Using an outdated router as a dumb AP: Ok or no-no?

Hi everyone,

I have a set of old, outdated TP-Link routers lying around that have very little flash and RAM and can only still run version 18.06.

Is it fine to use these devices just as dumb APs and have a current-version main router handle the clients and DHCP?

All they would basically do is supply WAN to the guest Wifi.

Is there any particular reason not to use them this way?

which one ?

Some devices have been ported to ath79, which requires less space, and are now able to fit a 19.07 image.

But yeah, AP's a good idea.

1 Like

This would mean that anybody that wants to crack the wifi is facing outdated hardware that will have some vulnerabilities eventually.

At the moment I think there isn't anything major that also affects 18.06, but in the future there probably will be, as usual with security.

This is the only downside I can think of. As that's the only thing that is actually handled by these devices, everything else is done by the main router.

2 Likes

which one ?

Those would be a handful of TL-WR841Ns figuratively, or two hands full, literally.

I see that they have the ar71-builds, would that work?

The wifi is already open, it's just a guest net without access to the internal network. It would be nice if they could at least already supply this network.

The only weak point would be the RJ45-ports, I don't know if they could be disabled, since they are not needed. (Maybe physically, if nothing else.)

You can run 19.07 or even 21.02 on these, if you strip PPP and LuCI etc (I'd rather compile those images instead of using the Image Generator). I have two v7 revisions myself. One is on 19.07. The other is running a pre-21.02 build.

You can remove the ports you don't use from the LAN configuration in OpenWrt. No need to disable them physically.

1 Like
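The port removal suggested in the reply above can be verified after the change. This is an added example, not part of the original thread: it parses a swconfig-style `/etc/config/network` (as used on 18.06/19.07) and lists switch ports that are still members of a VLAN. The sample config, its port numbers, the allowed set `0 1` (assumed CPU port plus uplink) and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample; port numbering differs between hardware revisions,
# so treat these numbers as assumptions and check your own device.
SAMPLE_NETWORK="config switch
	option name 'switch0'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 4'"

# Read a network config on stdin; print "vlan port" for each VLAN member.
vlan_ports() {
	awk -v q="'" '
		function emit(   i, n, a) {
			n = split(ports, a, " ")
			for (i = 1; i <= n; i++) print vlan, a[i]
			ports = ""; vlan = "?"
		}
		$1 == "config" { emit(); in_vlan = ($2 == "switch_vlan"); next }
		in_vlan && $1 == "option" && ($2 == "vlan" || $2 == "ports") {
			val = ""
			for (i = 3; i <= NF; i++) val = val " " $i
			gsub("[" q "\"]", "", val)          # strip UCI quoting
			if ($2 == "vlan") vlan = substr(val, 2); else ports = val
		}
		END { emit() }
	'
}

# Read a network config on stdin; print every member port that is not in
# the allowed set ($1, space-separated port numbers). A trailing "t"
# (tagged port) is ignored for the comparison. Exit status 1 if any found.
unexpected_ports() {
	allowed=" $1 "
	found=0
	for p in $(vlan_ports | awk '{ sub(/t$/, "", $2); print $2 }' | sort -u); do
		case "$allowed" in
			*" $p "*) ;;
			*) echo "$p"; found=1 ;;
		esac
	done
	return $found
}

# Demo on the constructed sample: ports 2, 3 and 4 are reported.
printf '%s\n' "$SAMPLE_NETWORK" | unexpected_ports "0 1" || echo "^ ports still in a VLAN"
```

On the device itself, feed it the live file: `unexpected_ports "0 1" < /etc/config/network`.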

I've got one device running the ath79, used as an AP, works really well.

It serves low traffic IoT devices, no issues at all.

1 Like

Guest wifi isn't usually open, I don't think even stock firmware makes open wifi for guests so I didn't think you were going for open wifi.

I don't think it is a good idea to leave it open, as this means anybody with a 30$ antenna can use your internet connections to do stuff, maybe illegal, and if they get "caught" all IPs in the logs will point them to your internet contract, because that's what they used to access the internet. This is similar to using a stolen car to do a crime.

How often does this happen? Not very often, but this is the risk you incur if you leave an open wifi with internet access.

I would still use a password and WPA2 for guest wifi too (a different password than the main wifi), at the very least. As it might not be 100% secure but it's at least trying to, and something that will not make you look bad if something happens, as now you are also a victim of a hack and not just someone that left the port wide open to anyone.

For the physical ports it's irrelevant, if they have physical access to the device it means they are in your house anyway.

if they have physical access to the device it means they are in your house anyway.

They are already in our "house", we are a community-center. :grinning:

As such, we have a certain obligation to supply free internet to the community, hence the open guest net. We've had this consideration. As far as I'm aware, internet suppliers will not be prosecuted for activity on their guest networks. Anyway, the bandwidth is highly limited and any protocols beyond simple browsing and email are blocked, as well as external DNS requests, so I guess the actual threat level is minimal.

The routers/"APs" are not placed in public areas, but I suppose it would still be good to limit all unnecessary vulnerabilities or even just potential issues, apparently ports can be disabled from within OpenWrt so that's good.

A bit off-topic, but I just wanted to clarify, but appreciate the concern.

Agreed. This concern about legality has been addressed by the EFF in the US:

they believe the legal risks are minimal in the US.

In general it seems to me like a community organization such as yours has good reasons to use unencrypted guest wifi. I think your devices should be fine for this use.

1 Like

While afaik nobody is regulating open wifi for home, running an open guest wifi with no logging in a business environment can be illegal too, at least where I live (nation inside EU, but this may or may not be the same in other countries in the EU) using open wifi in a "free hotspot" provider is illegal and to get access to the free wifi hotspots we need to be identified, either back in the day of "shortly post 9/11 regulations" by giving ID cards to shop owner (that will scan it to have a proof of who was connected and with what account) or by typing in the welcome page of the service our "social security number" equivalent or a phone number, and now in more recent times we can also use the SPID, the digital unique identifier that each citizen has (which is used to access the web interface of state services).
And since there is also all this logging of private information going on, it has to be done according to GDPR privacy laws, because more bureaucracy for the bureaucracy god.
And this is not a new thing, it's like a couple decades that it's like that, with ups and downs, changes in a direction and back and forth again.

Afaik in the UK and Germany you might also be required to log all visited sites for each account for "copyright protection" or not anymore if the laws requiring it were amended later than last time I checked.

So yeah if you are not just doing this at your home please check local laws about it because it can vary wildly from one country to the other, and can be a problem even if nobody abuses your infrastructure.

DISCLAIMER: None of the advice on this forum is legal advice, if you need legal advice ask an actual professional.

I think they are talking of home networks there, as a private civilian movement and all that. Not for a legal entity or a business entity.

Also some of their opinions are debatable imho.

Doesn't opening my wireless network reward "freeloaders"?

No way! Most wireless networks use only a small fraction of their capacity. Sharing capacity helps everyone, eliminates waste, and increases the efficiency of the network.

Guys, wtf. Of course it rewards "freeloaders", because you are paying for the service that "freeloaders" use for free. It's not necessarily a bad thing, but you can't say it isn't like it is.

Is opening my network a security risk?

If you are running an open network, it is NOT the case that anyone can break into your computer, and you are still, by and large, in a safe situation.

Yes, yes they can, and no it's not safe. Sure, it's not a particularly big attack vector, nobody runs around from home to home searching for open wifi to hack a single PC or a single network printer as it's a massive waste of time, but it's different from saying "breaking into your computer isn't the case".
Good old WannaCry cryptolocker spread itself on the network by abusing vulnerabilities in sharing protocols, for example.

To be fair, they then go on and explain about using guest network, and a whole lot of caveats and things like limiting communication between users at the router level, which yes would let you run an open network safely, but that sentence is still a bad statement.
The correct statement would be
"If you are running an open network with some specific setup and settings, it is NOT the case that anyone can break into your computer, and you are still, by and large, in a safe situation."

Will opening my wireless network slow down my Internet connection?

For users whose routers give them the option of running a second "guest network" that is open, this should not slow down your primary network.

Until one of your neighbors gets an antenna, connects to you and starts torrenting like a madman, then your Internet might still be OK if it has higher bandwidth than the wifi, but wifi will be swamped.

Also, nowadays there are turnkey appliances to bond multiple different connections, like https://www.openmptcprouter.com/ (which is using OpenWrt as a base for the OS).
While I'm using that to bond 3 different LTE modems (that I own), it can be used to bond any number of free wifi APs to make a big honking huge bonded connection.

Again, this is not necessarily going to be common, but it should still be discussed as a potential issue because it can be. If I were living in a city with plenty of open wifi around (that are part of this project, so I know it was done on purpose and not just a mistake) I would totally do that.

I think that the people in that article are way too optimistic and carefree or have a conflict of interest in getting you to join their movement.

Agreed that they could do a better job of their advocacy. For an organization that wants to do this right, a separate guest network + VLAN and an SQM instance to limit the bandwidth should be enough.

I offer an unencrypted guest network with about 30Mbps symmetric from my gig fiber. If it makes it so my neighbors can check their email or grab some podcasts while walking their dog... Hey no problem.

If my local YMCA for example offers a free and open network to the community, it's a community charity org and it is intentionally providing network to everyone. That's a good thing.

I'm glad I don't live in oppressive govt conditions where everyone is required to keep track of everyone who connects to their network.

Yeah those regulations made sure wifi hotspots were never a major thing here, they are uncommon (for example in my city only the McDonald's and the local public library and other local government buildings have one, both kind of suck).

On the other hand, we can easily get 30-50GB of monthly data caps on LTE (plus unlimited calls and 1000 SMS) for like 10 euro a month, and you can get flat LTE/5G contracts (no data caps, unofficially limited to 50GB per day which is fair imho) for 30 to 40 euro per month depending on ISP choice.

So yeah the need for an open wifi here dropped dramatically years ago when these contracts became available, which is why nobody pushed to change the regulations.