I am renting an upstairs inlaw unit in a home and share the internet with the owners. The main router is ATT and providing subnet 192.168.1.x with gateway on 192.168.1.254. Years ago I ran a direct cable to the main router in the garage and installed a NG R3500U running OpenWRT to subnet my space to 192.168.10.x with router on 192.168.10.1 with my own wifi which has worked fine. Recently they upgraded to fiber internet with a BGW320-500 gateway and we now have a Gibit speeds coming into the home but the R3500U only has 10/100 ports. I want to replace the R3500U with an NG WAC104 running OpenWRT (latest version). I've got the firmware installed and runnng but the WAC104 is an AP only with 4 GBE ports so it is not plug-and-play like the R3500U which has a WAN port.
Following this guide Mini tutorial for DSA network config I have bridged the 4 ports on the WAC104 into two subnets. br-lan 192.168.1.x on ports 3/4 and br-home 192.168.10.x on ports 1/2 with both bridges set to LAN firewall. With the main gateway plugged into port 4 devices connected to port 3 get 192.168.1.x IPs via dhcp running on the main gateway and internet access. Devices plugged into port 1 or 2 get 192.168.10.x IPs via dhcp running on the WAC104 but no internet obviously.
The goal now is to just get the WAC104 working and to learn OpenWRT (coming from DD-WRT) and VLANs. The BGW320 supports IP passthrough or router-behind-router settings (they are there but not sure if they work) so the wider goal is to get a more powerful router behind the ATT gateway and VLAN the whole house with upstairs/downstairs VLANs, IOT and Guest wifi, etc. Landlord is willing to pay for it since their network is a hodgepodge of garbage and unreliable.
Step one in this process is to get my place working with the WAC104. Here are some questions that I have...
When I configure the 2 bridges on the WAC104 initially I tried to use P1/P2 for the main network (192.168.1.x) and P3/P4 as the subnet (192.168.10.x) but it didn't work, got locked out. I noticed that when configuring the bridges that P4 is listed in the drop down menu as "Ethernet Adapter Lan4" whereas the other 3 ports are listed as "Switch ports". I think the WAC104 ports are all behind an ethernet switch chip but that P4 is a special port to the switch chip. Can someone confirm and explain what that difference is and the consequences of that?
To get internet access to the br-home subnet can I just add a static route in the dhcp or firewall settings to the br-lan subnet?
The linked guide above also describes how to use VLANs to segment a network. I went with bridges because a) I don't understand VLANs (yet) and b) it would be handy to have an unused port on the WAC104 that gives me access to the gateway in the garage without unplugging it from my router. Based on searches here and elsewhere it is possible to configure the WAC104 with a VLAN based WAN port but the details are sketchy or over my head probably because I don't know VLANs but willing to learn but need some guidance.
Right now the radios are off but once I get the basic network functional I want to add Wifi (upstairs only, no guests). I believe that should be fairly simple as turning on the radios and adding them to the br-home but not sure about that or if there are other issues.
If I leave the WAC104 with 2 bridges for Main and Home is there a way to block Main IPs from access or logging into my router (other than just passwords)? Should I change the br-lan bridge to WAN firewall and how would the impact internet access and routing between the subnets?
Do I understand you correctly that you are making Dumb-AP / Wireless backhaul type setup?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I may misunderstand your network topology, but you don't seem to have defined a wan interface - just splitting the four ports into br-lan (lan[34]) and br-home (lan[12]). I don't think that's really your goal here.
Please clarify what you'd like each port to do, where 'the internet' is coming in - and where it should go to.
MT7621 is a tad marginal for routing at 1 GBit/s, yes it can do it with hardware flow-offloading, but only for the simple -offloaded- cases. It's not really the best choice here (filogic 830 or x86_64 would be).
The main ISP router is on 192.168.1.x with dhcp and gateway on 192.168.1.254 that has WAN access. I split the ports using br-lan so that P3/P4 get normal IPs and routing from the ISP router. I created br-home to subnet for my use with 192.168.10.x with the WAC104 running dhcp on that subnet. As mentioned, the bridges work for subnet creation and (broadcast) separation but no internet on 192.168.10.x yet. I believe (feel free to correct me if I am wrong) that WAN access can be given to subnet 192.168.10.x via 192.168.1.x with "old school" static routes defined in the WAC104. A picture is worth a thousand words so I will post a diagram tomorrow.
Also, my current router R3500U (running OpenWRT) doing the subnetting has a WAN port so it was easy to setup. However, it has a10/100 ethernet port bottleneck and the WAC104 had GBE ports so even if the WAC104 can't keep up it will still be a big improvement in my speeds. The WAC104 does not have a dedicated WAN port (it is sold as a 4P wireless access point) but I don't think that will matter as I think routing can be done via static routes or using VLANs which I want to learn anyway.
Add a gateway and dns to the lan interface above. Probably 192.168.1.254 for both.
Remove the lan network from the lan firewall zone.
Then add that lan network to the wan firewall zone.
(Alternatively, instead of moving the lan network from the lan to wan firewall zone, you could rename the lan network interface to wan - all lowercase).
This is ultimately what I did and it works. To recap the WAC104 is a dumb wireless access point with a 4p switch and no wan port. After a hard reset to defaults the Interfaces menu only shows 'lan' linked to br-lan device. So...
Step1: Remove lan1 from br-lan so lan1 can be used as the wan port.
Step4: On the interfaces page select Edit for the 'wan' interface. Select device 'lan1' port freed up in step1. I left the interface on DHCP so it gets IP/routing info from the main gateway/router.
Step6: In the Wireless menu I enabled radio1 (5Ghz only), then clicked on edit button to configure Wifi. When active the radio is automatically linked to 'lan'
Plug the upstream gateway into Lan Port 1 and Save & Apply and it should work when it comes back up. If not try a power cycle or disable/enable your NIC.
I posted all the steps because I found it very frustrating not to find detailed steps on how to do the simplest things. Most posts assume a lot of knowledge (which is understandable) or are answering a similar but not quite the same goal or the same goal on different hardware. I found that the differences between DSA -v- non-DSA, Luci -v- UCI setup, routing -v- vlan to be very confusing and often not explicitly declared. I'll post some additional info/comments below when I get the time. But for now it is working and the speeds are much improved with GBE ports instead of 10/100 ports. Thank you.
