I am renting an upstairs in-law unit in a home and share the internet with the owners. The main router is ATT and providing subnet 192.168.1.x with gateway on 192.168.1.254. Years ago I ran a direct cable to the main router in the garage and installed a NG R3500U running OpenWRT to subnet my space to 192.168.10.x with router on 192.168.10.1 with my own wifi which has worked fine. Recently they upgraded to fiber internet with a BGW320-500 gateway and we now have Gigabit speeds coming into the home but the R3500U only has 10/100 ports. I want to replace the R3500U with an NG WAC104 running OpenWRT (latest version). I've got the firmware installed and running but the WAC104 is an AP only with 4 GBE ports so it is not plug-and-play like the R3500U which has a WAN port.
Following this guide Mini tutorial for DSA network config I have bridged the 4 ports on the WAC104 into two subnets. br-lan 192.168.1.x on ports 3/4 and br-home 192.168.10.x on ports 1/2 with both bridges set to LAN firewall. With the main gateway plugged into port 4 devices connected to port 3 get 192.168.1.x IPs via dhcp running on the main gateway and internet access. Devices plugged into port 1 or 2 get 192.168.10.x IPs via dhcp running on the WAC104 but no internet obviously.
The goal now is to just get the WAC104 working and to learn OpenWRT (coming from DD-WRT) and VLANs. The BGW320 supports IP passthrough or router-behind-router settings (they are there but not sure if they work) so the wider goal is to get a more powerful router behind the ATT gateway and VLAN the whole house with upstairs/downstairs VLANs, IOT and Guest wifi, etc. Landlord is willing to pay for it since their network is a hodgepodge of garbage and unreliable.
Step one in this process is to get my place working with the WAC104. Here are some questions that I have...
When I configure the 2 bridges on the WAC104 initially I tried to use P1/P2 for the main network (192.168.1.x) and P3/P4 as the subnet (192.168.10.x) but it didn't work, got locked out. I noticed that when configuring the bridges that P4 is listed in the drop down menu as "Ethernet Adapter Lan4" whereas the other 3 ports are listed as "Switch ports". I think the WAC104 ports are all behind an ethernet switch chip but that P4 is a special port to the switch chip. Can someone confirm and explain what that difference is and the consequences of that?
To get internet access to the br-home subnet can I just add a static route in the dhcp or firewall settings to the br-lan subnet?
The linked guide above also describes how to use VLANs to segment a network. I went with bridges because a) I don't understand VLANs (yet) and b) it would be handy to have an unused port on the WAC104 that gives me access to the gateway in the garage without unplugging it from my router. Based on searches here and elsewhere it is possible to configure the WAC104 with a VLAN based WAN port but the details are sketchy or over my head probably because I don't know VLANs but willing to learn but need some guidance.
Right now the radios are off but once I get the basic network functional I want to add Wifi (upstairs only, no guests). I believe that should be fairly simple as turning on the radios and adding them to the br-home but not sure about that or if there are other issues.
If I leave the WAC104 with 2 bridges for Main and Home is there a way to block Main IPs from access or logging into my router (other than just passwords)? Should I change the br-lan bridge to WAN firewall and how would that impact internet access and routing between the subnets?
Do I understand you correctly that you are making Dumb-AP / Wireless backhaul type setup?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I may misunderstand your network topology, but you don't seem to have defined a wan interface - just splitting the four ports into br-lan (lan[34]) and br-home (lan[12]). I don't think that's really your goal here.
Please clarify what you'd like each port to do, where 'the internet' is coming in - and where it should go to.
MT7621 is a tad marginal for routing at 1 GBit/s, yes it can do it with hardware flow-offloading, but only for the simple -offloaded- cases. It's not really the best choice here (filogic 830 or x86_64 would be).
The main ISP router is on 192.168.1.x with dhcp and gateway on 192.168.1.254 that has WAN access. I split the ports using br-lan so that P3/P4 get normal IPs and routing from the ISP router. I created br-home to subnet for my use with 192.168.10.x with the WAC104 running dhcp on that subnet. As mentioned, the bridges work for subnet creation and (broadcast) separation but no internet on 192.168.10.x yet. I believe (feel free to correct me if I am wrong) that WAN access can be given to subnet 192.168.10.x via 192.168.1.x with "old school" static routes defined in the WAC104. A picture is worth a thousand words so I will post a diagram tomorrow.
Also, my current router R3500U (running OpenWRT) doing the subnetting has a WAN port so it was easy to set up. However, it has a 10/100 ethernet port bottleneck and the WAC104 has GBE ports so even if the WAC104 can't keep up it will still be a big improvement in my speeds. The WAC104 does not have a dedicated WAN port (it is sold as a 4P wireless access point) but I don't think that will matter as I think routing can be done via static routes or using VLANs which I want to learn anyway.
Add a gateway and dns to the lan interface above. Probably 192.168.1.254 for both.
Remove the lan network from the lan firewall zone.
Then add that lan network to the wan firewall zone.
(Alternatively, instead of moving the lan network from the lan to wan firewall zone, you could rename the lan network interface to wan - all lowercase).
This is ultimately what I did and it works. To recap the WAC104 is a dumb wireless access point with a 4p switch and no wan port. After a hard reset to defaults the Interfaces menu only shows 'lan' linked to br-lan device. So...
Step1: Remove lan1 from br-lan so lan1 can be used as the wan port.
Step4: On the interfaces page select Edit for the 'wan' interface. Select device 'lan1' port freed up in step1. I left the interface on DHCP so it gets IP/routing info from the main gateway/router.
Step6: In the Wireless menu I enabled radio1 (5GHz only), then clicked on the edit button to configure Wifi. When active the radio is automatically linked to 'lan'.
Plug the upstream gateway into Lan Port 1 and Save & Apply and it should work when it comes back up. If not try a power cycle or disable/enable your NIC.
I posted all the steps because I found it very frustrating not to find detailed steps on how to do the simplest things. Most posts assume a lot of knowledge (which is understandable) or are answering a similar but not quite the same goal or the same goal on different hardware. I found that the differences between DSA -v- non-DSA, Luci -v- UCI setup, routing -v- vlan to be very confusing and often not explicitly declared. I'll post some additional info/comments below when I get the time. But for now it is working and the speeds are much improved with GBE ports instead of 10/100 ports. Thank you.
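The zone move suggested in the thread also bears on the earlier question about keeping 192.168.1.x hosts off the router: what a network may reach on the router itself is decided by the `input` policy of the firewall zone it belongs to. As an added example (not code from the thread or from the OpenWrt project), this script reads zone definitions in `/etc/config/firewall` syntax and reports the zone and input policy for a given network; the interface name `home` and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: print "<zone> <input policy>" for the firewall zone that
# contains network $1. Reads /etc/config/firewall syntax on stdin.
zone_input_for() {
    awk -v net="$1" -v q="'" '
        function emit() { if (hit) print name, (input == "" ? "unset" : input) }
        { gsub("[" q "\"]", "") }                      # drop UCI quoting
        $1 == "config" { emit(); inzone = ($2 == "zone"); hit = 0; name = input = ""; next }
        !inzone         { next }
        $2 == "name"    { name = $3 }
        $2 == "input"   { input = $3 }
        $2 == "network" { for (i = 3; i <= NF; i++) if ($i == net) hit = 1 }
        END { emit() }
    '
}

# Constructed sample: both bridges in the lan zone, as in the first post.
# Here 'lan' is the upstream 192.168.1.x side and 'home' is 192.168.10.x.
sample_before() { cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	list network 'home'
	option input 'ACCEPT'
EOF
}

# Constructed sample: upstream interface named 'wan' and placed in a wan zone
# (REJECT input is an assumed policy; check your own file).
sample_after() { cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'
EOF
}

echo "before, upstream side: $(sample_before | zone_input_for lan)"
echo "after,  upstream side: $(sample_after | zone_input_for wan)"
```

On the router, run `zone_input_for wan < /etc/config/firewall`; an upstream network that reports `ACCEPT` means hosts on that side can reach the router's own services such as LuCI and SSH.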
Things I learned enroute to learning other things...
Just to be clear this is a layer3/router solution to subnetting, i.e. no layer2/vlan packet routing involved. I tried implementing the vlan bridging method in the linked post in my first post but I didn't get very far. Activating vlan filtering just got me locked out so I still need to learn how that works. I still have the R3500U with OpenWRT so I'll use that as my test device to figure out vlanning.
Using 'wan' (lower case) for the WAN port seems to be a key tip that automagically links the two subnets without adding static routes & etc. I will probably examine the CAT files to understand what is going on "under the hood". I think there is also some default/implicit programming/routing regarding turning on the radio/wifi which was automatically linked to br-lan. I'd like to learn the details of how that works for more complicated setups.
Speeds coming into the home are 800-900mbps symmetric Up/Down. While testing the speeds I discovered that two of my ethernet cables were bad. Fun times. I didn't mention it in my reply to @psherman but I first tried using Port/lan4 as the WAN port and it worked but speeds were capped at 250mbps so I moved the WAN port to Port/lan1 as described and get around 400mbps U/D on ports 2 and 3. Port 4 is still capped at 250mbps and I suspect it has something to do with how that is connected to the CPU/Switch-chip. As mentioned in my original post, ports 1-3 are just labeled lan1, lan2, lan3 in devices but port 4 is labeled "Ethernet Adapter Lan4" so something is different about port 4. I noticed when testing download speeds on port 4 that "jitter" was >20ms (<5ms on all other ports) so I suspect it has something to do with bufferbloat but would love to know what is special about port4 that is causing that. Anyone?
I think the WAC104 is 800MHz CPU and I've been reading posts on hardware that can keep up with a 1Gb WAN and that isn't enough as @slh mentioned. I'm going to try to convert to a vlan packet routing and see if that makes a difference, maybe lessening the load on the CPU.
In any case, the speeds upstairs are much improved not being stuck behind 10/100 ports on the R3500U so the project is a success and my next step is to learn to vlan. Hopefully this post helps others just coming to OpenWRT and learning how vlans work. Thanks for all the help.