccmp'
        option ifname '5g_lag'
        option key 'masterofpuppets'
        option network 'lan2'
        option disabled '1'

# AP "TV" on radio1; disabled in this listing.
config wifi-iface '2g_tv'
        option device 'radio1'
        option mode 'ap'
        option ssid 'TV'
        option encryption 'psk2+ccmp'
        # NOTE(review): repeated-digit key, same weakness as the key on "F".
        option key '6666666666'
        option network 'lan2'
        option ifname '2g_tv'
        option disabled '1'
/etc/config/network
root@archer_c60:~# cat /etc/config/network 

# Standard loopback interface.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd32:8853:bef7::/48'

# Bridge for the wired side; its only port is VLAN 1 on eth0.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# Wired interface with a static address and a gateway at 10.1.0.1
# (presumably the main router; confirm).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.1.0.3'
        option gateway '10.1.0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 on switch0: port 0 tagged ('0t'), ports 4, 3, 2 and 1 untagged.
# Port 0 is presumably the CPU port; confirm for this board.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option description 'lan1'
        option ports '0t 4 3 2 1'

# DHCP client interface with no 'device' option; the 'sta' sections in the
# wireless config attach to it through option network 'telecentro'.
# peerdns '0' ignores the DNS servers offered by the upstream DHCP server.
# NOTE(review): no replacement 'dns' option is visible in this section, so
# confirm where the resolver gets its upstream servers from.
config interface 'telecentro'
        option proto 'dhcp'
        option peerdns '0'

# Bridge with no wired ports listed; the AP interfaces join it through
# option network 'lan2' in the wireless config.
config device
        option type 'bridge'
        option name 'br-lan2'

# Wireless-only network with this router at 10.2.0.1.
# The thread suggests removing the defaultroute '0' line from this section.
config interface 'lan2'
        option proto 'static'
        option device 'br-lan2'
        option ipaddr '10.2.0.1'
        option netmask '255.255.255.0'
        option defaultroute '0'
/etc/config/firewall
root@archer_c60:~# cat /etc/config/firewall 

# Global policies, applied to traffic that is not covered by a zone.
# NOTE(review): input 'ACCEPT' means traffic arriving on an interface that
# belongs to no zone is accepted by the router itself. Keep every interface in
# a zone, or set this to 'REJECT' so that an unzoned interface fails closed.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

# Wired network 'lan': fully trusted (input, output and forward all ACCEPT).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Uplink zone. Its only network is 'telecentro', the DHCP client interface
# used by the station sections. Input and forward are rejected unless a rule
# with src 'wan' allows them; outgoing traffic is masqueraded.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'telecentro'

# Exceptions to the 'wan' zone policy. Rules without a 'dest' option apply to
# traffic addressed to the router itself; rules with a 'dest' apply to
# forwarded traffic.

# Lets DHCP replies (UDP port 68) from the uplink reach the router.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 echo requests coming from the uplink.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 client port (UDP 546) from the uplink.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery messages, link-local sources only.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward rule (dest 'lan'): ESP from the uplink towards hosts in zone 'lan'.
# NOTE(review): this rule and Allow-ISAKMP below open wan -> lan forwarding
# for IPsec; if no IPsec endpoint sits behind this router (nothing on this
# page shows one), removing both narrows what the uplink may reach.
config rule
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option name 'Allow-IPSec-ESP'
        option dest 'lan'

# Forward rule (dest 'lan'): UDP port 500 from the uplink towards zone 'lan'.
config rule
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option name 'Allow-ISAKMP'
        option dest 'lan'

# ICMPv6 types the router accepts from the uplink, limited to 1000 per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src 'wan'

# ICMPv6 types forwarded from the uplink to any zone (dest '*'), with the
# same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'
        option src 'wan'

# The only inter-zone forwarding in this file: lan -> wan.
# With the defaults forward policy set to 'REJECT', traffic from zone 'lan2'
# is not forwarded to 'wan' (or to 'lan') until a matching
# 'config forwarding' section is added for it.
config forwarding
        option src 'lan'
        option dest 'wan'

# Zone for the wireless-only network 'lan2'.
# NOTE(review): input 'ACCEPT' lets every client of a lan2 SSID reach the
# services running on the router itself. In the wireless config on this page
# that includes the guest SSID 'Invitados'. A separate guest zone with input
# 'REJECT' plus explicit DHCP and DNS rules would keep guests away from the
# management services.
config zone
        option name 'lan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan2'

What do you mean "when needed"? Under what circumstances would it be needed? And what physical port would be the wan? It can't switch on the fly unless you create some script that has some sort of test condition that is evaluated and causes the switch.

I forgot to add the activation script.

act_telc_2g.sh
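#!/bin/sh
# act_telc_2g.sh - switch to the backup uplink over the 2.4 GHz station.
#
# Stages these wireless changes, commits them, then restarts services:
#   - 2g_sta enabled, 5g_sta disabled
#   - 5g_lag, 2g_lag, 2g_invitados, 2g_f and 2g_tv enabled
# It also sets network.lan.defaultroute to 0, so 'lan' no longer provides the
# default route.
#
# NOTE(review): in the wireless config posted on this page both *_sta
# sections use encryption 'none', so the uplink enabled here is an open
# network. The firewall 'wan' zone (which lists 'telecentro') is what filters
# traffic from it, so a failed firewall restart is reported below.

# Print a diagnostic on stderr, prefixed with the script name.
warn() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
}

# `uci -q` hides its own error text, so name the assignment that failed.
# The run continues either way, as it did before.
for assignment in \
  wireless.5g_sta.disabled=1 \
  wireless.2g_sta.disabled=0 \
  wireless.5g_lag.disabled=0 \
  wireless.2g_lag.disabled=0 \
  wireless.2g_invitados.disabled=0 \
  wireless.2g_f.disabled=0 \
  wireless.2g_tv.disabled=0
do
  uci -q set "$assignment" || warn "uci set $assignment failed"
done
uci commit wireless

uci set network.lan.defaultroute='0'
uci commit network

# A pause follows only a successful restart; a failed restart does not stop
# the later ones.
service network restart && sleep 5
if service firewall restart; then
  sleep 5
else
  warn "firewall restart failed; check the firewall before using the uplink"
fi
# Kept last so that its status is the script's exit status.
service dnsmasq restart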
act_telc_5g.sh
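#!/bin/sh
# act_telc_5g.sh - switch to the backup uplink over the 5 GHz station.
#
# Stages these wireless changes, commits them, then restarts services:
#   - 5g_sta enabled, 2g_sta disabled
#   - 5g_lag disabled (it is on radio0, the same radio as 5g_sta)
#   - 2g_lag, 2g_invitados, 2g_f and 2g_tv enabled
# It also sets network.lan.defaultroute to 0, so 'lan' no longer provides the
# default route.
#
# NOTE(review): in the wireless config posted on this page both *_sta
# sections use encryption 'none', so the uplink enabled here is an open
# network. The firewall 'wan' zone (which lists 'telecentro') is what filters
# traffic from it, so a failed firewall restart is reported below.

# Print a diagnostic on stderr, prefixed with the script name.
warn() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
}

# `uci -q` hides its own error text, so name the assignment that failed.
# The run continues either way, as it did before.
for assignment in \
  wireless.5g_sta.disabled=0 \
  wireless.2g_sta.disabled=1 \
  wireless.5g_lag.disabled=1 \
  wireless.2g_lag.disabled=0 \
  wireless.2g_invitados.disabled=0 \
  wireless.2g_f.disabled=0 \
  wireless.2g_tv.disabled=0
do
  uci -q set "$assignment" || warn "uci set $assignment failed"
done
uci commit wireless

uci set network.lan.defaultroute='0'
uci commit network

# A pause follows only a successful restart; a failed restart does not stop
# the later ones.
service network restart && sleep 5
if service firewall restart; then
  sleep 5
else
  warn "firewall restart failed; check the firewall before using the uplink"
fi
# Kept last so that its status is the script's exit status.
service dnsmasq restart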
des_telc.sh
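#!/bin/sh
# des_telc.sh - leave backup-uplink mode.
#
# Disables both station interfaces and every AP except 2g_f, which stays
# enabled, then deletes network.lan.defaultroute so the override written by
# the activation scripts no longer applies. Finally restarts network,
# firewall and dnsmasq.
#
# NOTE(review): if one of the quiet `uci set` calls fails, a station or AP
# interface can stay enabled after this script has run. Each failure is
# therefore named on stderr instead of being hidden by -q.

# Print a diagnostic on stderr, prefixed with the script name.
warn() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
}

# The run continues after a failed assignment, as it did before.
for assignment in \
  wireless.5g_sta.disabled=1 \
  wireless.2g_sta.disabled=1 \
  wireless.5g_lag.disabled=1 \
  wireless.2g_lag.disabled=1 \
  wireless.2g_invitados.disabled=1 \
  wireless.2g_f.disabled=0 \
  wireless.2g_tv.disabled=1
do
  uci -q set "$assignment" || warn "uci set $assignment failed"
done
uci commit wireless

# Not quiet: uci reports it if the option is already absent.
uci del network.lan.defaultroute
uci commit network

# A pause follows only a successful restart; a failed restart does not stop
# the later ones.
service network restart && sleep 5
if service firewall restart; then
  sleep 3
else
  warn "firewall restart failed; check the firewall state"
fi
# Kept last so that its status is the script's exit status.
service dnsmasq restart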

but you didn't answer the core questions -- activation scripts don't necessarily tell the story about when/why it should switch, nor does it tell what port becomes the uplink and if that uplink is always there, and so on.

Normally the device with OpenWrt acts as an AP connected to a main router. One of the wireless interfaces (with SSID "F") is always up to connect a client for management only. The other interfaces are for "real" clients.
By "when needed" I mean using OpenWrt STA+AP when the main router's internet connection is cut off. The script changes the upstream network to the WAN interface. In normal use the upstream network is LAN, but in that state, when I connect to SSID "F", I can't access the internet.

Your use case is a bit confusing, so it's important to make sure the details are fully understood...

Is this a wired connection? And this OpenWrt device is a dumb AP?

So when the main internet connection goes down, this device will establish a new connection on its wan? Is this a wired or wireless wan?

Are you expecting to make this seamless for the wireless devices already connected to the AP on an SSID associated with the lan? Or will the clients be required to switch to a different SSID in order to regain internet access?

Currently, your lan2 interface is associated with the lan2 firewall zone and there is no forwarding for that zone... if you want it to have access to the wan, you need to allow forwarding from lan2 > wan.

Yes, the upstream connection is permanently wired and is for accessing the main router and managing it via OpenWrt.

The WAN connection of the router with OpenWrt is wireless since there is an ISP that offers internet wirelessly and it is used when the internet connection of the main router is cut off.

Clients only access the OpenWrt router when there is no internet from the main router. Both devices have the same SSIDs, but not active at the same time for them to connect to the working router.

You are right (and this point is the root of the problem). You have reminded me that I had to add that forwarding to WAN to have internet. But that is the case when using the WAN, which is wireless; in the normal state the router with OpenWrt is acting as a wired AP and the upstream connection is LAN. The only active SSID is "F", for access when needed. The problem is that I don't have internet when I connect to that SSID. I tried changing the forwarding so that it goes from LAN2 to LAN, but it doesn't work.
I also want to clarify that I access the OpenWrt router from the main router when I'm using the desktop PC and not have to connect directly to it via Wi-Fi "F".

Does the main router completely disable the wifi when the main internet is determined to be down (this must happen, and it must be down before the backup one comes online)?

That's how it is. It is disabled so that clients can connect to the router with OpenWrt.

As I think about this, there are much better ways of handling the backup connection -- you should really be using a single main router with a multi-wan setup. OpenWrt can handle this. Your current situation is a fairly fragile hack, and you may end up having major problems if the scripts ever misfire.
Further, I see this as a minimally viable solution in general that will work only for wifi devices. Wired are not going to work.

Since you're using this device as a dumb AP normally, you'll need to do a few things in sequence...

When the main connection goes down:

  • confirm that the main router has taken down all of its SSIDs.
  • take down the local SSIDs
  • Disconnect the ethernet from the lan bridge
  • Enable the DHCP server
  • Re-enable the local SSIDs.

You'll have to activate the DHCP server since your main router is the gateway for your client systems. Therefore, you need to tell the clients to use the new gateway (i.e. this OpenWrt system). The easiest way to do this is via DHCP. And you need to make sure that doesn't back-feed into the wired connection that comes from your main router (which already has a DHCP server), so that's why you need to remove the ethernet ports and make the whole thing wireless only and disconnected from the upstream.

Then, you'll have to figure out some way to detect when the main network has come back online and reverse the process.

You are right, but the OpenWrt device falls short of the main connection since it is capped at 100 Mbps on its ports. The scripts don't do much. Just turn on the radios, change the gateway from "LAN" to "WAN" and restart some services. So far they do what is asked of them. And only wireless connection is desired, not wired.

The main router shuts down directly and the router with OpenWrt comes into play. Everything is manual, not automatic. That is, they are two independent devices. They don't depend on each other (at least the main router doesn't depend on the router with OpenWrt).
For simplicity, in normal use of the router with OpenWrt, the uplink is the LAN port, but when the script is activated, the uplink is the wireless WAN. The problem is that when the LAN interface is the upstream connection, the SSID "F" has no internet. And if I add that SSID to the bridge that LAN is on, in case I turn off the main router, I won't be able to receive an IP from DHCP. That's why I created LAN2 for that SSID, but I don't have internet.

Ok... so all the places where you have lan2 in the wireless config should just be lan and they will have internet access when the main router is working.

You could simply change them all to lan2 whenever the upstream (main router) connection dies, and then revert them back to lan when it comes back online. Your script will simply change the network to which the SSID is associated and then restart wireless.

Also, you need to remove the option defaultroute '0' line from below:

I already said that the router with OpenWrt is only available to clients when the main connection drops. If I add the SSIDs to the LAN bridge, they won't receive an IP in case I turn off the main router.

You could do that, but it's not what you want.

I understand that not all interfaces have to have that option enabled.