Wifi on wan interface only

Hi, I am trying to have the wifi on an OpenWRT router linked to the upstream wan network, without interference with the lan network. My setup is maybe a bit unusual:

  • Upstream network is a provider modem, wired to my OpenWRT router on the 'Internet' port. The modem serves DHCP addresses, let's say the modem address is 192.168.1.1 and my openwrt router gets 192.168.1.2 on its wan interface

  • The OpenWrt router has a wireguard interface acting as a "client" to an internet vpn provider. It is also doing policy-based routing using the pbr package, with a pretty standard setup (openwrt, wireguard and pbr setup are basically standard installation and they work really great). On pbr side, default gateway is wan and some policies exist to route specific traffic through the vpn.

  • Some velop APs are used in Bridge mode because they provide an easy wireless mesh solution... OpenWRT wireless was disabled up until now
    This is a schema of the current situation:

  • Now, I would like to use OpenWRT's wireless and basically use it as a sort of "Dumb AP", but I want it to bridge the wan side of the network, without interfering with the current lan setup of the OpenWRT router. I want the clients of this new wifi network to not go through the policy-routing basically... this is for a few reasons: guests, having a failover in case something is wrong with the policies, etc..
    The ideal situation would look like this:

Is this possible? I naively tried to go to the wireless settings, and change the network of the wifi from lan to wan... but of course it didn't work

Any ideas how I would achieve this? Many thanks for reading this far ^^

You need to bridge the wan and the wireless interface, e.g.

config device
        option type 'bridge'
        option name 'br-wan'
        list ports 'wan'

config interface 'wan'
        option device 'br-wan'
        ...

Thank you so much for your answer, I will try to configure it this evening and post the results. Is there any chance there's a detailed guide/doc somewhere I can follow? Otherwise I'll try my best and post back ^^ Thanks!

It is pretty straightforward.

Assuming the device is a DSA.

LuCI->Network->Devices->Add device...

Then edit the wan interface by changing its device from wan to br-wan.

If your device cannot handle two bridges at the same time, you will need to switch to bridge VLAN filtering.

I didn't know about DSA ^^ The openwrt router is a WRT1900ac with Openwrt v24 (recently flashed). Thank you for all the help, will try this evening as soon as I'm back home and report back

Then edit the wan interface by changing its device from wan to br-wan

Shouldn't I change something also on the wireless settings? Or just set its Network back as attached to wan instead of lan (like I first tried to do)?

That's it.

Sorry for the late reply, I couldn't play with it during the long weekend.
So it worked, I just added a MAC address (same as wan device) and a 1500 MTU when configuring the new device (don't know if it was really needed though).
The only thing is, it took me a minute because I didn't realize I would lose access to the OpenWRT router web UI :) Since my wifi-connected laptop is now on the 192.168.1.X subnet, it appears it doesn't know how to do routing to the 192.168.5.X subnet, which is logical and what I basically asked for.. Would you please know if it's possible to add a route to have a device connected to this wifi able to reach the 192.168.5.X subnet?
I'm sorry if I'm asking something basic again, I'm not really comfortable with networking (yet).
Thank you again for your help, really

Plug in via Ethernet (to one of the lan ports) and you should be able to regain access.

If the upstream network is fully trusted, you can simply set the wan firewall zone’s input rule to accept and it will allow you to reach the device via the address it holds on the upstream network (i.e. the wan interface of the openwrt device). Note: never do this if the upstream network is not trusted.

If you want to be able to route symmetrically between the two networks (in other words, regular hosts on each of the networks talking to each other), this will depend on your upstream router having the ability to set static routes.
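Added example, not part of the original thread: a narrower alternative to setting the wan zone's input to accept. With the wifi bridged into br-wan, an open wan zone exposes the router's services to every wifi client and every host behind the modem, so this fragment keeps the zone closed and admits only admin traffic from one host. The rule name, the laptop address 192.168.1.50 and the ports are assumptions.

```conf
# /etc/config/firewall (fragment). Added example; addresses and ports are assumed.

# Weak: opens every service on the router to the whole upstream segment,
# including clients of the wifi that is now bridged into br-wan.
#config zone
#	option name 'wan'
#	list network 'wan'
#	option input 'ACCEPT'

# Narrower: the wan zone stays closed to unsolicited input.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# A rule with 'src' and no 'dest' applies to traffic addressed to the router itself.
config rule
	option name 'Allow-Admin-From-Upstream'
	option src 'wan'
	# Constructed address of the admin laptop on the 192.168.1.X subnet.
	option src_ip '192.168.1.50'
	option proto 'tcp'
	# Assumed services: SSH on 22, LuCI over HTTPS on 443.
	option dest_port '22 443'
	option target 'ACCEPT'
```

The admin laptop needs a fixed address on the upstream subnet for the src_ip match to keep working, since the modem hands out leases the router does not control.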

Plugging to Ethernet does indeed give me back access to Openwrt web UI, as I’m now in the .5.X subnet.

Upstream is what seems to be a basic Nokia fiber modem with no wifi, I assume with basic router features. I don’t have admin access to it, so not sure if we can consider it trustworthy? So also no possibility of setting a static route on it..

I’m ready to do the change on the firewall on Openwrt side as suggested, but just for curiosity is there a way to set a permanent static route on the Openwrt router in this particular situation ?

Static routes on openwrt don’t help you with access to the admin features (ssh, LuCI web interface). And openwrt will already be aware of both the upstream and downstream networks so masquerading on the wan (upstream) interface allows normal routing from the openwrt side. If you want to route from the upstream network to the one behind the openwrt router, the upstream router is the one that needs the static route.

OK, got it. Thank you all for all the help
