Topic: Routed AP on TP-Link WA901N(D) v2

This is my configuration for a routed AP for a TP-Link WA901N or WA901ND where the ethernet port IP address is assigned by another DHCP server.

You might want this configuration if you want to filter traffic between the wlan on the WA901 and the rest of the network. I specifically wanted this so that my kids' internet devices (iPod, tablet, phone, etc.) would resolve their DNS using dnsmasq (as a caching server) on the router and then OpenDNS. I've configured OpenDNS to prevent resolving inappropriate site domains.

The idea is that you add this router to your existing network and configure all the kids' devices to use this router for internet access. Because the router acquires its IP address from your existing DHCP server, there should be no additional configuration to do.

You may find it *hard* to locate the router on your network unless you can detect the IP address that it has been assigned. If that's problematic, then boot the router in failsafe mode, attach a computer to it with a fixed 192.168.1.2 IP address, telnet in, and mount the file system. Make your changes and reboot. (See http://wiki.openwrt.org/doc/howto/generic.failsafe for more info)

/etc/config/network

# /etc/config/network for the routed AP: the ethernet side is a DHCP client
# on the existing network, the wlan side is its own static subnet.

# loopback interface (stock OpenWrt default)
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'


# ip address allocated by another DHCP server
# 'lan' is the ethernet port. The firewall 'lan' zone (masq '1') NATs the
# wlan subnet behind whatever address this interface is leased.
config interface 'lan'
    option ifname 'eth0'
    option type 'bridge'
    option proto 'dhcp'

# for a fixed IP for the ethernet port use these settings instead
# UNCOMMENT these and comment the block above
# (pick an address that is free on the existing network and outside its
#  DHCP pool; 192.168.1.1 is only an example)
#config interface 'lan'
#    option ifname 'eth0'
#    option type 'bridge'
#    option proto 'static'
#    option ipaddr '192.168.1.1'
#    option netmask '255.255.255.0'

# separate subnet for the wlan clients
# No ifname here: the wifi-iface in /etc/config/wireless attaches to this
# interface through "option network 'wifi'". Quoted option names are
# accepted by uci; the other sections use the unquoted form.
config interface 'wifi'
    option 'proto' 'static'
    option 'ipaddr' '192.168.11.1'
    option 'netmask' '255.255.255.0'

/etc/config/dhcp

# /etc/config/dhcp: dnsmasq is the caching resolver and DHCP server for the
# wlan subnet and forwards to OpenDNS, where the content filtering lives.
config dnsmasq
# domainneeded/boguspriv: never forward plain hostnames or reverse lookups
# for private ranges upstream.
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
# rebind_protection: drop upstream answers that point at private address
# ranges (DNS rebinding defence); rebind_localhost still allows 127.0.0.0/8.
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
# NOTE(review): resolv.conf.auto holds the resolvers the 'lan' DHCP client
# was handed, and dnsmasq uses those *in addition to* the servers listed
# below, so some queries never reach OpenDNS and are not filtered. To use
# only the listed servers add:  option noresolv '1'
    option resolvfile '/tmp/resolv.conf.auto'
#resolve using OpenDNS servers
    list server '208.67.220.220'
    list server '208.67.222.222'

# Pool for the wlan clients: start + limit gives 192.168.11.100 - .249.
config dhcp 'wifi'
    option interface 'wifi'
    option start '100'
    option limit '150'
    option leasetime '1h'

# Stock default. No interface named 'wan' exists in /etc/config/network
# above, so this section is inert here.
config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

/etc/config/wireless

# /etc/config/wireless: one 2.4 GHz radio with a single AP SSID that is
# attached to the 'wifi' interface (own subnet) rather than to 'lan'.
config wifi-device 'radio0'
    option type 'mac80211'
# macaddr is this poster's radio; on your unit keep the value the firmware
# generated rather than copying this one.
    option macaddr 'b0:48:7a:ea:7d:66'
    option hwmode '11ng'
    option htmode 'HT20'
    list ht_capab 'SHORT-GI-40'
    list ht_capab 'DSSS_CCK-40'
    option channel '6'
#set the txpower and country according to where you are
# (txpower is in dBm and must stay within the regulatory limit for 'country')
    option txpower '27'
    option country 'US'

# The AP. "network 'wifi'" puts clients on 192.168.11.0/24 behind the
# firewall's 'wifi' zone. psk2 = WPA2-PSK; the key below is clearly a sample
# value, use a long random passphrase.
config wifi-iface
    option device 'radio0'
    option network 'wifi'
    option mode 'ap'
    option ssid 'WA901N'
    option encryption 'psk2'
    option key 'xyz1234abc'

/etc/config/firewall

# /etc/config/firewall for the routed AP. Two zones: 'lan' is the ethernet
# side (the existing network), 'wifi' is the kids' subnet. A zone's 'input'
# policy applies to traffic addressed to the router itself, 'forward' to
# traffic between zones; the forwarding sections open specific zone pairs.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

# NOTE(review): input 'REJECT' here also blocks LuCI and ssh from the
# ethernet side; the follow-up in this thread changes it to ACCEPT.
# masq '1' NATs the 192.168.11.0/24 clients behind the DHCP-assigned lan
# address, so the existing network only ever sees the AP's own address.
config zone
option name 'lan'
option network 'lan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

# NOTE(review): input 'ACCEPT' lets the kids' devices reach LuCI/ssh on
# this AP. Prefer input 'REJECT' here: the last two rules in this file
# already allow DNS (53) and DHCP (67-68) from 'wifi' to the AP, which is
# all the clients need, and they are redundant while this stays ACCEPT.
# No 'network' option is set; fw3 then falls back to the zone name, which
# matches the 'wifi' interface in /etc/config/network.
config zone
option name 'wifi'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

# wifi -> lan: clients reach the existing network and, through it, the
# internet. Nothing here forces them to use the AP's dnsmasq: a client
# configured with its own resolver bypasses the OpenDNS filtering. To pin
# them to the AP's resolver, add a rule such as:
#   config rule
#   option src 'wifi'
#   option dest 'lan'
#   option proto 'tcpudp'
#   option dest_port '53'
#   option target 'REJECT'
config forwarding
option src 'wifi'
option dest 'lan'

# lan -> wifi: every host on the existing network may reach the kids'
# devices. Drop this section if that is not wanted.
config forwarding
option src 'lan'
option dest 'wifi'

# Needed because 'lan' is a DHCP client: accept lease offers and renewals.
config rule
option name 'Allow-DHCP-Renew'
option src 'lan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

# Stock OpenWrt defaults for the ethernet side: ping, DHCPv6 and the
# ICMPv6 types IPv6 needs to function.
config rule
option name 'Allow-Ping'
option src 'lan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'lan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'lan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'lan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# DNS from the wlan clients to the AP's dnsmasq. Only acts as an exception
# once the 'wifi' zone input is REJECT.
config rule
option src 'wifi'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'

# DHCP from the wlan clients to the AP (same remark as above).
config rule
option src 'wifi'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'

# Hand-written iptables rules, if any, go in this file.
config include
option path '/etc/firewall.user'

Please be aware that these may not be the best settings, as I know practically jack about networking, but you might find them useful nonetheless.

Re: Routed AP on TP-Link WA901N(D) v2

There's an error in the firewall rules which will stop you from accessing LuCI (the web GUI) or ssh'ing into the router after you apply these settings.

Just change the firewall lan zone input setting from REJECT to ACCEPT

config zone
option name 'lan'
option network 'lan'
option input 'REJECT'
...

to

config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
...

The complete firewall rules are:

# /etc/config/firewall with the lan zone input corrected to ACCEPT so that
# LuCI and ssh stay reachable from the ethernet side. Zone 'input' governs
# traffic to the router itself, 'forward' traffic between zones.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

# input 'ACCEPT' exposes the AP's admin interfaces to the whole existing
# network; that is the intent here (it is the trusted side). masq '1' NATs
# the 192.168.11.0/24 clients behind the DHCP-assigned lan address.
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

# NOTE(review): this zone should be input 'REJECT', not ACCEPT, otherwise
# the kids' devices can reach LuCI/ssh on the AP. The two rules at the end
# of this file already allow the DNS (53) and DHCP (67-68) the clients need;
# they are redundant while this stays ACCEPT. Without a 'network' option
# fw3 falls back to the zone name, which matches the 'wifi' interface.
config zone
option name 'wifi'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

# wifi -> lan: clients reach the existing network and the internet. A
# client that uses its own resolver bypasses the OpenDNS filtering; a rule
# with src 'wifi', dest 'lan', proto 'tcpudp', dest_port '53' and target
# 'REJECT' would pin them to the AP's dnsmasq.
config forwarding
option src 'wifi'
option dest 'lan'

# lan -> wifi: hosts on the existing network may reach the kids' devices.
config forwarding
option src 'lan'
option dest 'wifi'

# Needed because 'lan' is a DHCP client: accept lease offers and renewals.
config rule
option name 'Allow-DHCP-Renew'
option src 'lan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

# Stock OpenWrt defaults for the ethernet side: ping, DHCPv6 and the
# ICMPv6 types IPv6 needs to function.
config rule
option name 'Allow-Ping'
option src 'lan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'lan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'lan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'lan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# DNS and DHCP from the wlan clients to the AP. These only matter as
# exceptions once the 'wifi' zone input is REJECT.
config rule
option src 'wifi'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'

config rule
option src 'wifi'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'

# Hand-written iptables rules, if any, go in this file.
config include
option path '/etc/firewall.user'

Re: Routed AP on TP-Link WA901N(D) v2

I am not a network person and I am an OpenWrt noob. Sorry to post on this old thread, but I could use the help, and after searching online for days this is all I could come up with. I am trying to implement a similar configuration to the OP on a WNDR3700v2.

I have been reading posts for days and I can't figure this problem out. I set up #1 and #2 by following the guest-wlan instructions. The Routed AP instructions aren't making sense to me and I'm getting confused on how to keep my config for #1 and #2 like it's working now plus have #3 as a Routed AP.

In my configuration I want to have:

1) wifi for adults WPA/WPA2 mixed (not through OpenDNS)
2) wifi for kids WPA/WPA2 mixed (through OpenDNS)
3) wifi for adults with WEP Shared Key (not through OpenDNS)

I don't really care if the devices on the three wifis can talk to each other.

I have a dynamic IP through Comcast. I currently have the first two wifis working.

I have tried adding the #3 wifi as an additional wireless+interface using the guest-wlan instructions like I did for #2, and the wifi does not provide an IP. I have also tried adding #3 on 5 GHz, and that worked. I can surf the web on #3 and I am in my correct subnet, but OpenDNS is not filtering content on #3 when I use 5 GHz. I'm wondering if at this point I should just back everything up and start with a clean config using the instructions above... Any help would be much appreciated.

/etc/config/dhcp

# /etc/config/dhcp (WNDR3700v2). One dnsmasq instance serves every pool
# below, so the OpenDNS servers listed here apply to every client that uses
# this router as resolver, whichever SSID it is on.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
# NOTE(review): the ISP resolvers learned on 'wan' (resolv.conf.auto) are
# used alongside the OpenDNS servers below, so filtering is not guaranteed
# for any client. Add `option noresolv '1'` to use only the listed servers.
# If SSIDs #1 and #3 are meant to bypass OpenDNS, hand those pools a
# different resolver instead, e.g. `list dhcp_option '6,<resolver-ip>'`
# in the matching config dhcp section (placeholder address).
        option resolvfile '/tmp/resolv.conf.auto'
        list server '208.67.220.220'
        list server '208.67.222.222'
# Pool for the trusted lan (wired ports + 'setiarray' SSID):
# 192.168.1.100 - .249.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

# No DHCP service on the upstream interface.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# Static name -> address entries answered by dnsmasq (hosts-file style).
config domain
        option name 'StaticIP-Xbox'
        option ip '192.168.1.50'

config domain
        option name 'SecondaryWorkLaptop'
        option ip '192.168.1.112'

# Redacted public address of the cable modem.
config domain
        option name 'XfinityModem'
        option ip '67.189.xxx.x'

config domain
        option name 'PrimaryWorkLaptop'
        option ip '192.168.1.146'

# Pool for the 'dlink' interface (192.168.3.0/24 in /etc/config/network):
# .100 - .249.
config dhcp
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'dlink'

# Pool for the 'SETIDNS' interface (192.168.6.0/24): .100 - .249.
config dhcp
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'SETIDNS'

/etc/config/firewall

# /etc/config/firewall (WNDR3700v2): 'lan' is trusted, 'wan' is the
# upstream (Comcast), and 'dlink' / 'setidns' are isolated SSID zones that
# may only reach 'wan' plus the router's own DNS and DHCP.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Trusted side: full access to the router's admin interfaces.
config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Upstream: nothing inbound to the router except the rules below;
# masq '1' NATs all forwarded traffic behind the public address.
config zone
        option name 'wan'
        option network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Trusted lan reaches the internet; the isolated zones get their own
# forwardings further down.
config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt defaults on the upstream side: keep the DHCP client, ping
# and the ICMPv6 types IPv6 needs working.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Hand-written iptables rules, if any, go in this file.
config include
        option path '/etc/firewall.user'

# Port forward: exposes 192.168.1.50 on tcp/udp 3074 to the internet
# (Xbox Live). Anything listening on that port of that host is reachable
# from outside.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '3074'
        option dest_ip '192.168.1.50'
        option dest_port '3074'
        option name 'xboxlive'

# Isolated zone for the WEP SSID. input 'REJECT' plus the two rules below
# means its clients can only get a lease and resolve names via this router,
# and (through the forwarding) reach the internet; they cannot reach 'lan'
# or the router's admin interfaces. Same pattern for 'setidns'.
config zone
        option name 'dlink'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'dlink'
        option input 'REJECT'

config forwarding
        option dest 'wan'
        option src 'dlink'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Dlink DNS'
        option src 'dlink'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Dlink DHCP'
        option src 'dlink'

# Port forward: exposes 192.168.1.51 on tcp/udp 8100-8199 to the internet.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '8100-8199'
        option dest_ip '192.168.1.51'
        option dest_port '8100-8199'
        option name 'sony'
# Zone for the 'SETIDNS' interface. Only 'SETIDNS' exists in
# /etc/config/network; the lowercase 'setidns' in the network list matches
# nothing and is harmless.
config zone
        option name 'setidns'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'setidns SETIDNS'
        option input 'REJECT'

config forwarding
        option dest 'wan'
        option src 'setidns'

config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Setidns-DNS'
        option src 'setidns'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Setidns-DHCP'
        option src 'setidns'

/etc/config/network

# /etc/config/network (WNDR3700v2)
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Trusted lan: the wired ports via VLAN 1 on the switch; the 'setiarray'
# SSID joins this bridge through "option network 'lan'" in
# /etc/config/wireless. The _orig_* options look like LuCI bookkeeping of
# earlier bridge settings rather than something netifd acts on — confirm.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option _orig_ifname 'eth0.1 wlan0 radio1.network1'
        option _orig_bridge 'true'
        option ifname 'eth0.1'

# NOTE(review): 'wan' is declared as a bridge, and the 5 GHz SSID
# 'setiarraydns' is attached to it (network 'wan' in /etc/config/wireless).
# Clients on that SSID are then on the ISP side of the firewall and are not
# served by this router's dnsmasq, which would explain why OpenDNS
# filtering does not apply on 5 GHz. To filter that SSID, attach it to a
# routed interface (like 'dlink' or 'SETIDNS') and drop type 'bridge' here.
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option type 'bridge'

# Switch: VLAN 1 carries ports 0-3 plus port 5 tagged (presumably the CPU
# port); the switch_port sections only assign LEDs.
config switch
        option name 'rtl8366s'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'

config switch_vlan
        option device 'rtl8366s'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_port
        option device 'rtl8366s'
        option port '1'
        option led '6'

config switch_port
        option device 'rtl8366s'
        option port '2'
        option led '9'

config switch_port
        option device 'rtl8366s'
        option port '5'
        option led '2'

# Routed guest interfaces: no ifname, the matching wifi-iface attaches by
# network name. Each has its own subnet, DHCP pool and firewall zone.
config interface 'dlink'
        option _orig_ifname 'wlan0-1'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config interface 'SETIDNS'
        option proto 'static'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.0'
        option _orig_ifname 'radio0.network4'
        option _orig_bridge 'false'

/etc/config/wireless

# /etc/config/wireless (WNDR3700v2): radio0 = 2.4 GHz, radio1 = 5 GHz.
# MAC addresses and keys are redacted by the poster.
config wifi-device 'radio0'
        option type 'mac80211'
        option macaddr 'e0:91:f5:xx:xx:xx'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'TX-STBC'
        list ht_capab 'RX-STBC1'
        list ht_capab 'DSSS_CCK-40'
        option country 'US'
        option txpower '20'
        option channel 'auto'
        option hwmode '11ng'
        option htmode 'HT20'

# SSID #1 (adults, WPA/WPA2 mixed): bridged into the trusted 'lan'.
config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'setiarray'
        option key 'xxxx'
        option encryption 'psk-mixed'
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option macaddr 'e0:91:f5:xx:xx:xx'
        option hwmode '11na'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'TX-STBC'
        list ht_capab 'RX-STBC1'
        list ht_capab 'DSSS_CCK-40'
        option txpower '17'
        option htmode 'HT20'
        option channel '48'
        option country 'US'

# NOTE(review): this 5 GHz SSID is attached to 'wan', which
# /etc/config/network declares as a bridge, so its clients sit on the ISP
# side of the firewall and do not use this router's dnsmasq/OpenDNS setup.
# Attach it to a routed interface ('dlink' or 'SETIDNS') to filter it.
config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk-mixed'
        option key 'xxxxx967'
        option ssid 'setiarraydns'
        option network 'wan'

# Disabled, and has no 'network' option; set one before enabling it.
config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'setiarrayIII'
        option encryption 'psk-mixed'
        option key 'xxxx967'
        option disabled '1'

# SSID #3: WEP shared key. WEP is broken encryption and the SSID should be
# treated like an open network; keeping it on the isolated 'dlink' zone
# (no access to 'lan' or the router beyond DNS/DHCP) is the right
# mitigation if the legacy device cannot do WPA2. wmm '0' turns off WMM.
config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'dlink'
        option network 'dlink'
        option wmm '0'
        option encryption 'wep-shared'
        option key '1'
        option key1 's:xxxx'
        option key2 's:xxxx'
        option key3 's:xxxx'
        option key4 's:xxxx'

# NOTE(review): no 'option network' here, so when enabled this SSID is not
# attached to the 'SETIDNS' interface (its DHCP pool and firewall zone) —
# consistent with the "does not provide an IP" symptom described above.
# Add:  option network 'SETIDNS'
config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'setidns'
        option key 'xxxx967'
        option encryption 'psk2'
        option disabled '1'