Wireless Access Point / Dumb Access Point

Summary: This document describes how to create and add a wireless access point (AP), sometimes called a dumb AP, to an existing network with a single main router. The term dumb is used since the router provides no routing, DHCP or DNS services. Instead, those services are provided by the main router.

One of the most common reasons to do this is to add additional wifi coverage to an existing network, maybe on a different floor or to cover some other wireless dead spot. Adding a wireless AP will do exactly that. One way to think of this is as “daisy chaining” the routers together.

The end result of following the instructions below will be a bridged LAN with no internal subnets. Devices connected to either router will “see” each other, and will be connected to the Internet through the main router. This setup is sufficient for small office or home networks but for larger networks a more sophisticated approach is recommended.

These instructions are up to date as of October 15, 2021, and refer to the interface found in OpenWrt version 21.02.0. The interface of v21 differs in some significant ways from earlier version of OpenWrt which we try to account for… but no guarantees.

This setup requires two routers, a computer with an Ethernet port, and an Ethernet cable. We refer to the routers as the main router and the wireless AP router and we assume default settings on both. The main router should already be properly configured and connected to the Internet.

  1. Disconnect the wireless AP router from your network. Connect it to the computer with the Ethernet cable. Do not use the Internet/WAN port of the router.
  2. From a browser on the computer, navigate to the LuCI interface by going to Login. Change the admin password if necessary.
  3. Go to Network → Interfaces and click on the Edit button of the LAN interface. Ensure you are on the General Settings tab.
  4. Give the wireless AP router an IP address “next to” your main router. By default, the main router will have an address of, so use something like (The address should be on the same subnet as your main router but out of the DHCP range used when assigning addresses to connected devices. By default, that means the wireless AP router IP should be between and
  5. Save and apply the new IP address, then navigate back here in a browser. Make sure your browser uses the new IP address you assigned in the previous step (by default Why? Because in the next step, the gateway needs to be changed to point to the main router, and LuCI will not allow you to change the gateway to while the wireless AP router is using that IP address. So back to Network → Interfaces, Edit the LAN interface, General Settings tab.
  6. Change the IPv4 gateway to point to your main router, by default. This sets the wireless AP router to use the main router for Internet access.
  7. Use the main router for DNS. Same page but the Advanced Settings tab. Enter the IP of your main router in the Use custom DNS servers field and click +.
  8. Use the main router for DHCP. Same page again, now the DHCP Server tab. Should be at the General Setup sub-tab. (In version 18.06 and earlier of LuCI, no tabs: just scroll down.) Ensure the Ignore interface checkbox is checked.
  9. Disable IPv6 DHCP. Same page, DHCP Server tab again, but click on the IPv6 Settings sub-tab. Set the RA-Service, DHCPv6-Service, and NDP-Proxy dropdowns to disabled.
  10. In versions of OpenWrt older than 21.02.0: Under “Physical Settings” tab, ensure “Bridge interfaces” is ticked, and ensure BOTH of your interfaces (eth0, wlan0) are selected, in order to allow traffic between wireless and wired connections.
  11. To save resources on the wireless AP router, disable some now unneeded services. Navigate to System → Startup. Disable the services labeled firewall, dnsmasq and odhcpd. (Perhaps ironically, click Enable to toggle.) Note even though these services are now disabled, after you flash a new image to the device they will be re-enabled. For a more permanent fix see Disable Daemons Persistently.
  12. Optionally, remove or disbable the WAN and WAN6 interfaces. On the Network → Interfaces page, Edit the WAN and WAN6 interfaces to uncheck the Bring up on boot checkbox. Or just delete the interfaces.
  13. Note that by default OpenWrt does not enable wireless access. So, from a default installation, at the very least you will need to review the wireless SSIDs, enable wireless security, and then enable the wireless networks from the Network → Wireless page.
  14. Click the Save and Apply button.
  15. Use an Ethernet cable to connect one of the LAN ports on your main router to one of the LAN ports (not the WAN/Internet port) of the wireless AP router.
  16. You may need to reboot or power cycle either or both routers, the device connecting your main router to the Internet, and potentially any connected devices. In many cases this will not be necessary.
  17. Done!

The changes below assume an OpenWrt default configuration, the relevant files are:

Edit /etc/config/network and change the interface section:

For switch-less devices, e.g. Alix Board, wr1043nd v2

On switchless devices, simply bridge all ethernet interfaces together, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0 eth1'   # Bridges lan and wan
        option proto    'dhcp'        # Change as appropriate

For devices with switch and dedicated WAN, e.g. WNDR3700, WR1043ND v1, WR741ND v2.4

On devices with a separate WAN interface, bridge the LAN VLAN together with the WAN interface, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0.1 eth1'  # Bridges vlan 1 and wan
        option proto    'dhcp'         # Change as appropriate

Switch configuration on WR1043ND (barrier breaker):

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4 5t'  # 1. add 0 in here

#config switch_vlan               # 2. comment out or delete the whole vlan 2 section
#       option device 'switch0'
#       option vlan '2'
#       option ports '0 5t'

For devices with switch only, e.g. WRT54GL

On devices where WAN and LAN are separated by switch config, reconfigure the LAN VLAN to cover all ports, remove the existing WAN interface and its related VLAN - if any.

config switch_vlan eth0_1
        option vlan     '1'
        option ports    '0 1 2 3 4 5t' # Might vary depending on the device

config interface lan
        option type     'bridge'
        option ifname   'eth0.1'      
        option proto    'dhcp'         # Change as appropriate

Edit /etc/config/wireless, and don't worry about most of it, things that might need changes are commented.

config 'wifi-device' 'radio0'
        option type    'mac80211'
        option channel '11'
        option macaddr '12:e4:4a:b3:83:1a'
        option htmode  'HT20'
        list ht_capab  'SHORT-GI-20'
        list ht_capab  'SHORT-GI-40'
        list ht_capab  'TX-STBC'
        list ht_capab  'RX-STBC1'
        list ht_capab  'DSSS_CCK-40'

config 'wifi-iface'
        option device  'radio0'
        option network 'lan'  # Set to the name of the bridged interface
        option mode    'ap'
        option ssid    'ap_myaccesspoint'
        option encryption 'psk2'  # Change as appropriate
        option key     'ap_password'

If you still need dnsmasq running for something else (e.g. TFTP server) you can do:

uci set dhcp.lan.ignore=1
uci commit dhcp
/etc/init.d/dnsmasq restart

If not disable dnsmasq service:

/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop

Disable odhcpd with uci:

uci set dhcp.lan.dhcpv6=disabled
uci set dhcp.lan.ra=disabled
uci commit

Or disable service:

/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop
/etc/init.d/firewall disable
/etc/init.d/firewall stop

Reloading the network config should be enough, it should automatically restart if necessary.

/etc/init.d/network reload

If you would like your AP to receive IPv6 as a host only and not for routing you have to tell the DHCPv6 client not to request prefix delegation. If you do not do this the AP will reject basic IPv6 addresses. If you want to still be able to use IPv6 on the router itself change the wan6 to lan6 and @wan to @lan.

config interface 'lan6'
	option proto 'dhcpv6'
	option ifname '@lan'
	option reqprefix 'no'

Note that although the start-up of daemons such as firewall, dnsmasq, and optionally odhcpd have been set to disabled, when a new image is flashed to the device, they will be re-enabled. To work-around this, simply add the following to /etc/rc.local on the device:

# these services do not run on dumb APs
for i in firewall dnsmasq odhcpd; do
  if /etc/init.d/"$i" enabled; then
    /etc/init.d/"$i" disable
    /etc/init.d/"$i" stop

DLNA and UPnP clients and printer or SMB discovery protocols on LANs tend to work by using multicast packets. For example PS3, xbox, TVs and stereos use DLNA to detect, communicate with and stream audio/video over the network. By default on bridged interfaces on OpenWrt (at least tested in 18.x series) multicast snooping is turned off. This means all network interfaces connected to a bridge (such as a WiFi SSID and ethernet VLAN) will receive multicast packets as if they were broadcast packets.

On WiFi the slowest modulation available is used for multicast packets (so that everyone can hear them). If you have “enabled legacy 802.11b rates” on your WiFi (Advanced settings checkbox in LuCI under the WiFi settings, or option legacy_rates '1' in /etc/config/wireless file) then 1Mbps is the rate that will be used. This can completely use up the WiFi airtime with even fairly light multicast streaming.

There are two possible fixes for this, one is to enable multicast snooping: option igmp_snooping '1' under the appropriate /etc/config/network settings for the bridge. This will cause the bridge to forward only on bridge ports that have requested to receive the particular multicast group. On the other hand, if someone on WiFi requests the group, it will still flood the multicast there, and some people have reported problems with certain devices such as android phones and with ipv6 when igmp_snooping is enabled (requires further debugging to identify if there is really a problem or not). By disabling legacy 802.11b rates (option legacy_rates '0') you can at least force the use of 6Mbps or more on the WiFi multicast packets, and this opens up more airtime for other uses.

  • The Dumb AP wireless can be configured to control access as Open/WPA/WPA2/etc. MAC-based access control is controlled by the main router.
  • 'Static DHCP' is not covered here: this procedure creates an AP that provides wired/wireless access and won't interfere with Static DHCP.
  • This recipe is similar to the “Bridged AP” recipe at Bridged AP. These pages should probably be merged.
  • Firewall bridge mode support in OpenWrt is provided by the kmod-br-netfilter module.
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/10/15 10:14
  • by 6cef