Wireless Access Point (aka "Dumb" Access Point)

Summary: This document describes how to create and add a wireless access point (AP), sometimes called a “dumb AP”, to an existing network with a single main router. The term dumb is used since the router provides no routing, DHCP or DNS services.

In truth though, a Wireless AP is anything but dumb, it just does not provide IP routing services.

One of the most common reasons for creating a Wireless Access Point is to add additional wireless coverage to an existing network, maybe on a different floor or to cover some other wireless dead spot. Adding a wireless AP will do exactly that.

The end result of following the instructions below will be a bridged LAN with no internal subnets. Devices connected to either router will “see” each other, and will be connected to the Internet through the main router. This setup is sufficient for small office or home networks but for larger networks a more sophisticated approach is often used.

Several external videos are available on the topic which may be useful. These provide some background and context, but bare in mind they may have become somewhat outdated and generally do not take into account anything other than an ethernet backhaul.

Using OpenWRT v21 with DSA example:

Two-part older videos which are considerably outdated but give some background information:

WiFi roaming is much improved in more up to date mobile devices, so configuring Fast Roaming, aka 802.11r, may not be required. This video can be very misleading as 802.11r has nothing whatsoever to do with mesh networking. Nevertheless it may provide some background information:

These instructions were up to date as of October 15, 2021, and refer to the interface found in OpenWrt version 21.02.0. The interface of v21 differs in some significant ways from earlier version of OpenWrt which we try to account for... but no guarantees.

This setup requires two routers, a computer with an Ethernet port, and an Ethernet cable. We refer to the routers as the main router and the wireless AP and we assume default settings on both. The main router should already be properly configured and connected to the Internet.

1. Disconnect the wireless AP from your network. Use an Ethernet cable to connect your computer to one of the LAN ports (not the Internet/WAN port) of the wireless AP.
2. From a browser on your computer, navigate to the LuCI interface by going to http://192.168.1.1. Login. Change the admin password if necessary.
3. Go to Network → Interfaces and click on the Edit button of the LAN interface. Ensure you are on the General Settings tab.
4. It is best to configure the wireless AP to use DHCP to obtain an address from the main router, but here we will configure a static ip address. Give the wireless AP an IP address “next to” your main router. By default, the main router will have an address of 192.168.1.1, so use something like 192.168.1.2. (The address should be on the same subnet as your main router but out of the DHCP range used when assigning addresses to connected devices. By default, that means the wireless AP router IP should be between 192.168.1.2 and 192.168.1.100.) If you're adding multiple wireless AP routers, you could use 192.168.1.3, 192.168.1.4, etc. for additional routers.
5. Save and apply the new IP address, then navigate back to that address (say, http://192.168.1.2). Make sure your browser uses the new IP address you assigned in the previous step. Why? Because in the next step, the gateway needs to be changed to point to the main router, and LuCI will not allow you to change the gateway to 192.168.1.1 while the wireless AP router is using that IP address. So back to Network → Interfaces, Edit the LAN interface, General Settings tab.
6. Change the IPv4 gateway to point to your main router, 192.168.1.1 by default. This sets the wireless AP router to use the main router for Internet access.
   
7. Use the main router for DNS. Same page but the Advanced Settings tab. Enter the IP of your main router in the Use custom DNS servers field and click +.
8. Use the main router for DHCP (and disable DHCP for the Wireless AP). Same page again, now the DHCP Server tab. Should be at the General Setup sub-tab. (In version 18.06 and earlier of LuCI, no tabs: just scroll down.) Ensure the Ignore interface checkbox is checked.
   
9. Disable IPv6 DHCP. Same page, DHCP Server tab again, but click on the IPv6 Settings sub-tab. Set the RA-Service, DHCPv6-Service, and NDP-Proxy dropdowns to disabled.
   
10. In versions of OpenWrt older than 21.02.0: Under “Physical Settings” tab, ensure “Bridge interfaces” is ticked, and ensure BOTH of your interfaces (eth0, wlan0) are selected, in order to allow traffic between wireless and wired connections.
    
11. To save resources on the wireless AP router, disable some now unneeded services. Navigate to System → Startup. Disable the services labeled firewall, dnsmasq and odhcpd. (Perhaps ironically, click Enable to toggle.) Note even though these services are now disabled, after you flash a new image to the device they will be re-enabled. For a more permanent fix see Disable Daemons Persistently.
    
12. Optionally, remove or disable the WAN and WAN6 interfaces. On the Network → Interfaces page, Edit the WAN and WAN6 interfaces to uncheck the Bring up on boot checkbox. Or just delete the interfaces.
13. Note that by default OpenWrt does not enable wireless access. So, from a default installation, at the very least you will need to review the wireless SSIDs, enable wireless security, and then enable the wireless networks from the Network → Wireless page.
14. Click the Save and Apply button.
    
15. Use an Ethernet cable to connect one of the LAN ports on your main router to one of the LAN ports (not the WAN/Internet port) of the wireless AP router.
16. You may need to reboot or power cycle either or both routers, the device connecting your main router to the Internet, and potentially any connected devices. In many cases this will not be necessary.
17. Done!
    

The changes below assume an OpenWrt default configuration, the relevant files are:

• /etc/config/network
• /etc/config/wireless

Edit /etc/config/network and change the interface section:

On switchless devices, simply bridge all ethernet interfaces together, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0 eth1'   # Bridges lan and wan
        option proto    'dhcp'        # Change as appropriate

On devices with a separate WAN interface, bridge the LAN VLAN together with the WAN interface, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0.1 eth1'  # Bridges vlan 1 and wan
        option proto    'dhcp'         # Change as appropriate

Switch configuration on WR1043ND (barrier breaker):

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4 5t'  # 1. add 0 in here

#config switch_vlan               # 2. comment out or delete the whole vlan 2 section
#       option device 'switch0'
#       option vlan '2'
#       option ports '0 5t'

On devices where WAN and LAN are separated by switch config, reconfigure the LAN VLAN to cover all ports, remove the existing WAN interface and its related VLAN - if any.

config switch_vlan eth0_1
        option vlan     '1'
        option ports    '0 1 2 3 4 5t' # Might vary depending on the device

config interface lan
        option type     'bridge'
        option ifname   'eth0.1'      
        option proto    'dhcp'         # Change as appropriate

The syntax is slightly different for these devices. You will notice that there is a config device which lists the ethernet port(s) assigned to an interface (in this case the br-lan). It will also list the assigned port under the “list ports” clause. The gotcha here is that you must add a separate line for each “list ports” added to a device. If you try to add them to one “list ports” entry space or comma separated it will not work properly. Finally you can remove/comment out any WAN interface settings identical to the above entries.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'

Edit /etc/config/wireless, and don't worry about most of it, things that might need changes are commented.

config 'wifi-device' 'radio0'
        option type    'mac80211'
        option channel '11'
        option macaddr '12:e4:4a:b3:83:1a'
        option htmode  'HT20'
        list ht_capab  'SHORT-GI-20'
        list ht_capab  'SHORT-GI-40'
        list ht_capab  'TX-STBC'
        list ht_capab  'RX-STBC1'
        list ht_capab  'DSSS_CCK-40'

config 'wifi-iface'
        option device  'radio0'
        option network 'lan'  # Set to the name of the bridged interface
        option mode    'ap'
        option ssid    'ap_myaccesspoint'
        option encryption 'psk2'  # Change as appropriate
        option key     'ap_password'

If you still need dnsmasq running for something else (e.g. TFTP server) you can do:

uci set dhcp.lan.ignore=1
uci commit dhcp
/etc/init.d/dnsmasq restart

If not disable dnsmasq service:

/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop

Disable odhcpd with uci:

uci set dhcp.lan.dhcpv6=disabled
uci set dhcp.lan.ra=disabled
uci commit

Or disable service:

/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop

/etc/init.d/firewall disable
/etc/init.d/firewall stop

rm /usr/sbin/wpa_supplicant

Reloading the network config should be enough, it should automatically restart if necessary. Or just reboot.

/etc/init.d/network reload

If you would like your AP to receive IPv6 as a host only and not for routing you have to tell the DHCPv6 client not to request prefix delegation. If you do not do this the AP will reject basic IPv6 addresses. If you want to still be able to use IPv6 on the router itself change the wan6 to lan6 and @wan to @lan.

config interface 'lan6'
	option proto 'dhcpv6'
	option ifname '@lan'
	option reqprefix 'no'

Note that although the start-up of daemons such as firewall, dnsmasq, wpa_supplicant and optionally odhcpd have been set to disabled, when a new image is flashed to the device, they will be re-enabled. To work-around this, simply add the following to /etc/rc.local on the device:

# these services do not run on dumb APs
for i in firewall dnsmasq odhcpd; do
  if /etc/init.d/"$i" enabled; then
    /etc/init.d/"$i" disable
    /etc/init.d/"$i" stop
  fi
done

rm /usr/sbin/wpa_supplicant

Dumb APs will not have the data to display the respective hostnames of the associated devices. Only MAC addresses are known to it. Users wanting to see the corresponding hostnames in the Associated Stations display in LuCI can manually populate /etc/ethers on the dumb AP to achieve this.

On the router, one can extract this data with the following one-liner:

< dhcp.leases | awk '{print $2" "$4}'

See the following discussion threads for additional approaches:

• Using fping to populate ethers file: https://forum.openwrt.org/t/associated-stations-list-in-ap-how-to-show-host-names/63475/6
• An improved fping approach: https://forum.openwrt.org/t/second-device-not-getting-dns-entries-from-first-device-to-show-in-associated-stations/57005/14
• Propagating dhcp.leases to secondary (dumb) access points: https://forum.openwrt.org/t/associated-stations-making-hostnames-visible-across-multiple-aps/92593

DLNA and UPnP clients and printer or SMB discovery protocols on LANs tend to work by using multicast packets. For example PS3, xbox, TVs and stereos use DLNA to detect, communicate with and stream audio/video over the network. By default on bridged interfaces on OpenWrt (at least tested in 18.x series) multicast snooping is turned off. This means all network interfaces connected to a bridge (such as a WiFi SSID and ethernet VLAN) will receive multicast packets as if they were broadcast packets.

On WiFi the slowest modulation available is used for multicast packets (so that everyone can hear them). If you have “enabled legacy 802.11b rates” on your WiFi (Advanced settings checkbox in LuCI under the WiFi settings, or option legacy_rates '1' in /etc/config/wireless file) then 1Mbps is the rate that will be used. This can completely use up the WiFi airtime with even fairly light multicast streaming.

There are two possible fixes for this, one is to enable multicast snooping: option igmp_snooping '1' under the appropriate /etc/config/network settings for the bridge. This will cause the bridge to forward only on bridge ports that have requested to receive the particular multicast group. On the other hand, if someone on WiFi requests the group, it will still flood the multicast there, and some people have reported problems with certain devices such as android phones and with ipv6 when igmp_snooping is enabled (requires further debugging to identify if there is really a problem or not). By disabling legacy 802.11b rates (option legacy_rates '0') you can at least force the use of 6Mbps or more on the WiFi multicast packets, and this opens up more airtime for other uses.

• The Dumb AP wireless can be configured to control access as Open/WPA/WPA2/etc. MAC-based access control is controlled by the main router.
• 'Static DHCP' is not covered here: this procedure creates an AP that provides wired/wireless access and won't interfere with Static DHCP.
• This recipe is similar to the “Bridged AP” recipe at Bridged AP. These pages should probably be merged.
• Firewall bridge mode support in OpenWrt is provided by the kmod-br-netfilter module.