OpenWrt Forum Archive

Topic: A complex question about routing and several different connections.

The content of this topic has been archived on 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Ok, it'll be hard for me to explain what I require. But I'll try.

I have three routers at my home.

First one is my ISP's router and I have to use it to connect to my ISP ( to my chagrin ). It is a very bad router and it doesn't even have a regular DHCP which I could pair MAC ID to internal IP. Also after 30 entries you cannot open any more ports... But as I said at the start it's required for me to connect to ISP.

Next, I have two routers with OpenWRT. Buffalo and Netgear 3700.. Couldn't remember model number on Buffalo right now but it's the same chipset as Netgear with a little more space.

So, I configured both as Dumb AP following the tutorials online and it works.. I would post my config in here but I don't think you'll need it, it's the same as Dumb AP tutorial, very generic.

What I want is a little more complex..

Here are what I want from my network:

  • I want to use one of my openwrt routers as DHCP server.

  • I want to connect via OpenVPN to another server on the internet and give access as one of the LAN ports or WiFi AP

  • I want to connect to TOR and give access as one of the LAN ports or WiFi AP ( This, especially for WiFi )

---

Ok, first one I tried. While it's possible to have a DHCP server on my OpenWRT routers, I needed to disable DHCP server on the main router. Is it not possible to have two DHCP servers on the same network giving different range IPs or do I have to create different VLANs to have what I need.

---

My second question is, if it's possible to connect to OpenVPN via a config file ( which will have everything needed to automatically connect ) and give this connection as a port on the router or better a WiFi access point different than Internet AP.

---

My third question is about the same thing as OpenVPN, but with TOR. I did see something like that integrated in one of the compiled Netgear firmwares but when I switched to DumbAP it didn't work. Maybe it needed a direct connection or something but I couldn't find how I could make it work.

---

So these are my three questions, if you could help me on any one of them I would be grateful.

plato wrote:

Ok, first one I tried. While it's possible to have a DHCP server on my OpenWRT routers, I needed to disable DHCP server on the main router. Is it not possible to have two DHCP servers on the same network giving different range IPs or do I have to create different VLANs to have what I need.

You have to disable the DHCP on the ISP router, and enable it on one of your OpenWrt devices. Be careful to configure it properly (should not announce itself as a gateway, for example).

plato wrote:

My second question is, if it's possible to connect to OpenVPN via a config file ( which will have everything needed to automatically connect ) and give this connection as a port on the router or better a WiFi access point different than Internet AP.

Yes, many people do that, and there is a ton of guides on how to do it, just google for "openwrt openvpn guest ap" and similar terms.

plato wrote:

My third question is about the same thing as OpenVPN, but with TOR. I did see something like that integrated in one of the compiled Netgear firmwares but when I switched to DumbAP it didn't work. Maybe it needed a direct connection or something but I couldn't find how I could make it work.

Neither TOR nor VPN will work like that in a pure "dumb AP" configuration, because packets go directly from the clients to the main router; you should follow the "guest AP" recipe or similar first.

for openVPN and TOR as you said dumb AP would not work.. Is it because we have to disable firewall ( iptables ) to configure it? Is it not possible that firewall + dumb AP would work together?

What about guest AP, is it possible to configure guest AP and dumb AP in the same router ( multiple WLANs )?

Also is it not possible to route some traffic to openvpn server but otherwise still work in current network?

for example:

gateway: 192.168.1.1
dhcp server: 192.168.1.100 ( OpenWRT )
openvpn client ip: 172.x.x.x ( just made it up )

so route almost all of the traffic to the gateway, and only route some ip segments to openvpn client... I know with route command in config it's possible for the openvpn client.

But it should be in the same network. I mean guest AP should access to LAN resources also. ( not actually guest of course, just mixed vpn/lan )

Hey there.

The easiest way would probably be to set up one of your OpenWRT routers not as Dumb AP but as regular router. 
Of course you *can* use OpenWRT as DHCP server and Wifi to advertise stuff but your ISP router as default gateway for all clients. But when it comes to routing, firewall rules, port forwarding and nearly every configuration interface I know, making the ISP router as dumb as possible and using it only as nearly unconfigured upstream rj45 link is probably the best bet.

Use the WAN port of your OpenWRT router to connect to your ISP router. Enable NAT on OpenWRT's WAN port. Since that's the default, I'd better say "keep NAT enabled". Make sure your OpenWRT network uses a different IP range than your ISP's router uses, like 192.168.1.0/24 for your ISP router, 192.168.100.0/24 for your OpenWRT router, 192.168.100.1 for your OpenWRT as internal address, 192.168.1.whatever as your OpenWRT's WAN address assigned through DHCP by your ISP.
The one remaining Dumb AP can stay as it is, just make sure it's connected to your OpenWRT router, not to your ISP router.

Go to your ISP router and enable port forwarding for each and every port to your OpenWRT router. Most routers allow to forward an entire range, so try to forward "1 - 65535" as a single forward rule.

Now you can set up VPN and Tor as you like and add routing to your OpenWRT.

You *could* adjust the DHCP server to advertise routing through DHCP. DHCP options 121 and 249. Both aim to do basically the same, but better configure them both equally. Something like this:

config 'dnsmasq'
        list 'dhcp_option' '121,172.0.0.0/24,192.168.1.100,172.0.1.0/24,192.168.1.200'
        list 'dhcp_option' '249,172.0.0.0/24,192.168.1.100,172.0.1.0/24,192.168.1.200'

This advertises routes for 172.0.0.0/24 via router 192.168.1.100 and 172.0.1.0/24 via router 192.168.1.200.
But I wouldn't do that unless you're absolutely certain. Once a client accepted a route via DHCP, there's no mechanism for the DHCP server to revoke such a route. So if you decide one route should be slightly different, you need to either "route del" them from your clients manually or reboot all your clients.

If you're advertising local route to a storage network connected by 1GE or 10GE that's totally worth it, but if you're only advertising remote VPN connections with only a couple of MBit, one additional hop in your local network doesn't cost too much overhead so staying with not exposing the route to the client but letting the default gateway handle the routing is most likely the better way.

Regards,
Stephan.
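
The route list in the dhcp_option lines above, turned into the bytes a client receives in option 121 (RFC 3442; option 249 carries the same layout) and decoded back, so an advertised route set can be compared with what a captured DHCP offer contains. This is an added example, not part of the original post; the function names are hypothetical and only the option value is taken from the post.

```python
import ipaddress

# Option value copied from the dhcp_option line in the post above.
DNSMASQ_VALUE = "121,172.0.0.0/24,192.168.1.100,172.0.1.0/24,192.168.1.200"

def parse_dnsmasq_routes(value):
    """Split 'code,dest/len,router,...' into (code, [(network, router), ...])."""
    fields = [f.strip() for f in value.split(",")]
    code, rest = int(fields[0]), fields[1:]
    if code not in (121, 249):
        raise ValueError("not a classless static route option: %d" % code)
    if not rest or len(rest) % 2:
        raise ValueError("routes must be destination,router pairs")
    # strict=True rejects destinations with host bits set, e.g. 172.0.0.5/24
    return code, [(ipaddress.IPv4Network(d, strict=True), ipaddress.IPv4Address(r))
                  for d, r in zip(rest[0::2], rest[1::2])]

def encode_routes(routes):
    """RFC 3442 payload: prefix length, significant destination octets, router."""
    out = bytearray()
    for net, router in routes:
        out.append(net.prefixlen)
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += router.packed
    return bytes(out)

def decode_routes(payload):
    """Inverse of encode_routes; raises ValueError on malformed or truncated data."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError("invalid prefix length %d" % prefixlen)
        significant = (prefixlen + 7) // 8
        end = i + 1 + significant + 4
        if end > len(payload):
            raise ValueError("truncated route entry at offset %d" % i)
        dest = payload[i + 1:i + 1 + significant] + bytes(4 - significant)
        routes.append((ipaddress.IPv4Network((dest, prefixlen), strict=False),
                       ipaddress.IPv4Address(payload[end - 4:end])))
        i = end
    return routes

def has_default_route(routes):
    """True if 0.0.0.0/0 is in the list (see the note below on option 3)."""
    return any(net.prefixlen == 0 for net, _ in routes)
```

RFC 3442 requires a client that receives option 121 to ignore the Router option (option 3), so a route list without 0.0.0.0/0, like the one above, can leave such clients without a default gateway; has_default_route() flags that case.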

plato wrote:

for openVPN and TOR as you said dumb AP would not work.. Is it because we have to disable firewall ( iptables ) to configure it? Is it not possible that firewall + dumb AP would work together?

In "dumb AP" mode, traffic goes directly from the wireless clients to the main router, neither the firewall nor the routing configuration in the device plays any role, they do not even "see" the packets.

plato wrote:

What about guest AP, is it possible to configure guest AP and dumb AP in the same router ( multiple WLANs )?

Yes, it is possible; and you could redirect the traffic through TOR or the VPN.

plato wrote:

Also is it not possible to route some traffic to openvpn server but otherwise still work in current network?

for example:

gateway: 192.168.1.1
dhcp server: 192.168.1.100 ( OpenWRT )
openvpn client ip: 172.x.x.x ( just made it up )

so route almost all of the traffic to the gateway, and only route some ip segments to openvpn client... I know with route command in config it's possible for the openvpn client.

But it should be in the same network. I mean guest AP should access to LAN resources also. ( not actually guest of course, just mixed vpn/lan )

Yes, that seems possible.
