Vlan help - Extending guest wifi via Vlan to DumbAP

Need some help in extending my guest Wifi, already up and running on my main router, to my other DumbAP routers. Searched in the forum but cannot find a guide nor the correct information I could use here. I am quite new to OWRT and appreciate your support.
VLAN sounds quite complex to me and absolutely not easy to set up ...
My setup: 3 Cudy WR3000s and 1 TPLink EAP225v3, all on current OWRT.
1 Cudy is the main router connected to WAN, all DumbAPs connected on ethernet.
DumbAP and Guest were set up following the LuCI guides, working flawlessly.
Guest is only on the main router and I would like to have the same Guest/DHCP
on all APs as well. Is that possible?

This is usually pretty straight forward. How is everything physically connected? Do you have any switches between the devices? If so, are they managed switches?

A diagram, including the brand+model of each device, the port numbers used for the connections, and their addresses will be very helpful here (and in fact necessary to ensure that we set things up properly).

Please post the configs of your devices, too.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Pretty straight forward :slight_smile: not for me ...
I do have three un-managed netgear switches in the house.
Ethernet goes out from main router LAN1 and into all other dumbAPs on LAN1.
Three Cudy WR3000s and one TP-Link EAP225v3, all on the latest build.
APs are all configured like dumbAP config. No config changes for APs yet.
Main router config and further below one dumbAP config

Main router config

 -----------------------------------------------------
 OpenWrt 24.10.1, r28597-0425664679
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd60:2579:bae9::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option username ''
	option password ''

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option cell_density '0'
	option country 'US'
	option txpower '20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'SEK'
	option encryption 'psk2'
	option key ''

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE40'
	option txpower '21'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SEK'
	option encryption 'psk2'
	option key ''

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'psk2'
	option key ''
	option network 'guest'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'psk2'
	option key ''

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '101'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'guest'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'NGINX 443'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.2.100'
	option dest_port '443'

DumbAP config

 -----------------------------------------------------
 OpenWrt 24.10.1, r28597-0425664679
 -----------------------------------------------------
root@Tobi:~# ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "Tobi",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
root@Tobi:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd9:bbff:195d::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.8'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.2.1'
	list dns '192.168.2.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option disabled '1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option disabled '1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

root@Tobi:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '9'
	option htmode 'HE20'
	option txpower '19'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'SEK'
	option encryption 'psk2'
	option key 'x'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE40'
	option txpower '19'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SEK'
	option encryption 'psk2'
	option key 'x'

root@Tobi:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@Tobi:~# cat /etc/config/firewall
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

This is a showstopper. VLANs should not be used with unmanaged switches because the behavior is undefined and may be unpredictable. At best, nothing bad happens, at worse the entire network goes down or has hard to troubleshoot issues.

Is it possible to make connections such that all of your OpenWrt devices are directly connected to each other without any switches between them? You can have switches on other ports of the OpenWrt devices.

Or, can you replace those switches with managed models.

A diagram would help here.


How should that look like, directly connected?
Main router LAN1 to AP1 LAN1
AP1 LAN2 to AP2 LAN1
AP2 LAN2 to AP3 LAN1

If yes, I don't think that I can do that, only if I would use such a cable splitter from gigabit to two 100 Mbit connections, but this isn't cool, right?

What do you think?

That is one way to achieve the connections. But there are others ways to do the same thing. The main question is if you can avoid using the unmanaged switches. Can you show a diagram of your network?

Quickly drafted :slightly_smiling_face: hope you can read that.

I don't know how a managed switch works and if I would need to replace all switches, but I could replace that one switch in the middle of the house, upper floor, and from this one I could get direct connections to all other routers. Is this maybe a working solution?
I just checked on Amazon :grinning_face_with_smiling_eyes: there are 8-port managed switches supporting VLAN from Zyxel and TP-Link for around 26 Euros, is this what you mean?

A managed switch is VLAN aware and can be configured such that you can define which VLANs are available on each physical port. This is necessary if you want to use VLANs through any given bit of switch hardware. For devices that run OpenWrt and contain a switch, essentially all of them can be configured to carry VLANs properly in this way. And of course there are many managed switches on the market that are designed with this functionality in mind.

This differs from unmanaged switches which have no configurability and are not designed to carry VLANs.

The overarching goal/requirement here is to be able connect all of the OpenWrt devices without ever passing through an unmanaged switch on that path. You can have unmanaged switches on a branch, but not in the main connection path.

Based on the current diagram, all of the switches would need to be replaced. But that's not an absolute because I don't know if you have some flexibility in the setup as drawn.

The Cudy devices all have built-in switches, so is it possible in your scenario to use those such that they are in the 'backbone' path instead of the existing switches? For example, if "router 1" and "router 4" are both Cudy units, we could possibly rearrange the wiring a bit. Where a wire currently connects "switch basement" to "switch upper" (on the right side of the diagram), you could unplug the connection from the basement switch and plug it into "router 1". This would allow the right side "switch upper" to be directly connected to the router, rather than through "switch basement". Similarly, if you then unplug the connection from "switch upper" and plug it directly into "router 4", we've established a direct connection from "router 1" to "router 4".

Do you see what I'm getting at there? If you can do the same thing with the middle/left side of the network diagram, you can create a path between all of the OpenWrt devices that never includes an unmanaged switch.

I don't know if any of that is physically possible in your environment, though. But even if you can't do this with all of the switches in the network, you still may be able to adjust the topology such that you only need to replace 1 or 2 switches rather than all 3.


Just to (slightly) extend on the above.

The big/ major question is how close (physically) your AP-routers are to each of the three switches, respectively how close they could reasonably be.

An unmanaged switch mustn't be exposed to tagged packets ~= multiple VLANs, so on the face of it, all three unmanaged switches would have to be replaced with (correctly configured) managed switches. However, your APs (running OpenWrt) do contain a configurable managed 5-port switch themselves, which could be used for this purpose as well… So if you can put the (corresponding) OpenWrt routers into the positions currently held by your unmanaged switches -and only use the unmanaged switches behind the routers, connected to a plain access port (single VLAN, all-untagged)- that could sort out your issues as well, in the sense of switches/ routers trading places (only sensible if switch and router are ~within arm's length, meaning you could easily change the network cabling accordingly).

Yes, it would be more sensible to keep everything as-is and to replace all three unmanaged switches with managed switches (and not the entry level with known firmware deficiencies), but as that comes with a certain expense, cheating around by (ab-)using your AP-routers as managed switches may be a cheaper approach (it's limited in scale/ number of ports, but also has the advantage of a common configuration interface and semantics).

If physically convenient (and as long as <=5 ports suffice), this (using OpenWrt routers as managed switches) is a correct solution; the only (real) disadvantage would be the number of ports and convenience/ placement options.

Unfortunately I cannot connect these routers directly one after the other, neither can I just replace the switches with the routers.
The location won't work.
As said, I could get a direct connection from the main router to switch3, which sits somewhere in the middle. Can such one managed switch not serve all the other 3 routers?

Just for the VLAN enabling "one" guest network I don't think that changing all switches is worth the money.

Maybe one other possibility. Can I just setup a different guest (e.g guest2 and guest3) on the dumb APs? That would be an additional separate DHCP on each and not centrally managed, right?
Is that a possibility and if yes, could I use the guide for guest on dumbAP?

You would have two. Guest and Main. Once you understand vlans, you will expand the number quickly.

Vlan100 = main
Vlan200 = guest
Vlan300 = IOT
Vlan400 = private
Vlan500 = NAS
etc

A. Netgear GS305E is a five-port managed switch that is $19 USD x 3. Just buy all the same brand so you don't have to learn three different UIs and their weird VLAN GUI settings.
B. Find free gigabit routers that can be flashed with openwrt and run them as wired managed switches. e.g. anything broadcom based that has been abandoned should be easy to find for free. I know there are millions of Asus AC68U's being tossed away currently that run great as wired openwrt gigabit switches.
C. Redo your entire network with one central switch. Internet -> Gateway (openwrt router) -> 1 managed switch -> dumbAP's (openwrt routers).

It can be a bit confusing, but you can think of it like this:

  • In the path from the main router to any of the other routers, there must never be an unmanaged switch.
  • If you can, for example, get a direct connection from the main router to the middle switch and you replaced that with a managed model, that would certainly provide a path to router2 and router3 that never passes through an unmanaged switch. This would allow proper VLAN service to those routers and thus you can extend the guest network to those devices.
  • Router4, it seems, will always be running through at least one or two unmanaged switches, so in that case, you'd simply exclude that whole branch of the network from the guest network/VLANs.

Does that help?

Yes. That would be a good option. Of course, it does depend on how many ports you need. You might be able to get a 5 port switch for less, or a larger one if you need it.

Looks good I would say -> Yes, I can get a direct connection from the main router to that one switch in the middle and also could directly connect router 4 (on the roof) to that switch in the middle.
That means all routers can be connected to that (later managed) switch in the middle.
For my understanding

  • Can that managed one serve all routers connected each on different ports?
  • How many VLANs can be assigned to one port, what is the logic here?
  • Is it recommendable to use here an O-WRT router as "managed switch"?

OK. The 3 Cudy routers are now directly connected, all in a row: main router LAN port 1 to router 2 LAN port 1, from there LAN port 2 to router 3 LAN port 1.
Configured as shown above means following the official config documents.
All stable up and running.
On main router the guest network also stable up and running, following the config document.
Now I would like to push the guest to the other routers using VLAN.
I tried already to find some meaningful documentation but it looks like all different requirements.

Can you please support me setting up the VLANs in this more or less standard setup?
Or is there an official document I could use?

Great!

You can follow the DSA tutorial, but it might be easier for us to help directly.

We need to know the port numbers for each device that connects to/from the next/previous.

For example: main router port 1 > ap1 port 1: ap1 port 4 > ap2 port 1 and so on.

Then, post the network config file from each device.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

OK, MR means Main Router, AP means Access Point

MR port 1 > AP1 port 1
MR port 2 > AP3 port 1 (not yet directly connected, only one port, outdoor)
AP1 port 2 > AP2 port 1

MR

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'x'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option username 'x'
	option password 'x'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
AP1

root@Sissi:~# ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "x",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
root@Sissi:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'x'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.7'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.2.1'
	list dns '192.168.2.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option disabled '1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option disabled '1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
AP2

root@Tobi:~# ubus call system board
{
	"kernel": "6.6.86",
	"hostname": "x",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.1",
		"revision": "r28597-0425664679",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.1 r28597-0425664679",
		"builddate": "1744562312"
	}
}
root@Tobi:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'x'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.8'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.2.1'
	list dns '192.168.2.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option disabled '1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option disabled '1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
AP3 (Outdoor only one LAN port)

root@OWEAP225v3:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "OWEAP225v3",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link EAP225-Outdoor v3",
	"board_name": "tplink,eap225-outdoor-v3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "ath79/generic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}
root@OWEAP225v3:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'x'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.9'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.2.1'
	list dns '192.168.2.1'

Thanks for all the requested info.

This should be pretty straightforward....

On MR, add bridge VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:t'

Edit the lan interface to use br-lan.2:

config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

[EDIT: Fixed a critical typo -- I accidentally had the interface as lan.2 and device as br-lan in the above stanza. The way it appears now is the correct formulation (interface lan and device br-lan.2).]

Delete br-guest:

Edit the guest network to use br-lan.3:

config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

On AP 1, add bridge VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:t'

Edit the lan interface to use br-lan.2:

config interface 'lan'
	option device 'br-lan.2'
	option proto 'static'
	option ipaddr '192.168.2.7'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.2.1'
	list dns '192.168.2.1'

And add a new unmanaged interface for the guest network:

config interface 'guest'
	option proto 'none'
	option device 'br-lan.3'

On AP2, you'll make the same changes as you did for AP1 (IIRC, it's the same model device), except that you can omit port lan2 from the VLAN 3 bridge-vlan stanza.

Finally, on AP3, there are two possible ways to make this work... if the following doesn't work as expected, we'll take the other approach...

Add a new bridge:

config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'eth0.3'

And a new unmanaged network interface:

config interface 'guest'
	option device 'br-guest'
	option proto 'none'

Now, with all the APs, you can add an SSID for the guest network -- it should be the same SSID, passphrase, and encryption type for all of the APs such that devices roam from one AP to the next.

Reboot after making the changes and test. Let me know if you run into any issues.
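A consistency check for the bridge-vlan layout proposed above, as an added example that is not part of the original thread and not OpenWrt's own tooling. It parses UCI syntax, flags the interface/device slip mentioned in the EDIT note, an interface bound to a VLAN the bridge never defines, a port used in a bridge-vlan that is not a bridge member, and a port with more than one PVID, and compares what the two ends of a cable put on the wire (the MR lan1 <-> AP1 lan1 trunk). The sample configs are constructed to mirror the thread (lan3/lan4 omitted for brevity); `check_vlans` and `link_mismatch` are the assumed helper names.

```python
import re

# Constructed sample mirroring the MR layout proposed in the thread (lan3/lan4 omitted):
# VLAN 2 untagged and PVID on every port, VLAN 3 tagged only on the trunk ports lan1/lan2.
MR = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
config bridge-vlan
    option device 'br-lan'
    option vlan '2'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan1:t'
    list ports 'lan2:t'
config interface 'lan'
    option device 'br-lan.2'
    option ipaddr '192.168.2.1'
config interface 'guest'
    option device 'br-lan.3'
    option ipaddr '192.168.3.1'
"""
# AP1: same layout with its own address. AP2: lan2 is not a trunk, so it leaves VLAN 3.
AP1 = MR.replace("'192.168.2.1'", "'192.168.2.7'")
AP2 = AP1.replace("    list ports 'lan2:t'\n", "")
# The slip the thread's EDIT note describes: interface 'lan.2' bound to the plain br-lan.
MR_TYPO = MR.replace("config interface 'lan'\n    option device 'br-lan.2'",
                     "config interface 'lan.2'\n    option device 'br-lan'")

TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")   # quoted or bare UCI words

def parse_uci(text):
    """Parse UCI syntax into sections: {'type', 'name', 'opts': {k: v}, 'lists': {k: [v]}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        t = ["".join(m) for m in TOKEN.findall(line)]
        if t[0] == 'config' and len(t) > 1:
            cur = {'type': t[1], 'name': t[2] if len(t) > 2 else None, 'opts': {}, 'lists': {}}
            sections.append(cur)
        elif cur is not None and len(t) >= 3 and t[0] == 'option':
            cur['opts'][t[1]] = t[2]
        elif cur is not None and len(t) >= 3 and t[0] == 'list':
            cur['lists'].setdefault(t[1], []).append(t[2])
    return sections

def check_vlans(text):
    """Problems in a DSA bridge-vlan layout; an empty list means it is consistent."""
    secs = parse_uci(text)
    bridges = {s['opts'].get('name'): set(s['lists'].get('ports', []))
               for s in secs if s['type'] == 'device' and s['opts'].get('type') == 'bridge'}
    vlans, pvids, problems = {}, {}, []
    for s in secs:
        if s['type'] != 'bridge-vlan':
            continue
        br, vid = s['opts'].get('device'), s['opts'].get('vlan')
        vlans.setdefault(br, set()).add(vid)
        for spec in s['lists'].get('ports', []):
            port, _, flags = spec.partition(':')
            if port not in bridges.get(br, ()):
                problems.append(f"VLAN {vid}: port {port!r} is not a member of bridge {br!r}")
            if '*' in flags:   # '*' marks the PVID: untagged ingress frames land in this VLAN
                pvids.setdefault((br, port), []).append(vid)
    for (br, port), vids in pvids.items():
        if len(vids) > 1:
            problems.append(f"{br}/{port}: more than one PVID ({', '.join(vids)})")
    for s in secs:             # every interface must sit on a VLAN the bridge defines
        dev = s['opts'].get('device', '')
        base, _, vid = dev.rpartition('.')
        if s['type'] != 'interface' or not dev:
            continue
        if dev in vlans:       # plain bridge while it is VLAN-filtering: no IP on any VLAN
            problems.append(f"interface {s['name']!r}: uses {dev} directly, bind it to {dev}.<vlan>")
        elif base in vlans and vid not in vlans[base]:
            problems.append(f"interface {s['name']!r}: VLAN {vid} is not defined on {base}")
    return problems

def port_vlans(text, port):
    """What one port puts on the wire: ('t', vid) per tagged VLAN, ('u',) if it is untagged."""
    wire = set()
    for s in parse_uci(text):
        if s['type'] != 'bridge-vlan':
            continue
        for spec in s['lists'].get('ports', []):
            name, _, flags = spec.partition(':')
            if name == port:
                wire.add(('t', s['opts'].get('vlan')) if 't' in flags else ('u',))
    return wire

def link_mismatch(text_a, port_a, text_b, port_b):
    """VLANs carried by only one end of a cable; anything here breaks that link."""
    return port_vlans(text_a, port_a) ^ port_vlans(text_b, port_b)
```

On a live device, `check_vlans(open('/etc/config/network').read())` runs the same checks against the real file, and `link_mismatch` takes the two files from the two ends of a cable with their port names.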

Uuups - not working, network is completely down, no Internet.
No WLAN as well. PC is connected to AP1 and can open that IP as well as AP3 which is currently also connected to AP1.
Cannot open MR nor AP3.

Followed exactly your instructions.
Just rebooted the devices before adding the guest SSID to the APs.

What can I do now?

Let's start with reviewing the configs... are you able to reach the devices? If so, please post the network config files of each. And, critically, all of this is predicated on the fact that there are no unmanaged switches connected to any of the trunk ports (i.e. the ports that carry multiple VLANs)... please confirm that this is the case.

Can reach AP1 and AP3; for MR and AP2 I need to walk over and connect directly, no access via LAN.
And yes directly connected only managed devices, as described port1 and port1 on MR and AP1.
Let me collect the configs...
